Fault Tolerance

Each of the MicroNet TMR controller’s kernel sections individually monitors all input data, performs all application calculations, and generates all output values and responses. This control’s architecture allows it to operate with any single point of failure, without shutting down. Architected for reliability and safety, the system’s CPU fault tolerance logic of 3-2-0 allows the control to function normally with any CPU module failed or removed, and ensures a safe shutdown with multiple CPU failures. An analog I/O fault tolerance logic of 3-2-1-0 allows the control to function normally with any one or two analog modules failed or removed. A discrete I/O fault tolerance logic of 3-2-1-0 allows the control to function normally with any one or two discrete modules failed or removed. A power supply fault tolerance logic of 2-1-0 allows the control to function normally with any one power supply failed or removed.

Each kernel CPU module runs the identical software program, in “lock-step” with the other two CPUs. All inputs from each kernel are distributed to the other two kernels. For each sensed input, each CPU compares its read value with the value the other two CPUs read before outputting a signal to the application software. All CPUs use the same voted input signals in the same application calculations to generate the same outputs. All output values are then exchanged between kernels, the results are voted, and the appropriate value is output.
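The two-stage vote described above (inputs voted before the application runs, outputs voted again before anything is driven) and the 3-2-0 versus 3-2-1-0 degradation rules can be made concrete with a small model. The following is an added illustration written for this page; it is not Woodward's MicroNet firmware. It assumes that a failed or removed channel is represented as `None`, that a full set of three values is voted by mid-value selection, that two survivors must agree within a tolerance, and the `vote` and `control_cycle` names, the status strings, and the injected fault in `control_cycle` are all constructed for the example.

```python
"""Triple-modular-redundancy voter with 3-2-0 and 3-2-1-0 degradation policies.

Added illustration, not the controller's own code. Assumptions: a failed or
removed channel is None; three healthy channels are voted by mid-value
selection; two survivors must agree within `tolerance`; a single survivor is
accepted only where the policy allows it.
"""
from statistics import median
from typing import Callable, List, Optional, Sequence, Tuple

# Minimum number of healthy channels a policy needs to keep running.
POLICY_CPU = 2  # 3-2-0: run on 3 or 2 CPUs, shut down safely with fewer
POLICY_IO = 1   # 3-2-1-0: run on 3, 2 or even 1 I/O module

Status = str  # "ok", "degraded", "mismatch" or "shutdown"


def vote(channels: Sequence[Optional[float]], min_healthy: int,
         tolerance: float = 0.0) -> Tuple[Optional[float], Status]:
    """Vote one signal across three channels under the given policy."""
    healthy = [v for v in channels if v is not None]
    n = len(healthy)
    if n == 0 or n < min_healthy:
        return None, "shutdown"
    if n == 3:
        # Mid-value select: one wild channel can never steer the output.
        return median(healthy), "ok"
    if n == 2:
        a, b = healthy
        if abs(a - b) <= tolerance:
            return (a + b) / 2, "degraded"
        # No majority exists between two disagreeing survivors: refuse it.
        return None, "mismatch"
    # Exactly one survivor, permitted only by a 3-2-1-0 policy.
    return healthy[0], "degraded"


def control_cycle(sensor_reads: Sequence[Optional[float]],
                  app: Callable[[float], float],
                  cpu_alive: Sequence[bool],
                  cpu_fault: Optional[int] = None,
                  tolerance: float = 0.5) -> Tuple[Optional[float], Status]:
    """One lock-step cycle: vote inputs, compute on every CPU, vote outputs.

    sensor_reads[k] is the value the kernel k input module read (None if the
    module is failed or removed). cpu_alive[k] says whether CPU k is present.
    cpu_fault, if set, corrupts that CPU's computed output (constructed fault
    injection for the demonstration).
    """
    # Stage 1: inputs from all kernels are distributed and voted identically
    # by every CPU, so each CPU starts the application from the same value.
    voted_in, in_status = vote(sensor_reads, POLICY_IO, tolerance)
    if voted_in is None:
        return None, in_status

    # Stage 2: each present CPU runs the identical application program.
    outputs: List[Optional[float]] = []
    for k in range(3):
        if not cpu_alive[k]:
            outputs.append(None)
            continue
        out = app(voted_in)
        if k == cpu_fault:
            out = out * 10 + 1  # constructed wrong answer from a faulty CPU
        outputs.append(out)

    # Stage 3: outputs are exchanged and voted under the 3-2-0 CPU policy.
    return vote(outputs, POLICY_CPU, tolerance)


if __name__ == "__main__":
    halve = lambda x: x * 0.5
    print(control_cycle([100.0, 100.2, 100.1], halve, [True, True, True], cpu_fault=1))
    print(control_cycle([100.0, None, 100.1], halve, [True, False, True]))
    print(control_cycle([100.0, 100.0, 100.0], halve, [True, False, True], cpu_fault=0))
```

Running the block shows the three regimes the text describes: a wrong result from one of three CPUs is outvoted; a missing I/O module plus a missing CPU still yields a valid output in the degraded state; and a second CPU fault with only two CPUs present leaves no majority, so the cycle reports a mismatch rather than driving an unverified value.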