Fail-safe synchronization circuit for duplicated systems

Actuators in safety critical systems must be driven by fail-safe signals. Under a failure in the system, such a signal must be either correct or on the safe state (e.g. red colour in traffic control lights). To achieve the fail-safe property, processors controlling such actuators use hardware and/or software redundancy (e.g. duplicated processors, software coding techniques). Each of the signals delivered by such a system must be fail-safe individually in order to drive an actuator. To create such signals, one has to use an interface that transforms the redundant signals delivered by the control processor into fail-safe signals. This can be performed by a fail-safe interface. The present work treats the case where the inputs of the interface are delivered by a duplicated system. To avoid common mode failures the two copies of the system do not share hardware resources. Thus, they use different clocks, and the two system copies are not mutually synchronized at clock cycle level. Any attempt to synchronise them will require to share some resources and will introduce common mode failures. This work proposes a circuit that transforms two copies of non-synchronised signals into synchronised signals, while at the same time preserves the safety of the system under the introduced common mode failures