The present invention relates generally to the control of real time systems and, more particularly, to providing inherently reliable control of real time systems through asynchronous management of temporally redundant signals in a multi-feedback loop configuration.
Redundant control systems are used in various environments where performance and reliability are essential. These include commercial and military applications involving critical systems whose performance integrity must be assured. Typical applications include aerospace flight control systems, power plant monitoring systems, patient monitoring systems and various other computer-driven control systems. To reliably control a system such as a power plant or a continuous process in an interactive, real time manner, a control system must be resilient to the occurrence of faults or failures and robust in its ability to minimize or avoid their effects. Modular or configurational redundancy provides the basic technique for achieving reliable, resilient, robust control which is tolerant of the occurrence of faults or failures. Various approaches to redundancy management have been exploited in conventional control systems.
A typical control system technique involves the principle of "fault-masking". The approach here is not so much to eliminate faults as to design the control system so that the integrity of the system is insensitive to the structure and/or content of the information presented to it. This is most often accomplished using redundant, concurrently active multi-control loops. A typical prior art configuration is illustrated in FIG. 1 for the specific case of two feedback control loops. In the event of a fault or failure along the first loop, the second feedback loop maintains stability for the system. Conversely, should a fault or failure occur along the second loop, the first feedback loop stabilizes the system. In this way, the occurrence of faults or failures which change the structure or content of information does not significantly impact the performance of the system; because both loops are active at all times, stability does not depend on first detecting the fault. Under nominal (no fault or failure) conditions these independent, redundant, multi-controller feedback loops cooperate to provide active real time monitoring and control of a continuous system. The multi-control loop redundancy of the scheme assures stability in the event of failure.
An often used alternative to this scheme utilizes redundant hardware modules in a parallel multi-modular configuration rather than multi-control loops. The outputs of these redundant modules may be averaged, although "voting" is the more typical mode of modular redundancy management. This prior art scheme is illustrated in FIG. 2, where all modules remain powered and computing but do not necessarily contribute to the control of the system. "Voting" is used to determine which of the redundant modules will operate to control the system; only those modules drive the system, while the modules not chosen remain in stand-by mode. The scheme necessitates detection and isolation of faults or failures, followed by reconfiguration once such faults or failures have been identified. As long as proper detection and isolation are accomplished, reconfiguration based on the availability of redundant stand-by modules can be implemented. Consequently, it is only in the steady state following reconfiguration that reliability can be ensured. There remains a small but finite risk that the detection, isolation and reconfiguration process may itself be faulty or fail altogether. Even if that risk is negligible under proper operating conditions, a finite amount of time is required for diagnosis and reconfiguration, during which the fault is not yet isolated and the system may be driven unstable. Thus, this scheme cannot guarantee transient stability during a fault or failure.
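To make the contrast between the FIG. 1 fault-masking scheme and the FIG. 2 voting/reconfiguration scheme concrete, the following is an added simulation written for this edit; it is not part of the patent, not the present invention's method, and not prior-art code. It assumes a toy discrete-time plant x[k+1] = A*x[k] + B*sat(u[k]) + D with an unstable open-loop pole (A = 1.3), a constant disturbance D, an actuator limited to +/-U_MAX, per-loop gains k1, k2, a single-module gain, a detection window detect_steps and a vote tolerance tol; every one of those constants is an illustrative assumption. In the dual-loop run a faulted loop's output is replaced by a constant and nothing else happens; in the voting run the active module's faulty command drives the plant until a monitor has seen detect_steps consecutive disagreements with the majority, then the module is isolated and a stand-by module takes over.

```python
from dataclasses import dataclass
from statistics import median

# Plant x[k+1] = A*x[k] + B*sat(u[k]) + D: open-loop unstable (A > 1), with a
# constant disturbance D and an actuator limited to +/-U_MAX. All constants
# are illustrative assumptions for this example, not values from the page.
A, B, D = 1.3, 1.0, 1.0
U_MAX = 5.0
DIVERGE = 1e3  # |x| beyond this is treated as loss of stability


def sat(u):
    """Actuator authority limit."""
    return max(-U_MAX, min(U_MAX, u))


@dataclass
class Result:
    peak: float      # largest |x| observed after the fault is injected
    final: float     # state at the end of the run
    diverged: bool   # True if |x| exceeded DIVERGE


def run_dual_loop(steps=100, fault_at=20, fault_output=0.0, k1=0.5, k2=0.5):
    """Fault masking (FIG. 1 style): two concurrently active feedback loops
    whose commands are summed. From step `fault_at` onward loop 1's output is
    replaced by `fault_output` (0.0 models a dead loop, a non-zero value a
    loop emitting wrong content). No detection or switching takes place."""
    x, peak = 0.0, 0.0
    for k in range(steps):
        u1 = -k1 * x if k < fault_at else fault_output
        u2 = -k2 * x
        x = A * x + B * sat(u1 + u2) + D
        if k >= fault_at:
            peak = max(peak, abs(x))
        if abs(x) > DIVERGE:
            return Result(peak, x, True)
    return Result(peak, x, False)


def run_voting_reconfig(steps=100, fault_at=20, fault_output=0.0, gain=1.0,
                        modules=3, detect_steps=8, tol=1e-3):
    """Modular redundancy with voting (FIG. 2 style): one active module drives
    the plant, the others stand by. A monitor compares the active command with
    the majority (median) of the non-isolated modules; after `detect_steps`
    consecutive disagreements the active module is isolated and the next
    healthy module takes over. The switch takes effect on the following step,
    so the faulty command drives the plant for exactly `detect_steps` steps."""
    x, peak = 0.0, 0.0
    healthy = list(range(modules))
    active, disagree = 0, 0
    for k in range(steps):
        cmds = [-gain * x] * modules
        if k >= fault_at:
            cmds[0] = fault_output           # module 0 (the active one) fails
        u = cmds[active]
        vote = median([cmds[i] for i in healthy])
        if abs(u - vote) > tol:
            disagree += 1
            if disagree >= detect_steps and len(healthy) > 1:
                healthy.remove(active)       # isolate the faulty module
                active = healthy[0]          # reconfigure onto a stand-by
                disagree = 0
        else:
            disagree = 0
        x = A * x + B * sat(u) + D
        if k >= fault_at:
            peak = max(peak, abs(x))
        if abs(x) > DIVERGE:
            return Result(peak, x, True)
    return Result(peak, x, False)


if __name__ == "__main__":
    print("dual loop, loop 1 dead:     ", run_dual_loop())
    print("dual loop, loop 1 biased:   ", run_dual_loop(fault_output=1.0))
    print("voting, 2-step detection:   ", run_voting_reconfig(detect_steps=2))
    print("voting, 8-step detection:   ", run_voting_reconfig(detect_steps=8))
```

With these assumed numbers the dual loop rides through a dead or mildly biased loop with a bounded offset and no detection logic at all, whereas the voting scheme's outcome is decided entirely by detection latency: a two-step window is recovered, an eight-step window lets the open-loop plant grow past the actuator's authority before the stand-by module is switched in, after which no reconfiguration can bring it back. The masking scheme has its own limit, which the paragraph above does not spell out: a faulty loop injecting a large enough wrong command (fault_output=2.0 here) exhausts the shared actuator's authority and the plant diverges just the same, so the masking margin must be sized against the worst credible erroneous output, not only against a dead loop.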