Two Channel Structure

Description of the Technique

Two channel structures, in the sense as used in this handbook, comprise two independent funtional units for the carrying out of the specified function o The two funtional units can be identical or they can be built up in different ways using the principle of diversification (hardware diversification, software diversification, and time diversification). The signaIs which are used by or produced by both systems are continuously compared with one another for the purposes of fault detection. This comparison can be carried out somewhat crudely (e. g. comparison of relevant input and output signaIs) or it can be very detailed (comparison of states of the system, bus signaIs, etc.). The comparison itself can be made in a variety of ways:

a) by fail safe comparator (external)

b) by external tested comparator

c) by internaI mutual comparison.

Characteristics and Special Features of the Technique

This technique will detect aIl faults which make themselves evident on the inputs of the comparator, even when they are caused by disturbances.

As far as in the comparison of e. g. digitalised analog signaIs and the like, certain tolerances are permitted or have to be considered, suitable "windows" must be provided for this purpose in relation to time and to measured values.

complementary tests should be arranged for those faults which do not make themselves apparent sufficiently quickly via the comparison system.

Special Factors in the Application and Incorporation of the Technique

In diversified two channel systems, it is only possible to compare the output results. Comparison of states of the system calls for identical construction and a completely synchronous running of the two channels; this is as a rule only feasible if both channels have a common time base. A second, independent time base must therefore be provided as an added feature in such systems.

As with aIl test programs, the periodical and complete carrying out of the complementary tests must be monitored.

Checking

The checking is carried out via an analysis of the switching circuitry involved (in some cases, where necessary, including proof tests of the hardware diversification), by checks as to the contents of the programs for the complementary tests and by fault simulation, especially at the comparator unit, where necessary at the second time base, as weIl as for those faults which are not revealed by the comparison.

Literature for Further Reading

Further details and examples of systems which have been realized will be found among others at /DEK/, /DER/ and /WIE/.

elsewhere.