Abstract

This paper presents a fault-tolerant control system built using a novel redundancy scheme and draws a comparison with a traditional solution by means of both qualitative and quantitative analysis. Each system comprises three interconnected electronic control units (ECUs) and two redundant actuators. The position of the attached mechanics is measured by redundant position sensors, thus closing the control loop. In case of an error (detected by observing rotational sensors), actuators may be passivated by retracting the power supply via associated output stages.

While the traditional system under investigation is built rather conservatively, with a high degree of redundancy (overall, 14 components are used), the novel approach requires only 11 components and no crosswise wiring at all. In the novel design, encrypted communication channels convert all Byzantine faults into crash faults. It will be shown that such a system has no single point of failure, i.e. at least two components must fail to induce a system failure. Another advantage of the novel system is that one of the three redundant ECUs has the bus system as its only physical connection: it is not directly connected to any sensor or actuator. Consequently, this device does not need to be placed near the mechanical components which it controls, but may be located anywhere in the network (nevertheless, it is still needed for the sake of fault tolerance). Therefore, we use the term “remote redundancy” to describe the design principle of such a system. In larger control systems, the mentioned ECU does not even need to be implemented in hardware. Instead, its software may run on any node possibly already existing in the control network.

For an elaborate comparison of the two systems, we have conducted a quantitative reliability analysis. We used so-called information flow diagrams (IFDs) to describe the complex interactions between the individual components of the system.
From an IFD, a fault tree can be created automatically. Using the tool OpenFTA, we have generated the minimal cut sets of those fault trees and calculated the reliability for both systems. Component unreliabilities were estimated using the US Military Handbook 217F. The results show that in terms of reliability, the system using remote redundancy is nearly as good as the conservative system, although the amount of resources it requires is significantly less.
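The abstract states that the novel design uses encrypted communication channels to convert Byzantine faults into crash faults. The mechanism behind that claim is that a receiver which can cryptographically verify every frame never has to act on a corrupted, forged or replayed value: it simply discards the frame, which is indistinguishable from the sender having said nothing, i.e. from a crash or omission. The following is an added example that is not from the paper: it uses an HMAC-SHA256 message authentication code over a sequence number and a position value as a stand-in for the paper's encrypted channel (the paper does not specify the primitive), and the frame layout, key, crash threshold and the scenario values are all constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real system would provision one key per channel pair.
KEY = b"constructed-demo-key-not-from-the-paper"

FRAME_LEN = 4 + 4 + 32  # seq (uint32) | position (int32) | HMAC-SHA256 tag


def build_frame(key: bytes, seq: int, position: int) -> bytes:
    """Sender side: authenticate (seq, position) so the receiver can verify it."""
    body = struct.pack(">Ii", seq, position)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class Receiver:
    """Receiver side: any frame that fails verification is treated as an omission,
    exactly as if the sender had crashed and sent nothing."""

    def __init__(self, key: bytes, crash_after: int):
        self.key = key
        self.crash_after = crash_after  # consecutive omissions before sender is declared dead
        self.last_seq = -1
        self.missed = 0
        self.sender_failed = False

    def receive(self, frame):
        """Returns ('accept', position) or ('omit', reason)."""
        if frame is None or len(frame) != FRAME_LEN:
            return self._omit("no frame")  # silence or truncated frame
        body, tag = frame[:8], frame[8:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return self._omit("bad tag")  # corrupted or forged content
        seq, position = struct.unpack(">Ii", body)
        if seq <= self.last_seq:
            return self._omit("replay")  # old frame presented again
        self.last_seq = seq
        self.missed = 0
        return ("accept", position)

    def _omit(self, reason: str):
        self.missed += 1
        if self.missed >= self.crash_after:
            self.sender_failed = True  # Byzantine behaviour has collapsed into a crash fault
        return ("omit", reason)


def run_scenario():
    """Constructed sequence: one honest frame, one tampered frame, one replay, one silence."""
    rx = Receiver(KEY, crash_after=3)
    honest = build_frame(KEY, 1, 100)
    tampered = build_frame(KEY, 2, 100)
    # A faulty node alters the position to 900 but cannot recompute the tag.
    tampered = tampered[:4] + struct.pack(">i", 900) + tampered[8:]
    outcomes = [
        rx.receive(honest),
        rx.receive(tampered),
        rx.receive(honest),  # replayed frame with seq 1
        rx.receive(None),    # sender silent this round
    ]
    return outcomes, rx.sender_failed


if __name__ == "__main__":
    results, failed = run_scenario()
    for r in results:
        print(r)
    print("sender declared failed:", failed)
```

Note that the receiver never branches on the bad value itself: the three distinct misbehaviours (tampering, replay, silence) all collapse into the same omission path, which is what lets the rest of the system reason only about crash faults.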
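The quantitative analysis described above rests on two steps: derive the minimal cut sets of a fault tree (the smallest sets of component failures that cause the top event) and combine component unreliabilities into a system unreliability. The block below is an added example, not the paper's IFD-derived fault tree or its OpenFTA output; it builds a small constructed tree for a system of two redundant actuators, two redundant sensors and three ECUs with majority voting, enumerates its minimal cut sets by brute force, checks the "no single point of failure" property (every minimal cut set has at least two members), and compares the rare-event approximation (sum of cut-set probabilities) with the exact probability. The per-component unreliabilities are placeholder values, not figures from MIL-HDBK-217F.

```python
from itertools import combinations, product

# Fault tree representation: a leaf is a basic event name (component failure);
# a gate is a tuple ("AND" | "OR", child, child, ...).


def two_of_three(a, b, c):
    """Majority-voted triple fails when any two of its members fail."""
    return ("OR", ("AND", a, b), ("AND", a, c), ("AND", b, c))


# Constructed top event: system failure (not the paper's tree).
TOP = ("OR",
       ("AND", "A1", "A2"),             # both redundant actuators lost
       ("AND", "S1", "S2"),             # both redundant position sensors lost
       two_of_three("E1", "E2", "E3"))  # majority of ECUs down

# Constructed per-mission failure probabilities (placeholders, not MIL-HDBK-217F values).
UNRELIABILITY = {"A1": 1e-3, "A2": 1e-3, "S1": 2e-3, "S2": 2e-3,
                 "E1": 5e-3, "E2": 5e-3, "E3": 5e-3}


def basic_events(tree):
    """All leaf (basic event) names under a tree."""
    if isinstance(tree, str):
        return {tree}
    return set().union(*(basic_events(c) for c in tree[1:]))


def evaluate(tree, failed):
    """True if the top event occurs when exactly the events in `failed` have occurred."""
    if isinstance(tree, str):
        return tree in failed
    gate, children = tree[0], tree[1:]
    results = [evaluate(c, failed) for c in children]
    return all(results) if gate == "AND" else any(results)


def minimal_cut_sets(tree):
    """Enumerate subsets by increasing size; a subset that triggers the top event
    and contains no smaller cut set already found is a minimal cut set."""
    events = sorted(basic_events(tree))
    cuts = []
    for k in range(1, len(events) + 1):
        for combo in combinations(events, k):
            s = frozenset(combo)
            if any(c <= s for c in cuts):
                continue  # superset of a known cut set: not minimal
            if evaluate(tree, s):
                cuts.append(s)
    return cuts


def has_single_point_of_failure(cuts):
    """A cut set of size one is a component whose failure alone brings the system down."""
    return any(len(c) == 1 for c in cuts)


def rare_event_unreliability(cuts, q):
    """Sum of cut-set probabilities: an upper bound on the top-event probability."""
    total = 0.0
    for c in cuts:
        p = 1.0
        for e in c:
            p *= q[e]
        total += p
    return total


def exact_unreliability(tree, q):
    """Exact top-event probability by summing over all component states (independent failures)."""
    events = sorted(basic_events(tree))
    total = 0.0
    for states in product([False, True], repeat=len(events)):
        failed = {e for e, f in zip(events, states) if f}
        if evaluate(tree, failed):
            p = 1.0
            for e, f in zip(events, states):
                p *= q[e] if f else 1.0 - q[e]
            total += p
    return total


if __name__ == "__main__":
    cuts = minimal_cut_sets(TOP)
    print("minimal cut sets:", [sorted(c) for c in cuts])
    print("single point of failure:", has_single_point_of_failure(cuts))
    print("rare-event approximation:", rare_event_unreliability(cuts, UNRELIABILITY))
    print("exact unreliability:     ", exact_unreliability(TOP, UNRELIABILITY))
```

Exhaustive enumeration is fine for a handful of components; a tool such as OpenFTA uses algebraic methods to reach the same cut sets for trees too large to enumerate. The rare-event figure is always at or above the exact value (Boole's inequality), so it is the conservative number to quote.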
