Written by Maciej Gajdzica (Senior Software Developer)
Multi-processor solutions are overwhelmingly popular in safety-critical systems. Contrary to popular beliefs, increased performance is usually not the reason for this fact.
The two prevalent reasons are increased security by means of redundancy and simplified development by means of moving complicated, yet less critical elements to separate processors.
Let’s start with security -the system needs to maintain its security at all times, even when a malfunction or an error of a processor occurs. In case of a severe failure the processor might not be able to switch the system to the safe state on its own. Therefore, processor redundancy is indispensable as it provides the second processing unit to detect the problem and counteract.
The simplest redundancy system is one fitted with a supervising processor. In this configuration the main processor implements all the major functions, while the additional processor simply monitors operations and intervenes when significant anomalies are detected.
Using two independent processing channels is a more advanced solution. The channels have separate input and output but if the need arises they are both capable of triggering the safe state of the device. The channels exchange information, which is why they can easily spot discrepancies between the values they process. A single channel is usually not able to easily determine if the difference stems from its error or its counterpart’s one. It does not matter, though, as it knows that something is wrong and it is necessary to enter the safety mode. Such a system can detect much more complex problems than the supervising processor solution.
More advanced still is the voting system. In this case more independent channels are present, three or five, as long as the number is odd. The voting system collects information from all channels and based on a chosen strategy it decides on the output. Of course, designing such a system we need to remember about providing redundancy to the voting system, so that it does not become the weakest link, that is a “single point of failure.”
Voting systems and double-channel control systems can be easily combined into hybrid solutions. For example, each channel of the voting system can be made of two separate channels, or the other way round, two separate channels can be realized as two voting systems.
Talking about multiple channels performing the same task, a topic worth mentioning is diverse programming. This approach assumes that each of the independent channels is developed by a different programming team, therefore, the probability of the same software mistake occurring in all channels is much lower. The teams work based on the same documentation but they do not share their code, nor even ideas on how to implement the solution. This diversification can be even higher if different types of processors, different programming languages, techniques, or methodologies are used.
The second reason for utilizing multi-processor solutions is the aim of separating the less critical part of the system and develop it under a lower security level, with less stringent standards, and in much shorter time. What is more, it allows to use some ready-made solutions which do not meet the requirements of the higher levels of security.
This approach is especially tempting if we want to fit the system with modules such as TCP/IP stack or display support. These modules usually require much memory, often with dynamic allocation, and can occupy much of the processor’s resources. Moreover, there is a higher chance of errors regarding memory leaks, stack overflows, or deadlocks. Separating the elements in question solves a lot problems.
Fort the processor performing actions crucial to security all additional processors can be transparent. The processor in a network lane can be treated as an element of the network infrastructure. It is an element of the so called “black channel.” Similarly, the processor responsible for displaying data reacts to certain commands, so it can be treated as part of the HMI interface.
Separating tasks and assigning them to different processors it is also possible to avoid complicated integration, wherever multiple programmers work on the same code. Integrating code from separate processors operating in accordance with a strictly defined interface is much easier.
Learn more about safety-critical systems!