ABSTRACT

The increasing reliability requirements of computerized process control systems, such as railway signalling systems, have to be met by fault-tolerant architectures. The mechanisms for achieving fault tolerance have to be clearly separated from the normal functionality of the system and, in particular, from the safety measures included in the system. This paper presents a new fault-tolerance architecture that meets these requirements.

The new architectural features of VOTRICS (Voting Triple-modular Computing System) include arbitrary (not necessarily periodic) application scheduling, flexible configuration to different degrees of redundancy in the application's network, fault tolerance mechanisms, in particular recovery, that are transparent to the application, and independence from the underlying hardware.

These benefits are obtained by applying a clear hierarchical concept to the structure and functions of the fault-tolerant system at the application's message handling level, such that the different properties can be configured independently to the application's actual needs.

This layered structure is discussed in the paper. The fault tolerance mechanisms are implemented in software and are themselves executed redundantly, so that no single point of failure can affect the system's reliability.
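As an added illustration of the two points above (message-level majority voting in a triple-modular set, and the voting mechanism itself being executed redundantly), the following Python sketch is not VOTRICS code and does not come from the paper. It assumes a message with an application sequence number and a payload, three replicas named A, B and C, and a consumer that votes over the three node voters' outputs; all names and the constructed scenarios are assumptions.

```python
"""Message-level TMR voting with replicated voters.

Illustrative example only (not VOTRICS code). Message format, replica
names and helper names are assumptions made for this sketch.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Msg:
    seq: int        # assumed application sequence number used to pair copies
    payload: bytes  # assumed opaque application payload


REPLICAS = ("A", "B", "C")


def vote(copies: dict[str, Optional[Msg]]) -> tuple[Optional[Msg], frozenset[str]]:
    """Majority-vote one message across the three replicas.

    copies maps replica id -> the copy that replica emitted (None if it sent
    nothing, e.g. it crashed or the message was lost).  Returns the agreed
    message (or None when no 2-of-3 majority exists, i.e. fail-stop) and the
    set of replicas that disagreed with the majority, which a recovery
    mechanism can use to decide which replica to resynchronise.
    """
    counts = Counter(m for m in copies.values() if m is not None)
    if not counts:
        return None, frozenset(copies)
    winner, n = counts.most_common(1)[0]
    if n < 2:                      # two or more faults: no safe output
        return None, frozenset(copies)
    dissenters = frozenset(r for r, m in copies.items() if m != winner)
    return winner, dissenters


def replicated_vote(copies: dict[str, Optional[Msg]],
                    broken_voters: frozenset[str] = frozenset()) -> dict[str, Optional[Msg]]:
    """Run the voter on every node of the triple.

    A node listed in broken_voters (constructed failure) produces no output,
    standing in for a crashed voter process on that node.
    """
    results: dict[str, Optional[Msg]] = {}
    for node in REPLICAS:
        results[node] = None if node in broken_voters else vote(copies)[0]
    return results


def system_output(per_node: dict[str, Optional[Msg]]) -> Optional[Msg]:
    """The consumer accepts a message only if two node voters agree on it,
    so a single failed voter is masked exactly like a single failed replica."""
    counts = Counter(m for m in per_node.values() if m is not None)
    if not counts:
        return None
    winner, n = counts.most_common(1)[0]
    return winner if n >= 2 else None


# Constructed sample messages: two replicas agree, one emits a wrong value.
GOOD = Msg(seq=17, payload=b"SIGNAL 12 -> RED")
BAD = Msg(seq=17, payload=b"SIGNAL 12 -> GREEN")


def scenario_single_value_fault():
    """One replica computes a wrong value; the majority masks it."""
    return vote({"A": GOOD, "B": BAD, "C": GOOD})


def scenario_lost_message():
    """One replica sends nothing; the other two still form a majority."""
    return vote({"A": GOOD, "B": None, "C": GOOD})


def scenario_two_faults():
    """Two simultaneous faults exceed TMR coverage: no output is produced."""
    return vote({"A": GOOD, "B": BAD, "C": None})


def scenario_voter_failure():
    """A wrong replica value plus a crashed voter on node B are both masked."""
    per_node = replicated_vote({"A": GOOD, "B": BAD, "C": GOOD},
                               broken_voters=frozenset({"B"}))
    return system_output(per_node)


if __name__ == "__main__":
    print(scenario_single_value_fault())
    print(scenario_lost_message())
    print(scenario_two_faults())
    print(scenario_voter_failure())
```

The point of `replicated_vote` plus `system_output` is that the voter is not a privileged single component: each node votes independently on the exchanged copies, and the consumer treats the three voter outputs the way the voter treats the three replica outputs, so a crashed voter is masked by the same 2-of-3 rule. In a real system the copies would be matched by sequence number and bounded by a timeout before voting; that pairing logic is omitted here.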

The generic interfaces to the application's message handling system allow for flexible configurations of the application's network structure.

Experiences from the integration with a railway signalling application are presented.