Primary controller designation in fault tolerant systems

What is claimed is: 1. A fault tolerant controller strategy for a fail-operational vehicle system comprising the steps of: (a) providing a first controller and a second controller both generating control signals intended to control actuation devices on a vehicle under non-fault operating conditions, the first controller initially designated as a primary controller and the second controller initially designated as a secondary controller, the actuation devices being responsive only to the designated primary controller; (b) detecting an error in one of the two controllers, wherein the respective controller detected with the error is initially identified as a faulty controller and the other controller is initially identified as a non-faulty controller, wherein detecting an error in one of the two controllers in step (b) includes self-detection of the error by the faulty controller; (c) if a controller error is detected in step (b), then generating control signals by the non-faulty designated primary controller for controlling actuation of the actuation devices, the control signals including an identifier that identifies the non-faulty controller as the designated primary controller; (d) in response to detecting the error in step (b), resetting the faulty controller to operate in a safe operating mode as the secondary controller, and actuating a first error message to a user alerting the user of the error detected in step (b); and (e) transmitting a message from the faulty controller to the non-faulty controller identifying the error in response to detecting the error in one of the two controllers, wherein the non-faulty controller is subsequently designated as the primary controller. 2. The fault tolerant controller strategy of claim 1 wherein if the first controller and second controller fail simultaneously, then the respective controller that re-initializes and begins operating in the safe operating mode is designated the primary controller. 3. The fault tolerant controller strategy of claim 1 wherein detecting an error in one of the two controllers in step (b) comprises the following steps: the first and second controller monitoring communication activity of one another; and identifying an error in the other controller in response to no communication activity from the other controller. 4. The fault tolerant controller strategy of claim 1 wherein detecting an error in one of the two controllers in step (b) comprises the following steps: the first and second controller monitoring communication activity of one another; and identifying an error in the other controller in response to the other controller deviating from an expected behavior. 5. The fault tolerant controller strategy of claim 1 wherein if the first controller and second controller fail permanently, then the actuation devices include a self-contained control strategy for maintaining operation until the user performs a control action for taking control of the autonomous vehicle system. 6. The fault tolerant controller strategy of claim 1 comprising the steps of: (f) if an error is subsequently detected in the non-faulty controller designated as the primary controller in step (e), then transmitting a message identifying the error from the designated primary controller to the secondary controller operating in the safe operating mode; (g) generating control signals by the secondary controller operating in the safe operating mode in response to the error detected in step (f), the control signals including an identifier that identifies the secondary controller operating in safe operating mode as the designated primary controller; and (h) actuating a second error message to the user in response to the error detected in step (f), wherein the second error message generated in response to the error detected in step (f) is of a greater urgency relative to the first error message generated in response to the error detected in step (b). 7. The fault tolerant controller strategy of claim 6 wherein the primary controller identified in step (f) operates in safe operating mode as succeeding designated secondary controller. 8. The fault tolerant controller strategy of claim 7 wherein the error message actuated in response to the error detected in step (f) signals to the user that user intervention should be performed for taking control of the control actuation device. 9. The fault tolerant controller strategy of claim 8 wherein control of the actuation devices by the first and second controllers are terminated in response to the user performing a control action for taking control of the actuation device. 10. The fault tolerant controller strategy of claim 6 wherein the first and second controllers are reset to a non-fault operating mode in response to an ignition start sequence, the ignition start sequence including turning off a vehicle ignition and the re-actuating the vehicle ignition. 11. The fault tolerant controller strategy of claim 6 wherein the safe operating mode operation includes operating the actuation devices using limited operating system support. 12. A fault tolerant controller system for a fail-operational vehicle system comprising: a first controller generating control signals intended to control actuation devices on a vehicle under non-fault operating conditions, the first controller initially designated as a primary controller; a second controller generating control signals intended to control the actuation devices on the vehicle, the second controller initially designated as a secondary controller, the actuation devices being responsive only to the designated primary controller; wherein when an error is detected in one of the two controllers, a message is transmitted from the faulty controller to the non-faulty controller identifying the error, and wherein the non-faulty controller is subsequently designated as the primary controller; wherein control signals generated by the non-faulty designated primary controller for controlling actuation of the actuation devices include an identifier that identifies the non-faulty controller as the designated primary controller; wherein in response to detecting the error, the faulty controller is re-initialized to operate in a safe operating mode as the secondary controller; wherein if an error is subsequently detected in the non-faulty controller designated as the primary controller, then transmitting a message identifying the error from the designated primary controller to the secondary controller operating currently in the safe operating mode, the primary controller identified as having an error is designated as a succeeding secondary controller operating in safe operating mode; wherein the secondary controller currently operating in the safe operating mode generates control signals that include an identifier identifying the secondary controller currently operating in safe operating mode as the designated primary controller; and wherein a second error message is actuated to the user after errors are detected in both the first and second controllers, and wherein the second error message generated in response to the error detected in first and second controllers is of greater urgency relative to the first error message generated in response to the error detected in one of the two controllers. 13. The fault tolerant controller system of claim 12 wherein a first error message is actuated for alerting a user of the error detected in one of the two controllers. 14. The fault tolerant controller system of claim 12 wherein if an error is subsequently detected in the designated primary controller operating in safe operat