Why does one need fault-tolerant control systems anyway?

The cost of design, implementation, and maintenance of a fault-tolerant control system are significantly higher than that of a traditional control system. Therefore, the only time that one can even think and justify of using a fault-tolerant control system is for safety-critical applications. How does a fault-tolerant control system increase the level of safety? This is the main subject of this talk. In this talk, we will first look at the perception of safety in the eyes of public in terms of potential risks. In a safety-critical (in synonym: hazardous, dangerous, or risk-prone) system, the role of a fault-tolerant control system is extremely important. One of its functions is to steer the process to a safe state whenever undesirable events (known as faults) occur. To fulfill this role reliably, the availability of the fault-tolerant control system has to be high. As we all know, in practice, things will break and designed functions will fail, it is just a matter of time. This also applies to fault-tolerant control system itself. Thus, to achieve a high degree of availability against random failures, one has to resort to redundancy. Furthermore, to avoid common cause failures, there are special requirements on the redundancy, such as reliability, independence, separation, and diversity. The concept of defence in depth against various failure modes will also be introduced. Finally, as an example, we will take a brief look at how the concept of fault-tolerant control system is utilized in safety control systems within nuclear power plants. So, why does one need fault-tolerant control systems anyway? The answer is to reduce potential and hidden risks in technological systems to a level that is deemed to be safe in the eyes of public.