I had this problem on a client's server some years ago running Red Hat Linux. The RAID system was setup as drive mirroring. The first drive failed at some point, but the system kept working until the second drive failed. But by that stage the computer server failed completely (as it would). I was able to resurrect the system, but it left me skeptical of RAID systems - especially in systems where there is no on-site system administrator to regularly check the system.

That's why you setup automatic email notification of RAID drive failure!

RAID5 is bad news; stay away from it. If you want to keep your data moderately reliably, use RAID1 and an incremental backup scheme (offsite, on-net, anything other than on hard disk on the same machine as the RAID).

Are you forgetting integrated hot-swap RAID 5E and 5EE. If you can loose two drives before your data gives up the ghost, then you can configure proper notifications and replace your dead FRU without worry. Also, have you considered redundant arrays configured as software RAID 1? If you use a remote iSCSI device as your mirror drive you can keep a complete copy of your data colo'ed away from your burned out crust of a data center. RAID 5 isn't the problem, badly designed storage solutions are the problem.

RAID5 is a good thing.

A distinction that I've heard elsewhere applies here:

   RAID is a *CONTINUITY* strategy, not a backup strategy.

RAID shrinks recovery time down to nothing in many situations. Backups do not.

Backups provide "deep sh*t" recovery.

The two purposes can overlap.

RAID always has a trade-off of cost (or overhead) versus the amount of protection you get. Picking RAID-5 over RAID-1 should mean in part that you have decided that you cannot afford (or do not need) that much protection and you are willing to be exposed to two-disk total data loss.

(It is not just a straight RAID-1 versus RAID-5 choice, either; you can choose how many RAID-5 groups you split your disks into, trading off overhead against how much data you will lose if you have two disks fail in the same group and so on.)

This is a rather short-sighted approach and assumes you will always be able to fit a complete backup onto one disk. Most decent software (and hardware) RAID solutions offer the option to have a hot spare drive. This will reduce your exposure to total loss to the time it takes to re sync your drive back to a spare. RAID 5 offers a much faster read time than your single drive implementations.

What about Raid-6 (double parity) such as used by Network Appliance?

Both a hot spare and RAID 6 lose an extra disk to overhead. Also, hot spare re-sync on a large RAID-5 SATA array is not exactly fast these days, so you can be exposed for a not insignificant amount of time.

Read times faster than raw single disk IO are not exactly a priority for this use; in fact, most of this data will never be read after it is written, because most of the time we hope to never need our backups. That we can read from this setup faster and more conveniently than going to tape is good enough.

No system design is static. If our storage and incremental backup sizes grow enough to invalidate this design (which would have to be a lot of growth), we would have to re-evaluate this approach and perhaps switch to something else. In the mean time, we can gain the benefits, including more days of conveniently accessible online incremental backups in the common case.

If you lose a disk in RAID5, even if you have a hot swap disk ready and activate it immediately, there's still a significant amount of time spent writing data to that new disk. The danger is losing a second disk while your repair disk is still being brought online. The repair time for RAID5 is much greater than for RAID1 because there's a lot more data to read.

If the disks are getting old, the probability of a second drive failure increases once the first drive has failed. And if your hot swap is just as old as the RAID5 drives, you may be replacing a failed old device with another which is just as old.

I'd want more redundancy - e.g. can recover from a 2-drive loss.