An embodiment relates to fault tolerant control systems.
Systems which provide safety functions typically utilize redundant controllers to ensure safety by shutting down functions that have experienced a fault or failure. If a fault is detected, the controller is shut down, or the controller fails silent so that no signals are generated by it, and a secondary controller is reconfigured to become the primary controller.
Some systems try to implement control systems utilizing a fail-operational approach, where additional controllers are used to ensure that safe operation can be continued for a duration of time, such as dual-duplex controllers or a triple modular redundancy approach. In a dual-duplex approach, if a first controller fails and fails silent, a second controller will be activated and all actuators will switch over to rely on requests from the second controller. Unlike software faults, where a fault in one controller would also be present in the duplicate controller, hardware faults (e.g., power supply faults, short-to-ground faults, etc.) are typically independent, and chances are that the secondary controller won't have the same hardware fault that occurred in the primary controller and can properly operate thereafter. In certain operations, maintaining functionality of a controller is critical: the system requires either an instantaneous takeover of the primary controller's responsibilities, or a controller must function for a duration of time until another controller can be reconfigured to take over. As a result, systems utilize multiple controllers as backup controllers. Certain critical functions may need to be replicated on three or more controllers in order for the system to tolerate more than one failure in the same drive/operation/ignition cycle. Scaling a dual-duplex pattern to handle more than one failure may not be a cost-effective approach, given that more than one controller failure may need to be tolerated in the same driving cycle. Therefore, if two controller failures must be tolerated, then four controllers would be required if using a traditional dual-duplex design. Recall that a controller includes either two processors or two cores on which functions are executed independently and simultaneously.
Alternatively, the control system may include one processor and one independent monitoring module. In either case, each controller executes the same function on each of its processors or cores. As a result, if a dual-duplex design is utilized and two controller failures must be tolerated, then three controllers must be utilized, and the same function will be executed simultaneously and independently six times, which results in costly and inefficient consumption of system resources.
For a triple modular redundancy approach, all controllers execute the same function, but this pattern does not scale well. The number of units required to tolerate a given number of failures is 2N+1, where N is the number of failures. Therefore, to handle two failures, five units are required.
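The dual-duplex fail-silent switchover and the triple-modular-redundancy majority vote described above, as an added simulation that is not code from the application. The control law, the fault offsets, the unit and controller names, and the per-core execution count are all constructed for illustration.

```python
from collections import Counter
from typing import Optional, Sequence

def control_law(setpoint: float) -> float:
    """Constructed stand-in for the safety function replicated on every unit."""
    return setpoint * 0.5

class Unit:
    """One processor or core; `fault` is a constructed hardware fault offset."""
    def __init__(self, fault: float = 0.0):
        self.fault = fault
    def compute(self, setpoint: float) -> float:
        return control_law(setpoint) + self.fault

class DuplexController:
    """Two cores run the function independently; any disagreement => fail silent."""
    def __init__(self, name: str, cores: Sequence[Unit]):
        self.name, self.cores, self.silent = name, cores, False
    def request(self, setpoint: float) -> Optional[float]:
        if self.silent:
            return None                     # a failed controller emits nothing
        a, b = (core.compute(setpoint) for core in self.cores)
        if a != b:
            self.silent = True              # fault detected: shut down for good
            return None
        return a

def dual_duplex_cycle(controllers: Sequence[DuplexController], setpoint: float):
    """Actuators follow the first controller that still produces a request."""
    for ctl in controllers:
        out = ctl.request(setpoint)
        if out is not None:
            return ctl.name, out
    return None, None                       # every controller has failed silent

def tmr_cycle(units: Sequence[Unit], setpoint: float) -> Optional[float]:
    """Every unit computes; actuators take the strict-majority value, if any."""
    votes = Counter(u.compute(setpoint) for u in units)
    value, count = votes.most_common(1)[0]
    return value if count > len(units) // 2 else None

def tmr_units_required(failures: int) -> int:
    """The 2N+1 sizing rule quoted in the text."""
    return 2 * failures + 1

def dual_duplex_executions(controllers: int) -> int:
    """Each controller executes the function twice per cycle, once per core."""
    return 2 * controllers
```

Injecting a fault into one core of the active controller makes it fail silent on the next cycle and moves the actuator request to the next controller, while the TMR vote masks one divergent unit out of three but returns no value once two of three disagree.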