Ultrareliability has become important as designers have begun to incorporate digital computers into systems in which computer failures may involve loss of human life or loss of a critical mission. Examples include fly-by-wire aircraft, dynamically unstable aircraft, nuclear power plant controls, unmanned space vehicles, and autonomous undersea vehicles. Required failure probabilities are in the range of 10^-4 to 10^-10, depending on the nature of the mission and the likelihood that computer failure could result in loss of life. The authors describe their methodology for designing ultrareliable real-time computing systems and then describe an application of these techniques to the design of the Advanced Information Processing System (AIPS).

A dominant theme of the paper is that the system design must enable failure rates to be determined using analytical models, simulations, and proofs. The reason is that the required failure probabilities are too low to use life testing to determine the failure rate. Subjects covered include the tradeoffs between fault avoidance and fault tolerance, partitioning a design into fault containment regions, voting techniques for masking errors, and the use of fault-tolerant clocking in the presence of Byzantine faults. The authors compare approximate consensus and exact consensus in detecting erroneous outputs, concluding that only exact consensus is amenable to formal methods and analytical verification. This paper is a clear, concise description of the redundancy techniques used in ultrareliable real-time systems.