Hybrid dual-duplex fail-operational pattern and generalization to arbitrary number of failures

What is claimed is: 1. A dual-duplex fail-operational control system comprising: a primary controller controlling features of devices while operating under non-fault operating conditions, the primary controller comprising: a first processing unit executing a function utilizing an input data from sensing devices to generate a function result; a second processing unit simultaneously executing the function utilizing the input data from sensing devices to generate a function result; a first comparative module comparing the function result from the first processing unit with the function result from the second processing unit to determine whether an error is present in the primary controller, wherein the first comparative module generates a matching function result when the function result from the first processing unit substantially matches the function result from the second processing unit; a second controller comprising: a first processing unit executing the function utilizing the input data from sensing devices to generate a function result; a second processing unit operating in a non-redundant state, the second processing unit not executing the function while in the non-redundant state; a second comparative module determining whether an error is present in the second controller; wherein the matching function result identified by the first comparative module of the primary controller is input to the second comparative module of the second controller, wherein the second comparative module determines whether an error is present in the second controller utilizing only the matching function result identified by the first comparative module and the function result determined by the first processing unit of the second controller; and designating the second controller as a reconfigured primary controller to control the features of the devices when an error is detected in the primary controller, wherein the first processing unit and the second processing unit of the second controller are each enabled to respectively execute the function utilizing the input data from the sensing devices to generate a respective function result so that the second comparative module may compare the respective function results to determine whether an error is present in the second controller. 2. The control system of claim 1 further comprising a communication link coupled between the first comparative module and the second comparative module, wherein the matching function result determined by the first comparative module is communicated from the first comparative module to the second comparative module via the communication link. 3. The control system of claim 1 further comprising: at least a third controller including: a first processing unit executing a function utilizing the input data from sensing devices to generate a function result; a second processing unit operating in a non-redundant state, the second processing unit not executing the function while in the non-redundant state; a third comparative module determining whether an error is present in the at least third controller; wherein a matching function result identified by a respective comparative module of one of the preceding controllers is input to the third comparative module of the at least third controller, wherein the third comparative module determines whether an error is present in the at least third controller utilizing only the matching function result identified by the respective comparative module of one of the preceding controllers and the function result determined by the first processing unit of the at least third controller. 4. The control system of claim 3 wherein an error detected in the primary controller results in the primary controller failing fail-silent, and wherein the second controller is designated as a reconfigured primary controller, wherein the first processing unit and the second processing unit of the second controller are active to execute the function to determine whether the error is present in the second controller via the second comparative module. 5. The control system of claim 4 wherein the second comparative module determines whether an error is present the second controller designated as the reconfigured primary controller based on the function results from the first processing unit and the second processing unit of the second controller, wherein the matching function result identified by the second comparative module is provided to the third comparative module, wherein the third comparative module utilizes the matching function result from the second comparative module in cooperation with the function result from the first processing unit of the at least third controller to determine whether an error is present in the at least third controller. 6. The control system of claim 5 wherein an error in the second controller results in the second controller failing fail-silent, and wherein the third comparative module utilizes the matching function result from the first comparative module in cooperation with the function result from the first processing unit of the third controller to determine an error in the third controller. 7. The control system of claim 3 wherein each respective controller includes a dual-core processor, wherein each dual-core processor includes a respective first core and a respective second core. 8. The control system of claim 3 wherein each controller includes two single-core processors, wherein each respective core in each controller is a single-core processor. 9. The control system of claim 3 further comprising a communication link coupled between the second comparative module and the third comparative module, wherein the matching function result determined by the second comparative module is communicated from the second comparative module to the third comparative module via the communication link. 10. The control system of claim 1 wherein a number of controllers utilized in the control system is determined by a number of failures the control system is designed to tolerate, wherein the number of controllers is one greater than the number of failures the control system is designed to tolerate. 11. A method of minimizing software backups in a dual-duplex pattern approach, the method comprising the steps of: executing a function simultaneously in a first processing unit and a second processing unit of a primary controller utilizing an input data from sensing devices, the primary controller controlling features of devices while operating under non-fault operating conditions; comparing, by a comparative module of the primary controller, a function result from the first processing unit with a function result from the second processing unit to determine whether an error is present in the primary controller; executing the function in a first processing unit of a second controller utilizing the input data from sensing devices, wherein a second processing unit of the second controller operates in a non-redundant state, the second processing unit not executing the function while in the non-redundant state; inputting a matching function result identified by the first comparative module to a second comparative module in the second controller; comparing, by the comparative module of the second controller, the function result from the first processing unit of the second controller with the matching function result from the first comparative module; and determining, by the second comparative module, whether an error is present in the second controller utilizing only the matching function result identified by the first comparative module and the function result determined by the first processing uni