There are possible techniques to avoid the issues of voting gate failure. I worked on this problem in the early 1980's during the development of triple redundant microcontroller controller boards for use in Industrial Energy Management systems. Down time of the process control equipment and the supporting energy control systems is considered unacceptable in a large facility that runs its operations 24x7. Thus the systems I was designing had to be ultra reliable even considering the issues of software upset or transient hardware faults.

We produced a system of voting that worked as follows:
Periodic run time state from each processor of the three was written into triple ported memory (that has to be SRAM for resistance to noise and alpha particle upsets). Each processor also had the job of checking the results of the other two. If the results agreed then this processor would signal to each of the other two via an interrupt mechanism that worked with a re-triggerable hardware circuit (similar to the way that a modern day watch dog functions). Each processor had two of these circuits and they were designed to automatically take the offending processor off-line in the case of an error and then raise an alert. This technique removed the possibility of a single point failure in the voting logic. If one or more of the ports to the SRAM memory failed then the corresponding processor would be prevented from providing the "your good to go for now" signal to the other two processors and then there would be a local shutdown of that processor.


Michael Karas