An embodiment relates to fault tolerant control systems.
Systems which provide safety functions typically utilize redundant controllers to ensure safety by shutting down functions that have experienced a fault or failure. If a fault is detected, the controller is shut down, or the controller fails silently so that no signals are generated by it, and a secondary controller is reconfigured to become the primary controller.
Some systems attempt to implement fail-operational control systems, such as dual-duplex controllers, in which additional controllers are used to ensure that safe operation can be continued for a duration of time. If a first controller fails and fails silently, then, depending on the system design, a second controller may already be active all the time or may need to be activated. In either case, all actuators switch over to rely on requests from the second controller. A software design fault in one controller would also be present in the duplicate controller and would affect both controllers the same way. Hardware faults (e.g., power supply faults, short-to-ground faults, etc.) are therefore less critical than software faults: they typically occur independently, so the secondary controller will typically not have the same defect and can properly operate thereafter.
Typically, a controller includes either two processors or two cores on which functions are executed independently and simultaneously. As a result, both the primary controller and the secondary controller have the same function executed by two processors or two cores within each controller, so if a dual-duplex design is utilized, the same function is executed independently four times. The results from each controller are compared to determine whether an error is present in one of the controllers. While the dual-duplex design offers additional robustness, redundant operation requires additional resources (e.g., processors, cores), since each function is executed independently twice in each controller. Because redundant operation relies on parallel execution of multiple copies, it requires additional hardware resources and consequently has a cost impact.
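The dual-duplex arrangement described above, modeled as an added example that is not part of the original text: each controller runs the same function on two cores and compares the results, latches fail-silent on a mismatch, and the actuator side then switches over to the secondary controller. The proportional control law, the comparison tolerance and the injected stuck-core fault are constructed stand-ins for whatever a real system would use.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


def control_law(error: float) -> float:
    """Toy proportional control law (constructed; stands in for the real function)."""
    return 2.0 * error


@dataclass
class DuplexController:
    """One controller: two cores run the same function; their results are compared."""
    name: str
    core_a: Callable[[float], float]
    core_b: Callable[[float], float]
    tolerance: float = 1e-9
    failed_silent: bool = False

    def step(self, error: float) -> Optional[float]:
        """Actuator request, or None once the controller has gone fail-silent."""
        if self.failed_silent:
            return None
        a, b = self.core_a(error), self.core_b(error)
        if abs(a - b) > self.tolerance:   # cores disagree: fault detected, latch silent
            self.failed_silent = True
            return None
        return a


def arbitrate(primary: DuplexController, secondary: DuplexController,
              error: float) -> Tuple[str, Optional[float]]:
    """Actuator-side selection: follow the primary until it is silent, then the secondary."""
    req = primary.step(error)
    if req is not None:
        return primary.name, req
    req = secondary.step(error)          # all actuators switch over to the secondary
    if req is not None:
        return secondary.name, req
    return "none", None                  # both silent: no valid request remains


def failover_demo() -> list:
    """Constructed scenario: a hardware fault hits one core of the primary in the third cycle."""
    primary = DuplexController("primary", control_law, control_law)
    secondary = DuplexController("secondary", control_law, control_law)
    log = []
    for cycle, error in enumerate([0.5, 0.5, 0.25]):
        if cycle == 2:
            primary.core_b = lambda _e: 0.0   # constructed fault: core output stuck at zero
        log.append(arbitrate(primary, secondary, error))
    return log
```

Running `failover_demo()` shows the first two cycles served by the primary and the third by the secondary; a common-mode software fault (the same wrong law on all four cores) would pass every comparison undetected, which is the limitation the text notes.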