A typical microprocessor controller, such as is used in anti-lock braking systems, includes two microprocessors configured as shown in FIG. 1. Microprocessors A and B simultaneously execute ABS algorithms in response to inputs from wheel sensors (not shown) for generating outputs needed to activate a vehicle's brakes. A comparator 10 checks for identity between the two microprocessor outputs, and if identity is detected, the comparator sends one of the microprocessors' outputs to the brake system. When the comparator finds a lack of identity, a fault is assumed to have occurred, the controller is shut down, and the normal (non-ABS) braking system is put into effect.
The above-described type of controller suffers from the fact that a fault in either of the microprocessors causes the entire ABS system to shut down. From this point of view, the long term reliability of such a system is less than what is desirable.
To increase reliability, the controller can be made reconfigurable, meaning that a component that is detected as being faulty can be removed from the system. In a dual microprocessor system, the faulty microprocessor would be removed from the system and the good microprocessor would continue to run. The problem with this approach is that after the faulty microprocessor has been removed, there is nothing left against which to check the output of the good microprocessor, so system safety is lowered.
To improve the safety of this type of system, a triple redundant system (using three microprocessors) can be used. When a fault occurs in the triple redundant system, the faulty microprocessor is switched out of the system based on a majority vote. This system then becomes a dual redundant system of the type discussed above. When a second failure occurs, the system shuts down.
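The degradation path just described, as an added example that is not part of the patent text: a triple redundant controller that majority-votes, switches out the dissenting microprocessor, continues as the dual (comparator 10) arrangement of FIG. 1, and shuts down on the second fault. The mode names, the `controller_t` layout and the five-cycle fault sequence are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
/* Operating modes of the constructed triple-redundant controller. */
typedef enum { MODE_TRIPLE, MODE_DUAL, MODE_SHUTDOWN } ctrl_mode_t;
typedef struct {
    ctrl_mode_t mode;
    bool active[3];   /* microprocessors still switched into the system */
} controller_t;
#define CONTROLLER_INIT { MODE_TRIPLE, { true, true, true } }

/* One comparison cycle over this cycle's three microprocessor outputs.
 * Returns true with *selected set to the output passed to the brakes; false
 * means the controller has shut down and normal (non-ABS) braking applies. */
bool controller_step(controller_t *c, const uint32_t out[3], uint32_t *selected) {
    if (c->mode == MODE_TRIPLE) {
        /* Majority vote: any value produced by at least two processors wins. */
        for (int i = 0; i < 3; i++) {
            int j = (i + 1) % 3, k = (i + 2) % 3;
            if (out[i] != out[j]) continue;
            *selected = out[i];
            if (out[k] != out[i]) {      /* one dissenter: switch it out */
                c->active[k] = false;
                c->mode = MODE_DUAL;     /* now a dual redundant system */
            }
            return true;
        }
        c->mode = MODE_SHUTDOWN;         /* all three differ: no majority */
        return false;
    }
    if (c->mode == MODE_DUAL) {
        /* Comparator 10 behaviour: the two survivors must agree exactly. */
        int a = -1, b = -1;
        for (int i = 0; i < 3; i++)
            if (c->active[i]) { if (a < 0) a = i; else b = i; }
        if (a >= 0 && b >= 0 && out[a] == out[b]) { *selected = out[a]; return true; }
        c->mode = MODE_SHUTDOWN;         /* second fault: nothing left to check against */
    }
    return false;
}

/* Constructed fault sequence: healthy, one dissenter (B), survivors agree with B
 * ignored, survivors disagree, late healthy cycle. Returns cycles that delivered an ABS output (3). */
int run_fault_sequence(void) {
    static const uint32_t cycles[5][3] = {{7,7,7}, {7,9,7}, {5,0,5}, {5,5,6}, {5,5,5}};
    controller_t c = CONTROLLER_INIT;
    uint32_t sel = 0; int delivered = 0;
    for (int i = 0; i < 5; i++) if (controller_step(&c, cycles[i], &sel)) delivered++;
    return delivered;
}
```

Note that the final healthy cycle is still rejected: once shut down, the controller stays in non-ABS braking, which is exactly the reliability cost the text goes on to discuss.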
Common concerns with all approaches to redundant microprocessor controllers are safety and reliability. The approaches discussed above are considered safe insofar as they are able to detect a faulty controller and switch it off. To increase safety, the systems may add additional redundancy or other additional checking circuits that add complexity. This additional complexity can, of course, lead to less reliability insofar as there are more components capable of failing. It can therefore be seen that a new and different approach to improved reliability, while maintaining a high level of safety, is desirable.