An embodiment relates generally to fault control in fail-operational vehicle systems.
Systems which provide safety functions typically utilize redundant controllers so that safe operation can continue for a period of time, long enough for the system to transition to a mode of operation that does not depend on the current state of the failed operational system. Such systems typically utilize dual duplex controllers. If a first controller fails and falls silent, a second controller is activated and all actuators switch over to rely on requests from the second controller. The system continues to function properly if the defect is hardware in nature (e.g., a wiring issue or a pin connection issue), because the second controller does not share that defect. However, if the defect is one that is common to both controllers, such as a software defect, the same runtime error can occur in both controllers. If both controllers then fall silent, no operational control can be carried out in the system, and the system fails to operate.
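The two failure classes described above (a controller-local hardware defect versus a software defect common to both controllers) can be made concrete with a small simulation of dual duplex failover. This is an added example, not code from the original text or from any actual vehicle system; the controller, supervisor and sensor names are assumptions, the control law is constructed to carry a latent divide-by-zero defect, and the sensor traces are constructed.

```python
"""Simulation of dual duplex controller failover under two defect classes.

Added example, not code from the original text. Names are assumptions and
the control law and sensor traces are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Sensors = Dict[str, float]
ControlLaw = Callable[[Sensors], float]


@dataclass
class Controller:
    name: str
    control_law: ControlLaw        # software, possibly shared by both controllers
    hardware_fault: bool = False   # defect local to this controller (e.g. a wiring issue)
    silent: bool = False           # set once the controller stops producing requests

    def request(self, sensors: Sensors) -> Optional[float]:
        """Return an actuator request, or None once the controller has fallen silent."""
        if self.silent:
            return None
        if self.hardware_fault:
            self.silent = True
            return None
        try:
            return self.control_law(sensors)
        except Exception:
            # A runtime error in the control software silences this controller.
            self.silent = True
            return None


def steering_law(sensors: Sensors) -> float:
    """Constructed control law with a latent defect: it divides by vehicle speed,
    so a speed reading of 0.0 raises ZeroDivisionError at runtime."""
    return sensors["yaw_error"] * 10.0 / sensors["speed"]


def run_dual_duplex(primary: Controller, secondary: Controller,
                    sensor_trace: List[Sensors]) -> dict:
    """Drive the system through the trace. Actuators follow the primary until it
    falls silent, then switch to the secondary; if no controller can produce a
    request, the system has lost operational control."""
    active = primary
    requests: List[float] = []
    for step, sensors in enumerate(sensor_trace):
        req = active.request(sensors)
        if req is None and active is primary and not secondary.silent:
            active = secondary          # failover: actuators now rely on the secondary
            req = active.request(sensors)
        if req is None:
            return {"outcome": "loss of control", "failed_at_step": step,
                    "active": None, "requests": requests}
        requests.append(req)
    return {"outcome": "fail-operational", "failed_at_step": None,
            "active": active.name, "requests": requests}


# Constructed sensor traces: NORMAL_TRACE never reports zero speed, while
# DEGRADED_TRACE reports 0.0 at the third step, which triggers the latent defect.
NORMAL_TRACE: List[Sensors] = [
    {"yaw_error": 0.5, "speed": 20.0},
    {"yaw_error": 0.3, "speed": 15.0},
    {"yaw_error": 0.2, "speed": 10.0},
    {"yaw_error": 0.1, "speed": 10.0},
]
DEGRADED_TRACE: List[Sensors] = [
    {"yaw_error": 0.5, "speed": 20.0},
    {"yaw_error": 0.3, "speed": 15.0},
    {"yaw_error": 0.2, "speed": 0.0},
    {"yaw_error": 0.1, "speed": 10.0},
]


def hardware_fault_scenario() -> dict:
    """Primary controller has a local hardware fault; the secondary takes over."""
    return run_dual_duplex(Controller("A", steering_law, hardware_fault=True),
                           Controller("B", steering_law), NORMAL_TRACE)


def common_mode_scenario() -> dict:
    """Both controllers are hardware-healthy but run the same defective software."""
    return run_dual_duplex(Controller("A", steering_law),
                           Controller("B", steering_law), DEGRADED_TRACE)


if __name__ == "__main__":
    print("hardware fault:", hardware_fault_scenario())
    print("common-mode software defect:", common_mode_scenario())
```

In the hardware-fault scenario the primary falls silent on the first step, the actuators switch to the secondary, and the full trace is served. In the common-mode scenario the zero-speed reading silences the primary, the supervisor fails over, the secondary hits the same runtime error on the same input, and the run ends with no operational control; redundancy alone does not cover a defect shared by both controllers.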