
What's the upside of two identical computers computing the same input?

I can understand a backup if the first fails, but why two identical systems contemporaneously computing?



NPR just did a piece on cosmic rays, saying they cause hardware faults way more often than people realize. In one case they switched off a passenger jet's autopilot. They're also getting blamed for the Toyota unintended accelerations.

They said it's common now in critical systems to use three computers and ignore any single computer that disagrees with the other two.


Protects against certain kinds of transient hardware faults that are common enough to worry about in safety-critical systems, I think.


How does it know which of the two is correct?


See above comment. With 2, you don't. With 3, you do.

But if there's a human in the loop and a manual alternate control pathway, detecting a disagreement allows you to cue the manual operator and transfer control to them. Or fall back to a much simpler system of computer aid.

With 1, hardware failures are extremely hard to detect at all, as even your computational checks for internal consistency are subject to mutation.


> See above comment. With 2, you don't. With 3, you do.

Unless all 3 give different results: two failures and one correct.

IIRC the shuttle had a 3+1 system: 3 as a cohort with voting, and if they couldn't reach consensus, the 1 was a minimal system that could keep the lights on.


You don't need to. You just need to know that the module as a whole has a fault. Reboot the module and let the hot spare take over (all critical functions have a hot spare).
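The three situations the thread describes (1 channel: a fault is invisible; 2 channels: a mismatch is detectable but you cannot tell which lane is right; 3 channels: a strict majority masks the faulty lane, and if all three disagree you hand off to an operator or a minimal backup) as an added, runnable example. This is not code from any commenter or from a real flight system; `vote`, `redundant_compute`, the bit-flip fault model and the `pitch_command` sample function are all constructed for illustration.

```python
"""Majority voting over N identical channels, with a simulated transient fault."""
from collections import Counter


def vote(outputs):
    """Compare the results of N redundant channels.

    Returns (status, value, faulty_lanes):
      "unchecked"    one channel only: nothing to compare against, any error passes through
      "agree"        every channel produced the same result
      "majority"     a strict majority agrees; the minority lanes are masked as faulty
      "no_consensus" no strict majority (two lanes that differ, or three that all differ)
    """
    n = len(outputs)
    if n == 1:
        return "unchecked", outputs[0], []
    value, count = Counter(outputs).most_common(1)[0]
    if count == n:
        return "agree", value, []
    if count * 2 > n:  # strict majority, e.g. 2 of 3 or 3 of 4
        faulty = [lane for lane, v in enumerate(outputs) if v != value]
        return "majority", value, faulty
    return "no_consensus", None, []


def flip_bit(value, bit):
    """Fault model (assumption): a single-event upset flips one bit of a lane's integer result."""
    return value ^ (1 << bit)


def redundant_compute(compute, x, channels=3, upsets=(), backup=None):
    """Run compute(x) on `channels` identical lanes, corrupt the lanes listed in
    `upsets` as (lane, bit) pairs, then vote.

    Returns (status, value, source); source is "voter" or "backup" (the minimal
    fallback used when the voter cannot reach consensus).
    """
    outputs = [compute(x) for _ in range(channels)]
    for lane, bit in upsets:
        outputs[lane] = flip_bit(outputs[lane], bit)
    status, value, _faulty = vote(outputs)
    if status == "no_consensus" and backup is not None:
        return status, backup(x), "backup"
    return status, value, "voter"


def pitch_command(setpoint):
    """Constructed stand-in for a control-law computation (8-bit result)."""
    return (setpoint * 37 + 11) % 256


def minimal_backup(setpoint):
    """Constructed stand-in for the simple 'keep the lights on' fallback."""
    return 0


if __name__ == "__main__":
    print(redundant_compute(pitch_command, 10))                                  # agree
    print(redundant_compute(pitch_command, 10, upsets=[(1, 3)]))                 # majority masks lane 1
    print(redundant_compute(pitch_command, 10, channels=2, upsets=[(0, 0)],
                            backup=minimal_backup))                              # detected, not correctable
    print(redundant_compute(pitch_command, 10, upsets=[(0, 0), (1, 1)],
                            backup=minimal_backup))                              # all differ -> backup
    print(redundant_compute(pitch_command, 10, channels=1, upsets=[(0, 5)]))     # wrong answer, unnoticed
```

The last call is the single-channel case from the thread: the corrupted result is returned with status "unchecked" because there is nothing to compare it against. The voter only helps against faults that hit one lane at a time; two lanes corrupted differently defeat a 3-lane vote, which is why the fallback path exists.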



