Triple redundancy in SpaceX system design

In an online Q&A (on Reddit), the SpaceX software team described the triple redundancy built into their system design:

Contingency comes in many forms in our software. As noted, we triplicate almost everything so we can tolerate loss of any one flight computer, sensor, actuator, etc. on Falcon, and any 2 on Dragon. At a system-level, Falcon and Dragon are designed so that loss of things like engines or thrusters can be tolerated, and our algorithms compensate. We can also add certain contingencies to our state machines. For example, the Dragon state machine is designed to autonomously switch from approach to a breakout if certain failures are observed. – Jeff ("I run Flight Software and Cybersecurity at SpaceX")

User T.J. Tarazevits noted on Stack Exchange:

The triple redundancy gives the system radiation tolerance without the need for expensive rad hardened components.

In response to the above, user Larry_C's explanation seems more authoritative:

Most flight control systems are triple redundant for reliability ("triplex"). The use of rad hard components is not needed for a suborbital FCS system like that used on Falcon rockets as the flight control is not exposed to enough radiation over a long enough period to induce a fault in the processor, bus, etc. Systems that are on-orbit or used for deep space control would generally use rad hard silicon on insulator or silicon on sapphire processors like the hardened PowerPC.
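As an added illustration (not code from SpaceX or from either quoted poster), the C example below shows the mechanics behind the "triplex" voting that both quotes refer to: a majority voter over replicated channels that tolerates the loss or silent corruption of one channel out of three, the general 2f+1 channel count a majority voter needs to out-vote f silently wrong replicas, and a contingency transition in the style of the approach-to-breakout switch described above. The `channel_t` structure, the validity flag, the vote status codes and the rule that a failed vote triggers the breakout are all assumptions made for this example; the page gives no details of SpaceX's actual implementation.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

#define MAX_CHANNELS 8

/* One replicated input (assumed structure for this example). */
typedef struct {
    int32_t value;   /* reading reported by this replica */
    bool    valid;   /* false if the replica is known lost (timeout, failed self-test) */
} channel_t;

typedef enum {
    VOTE_OK,        /* every channel present and in agreement */
    VOTE_DEGRADED,  /* a majority agrees, but some channel is lost or dissents */
    VOTE_FAIL       /* no majority: the voted value must not be trusted */
} vote_status_t;

/* Majority vote over n replicated channels.
 * A value wins only if more than n/2 of ALL n channels report it (lost channels
 * count against the majority), so up to floor((n-1)/2) channels may be lost or
 * silently wrong: one of three for a triplex, two of five, and so on. */
vote_status_t majority_vote(const channel_t *ch, int n, int32_t *out)
{
    if (n <= 0 || n > MAX_CHANNELS) return VOTE_FAIL;
    for (int i = 0; i < n; i++) {
        if (!ch[i].valid) continue;
        int agree = 0;
        for (int j = 0; j < n; j++)
            if (ch[j].valid && ch[j].value == ch[i].value) agree++;
        if (agree * 2 > n) {            /* strict majority of all channels */
            *out = ch[i].value;
            return (agree == n) ? VOTE_OK : VOTE_DEGRADED;
        }
    }
    return VOTE_FAIL;
}

/* Channels a majority voter needs to out-vote f replicas that may report a
 * wrong value without flagging themselves: 2f + 1 (f = 1 gives the triplex). */
int channels_for_faults(int f)
{
    return 2 * f + 1;
}

/* Contingency transition modeled on the quoted description (assumed rule):
 * stay in APPROACH while the voted input is usable, switch to BREAKOUT once
 * the voter can no longer produce a trustworthy value. */
typedef enum { STATE_APPROACH, STATE_BREAKOUT } phase_t;

phase_t next_phase(phase_t current, vote_status_t nav_vote)
{
    if (current == STATE_APPROACH && nav_vote == VOTE_FAIL) return STATE_BREAKOUT;
    return current;
}

int main(void)
{
    /* Constructed sample readings: a triplex with one replica lost. */
    channel_t triplex[3] = { {100, true}, {100, true}, {0, false} };
    int32_t v = 0;
    vote_status_t s = majority_vote(triplex, 3, &v);
    printf("triplex, one lost: status=%d value=%d\n", (int)s, (int)v);

    /* Same triplex with a second replica lost: no majority, contingency fires. */
    triplex[1].valid = false;
    s = majority_vote(triplex, 3, &v);
    printf("triplex, two lost: status=%d -> phase=%d\n",
           (int)s, (int)next_phase(STATE_APPROACH, s));
    printf("channels needed to tolerate 2 silent faults: %d\n", channels_for_faults(2));
    return 0;
}
```

The voter deliberately counts lost channels against the majority rather than voting only among the survivors: with two of three replicas gone, the single remaining reading has nothing to be checked against, so the conservative choice is to report `VOTE_FAIL` and let the state machine take its contingency branch rather than fly on an unverified value.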
