Since faults in components of complex systems are not completely avoidable, systems which are critical with regard to safety must be set up to be tolerant of faults. Fault tolerance is the ability of a system to behave in a defined manner when a component breaks down or exhibits a fault, e.g., the ability to continue to provide correct, or at least no false, output quantities.
Applications that are critical with regard to safety use structures in which components are set up redundantly. So-called 1oo2 structures (1 out of 2) are based on the assumption that two redundant components behave identically, that is, that they supply identical output quantities for identical input quantities as long as neither component is faulty. In such structures a comparator therefore continuously compares the output quantities of the redundant components and stops the output if a discrepancy arises. Although this so-called integrated, non-steady behavior causes a system standstill in some instances, it reliably prevents the further processing of incorrect output quantities. Directly identifying which individual component is faulty is usually impossible.
So-called 1oo2D structures additionally include a fault detection and the provision of status reports by the redundant components, which make it possible to detect the faulty component and to deactivate it selectively in the event of a discrepancy in the output quantities. This allows a continued (emergency) operation of the system using the intact component, at least for a certain period of time (integrated, steady behavior).
Also known are structures which provide such a deactivation based on status reports, but which do not necessarily perform a continuous comparison of the output quantities. In addition, it is known to hold one or more of the components in passive readiness and to activate the intact, passive component only if a fault has occurred in an active component, which then continues the operation accordingly.
In such systems a so-called voter supplies an evaluation or switchover signal on the basis of an evaluation of the status reports. This signal causes the system to switch from a faulty component to an intact component, that is, it activates the intact component where necessary, forwards the input quantities to that component, and makes the output quantities of that component available at a system output. A corresponding voter checks the plausibility of the incoming status reports and makes a selection, for instance via a truth table. For example, the status reports include a plurality of activation recommendations associated with the particular components. A corresponding voter decision may be outvoted via a user intervention.
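As an added illustration (not part of the original text), the following Python sketch combines the 1oo2D elements described above: a comparator over the two outputs, a plausibility check of each component's status report, a truth-table selection when a discrepancy arises, and a user override that outvotes the voter. The report fields, the table contents and the default active component are assumptions made for this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    """Evaluation/switchover signal emitted by the voter."""
    USE_A = "A"
    USE_B = "B"
    STOP = "stop"  # 1oo2 fallback: halt output rather than pass on a possibly false value


@dataclass(frozen=True)
class StatusReport:
    """Constructed status report of one redundant component (field names are assumptions)."""
    fault_detected: bool  # the component's own fault detection flagged a fault
    recommend_self: bool  # the component's activation recommendation for itself


def plausible_ok(report: StatusReport) -> bool:
    """Plausibility check: a component counts as intact only if it reports no fault
    and its activation recommendation agrees; a detected fault combined with a
    self-recommendation is contradictory and is treated as 'not intact'."""
    return not report.fault_detected and report.recommend_self


# Truth table over (A intact, B intact), consulted whenever the outputs disagree
# or at least one component reports a fault (table contents are an assumption).
DECISION_TABLE = {
    (True, False): Decision.USE_A,   # B faulty: deactivate B selectively, continue on A
    (False, True): Decision.USE_B,   # A faulty: deactivate A selectively, continue on B
    (True, True): Decision.STOP,     # discrepancy but no fault reported: cannot identify culprit
    (False, False): Decision.STOP,   # both report faults: no intact component left
}


def vote(out_a, out_b, rep_a: StatusReport, rep_b: StatusReport,
         active: Decision = Decision.USE_A,
         override: Optional[Decision] = None) -> Decision:
    """1oo2D voter: continuous comparison of outputs plus status-report evaluation."""
    if override is not None:          # a user intervention outvotes the voter decision
        return override
    a_ok, b_ok = plausible_ok(rep_a), plausible_ok(rep_b)
    if out_a == out_b and a_ok and b_ok:
        return active                  # outputs agree, both intact: keep the active component
    return DECISION_TABLE[(a_ok, b_ok)]
```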
According to conventional safety standards (e.g., IEC 61508), components of a safety-critical system must be transferred into a safe state in the event of a fault. The paths via which this safe state is attained must also be checked regularly for “latent” faults. This check, which is to be carried out at the start of an operating cycle, for instance, ensures that these paths are reliably available in the event of a fault. In the previously discussed redundant systems, e.g., in systems having two redundant control devices, the safe state is attained following a switchover to an intact control device via a voter, for instance, because further operation is ensured via the intact control device in this case.
As mentioned, all paths that lead to a corresponding switchover are thus to be checked, usually once per operating cycle, such as during the initialization of a system. A complete test of all paths, however, is time-intensive and complex from the software standpoint, since both components must be synchronized with respect to each other prior to such tests. Furthermore, given a plurality of paths, a switch between the two control devices takes place several times, which causes excessive loading of the corresponding components, which in turn increases the susceptibility to faults.
Therefore, improved options for checking functions of corresponding control systems are required, which are able to be implemented in a simple and reliable manner and which do not have the mentioned disadvantages.