Definition and Empirical Evaluation of Voters for Redundant Smart Sensor Systems Definición y Evaluación Empírica de Algoritmos de Voteo para Sistemas Redundantes de Sensado Inteligente

Abstract This study is the first attempt for integration voting algorithms with fault diagnosis devices. Voting algorithms are used to arbitrate between the results of redundant modules in fault-tolerant systems. Smart sensors are used for FDI (Fault Detection and Isolation) purposes by means of their built in intelligence. Integration of fault masking and FDI strategies is necessary in the construction of ultra-available/safe systems with on-line fault detection capability. This article introduces a range of novel software voting algorithms which adjudicate among the results of redundant smart sensors in a Triple Modular Redundant (TMR) system. Techniques to integrate replicated smart sensors and fault masking approach are discussed, and a classification of hybrid voters is provided based on result and confidence values, which affect the metrics of availability and safety.Thus, voters are classified into four groups: Independent-diagnostic safety-optimised voters, Integrated-diagnostic safety-optimised voters, Independent-diagnostic availability-optimised voters and Integrated-diagnostic availability-optimised voters. The properties of each category are explained and sample versions of each class as well as their possible application areas are discussed. Keywords: Ultra-Available System, Smart Sensor, Fault Masking, Triple Modular Redundancy. Resumen Este estudio es una primer aproximación para la integración de algoritmos de voteo con dispositivos de diagnóstico de fallas. Los algoritmos de voteo son usados para arbitrar entre los resultados de elementos redundantes en sistemas tolerantes a fallas. Los sensores inteligentes son usados para propositos de detección y separación de fallas (FDI) dada la capacidad su capacidad de inteligencia construida. La integración de enmascaramiento de fallas y las estrategias de FDI is necesaria en la construcción de sistemas altamente disponibles y seguros con la capacidad de detección de fallas en línea. Este artículo introduce un rango de algoritmos de voteo los cuales adjudican un resultado entre los resultados generados por los sensores inteligentes en un módulo de redundancia triple. Las técnicas para integrar los sensores inteligentes replicados y la aproximación de enmascaramiento de fallas son revisadas en este artículo. Una clasificación de algoritmos de voteo híbrido es provista con base en el resultado y los valores de confianza los cuales afectan las métricas de disponibilidad y seguridad de estos algoritmos. De hecho los algoritmos de voteo son clasificados en cuatro grupos: Diagnóstico-Independiente con seguridad-optimizada, Diagnóstico-Integrado con seguridad-optimizada, Diagnóstico-Independiente con disponibilidad-opitimizada y Diagnóstico-Integrado con disponibilidad-optimizada. Las propiedades de cada categoria son revisadas asi como muestras de sus implementaciones son discutidas

Towards a Metric for the Assessment of Safety Critical Control Systems

There is a need for better integration of the fault tolerant and the control designs for safety critical systems such as aircraft. The dependability of current designs is assessed primarily with measures of the interconnection of fault tolerant components: the reliability function and the mean time to failure. These measures do not directly take into account the interaction of the fault tolerant components with the dynamics of the aircraft. In this paper, a first step to better integrate these designs is made. It is based on the observation that unstable systems are intrinsically unreliable and that a necessary condition for reliability is the existence of a stabilizing control law that depends on the interconnection of the working fault tolerant components. Since operation of a fault tolerant interconnection of digital computers in a harsh environment can result in transient errors, a methodology to analyze the mean square stability of the fault tolerant closed-loop system is presented. A definition for mean square stabilizability is then used to introduce the new dynamical system reliability concept. An example illustrates the effect on mean square stability of several fault tolerant design choices and illustrates possible dynamical system reliability plot

A fuzzy voting scheme for hardware and software fault tolerant systems

Voting algorithms are used to arbitrate between the results of redundant modules in fault-tolerant systems. Inexact majority and weighted average voters have been used in many applications, although both have problems associated with them. Inexact majority voters require an application- specific 'voter threshold' value to be specified, whereas weighted average voters are unable to produce a benign output when no agreement exists between the voter inputs. Neither voter type is able to cope with uncertainties associated with the voter inputs. This paper introduces a novel voting scheme based on fuzzy set theory. It softens the harsh behaviour of the inexact majority voter in the neighbourhood of the 'voter threshold', and handles uncertainty and some multiple error cases in the region defined by the fuzzy input variables. The voter assigns a fuzzy difference value to each pair of voter inputs based on their numerical distance. A set of fuzzy rules then determines a single fuzzy agreeability value for each individual input which describes how well it matches the other inputs. The agreeability of each voter input is then defuzzified to give a weighting value for that input which determines its contribution to the voter output. The weight values are then used in the weighted average algorithm for calculating the voter final output. The voter is experimentally evaluated from the point of view safety and availability, and compared with the inexact majority voter in a Triple Modular Redundant structured framework. The impact of changing some fuzzy variables on the performance of the voter is also investigated. We show that the fuzzy voter gives more correct outputs (higher availability) than the inexact majority voter with small and large errors, less incorrect outputs (higher safety) than the inexact majority voter in the presence of small errors, and less benign outputs than the inexact majority voter. The percentage of the benign outputs of the majority voter that are successfully handled by the fuzzy voter (resulting in correct outputs) is more than the percentage of those that are unsuccessfully resolved by the fuzzy voter (resulting in incorrect outputs). Our results suggest that the fuzzy voter is a viable alternative to a traditional inexact voter in cases where the benefits of a large increase in availability, and a considerable decrease in the number of benign outputs outweighs the cost of a small degradation in the safety performance of the system. The fuzzy voter is also a useful voting algorithm when arbitrating between the responses of dynamic channels of control systems incorporating uncertainties. This is the first reported use of a complete fuzzy voter in the context of fault tolerance. (C) 2004 Elsevier B.V. All rights reserved

A taxonomy for software voting algorithms used in safety-critical systems

Voting algorithms are used to provide an error masking capability in a wide range of highly dependable commercial & research applications. These applications include N-Modular Redundant hardware systems and diversely designed software systems based on N-Version Programming. The most sophisticated & complex algorithms can even tolerate malicious (or Byzantine) subsystem errors. The algorithms can be implemented in hardware or software depending on the characteristics of the application, and the type of voter selected. Many voting algorithms have been defined in the literature, each with particular strengths and weaknesses. Having surveyed more than 70 references from the literature, a functional classification is used in this paper to provide taxonomy of those voting algorithms used in safety-critical applications. We classify voters into three categories: generic, hybrid, and purpose-built voters. Selected algorithms of each category are described, for illustrative purposes, and application areas proposed. Approaches to the comparison of algorithm behavior are also surveyed. These approaches compare the acceptability of voter behavior based on either statistical considerations (e.g., number of successes, number of benign or catastrophic results), or probabilistic computations (e.g., probability of choosing correct value in each voting cycle or average mean square error) during q voting cycles

Multiple error filtering in cyclic systems

Voting algorithms are used to arbitrate between the variant results in fault-tolerant systems. Traditional voters produce incorrect outputs in multiple error conditions. This paper introduces a class of voters, called predictor voters, which can resolve some multiple error conditions. These voters use analysis of a sequence of results in cyclic systems to select the most likely correct variant result as the voter output. Large discontinuities between successive results in cyclic systems are indicative of faults. The voting algorithms have the effect of filtering discontinuities to improve availability. Three different versions of predictor voters are described. Fault-injection simulation tests are used to investigate their safety and availability performance in triple error scenarios. Experimental results show that predictor voters give safety behaviour between majority and median voters. Predictor voters with order three and above give higher availability than the median voter. Predictor voters are suitable for use in systems in which some incorrect outputs can be tolerated in order to maintain functionality over a long period of time

Smoothing voter: A novel voting algorithm for handling multiple errors in fault-tolerant control systems

Voting algorithms are used to arbitrate between variant results in a wide range of highly dependable real-time control applications. These applications include N-Modular Redundant hardware systems and diversely designed software systems based on N-Version Programming. The most sophisticated and complex voting algorithms can even tolerate malicious (or Byzantine) variant errors. Voting algorithms can be implemented in either hardware or software depending on the characteristics of the application and the type of voter selected. The behaviour of voting algorithms in multiple error scenarios is considered in this article. Complete disagreement is defined as those cases where no two variant results are the same. A novel algorithm for real-time control applications, the smoothing voter, is introduced and its behaviour compared with three previously published voters. Software implemented error-injection tests, reported here, show that the smoothing voter achieves a compromise between the result selection capabilities of the median voter and the safety features of the majority voter. The smoothing voter is an appropriate voter for applications in which maximising the number of correct outputs and minimising the number of benign errors of the system is the main concern, and a slight degradation in safety can be tolerated

Component-oriented voter model for dependable control applications

In many industrial applications arbitration between redundant subsystems using voting algorithms is popular. Many voting strategies, implemented in hardware or software, have been proposed of which majority and median voters have been widely used in real applications. Component-oriented design and modeling is receiving increasing amounts of interest in the software engineering community. Detailed analysis of voters shows that they can also be considered as a combination of independent components, each performing a specific function. This article proposes a component-oriented model for voters. The model offers benefits such as reusability, flexibility, and extensibility to the system designer. Components and their families are introduced, categorised and simulated. The model is simulated and a library of simulated components is provided. The generality of the model not only supports the analysis of a large number of voter permutations but also facilitates system design and implementation phases. The article presents the experimental results of selected component-oriented voters including majority, median, and linear predictor voters within a Triple Modular Redundant, TMR, system for a wide range of error scenarios. The correctness of the voter model is also proved by comparing the experimental results of selected component-oriented voters with those of the corresponding directly implemented voters