With continuing advances in the power and versatility of data processing networks and with improvements in circuit miniaturization, applications of such networks to a variety of data handling and information processing systems have also expanded. Microprocessor-based control systems continue to replace a number of system control functions that were formerly performed manually or through cumbersome mechanical/hydraulic linkage configurations. One environment where weight and space restrictions make microprocessor-based control particularly attractive is an airborne control system (e.g. spacecraft/aircraft avionics, weapons delivery, sensor-response system). Because of the critical nature of a significant number of control functions involved (inherent in the nature of the system being controlled), redundancy (backup availability) and fault diagnostics constitute an essential ingredient in the utility and operational success of such a network as a substitute for mechanical/hydraulic control. Moreover, redundancy itself is usually both quantitatively and qualitatively structured in an effort to provide the sought-after fail-safe capability of the system.
For example, in a spacecraft environment, which is extremely remote from any ground service/maintenance facility, high (triple or greater) redundancy is commonly employed to ensure continuous system operation. In non-spacecraft airborne vehicles, a hybrid redundancy approach, where a prime electrical flight control network is augmented by a mechanical/hydraulic link, or vice versa, may be employed.
In a multi-processor redundancy system, fault testing and redundancy management have often incorporated a voting scheme for failure detection and/or selection of which redundant system is to be placed on-line. In a high redundancy network, voting among master controllers, for example, is capable of detecting a failure, i.e. a mismatch among the master controllers, and typically follows an odd-man-out rule to identify and exclude a faulty controller. The penalty for such an approach is the considerable cost and hardware (added weight and space) which must be borne by the network. In a dual redundancy network, on the other hand, such a voting technique can only detect a failure; it cannot identify which controller is the faulty unit, so reconfiguration of the network cannot occur. As a result, voting cannot be relied upon as a primary fault tolerance mechanism in a dual redundancy network. A second problem with conventional redundancy management systems is the cascading of faults, i.e. a single fault may cause faults in two or more units due to the coupling introduced by the redundancy management equipment.
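The distinction drawn above, between a voter that merely detects a mismatch and one that can name the odd man out, is easy to see in code. The following voter is an added illustration written for this page, not part of the patent text or any described system: it assumes each redundant controller produces a single scalar command, groups controllers whose outputs agree within an assumed tolerance, and only excludes a controller when a strict majority disagrees with it. With two controllers a mismatch is reported but no unit is identified; with three or more, a lone dissenter is identified and the majority value is selected; an even split or three-way disagreement is detected but left unresolved rather than guessed at.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass
class VoteResult:
    fault_detected: bool      # True if any two controllers disagree
    faulty: List[int]         # indices identified as faulty (empty if not identifiable)
    resolved: bool            # True if a trusted value could be placed on-line
    selected: Optional[float] # the selected command, if resolved


def vote(outputs: Sequence[float], tolerance: float = 0.0) -> VoteResult:
    """Majority (odd-man-out) voter over redundant controller outputs.

    `outputs[i]` is the command from controller i. Two outputs agree when
    they differ by at most `tolerance` (assumed here to model analog
    command channels; exact-match voting is tolerance=0.0).
    """
    n = len(outputs)
    if n == 0:
        raise ValueError("no controller outputs to vote on")

    # Build agreement groups: each controller joins the first group whose
    # representative (first member) it agrees with, else starts a new group.
    groups: List[List[int]] = []
    for i, value in enumerate(outputs):
        for group in groups:
            if abs(outputs[group[0]] - value) <= tolerance:
                group.append(i)
                break
        else:
            groups.append([i])

    # All controllers agree: nothing to report, any output may go on-line.
    if len(groups) == 1:
        return VoteResult(False, [], True, outputs[0])

    # Dual redundancy: the mismatch is visible, but with only two voters
    # there is no majority to say which one is wrong.
    if n == 2:
        return VoteResult(True, [], False, None)

    # Three or more: exclude the minority only if a strict majority exists.
    largest = max(groups, key=len)
    if 2 * len(largest) > n:
        faulty = sorted(i for i in range(n) if i not in largest)
        return VoteResult(True, faulty, True, outputs[largest[0]])

    # Even split or many-way disagreement: detected, but not identifiable.
    return VoteResult(True, [], False, None)


if __name__ == "__main__":
    # Constructed sample inputs (not from any real flight control system).
    print(vote([1.0, 1.0, 1.0]))                 # healthy triplex
    print(vote([1.0, 1.2]))                      # duplex mismatch: detected only
    print(vote([1.0, 1.0, 3.0]))                 # triplex: controller 2 is odd man out
    print(vote([0.50, 0.51, 0.90, 0.505], 0.02)) # quad with tolerance: controller 2 excluded
    print(vote([1.0, 2.0, 3.0]))                 # three-way split: unresolved
```

Note that the voter itself is a coupling point: every controller's output passes through it, so a defect in the voter (or in the comparison tolerance) can turn one channel's fault into a wrong exclusion of a healthy channel, which is the cascading-fault concern the passage raises.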