Abstract

Safety-related applications usually demand the provision of redundant resources within the system and some method of reconfiguration when a failure is detected. One problem with such an approach is that it has proved very difficult to adequately design, implement and test this reconfigurability. A dynamic system architecture is described which obviates some of these difficulties. This architecture takes advantage of the fact that the processing associated with any set of inputs, at any instant of time, is of finite duration. By arranging for sufficient parallel redundancy to be available so that the system is not compromised by a single process instance failure, system error recovery becomes almost trivial: there is no need to recover the single instance failure (because of the available redundancy), and future processing will be initiated by normal process initiation. Little error-recovery-specific procedure is necessary other than producing an effective fail-stop processor. The efficient implementation of such a system depends crucially on a number of issues. These include a novel, fully distributed scheduling procedure and the topology and functionality of the underlying communication system. The implications of such an architecture for overall system safety include the effects and benefits of software diversity and the possibility of producing systems which are, to some extent, proof against their own design errors.
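The following simulation is an added illustration of the recovery argument in the abstract; it is not code from the paper. It assumes a simple specification (a checksum over a list of integers, constructed here), three diverse implementations of it, a fail-stop model in which a failed instance produces no output at all, and a majority vote with a quorum of two as the combining rule. Each processing cycle starts fresh instances of every variant, so a failure in one cycle is never "recovered": it is outvoted in that cycle and simply absent from the next.

```python
"""Constructed simulation of per-cycle redundancy with fail-stop instances."""
from collections import Counter
from functools import reduce
from typing import Callable, Dict, List, Optional, Sequence, Set

Variant = Callable[[Sequence[int]], int]


# Diverse implementations of one specification (assumption: checksum mod 256).
# Same contract, different code, so a design error in one variant is not
# replicated across all instances.
def checksum_loop(xs: Sequence[int]) -> int:
    total = 0
    for x in xs:
        total = (total + x) % 256
    return total


def checksum_builtin(xs: Sequence[int]) -> int:
    return sum(xs) % 256


def checksum_reduce(xs: Sequence[int]) -> int:
    return reduce(lambda a, b: (a + b) % 256, xs, 0)


# Constructed variant with a design error: it forgets the modulus, so it
# disagrees with the others whenever the sum exceeds 255.
def checksum_buggy(xs: Sequence[int]) -> int:
    return sum(xs)


VARIANTS: List[Variant] = [checksum_loop, checksum_builtin, checksum_reduce]


def run_cycle(inp: Sequence[int], variants: Sequence[Variant],
              failed: Set[int], quorum: int) -> Optional[int]:
    """Run one cycle: a fresh instance per variant, fail-stop modelled as None."""
    outputs = [None if i in failed else fn(inp) for i, fn in enumerate(variants)]
    survivors = [o for o in outputs if o is not None]
    if len(survivors) < quorum:
        return None  # redundancy exhausted this cycle: fail safe, emit nothing
    value, votes = Counter(survivors).most_common(1)[0]
    # A value that is not agreed by a quorum is not trusted either.
    return value if votes >= quorum else None


def simulate(inputs: Sequence[Sequence[int]], failures: Dict[int, Set[int]],
             variants: Sequence[Variant] = VARIANTS, quorum: int = 2) -> List[Optional[int]]:
    """Process each input set in its own cycle.

    `failures` maps cycle number -> set of instance indices that fail-stop in
    that cycle. Note that nothing is carried between cycles: there is no
    reconfiguration step and no recovery of the failed instance, exactly as
    the abstract describes.
    """
    results = []
    for cycle, inp in enumerate(inputs):
        results.append(run_cycle(inp, variants, failures.get(cycle, set()), quorum))
    return results


if __name__ == "__main__":
    # Cycle 1 loses instance 0; cycle 2 is computed by fresh instances of all three.
    print(simulate([[1, 2, 3], [4, 5, 6], [250, 10]], {1: {0}}))
    # Two of three instances fail in the same cycle: the system withholds output.
    print(simulate([[1, 2, 3]], {0: {0, 2}}))
    # Design-diverse voting outvotes the buggy variant on an overflowing input.
    print(simulate([[250, 10]], {}, VARIANTS + [checksum_buggy]))
```

The interesting property is what the code does not contain: there is no branch that detects the failed instance and reconfigures the remaining ones. The only failure-handling logic is the fail-stop convention (an instance either produces a correct value or nothing) plus the quorum check that refuses to emit a value when too little redundancy survived the cycle.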
