Multiple Redundant System with SafeXchangeTM of Data
Higher criticality applications
This is the usage scenario that provides the highest level of fault
detection. It provides spatial and temporal separation,
and a platform for control, sensing and processing.
The application is split across two or more microcontrollers that
exchange data using a robust protocol with determinable fault
Why Use SafeRTOS in this Scenario?
This scheme can be architected in a number of different ways, with the
optimal solution depending on the problem domain. Below is a non-exhaustive
list of examples chosen to demonstrate the diversity of options:
Isolate all the safety-critical code onto a single microcontroller,
thereby minimising the amount of code that has to be developed
to the highest (and also most lengthy and costly) safety standards.
Execute the entire application on a single microcontroller, with
a second microcontroller replicating, monitoring and/or comparing
inputs and outputs that have a direct safety impact.
Execute the entire application on both microcontrollers simultaneously,
using separate (redundant) sensor inputs. In this architecture, one
microcontroller can generate the control outputs, and the other can monitor
the generated control outputs.
Extend the previous example by executing different implementations
of the entire application on both microcontrollers simultaneously.
This adds software implementation redundancy to the already
present sensor and actuator redundancy.
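The options above all rest on the same two mechanisms: a data exchange between the microcontrollers whose faults (corruption, lost or replayed frames, late delivery) can be detected deterministically, and a monitor channel that compares the main channel's control output against its own. The following is an added example, not SafeRTOS or SafeXchange code (the page does not describe the real protocol's frame layout), that shows one way to build such a check in C. The frame fields, the CRC-16/CCITT choice, the deadline and the comparison tolerance are all assumptions made for the illustration.

```c
/* Added example (not SafeRTOS / SafeXchange code): a minimal fault-detecting
 * exchange frame built on the main microcontroller and verified on the
 * monitor microcontroller. Layout, CRC, deadline and tolerance are assumed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Each fault class maps to one distinct cause, so the monitor can react
 * differently (e.g. tolerate one late frame, but never a CRC failure). */
typedef enum {
    XCHG_OK = 0,
    XCHG_FAULT_CRC,       /* frame corrupted in transit */
    XCHG_FAULT_SEQUENCE,  /* lost, duplicated or replayed frame */
    XCHG_FAULT_STALE,     /* frame older than the agreed deadline */
    XCHG_FAULT_MISMATCH   /* main and monitor disagree on the output */
} xchg_status_t;

/* One exchange frame: sequence counter, sender time stamp, control output, CRC. */
typedef struct {
    uint16_t seq;
    uint32_t tick_ms;   /* sender's time base when the frame was built */
    int32_t  output;    /* control output in constructed fixed-point units */
    uint16_t crc;       /* CRC-16/CCITT over the packed form of the fields above */
} xchg_frame_t;

#define XCHG_PAYLOAD_LEN 10   /* 2 (seq) + 4 (tick_ms) + 4 (output) bytes */

/* Pack the protected fields little-endian so the CRC is independent of
 * struct padding and host byte order. */
static void xchg_pack(const xchg_frame_t *f, uint8_t out[XCHG_PAYLOAD_LEN]) {
    out[0] = (uint8_t)f->seq;
    out[1] = (uint8_t)(f->seq >> 8);
    for (int i = 0; i < 4; i++) out[2 + i] = (uint8_t)(f->tick_ms >> (8 * i));
    uint32_t o = (uint32_t)f->output;
    for (int i = 0; i < 4; i++) out[6 + i] = (uint8_t)(o >> (8 * i));
}

/* CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), bitwise for clarity. */
uint16_t xchg_crc16(const uint8_t *data, size_t len) {
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)((uint16_t)data[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021)
                                 : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Main-side: build a frame carrying this cycle's control output. */
xchg_frame_t xchg_build(uint16_t seq, uint32_t now_ms, int32_t output) {
    xchg_frame_t f = { seq, now_ms, output, 0 };
    uint8_t buf[XCHG_PAYLOAD_LEN];
    xchg_pack(&f, buf);
    f.crc = xchg_crc16(buf, XCHG_PAYLOAD_LEN);
    return f;
}

/* Monitor-side state: next expected sequence number plus the agreed limits. */
typedef struct {
    uint16_t expected_seq;
    uint32_t deadline_ms;   /* maximum accepted age of a frame */
    int32_t  tolerance;     /* maximum accepted |main - monitor| difference */
} xchg_monitor_t;

/* Monitor-side: verify a received frame against the locally computed output.
 * Checks run in order of severity; the first failure is reported. */
xchg_status_t xchg_check(xchg_monitor_t *m, const xchg_frame_t *f,
                         uint32_t now_ms, int32_t local_output) {
    uint8_t buf[XCHG_PAYLOAD_LEN];
    xchg_pack(f, buf);
    if (xchg_crc16(buf, XCHG_PAYLOAD_LEN) != f->crc) return XCHG_FAULT_CRC;
    if (f->seq != m->expected_seq) return XCHG_FAULT_SEQUENCE;
    m->expected_seq++;   /* each sequence number is accepted exactly once */
    if ((uint32_t)(now_ms - f->tick_ms) > m->deadline_ms) return XCHG_FAULT_STALE;
    int64_t diff = (int64_t)f->output - (int64_t)local_output;
    if (diff > m->tolerance || diff < -(int64_t)m->tolerance) return XCHG_FAULT_MISMATCH;
    return XCHG_OK;
}

int main(void) {
    /* Constructed scenario: one good frame, then a replay of the same frame. */
    xchg_monitor_t mon = { 1, 10, 5 };
    xchg_frame_t f = xchg_build(1, 1000, 500);
    printf("first frame:  status %d\n", xchg_check(&mon, &f, 1004, 498));  /* 0 = OK */
    printf("replayed:     status %d\n", xchg_check(&mon, &f, 1005, 498));  /* 2 = SEQUENCE */
    return 0;
}
```

The monitor advances its expected sequence number only after the CRC and sequence checks pass, so a corrupted frame does not consume a slot and a replayed or duplicated frame is always caught; the deadline check uses unsigned subtraction so it remains correct across tick wraparound.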
This usage scenario provides an alternative to using a large and complex
separation kernel on a single processor. Separation kernels are a well
understood, trusted, and appropriate solution for many problem domains.
They will, however, result in a suboptimal design if they are used unnecessarily.
This is because large separation kernels are themselves more complex,
and require the use of more complex, expensive and power-hungry processors,
increasing both your development and recurring costs.