With some automatic control systems, for example autopilots or the automatic control systems of nuclear power plants, the failure of a sensor or of a signal processing computer may have severe consequences. In such cases it is required that the automatic control remain operative even after the failure of one or more components. Inoperativeness after failures of a plurality of components must, at least, be indicated by a failure message. The automatic control system, or some other measuring and signal processing installation, is to be "fault-tolerant".
As far as the failure or an intolerable deterioration of the "hardware" is concerned, this fault tolerance is achieved by providing the sensors and the signal processing computers with multiple redundancy. An appropriate "redundancy management" then ensures that defective components are recognized and excluded from the forming of the measuring signal. In the simplest case, for example, when one and the same measured quantity is measured by three sensors, redundancy management can consist of voting monitoring: if, of the three measured values, two are identical within predetermined tolerances and the third clearly deviates from the mean of the other two, it can be assumed that the third sensor is defective.
Signal processing, however, relies not only on the hardware but also on the "software", i.e. the programming of the signal processing computers. The software, too, can exhibit faults. There is, however, a basic difference between hardware failures and software faults. Hardware failures, i.e. a component becoming inoperative, occur statistically. It cannot be predicted whether or when a component will fail; usually the failure probability is an exponential function of time. By providing components redundantly and managing that redundancy, increased safety can be achieved. Software, by contrast, is not subject to wear. Its faults are latently contained in it from the beginning and become apparent only with certain combinations of input quantities and internal states. Redundancy of software is therefore of no use: if input signals are processed by the same software in three different channels, the faults will appear simultaneously in all three channels.
It is virtually impossible to test software for all imaginable combinations of input signals and internal states. Such a test would require an intolerably long time even with the fastest computers.
In order to recognize software faults in critical systems such as flight controllers and autopilots, according to the prior art, programs for carrying out a particular signal processing task are written several times over by different programmers in different programming languages. The signal processing is then carried out once with a first program, once with a second program and, if necessary, also with a third program. It is improbable that under these circumstances a programming error occurs in all three or more programs at the same time. Such different programs for carrying out the same signal processing are called "dissimilar software". An architecture operating with three or more dissimilar programs is described in the paper by Fischler and Firschein, "A Fault Tolerant Multiprocessor Architecture for Real-Time Control Applications", in "Proceedings of the Annual Symposium on Computer Architecture", University of Florida, Dec. 2 to 11, 1973, New York, pp. 115-157.
This multiple programming is very expensive. This is true in particular if the system is to tolerate a plurality of faults occurring, corresponding, for example, to a safety standard of "fail-operational, fail-operational, fail-safe".
Another solution is to install two sets of dissimilar software in each of a plurality of channels, the pair of software sets being identical from channel to channel. Then only two programs have to be created. In each channel, however, one set of software is monitored by just one second set of software incorporated in that channel. The redundancy of the channels does not yield additional safety, since software faults, as explained above, appear simultaneously in all channels. Thus, as far as the software is concerned, there is, now as before, only a twofold redundancy.
Swiss patent 640,959 and German patent 3,037,150 disclose a data processing system with three channels, wherein input data are processed in three parallel computers in accordance with one and the same program. The computers work on identical data with a relative time shift, i.e. the same program step is carried out by the various computers at different times. After a certain control section, the results are stored temporarily. When all results are available in the intermediate memory, a voting monitoring step eliminates corrupted results. The computing operation thereby continues, even if one result has to wait for the others in the intermediate memory.
This time-shifted operation of the programs permits the elimination of external disturbances. Such an external disturbance, for example a voltage spike, will occur at different program steps in the different programs. If a result is thereby falsified, this can be detected by the voting monitoring. If the programs ran in parallel in time, such an external disturbance could affect all three programs in the same way and would not be recognized by the voting monitoring. If, however, there is a fault in the program, this fault will be made, with time shift, in all three computers on the same input data. The intermediate memory would receive, with time shift, three wrong results. After receipt of the last of these wrong results, they would be identified as "correct" by the voting monitoring step.
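As an added illustration, not part of the patent text, the following Python models the triplex voting monitor described above together with the time-shifted scheme of the two patents: a voltage spike falsifying one channel's result is isolated, while a latent fault in the common program passes the vote in all three channels. The control law, the tolerance of 0.05, the lag of one step per channel and the injected fault are all constructed for the example.

```python
def control_law(x, fault=False):
    """Constructed signal-processing step. With fault=True it carries a latent
    bug that shows only for one input region (x > 0.9), as software faults do."""
    if fault and x > 0.9:
        return 2.0 * x           # wrong result, produced alike by every copy
    return 0.5 * x

def vote(values, tol=0.05):
    """Voting monitor: two results agreeing within tol and the third clearly off
    their mean -> the third channel is suspect. Returns (output, suspect, status)."""
    v = list(values)
    pairs = [(i, j) for i in range(3) for j in range(i + 1, 3)
             if abs(v[i] - v[j]) <= tol]
    if len(pairs) >= 2:                    # all channels consistent: mid-value
        return sorted(v)[1], None, "agree"
    if len(pairs) == 1:
        i, j = pairs[0]
        k = 3 - i - j
        m = (v[i] + v[j]) / 2
        if abs(v[k] - m) > tol:
            return m, k, "isolated"
    # No two channels agree: no majority exists, so a failure message is due.
    return None, None, "fail-message"

def run_time_shifted(inputs, fault=False, spike_at=None):
    """Three computers run the same program on identical inputs with a relative
    time shift (channel k lags k steps). Results collect in an intermediate
    memory and are voted once all three are present. spike_at=(step, channel,
    delta) adds an external disturbance to one channel's result at that step."""
    memory, decisions = {}, {}
    for t in range(len(inputs) + 2):
        for ch in range(3):
            step = t - ch
            if 0 <= step < len(inputs):
                r = control_law(inputs[step], fault)
                if spike_at and spike_at[:2] == (step, ch):
                    r += spike_at[2]       # voltage spike hits this channel only
                memory.setdefault(step, {})[ch] = r
        for step in [s for s, res in memory.items() if len(res) == 3]:
            res = memory.pop(step)
            decisions[step] = vote([res[0], res[1], res[2]])
    return decisions

INPUTS = [0.2, 0.5, 0.95]                  # constructed sample input sequence

if __name__ == "__main__":
    print(run_time_shifted(INPUTS, spike_at=(1, 2, 0.4))[1])   # spike isolated
    print(run_time_shifted(INPUTS, fault=True)[2])             # wrong, "agree"
```

The second run is the case the text warns about: all three wrong results arrive in the intermediate memory and the vote accepts them, so voting alone cannot substitute for dissimilar software.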