In critical control applications, the use of redundancy is commonplace for improving the reliability of the system. Various techniques have been developed for reliable operation of redundant channels, including interchannel frame synchronization, voting planes, etc. These techniques are designed to improve the fault detection and isolation (FDI) and fault tolerance capabilities of the system and to guarantee identical operation as well as graceful degradation in the presence of asymmetrical events and transient faults, as long as they are simplex in nature.
Notwithstanding the capabilities of these FDI and fault tolerant techniques, the possibility of degraded or non-identical system operation cannot ever be prevented. The reasons for degradations can be many and include such normal events as temporary loss of power or abnormal events and false alarms such as asymmetrical transients, multiple simultaneous failures and dissimilar information faults. The last of these events is called the "Byzantine General's" problem in which a (sub)system transmits different information to different other subsystems causing divergence and can ultimately lead to catastrophic loss of an otherwise properly functioning, healthy system. (It is evident that if a "Byzantine General" gives conflicting battle plans to his field commanders then he will lose the battle. This is particularly apropos in the context of a redundant channel avionic control system as used in military fighter aircraft.)
The fault tolerant character of the system demands that it be capable of upgrading or "healing" a channel indicating faulty operation which is in fact not truly misoperating but is merely experiencing a transient. It is important to make this upgrade smoothly, i.e., without disturbing the unaffected operating part of the system. Current practice is to reinitialize a channel which is indicating faulty operation. The thinking is that this reinitialization will ultimately lead to convergence of the reinitialized channel with the other channels under the influence of appropriate functional signal stimuli. However, according to the teachings of the present invention, to be fully disclosed below, it can be shown that the reinitialized channel's information data base cannot be guaranteed to be made identical to the system data base in the unaffected channels using this approach. In fact, under appropriate conditions it can diverge sufficiently to give the appearance of a channel failure as detected by an output voting plane.
Thus, it is thought in the art that if the initialization values are derived on line from the upcoming channel's own data base, and the outputs of dynamic functions such as filters computed in one cycle are repeatedly used as back values for the next cycle, the "transients" will eventually die down. However, as pointed out above, this technique cannot guarantee identicality. Similarly, the technique of forcing convergence of the dynamic elements between the affected and unaffected channels also fails to guarantee identicality. Furthermore, such an approach produces limited transients in the unaffected channels and is, therefore, unacceptable.
Another technique, that of initializing the information in all channels to a known state, can produce extremely large transients in the system outputs and must, therefore, also be considered unacceptable.
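The divergence argued above (reinitializing one channel while the others run on) and the large-transient objection to resetting all channels, in an added simulation that is not part of this patent; the lag-plus-integrator dynamic element, the mid-value voting plane, the 0.05 miscompare threshold and all other values are constructed assumptions:

```python
"""Constructed simulation: three redundant channels run the same dynamic
element (a first-order lag feeding an integrator) under an identical command.
Two channel-upgrade strategies are compared against an output voting plane."""

ALPHA, DT = 0.9, 0.01  # lag pole and frame time; constructed values


def channel_step(state, u):
    """One frame of the channel's dynamic function; returns (new_state, output)."""
    lag, integ = state
    lag = ALPHA * lag + (1.0 - ALPHA) * u  # stable element: its transient dies down
    integ = integ + DT * lag               # integrator: its back value never "heals"
    return (lag, integ), integ


def vote(outputs, threshold):
    """Mid-value select plus a per-channel miscompare flag, as a voting plane would."""
    mid = sorted(outputs)[1]
    return mid, [abs(y - mid) > threshold for y in outputs]


def simulate(mode, cycles=2000, event_at=500, threshold=0.05, u=1.0):
    """mode='reinit_one': channel 2 is reinitialized to zero, channels 0 and 1 run on.
    mode='reinit_all': every channel is reset to the known state (0, 0)."""
    states = [(0.0, 0.0)] * 3
    flagged = 0          # frames in which channel 2 miscompares at the voting plane
    worst_jump = 0.0     # largest frame-to-frame jump of the voted system output
    prev_mid = None
    for k in range(cycles):
        if k == event_at:
            if mode == "reinit_one":
                states[2] = (0.0, 0.0)
            elif mode == "reinit_all":
                states = [(0.0, 0.0)] * 3
        outs = []
        for i in range(3):
            states[i], y = channel_step(states[i], u)
            outs.append(y)
        mid, flags = vote(outs, threshold)
        if prev_mid is not None:
            worst_jump = max(worst_jump, abs(mid - prev_mid))
        prev_mid = mid
        flagged += int(flags[2])
    # how far the upgraded channel's data base still is from an unaffected one
    lag_gap = abs(states[2][0] - states[0][0])
    integ_gap = abs(states[2][1] - states[0][1])
    return {"flagged": flagged, "worst_jump": worst_jump,
            "lag_gap": lag_gap, "integ_gap": integ_gap}
```

With `reinit_one` the lag state converges to the unaffected channels but the integrator offset persists, so the voter flags channel 2 on every frame after the event; with `reinit_all` no channel miscompares, but the voted output drops abruptly at the reset.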