Methods and systems for compensating for common failures in fail operational systems
US-9195232-B1 · Nov 24, 2015 · US
US9563523B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9563523-B2 |
| Application number | US-201514688083-A |
| Country | US |
| Kind code | B2 |
| Filing date | Apr 16, 2015 |
| Priority date | Apr 16, 2015 |
| Publication date | Feb 7, 2017 |
| Grant date | Feb 7, 2017 |
Official abstract text for this publication.
An integrated fail-silence and fail-operational control system includes a primary controller controlling features of devices while operating under non-fault operating conditions. A secondary controller includes a fail detector/decider module monitoring faults in the primary controller. The fail detector/decider module determines whether the fault in the primary controller is associated with a fail-silence requirement or a fail-operational requirement. If the fail detector/decider module determines the fault is a fail-silence requirement, then the fail detector/decider module actuates a shutdown command to the primary controller to shut down a feature affected by the fault where the feature becomes non-operational. If the fail detector/decider module determines that the feature associated with the fault is a fail-operational requirement, then the fail detector/decider module signals the primary controller to relinquish controls of the feature to the secondary controller. The secondary controller functions as a high assurance system for controlling the feature in a fail-operational mode.
Opening claim text (preview).
What is claimed is:
1. An integrated fail-silence and fail-operational control system comprising: a primary controller controlling features of devices while operating under non-fault operating conditions; a secondary controller including a fail detector/decider module, the fail detector/decider module monitoring faults in the primary controller and the secondary controller, the fail detector/decider module determining whether the fault in the primary controller is associated with a fail-silence requirement or a fail-operational requirement, wherein if the fail detector/decider module determines the fault is a fail-silence requirement, then the fail detector/decider actuates a shutdown command to the primary controller to shut down a feature affected by the fault where the feature becomes non-operational, and wherein if the fail detector/decider module determines that the feature associated with the fault is a fail-operational requirement, then the fail detector/decider module signals the primary controller to relinquish controls of the feature to the secondary controller, wherein secondary controller functions as a high assurance system for controlling the feature in a fail-operational mode.
2. The integrated fail-silence and fail-operational control system of claim 1 wherein each feature of the system is categorized as a fail-silence feature or a fail-operational feature.
3. The integrated fail-silence and fail-operational control system of claim 2 wherein the fail-silence detector/decider monitors and detects faults in the primary controller.
4. The integrated fail-silence and fail-operational control system of claim 3 wherein the fail detector/decider module detects erroneous or unsafe conditions within the primary controller.
5. The integrated fail-silence and fail-operational control system of claim 4 wherein the fail detector/decider module detection of faults in the primary controller is common between fail-silence features and fail-operational features.
6. The integrated fail-silence and fail-operational control system of claim 2 wherein the fail-silence detector/decider determines whether the feature associated with the fault is categorized as a fail-silence feature or a fail-operational feature.
7. The integrated fail-silence and fail-operational control system of claim 1 further comprising a fail-operational control module for controlling features categorized as fail-operational features, the fail-operational control module controlling fail-operational features in response to the fail detection/decider module determining that the fault is a fail-operational fault.
8. The integrated fail-silence and fail-operational control system of claim 7 wherein the primary controller relinquishes control of the feature associated with the fail-operational condition in response to a communication from the fail detector/decider module determining the fault is the fail-operational fault.
9. The integrated fail-silence and fail-operational control system of claim 1 wherein software for controlling only features categorized as fail-operational features are stored in the fail-operational control module of the secondary controller.
10. The integrated fail-silence and fail-operational control system of claim 9 wherein the fail-operational control module includes software for controlling fail-operational features at reduced functionality.
11. A fault control strategy for an integrated fail-silence and fail-operational control system comprising the steps of: providing a primary controller controlling features of devices while operating under non-fault operating condition; providing a secondary controller including a fail detector/decider module, the fail detector/decider module monitoring faults in the primary controller and the secondary controller; determining, by the fail detector/decider module, whether a fault in the primary controller is a fail-silence requirement or a fail-operational requirement; actuating a shutdown command to the primary controller, by the fail detector/decider, to shut down the feature affected by the fault where the feature becomes non-operational in response to the fail detector/decider module determining that the fault is a fail-silence requirement; and relinquishing control of the feature to the secondary controller in response to the fail detector/decider module determining that the feature associated with the fault is a fail-operational requirement, wherein the secondary controller functions as a high assurance system for controlling the feature in a fail-operational mode.
12. The fault control strategy of claim 11 wherein each feature of the system is categorized as a fail-silence feature or a fail-operational feature.
13. The fault control strategy of claim 12 wherein faults in the primary controller are monitored and detected in the fail detector/decider module.
14. The fault control strategy of claim 13 wherein erroneous or unsafe conditions within the primary controller are determined by the fail detector/decider module.
15. The fault control strategy of claim 14 wherein the fail detector/decider module detection of faults in the primary controller is common between fail-silence conditions and fail-operational conditions.
16. The fault control strategy of claim 12 wherein the fail-silence detector/decider determines whether the feature associated with the fault is categorized as a fail-silence feature or a fail-operational feature.
17. The fault control strategy of claim 11 further comprising the step of controlling, by a fail-operational control module, features categorized as fail-operational features, the fail-operational control module controlling fail-operational features in response to fail detection/decider module determining that the fault is a fail-operational fault.
18. The fault control strategy of claim 17 wherein control of the feature associated with the fail-operational condition is relinquished by the primary controller in response to a communication from the fail detector/decider module determining the fault is a fail-operational fault.
19. The fault control strategy of claim 11 wherein software for controlling only features categorized as fail-operational features is stored in the fail-operational control module of the secondary controller.
20. The fault control strategy of claim 19 wherein the fail-operational control module includes software for controlling fail-operational features at reduced functionality.
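The following Python model is an added illustration of the strategy recited in the abstract and in claims 1 and 11; it is not code from the patent or its assignee. The feature names, the fail-silent/fail-operational categorization table and the reduced-functionality handlers are constructed for the demonstration; what it shows is the single detection path feeding a decision that either shuts a feature down or hands it to the secondary controller's reduced-functionality software.

```python
from dataclasses import dataclass, field
from enum import Enum

class Category(Enum):
    FAIL_SILENT = "fail-silent"            # fault -> shut the feature down
    FAIL_OPERATIONAL = "fail-operational"  # fault -> secondary takes over

@dataclass
class PrimaryController:
    """Controls every feature while no fault is present (constructed model)."""
    category: dict                               # feature -> Category (claims 2, 12)
    faulted: set = field(default_factory=set)    # faults injected for the demo
    active: set = field(default_factory=set, init=False)
    def __post_init__(self):
        self.active = set(self.category)         # all features start on the primary
    def control(self, feature):
        return f"primary:{feature}" if feature in self.active else "off"

@dataclass
class SecondaryController:
    """Fail detector/decider plus the fail-operational control module."""
    primary: PrimaryController
    reduced: dict                                # feature -> reduced-functionality handler
    taken_over: set = field(default_factory=set)
    def detect(self):
        # One detection path serves both categories (claims 5, 15).
        return {f for f in self.primary.active if f in self.primary.faulted}
    def decide(self, feature):
        self.primary.active.discard(feature)     # shutdown command or relinquish
        if self.primary.category[feature] is Category.FAIL_SILENT:
            return "shutdown"                    # feature becomes non-operational
        self.taken_over.add(feature)             # high-assurance path takes over
        return "takeover"
    def control(self, feature):
        if feature in self.taken_over:
            return self.reduced[feature]()       # reduced functionality (claims 10, 20)
        return self.primary.control(feature)

def run_cycle(secondary):
    """Detect, decide, then report who controls each feature after the cycle."""
    decisions = {f: secondary.decide(f) for f in sorted(secondary.detect())}
    state = {f: secondary.control(f) for f in secondary.primary.category}
    return decisions, state

def demo():
    cats = {"infotainment": Category.FAIL_SILENT, "steering": Category.FAIL_OPERATIONAL,
            "braking": Category.FAIL_OPERATIONAL}
    primary = PrimaryController(cats, faulted={"infotainment", "steering"})
    secondary = SecondaryController(primary, reduced={
        "steering": lambda: "secondary:steering:reduced",
        "braking": lambda: "secondary:braking:reduced"})
    return run_cycle(secondary)
```

Running `demo()` shows the unfaulted feature staying with the primary controller, the fail-silent feature switched off, and the fail-operational feature served by the secondary controller's reduced-functionality handler.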
eliminating a faulty processor or activating a spare · CPC title
Real-time · CPC title
with a single idle spare processing component · CPC title
using additional compare functionality in one or some but not all of the redundant processing components · CPC title
Switching into safety or degraded mode, e.g. protection and supervision after failure · CPC title