SafeRTOS Usage Scenario #3
Multiple Redundant System with SafeXchange™ of Data
Higher criticality applications
This is the usage scenario that provides the highest level of fault detection. It provides spatial and temporal separation, and a platform for control, sensing and processing.
The application is split across two or more microcontrollers that exchange data using a robust protocol with determinable fault detection.
Why Use SafeRTOS in this Scenario?
This scheme can be architected in a number of different ways, with the optimal solution depending on the problem domain. Below is a non-exhaustive list of examples chosen to demonstrate the diversity of options:
Isolate all the safety critical code onto a single microcontroller, thereby minimising the amount of code that has to be developed to the highest (and also most lengthy and costly) safety standards.
Execute the entire application on a single microcontroller, with a second microcontroller replicating, monitoring and/or comparing inputs and outputs that have a direct safety impact.
Execute the entire application on both microcontrollers simultaneously, using separate (redundant) sensor inputs. In this architecture, one microcontroller can generate the control outputs, and the other can monitor the generated control outputs.
Extend the previous example by executing different implementations of the entire application on both microcontrollers simultaneously. This adds software implementation redundancy to the already present sensor and actuator redundancy.
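As an added illustration of the last two architectures (one microcontroller generating control outputs, the other monitoring them over an exchange channel with determinable fault detection), here is a C sketch written for this page; it is not SafeXchange or SafeRTOS code. The 6-byte frame layout, the CRC choice, the check ordering and the tolerance values are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed wire format for one exchange frame (an assumption for this
 * example, not SafeXchange's real format), 6 bytes, big-endian:
 *   [0] seq  [1] chan (1 = control MCU, 2 = monitor MCU)
 *   [2..3] commanded output (int16)  [4..5] CRC-16/CCITT-FALSE over [0..3] */
#define XFRAME_LEN 6

typedef enum { XC_OK = 0, XC_BAD_CRC, XC_SEQ_GAP, XC_STALE, XC_DIVERGED } xc_status_t;

/* CRC-16/CCITT-FALSE: poly 0x1021, init 0xFFFF, no reflection, no final XOR. */
uint16_t crc16_ccitt(const uint8_t *data, size_t len) {
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)((uint16_t)data[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000u) ? (uint16_t)((crc << 1) ^ 0x1021u) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Control MCU side: serialise one frame and append the CRC. */
void xframe_encode(uint8_t seq, uint8_t chan, int16_t output, uint8_t out[XFRAME_LEN]) {
    out[0] = seq;
    out[1] = chan;
    out[2] = (uint8_t)((uint16_t)output >> 8);
    out[3] = (uint8_t)((uint16_t)output & 0xFFu);
    uint16_t crc = crc16_ccitt(out, 4);
    out[4] = (uint8_t)(crc >> 8);
    out[5] = (uint8_t)(crc & 0xFFu);
}

/* Monitor MCU side: validate integrity (CRC), sequencing (lost or replayed
 * frame), timeliness (temporal check) and finally agreement with this
 * channel's own independently computed output. A corrupt or late frame is
 * reported as such, never misread as a value disagreement. */
xc_status_t xframe_check(const uint8_t in[XFRAME_LEN], uint8_t expected_seq,
                         uint32_t age_ms, uint32_t max_age_ms,
                         int16_t own_output, int16_t tolerance) {
    uint16_t rx_crc = (uint16_t)(((uint16_t)in[4] << 8) | in[5]);
    if (crc16_ccitt(in, 4) != rx_crc) return XC_BAD_CRC;
    if (in[0] != expected_seq) return XC_SEQ_GAP;
    if (age_ms > max_age_ms) return XC_STALE;
    int16_t peer_output = (int16_t)(((uint16_t)in[2] << 8) | in[3]);
    if (abs((int)peer_output - (int)own_output) > tolerance) return XC_DIVERGED;
    return XC_OK;
}
```

Any non-OK status is the point at which the monitor would drive its own safe-state output rather than trusting the control channel.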