Available fail-safe systems

Continuity of service and cost-effectiveness are adding new challenges to life critical systems over and above the underlying safety concerns. The introduction of redundant components is a necessary condition for increasing the overall system availability with respect to physical component failures. Here we consider redundancy by means of replicating fail-safe components in a distributed real-time system for railway applications. In such a system, some functions cannot tolerate even a brief service interruption. These functions have to be replicated using active redundancy, and their outputs must be consolidated with the goal that the failure of one component has no effect on the delivered service. We formally investigate conditions for preserving safety properties of fail-safe components when replicating them using active redundancy. We focus our analysis on duplex computers with two fail-safe units. Given some safety constraints, we show that inconsistency of replicated units can lead to safety degradation even if each replicated component (taken individually) satisfies the given safety constraints. Two solutions are studied: masking and detection of state or context inconsistency. The former leads to requirements on the output consolidation function and the latter to requirements on the redundancy management mechanisms.