JPH01500307A - Multiple redundant false positive system and its usage - Google Patents

Abstract

(57) [Summary] This bulletin contains application data before electronic filing, so abstract data is not recorded.

Description

[Detailed description of the invention] Multiple redundant false detection system and method of using the same Technical background of the invention This invention relates to multiple redundant false positive systems, particularly those using voting logic. The invention relates to multiple redundant processors. Triple modular redundancy (TMR) Computational systems have been known for several centuries. For example, U.S. Patent No. 4,375,883 Specification (Wensley, Fault Tolerant Computer ional 5ysteta and Voter C1rcu1t) is TM Such a system according to R technology has been described. Generally TMR system The calculation functions are performed by three identical modules working synchronously, and the result of the calculation is The results are compared in the voting circuit. If one module malfunctions for some reason, then the result is voted out by the correct results from the other two modules. Ru.

The TMR principle is also described in the literature (“Proc, of the IE, No. 64 vol. 6, June 1976). another Documents useful as background technology include IEEET rans, on C0ff iputerS% Volume C-27, No. 6, June 1978 Davies and There is a paper by Walkerley.

The following patents are indicative of the state of the art in the field of this invention: US Pat.

U.S. Patent No. 3,356.837 (Raymond), U.S. Patent No. 3.5 01.743 (Dryden), U.S. Pat. No. 3.538,498 (Games et al.), U.S. Patent No. 3,865,173 (Bouri Cius et al.), U.S. Patent No. 3,680,069 (Neumann et al.) , U.S. Patent No. 3,783,250 (F Ietcher et al.), U.S. Pat. No. 3,805,235 (Foster et al.), U.S. Patent No. 3,848, No. 118 (Moder et al.), U.S. Patent No. 4,270.715 ( Orton et al.), U.S. Pat. No. 4,358,546 (Whitesl. de), U.S. Pat. No. 4.402.045 (Krol), U.S. Pat. No. 497,059 (Sm1th), the following patent provides power supply from the entire system. Documents related to this invention regarding the removal and replacement of calculation modules without disconnecting the Ru.

U.S. Pat. No. 3,993,935 (Phillips et al.), U.S. Pat. ．． No. 079.440 (Ohnuma et al.), U.S. Patent No. 4.454.552 Specification (B arnes et al.), U.S. Patent No. 4,375.683 (Wc Many fault-tolerant systems in the prior art, such as the systems described in A common drawback of systems is that the detection of faults within the system does not allow correct output from the voting circuit. It is to depend on something. If there is a failure in the voting circuit itself, there is no way to detect the failure. The output logic is also incorrect.

Other systems use various forms of multiple voting circuitry to address this problem. There is. However, all conventional systems have There is no such thing as complete satisfaction in the field of fault detection.

Therefore, in addition to detecting faults in multi-computation modules, each module Multiple redundant features that can also detect faults within associated fault-determining logic units The need for a voting system still exists. This invention aims to It is something.

Summary of the invention This invention has a multiple fault detection module in which fault detection is performed on the majority principle. The present invention relates to a multiple redundant computer system. Simply put, generally , this invention each has a processor, a memory, and a data bus between each computing device. data on the data bus between multiple computing devices and the memory and processor. A means for receiving the data on the way and transmitting it to the corresponding data bus, and a means for communicating with each computing device. and receives input from all of the data buses and provides a single voted output to the computing device. and voting circuitry connected to supply the voting information.

The system of the present invention also receives input from all of the data buses and is capable of handling system failures. a fault that cooperates with each connected computing device to generate a status word indicating the state of the A decision logic unit and an arrangement in which each computing unit is supplied with a voted fault status word. a corresponding data bus and means for connecting the failure determination logic.

More specifically, in the illustrated embodiment of the invention, the system is triple redundant. It is long. The failure decision logic unit receives signals from three data buses and connects three lines. connected to generate a bus comparison output signal representing an acknowledgment between the data buses. Contains bus comparison logic. In particular, the three output lines from the bus comparison logic indicates the same or different between each of the three possible pairs of data bus signals. Ru.

The fault decision logic also translates the bus compare output signal from the bus compare logic and means for generating a fault status word from the fault status word. The failure decision logic device is also addressable by the computing device and coupled to the fault detection logic to provide bus comparison output. Allows selective setting of force signals and facilitates detection of faults within fault-determining logic devices It has a test register.

Illustrated embodiments of the invention include a computing device, a bus comparison logic device, and a fault determinist, respectively. It is equipped with three modules including a Each module is further integrated into the overall Allows module removal or replacement without removing power from the system Equipped with electrical and mechanical means. Electrical and mechanical means are used during module insertion. Ensure the power connection before connection and disconnect the power supply after removing the module and disconnecting the middle line. It features a long power connection bin to ensure a Equipped with an electrical/mechanical interlock that generates an electrical disconnection signal prior to removal of the , whereby the shut-off signal is used to terminate module operation in an orderly manner. be done.

According to the method of the present invention, in a failure decision logic unit of a triple redundant computer system, error simulates an error condition in one of three synchronized computational subsystems. the first in the failure decision logic unit that runs and cooperates with each of the three subsystems. Generates a set of fault state conditions and assigns a large number into each of the three computational subsystems. Read the first fault condition on the three associated data buses by voting; generating a second set of fault condition conditions as a result of reading one fault condition condition; The second fault state condition is an improperly operating fault determinism. generates an identifier for the physical device.

In another variant, the step of simulating the fault condition involves selecting the data bus Deliberately writes incorrect data words to the A data bus reading is an indication of an error in the computational subsystem associated with the selected bus. The step of reading the first fault state condition is an improperly operating fault determination. Indicates a fixed logical unit.

In another variant, the step of simulating the fault condition includes the fault decision logic injects a selected set of bus comparison signals into the first fault state condition The step of reading produces the expected result from the bus comparison signal and the first fault The step of reading the state condition is a second condition indicating an error in the failure decision logic device itself. Generates an error condition.

According to another aspect of the invention, power is provided by multiple redundant power buses and an equal number of multiple power supplies. The system is supplied with power from multiple power sources by the source sharing circuit. Many electric currents in the system Each of the electrical loads receives power from all sources, but the system is not be affected by short circuits or other faults in the power source. Each power sharing circuit connects each A current limiting circuit is provided on the line to protect each line from possible overcurrent conditions caused by a short circuit in the load. Protect your power supply.

Diodes are also placed on each line from the power supply to protect against short circuits in other power supplies. Prevents the source from supplying current. Its output is coupled to one terminal of the load and another Combined with the current output from the power supply.

From the above description, it can be seen that the present invention is applicable to the field of multiple redundant majority voting computer systems. This will be recognized as a major advance in the field of development. In particular, this invention In addition to checking the operation of heavy computing devices, we also conduct failure detection related to each computing device. It also provides a reliable technique for checking the operation of output logic devices. this invention Other aspects and advantages of the will be apparent from the following detailed description in conjunction with the accompanying drawings. There will be.

Brief description of the drawing FIG. 1 is a block diagram of a triple redundant computer system according to the present invention.

FIG. 2a is a simplified block diagram of the computing device used in the invention.

Figure 2b is a simplified block diagram similar to Figure 2a, with a redundant data bus from a memory connected to a triple redundant computer system according to this invention via Shows how the data bus is interrupted.

Figure 3 further illustrates the bus comparison logic and failure decision logic of the system of Figure 1. It is a block diagram showing details.

FIG. 4 is a partial block diagram of one of the comparison logic devices of FIG.

FIG. 5 is a schematic block diagram illustrating the fault state logic device of FIG. 3.

Figure 6 shows a hardware block of one of the three computing subsystems shown in Figure 1. This is a diagram.

FIG. 7 shows various hardware of processors used in each calculation module of this invention. FIG. 2 is a block diagram showing a wear state.

Figure 8 is used to generate electrical interruption during module removal or replacement. FIG. 3 is a simplified front view showing a mechanical interlock.

Figure 9 shows how modules are configured for “hot” removal or replacement. It is a figure showing how it is configured.

FIG. 10 shows the power supply used in connection with the triple redundant computer system of the present invention. As illustrated for purposes of illustration in a simplified block diagram of a source sharing circuit, the present invention , to reduce the possibility of calculation errors resulting from certain types of computer failures. Types of fault-insensitive computers that use multiple calculation and voting circuits It's about systems. In typical real-time computer technology, multiple In monitoring and controlling process variables during complex industrial processes, computing devices are and analog input signals and generates digital and analog output signals . As shown in FIG. 2a, a typical computer system includes a processor 10. The same memory 12 is provided. Input and output signals are shown at 14 and 16 The computer communicates with the processor 10 and performs all the functions that the computer performs. can be considered to be a direct result of the manipulation of data memory 12.

Processor lO connects memory 12 to address line 18 carrying a memory address. to a data "write" path 20 and memory 12 for stored data words; Considered as a data “read” path 22 for retrieving stored data words. The memory 12 communicates with the memory 12 over a data path that can be used. The computer system of this invention In the system, the data read from the memory of the triplexed computing devices is used for fault detection. monitored for and later returned to the processor IO in the form of majority-voted data. . A typical triplex computing device is shown in conceptual form in Figure 2b. Ru. Data words from memory 12 are routed on line 24 to one of three data buses 26. transmitted to. The other two data buses receive data from the other two computing devices. , the three data buses will always be connected if the three computing devices operate in exactly synchronized The same data must be transmitted. Data on three data buses is the same Only when this is not the case is the test process described below. The data bus 26 is the voting circuit 3 0 to separate inputs on line 28, this voting circuit 30 is connected to data bus 26 or selects the majority-voted one of the data signals and outputs a single output on line 32. do. Processor IO receives the voted data on line 32 and actually It receives “voted data” from the memory of the multi-computation system, Acts as if received directly from that memory.

The above description of the data flow will be explained once the hardware of the computing device is explained in more detail. It has been simplified somewhat to make it easier to understand. The data path to and from memory 12 is Only the read path 22 is taken out en route to be processed by the processing circuit 30. is configured as a single bidirectional bus.

A triple redundant computer system is shown in FIG. 1 and includes three computing devices 40a, 40b and 40c. Throughout this explanation, the attached symbols a, b, c is used to identify one of the three computational subsystems. Attached sign It is not used when it could be any of the subsystems.

The computer system also has three voting circuits 30a, 30b.

Three circuits 42a, 42b with 30c1 bus comparison logic.

Three circuits 44a, 44b with 42C1 fault comparison logic.

Equipped with 44c1 and three data buses 2Ba, 2eb, and 26c. Ru. Data from each computing device 40 is sent on line 24 to a corresponding data bus 26. It will be done. Data signals from all three data buses 26 are routed by line 28a. to voting circuit 30a, and by similar lines 28b and 28c to voting circuit 30b. and input to 30c. Each voting circuit 30 outputs back to a corresponding computing device 40. It has line 32. In each of the three subsystems, a data bus 26 Line 28 from 28 is also connected as an input to bus comparison logic 42. child Logic unit 42 determines which of the various pairs of data bus signals on lines 46.48.50 It generates three binary output signals indicating which are compared. Line 46 is A-B , that is, whether the signals on data buses 26a and 2eb are equal. . Similarly, line 48 indicates whether or not it is B-C, and line 50 indicates whether or not it is A-C. As shown in the figure These bus comparison output signals are directly input to fault decision logic 44, as shown in FIG. Powered.

As will be explained in more detail below, failure decision logic 44 determines the state of the overall system. Generates a fault condition word indicating. This fault status word is provided by fault decision logic 44. is read out by line 52 and transmitted on line 24 to the corresponding data bus 26. sent.

Depending on other data in the system, the fault condition data signal may also be sent from data bus 2B. is transmitted over line 28 to voting circuit 30, which detects the fault condition vector. signal that a vote has been passed or a majority vote. According to this aspect of the invention, Fault status information is read simultaneously from each fault decision logic device 44 by computing device 40. However, the computing device obtains a voted version of the fault condition.

Bus comparison logic 42 connects lines 46 . Generates output on 48.50.

Table 1 A-B B-CA-C conditions 111#1 No failure 110#2 Comparator failure 10183 Comparator failure 011#5 No failure 000#8 Multiple failures Condition #1 is a normal condition in which outputs A, B, and C are all equal. The other seven conditions are This indicates some sort of malfunction. For example, if only module A is faulty, then B- Only the C line is true (1), and the A-C and A-B lines are false (0).

This is shown as condition #6. Similarly, condition #7 and condition #4 are Represents failure of modules B and C. Condition #2. #3. #5 represents a comparator failure. are doing. This is because if the comparator logic unit is working properly, it This is because these conditions are impossible. For example, for condition #2, A-B and There cannot be a state where A≠C even though B−C.

Bus comparison logic 42 is shown in FIG. 3 and includes three logic comparators [30,1 , 60, 2, and 60J are provided, and an input line 2 from the data node 26 is provided to them. 8 are connected. In particular, buses 26a and 28b are connected to logic comparator 80.1. buses 26b and 26c are connected to logic comparator GO92, and buses 2ea and 26c are connected to logic comparator GO92. and 2ec are connected to a logic comparator 60.3. Logical comparator 60.1. B o, 2.60.3 outputs outputs indicating whether or not A-B, B-C, and A-C respectively. Line 4El to constant logic device 44 occurs at 48.50. One of the logical comparators 60 One is shown in detail in FIG.

Each data bus 26 is a multi-bit bus, while the data bus 26 is a multi-bit bus, while the data bus 26 is The output on pin 4f3.48.50 is a single binary signal. Therefore, each logical comparator 60 takes two sets of N binary inputs, where N is the number of bits in the word on data bus 26. It is.

For example, as shown in FIG. 64.1 to 64. It has N. Comparator 60 selects bit 1 of bus A (62, 1 ) with bit 1 (64, 1) of bus B and N (B2.N and 64.N ) are compared for all bits up to A 1-bit comparison inverts the bit on bus A. Then use AND gate 68.1 to perform an AND operation with the bit on bus B, or The bits on bus B are inverted and the bits on bus A are inverted using AND gate 68.1. This is done by operating and.

If the bits of bus A and bus B are equal, the output of these AND gates is “0”. Yes, the output of the OR gate 70 is also 0, and the inverted output A-B is true (logic 1) It is. If the bits on bus A are different from the bits from bus B, then -) Either the output of 66.1 or 68.1 becomes 1” and the output of OR gate 70 The power also becomes "1" and the inverted output A-B is logic 0 (false).

If the data words from the two buses 28a and 26b fill all bit positions are the same, all AND gates 68 produce a logic "0" output. Ru. Therefore, OR gate 70 has a logic "0" output and the output on line 46 is a logic "0" output. It is “1”. However, if the input words differ in at least one bit position, If the This passes through OR gate 70 and produces a logic "0" signal on A-B output line 46. Ru. Of course, the other logical comparators 60.2 and 60.3 are similarly constructed.

Fault decision logic 44 is also shown in more detail in FIG. There are three Exclusive off (XOR) gate 72.1.72.2゜72.3 and test register a fault state register 74, a fault state register 76, and a fault state logic unit 78. Ba Output lines 4B, 48.50 from the comparison logic 42 each have three exclusive It is connected as an input to the target OR gate 72.1.72.2.72.3. exclusive The other input of the target OR gate is connected to lines 80.1 and 80.2 from the test register 74. ．． 80.3 and this test register 74 is connected to the processor on line 82. It has data written from 10 onwards. If test register 74 is zero , XOR gate 72 has no effect on the input signals on lines 46, 48, 50. , the output of XOR gate 72 is provided as an input to fault condition logic 78. late The fault condition logic provides an output on line 84 to the fault condition register 76, which It may be read from processor 10 as indicated by line 86. test register A logic “1” at any position of the star is determined by one of the XOR gates 72 to determine the failure logic. has the effect of logically inverting the corresponding input signal to device 44. these The potentially transformed input is the XOR game) 90.92.94 as A″-B-, B--C- and A--C-. ing.

Fault condition logic 78 is shown in detail in FIG. This is one possible configuration of the value table. Input on lines 90° 92, 94 is inverter 9 6 and reversed to line 90″.

92-. Outputs a parallel set of three inverted inputs on 94″.Logic device The output from 78 is sent to eight AND gates 100 to 107 and an OR gate 108. Given. AND gate 100 receives input from lines 90.92.94 , outputs "1" when there is no failure and the system is operating normally. Andoge Route 101 receives human power from lines 92, 90- and 94-, and module A Outputs “1” in case of failure. AND gate 102 is on lines 94, 90-, 92 - Receives human power from - and outputs "1" when the B module is in failure. Andoge The port 103 receives inputs from lines 90, 92-, and 94-, and the C module Outputs “1” in case of failure. AND gate 104 is line 92.94°90- outputs “1” only for impossible conditions indicating comparator failure. do. Similarly, AND gate 105 receives input from line 90.94.92= The AND gate 106 outputs “1” only for comparator failure, and the AND gate 106 outputs “1” on line 90. ．． “1” only when another comparator fails after receiving input from 92°94- Output. The outputs from AND gates 104, 105, and 106 are OR gates. It is ORed at 108 to provide a single output signal indicating a comparator failure.

The final AND gate 107 receives inputs from lines 90-, 92-, 94''. , outputs “1” only when there is a multiple failure where there is no match between any two computing devices. Strengthen.

The 6 bits of output from fault condition logic 78 are included along with any useful condition items. stored in the fault status register 76 and read by the processor during system operation. can be done. An important feature of this invention is that the fault status register is This is how it is loaded into the processor. This is shown in the hardware block diagram in Figure 6. best explained by considering the data flow of 3 examples The hardware within each of the subsystems includes a processor 10, memory 12, and and additional programmable read-only memory (FROM) 110, voting circuit 3 0, bus comparison logic device 42, failure decision logic device 44, multiplexer 112, Timing and synchronization logic unit 114, timing and synchronization signal voting circuit 11 6, and shutdown processing logic 118. Also memory 12, multiplayer a first internal bus 120 connected to the bus 112 and the failure decision logic 44; and voting circuit 30. Processor 10, and PR″M and hardware register A second internal bus 122 is connected to the star 110. 2 internal buses 1 20 and 122 are connected to each other via a buffer 124. of this invention The operation of the system can be seen from the discussion of the various alternating data flow paths with reference to Figure 6. will be recognized.

Writing data to memory This is a relatively simple flow path, from processor 10 to second internal bus 12. 2, through a buffer 124 to a first internal bus 120, and from there a memory Reach 12.

Reading data from memory This is a normal voted memory read operation. The data is stored from memory 12. 1 internal bus 120 and from there through multiplexer 112 to the data bus 26.

All data buses 2B are then read back through the voting circuit 30 and the voting circuit 3 The output of 0 is sent through the second internal bus 122 to the processor IO. Depending on the condition Thus, processor IO performs an unvoted read from memory 12. this The data flow path in these cases is from the memory box to the first internal bus 120, through buffer 124 to second internal bus 122 and thence to processor 10 sent to.

Writing data to test register Processor 10 writes data to test registers within fault decision logic 44. I can do it. The path is from processor IO to second internal bus 122 and from there through buffer 124 to first internal bus 120 and thence to failure decision logic 44; leading to.

Reading data from the fault condition register This is when the voted fault condition information is programmed. This is an important path read by the processor 10. The path is the failure decision logic unit 4 4 to a first internal bus 120 and thence through multiplexer 112. The data bus 26 is reached. The other two subsystems are on the other two data buses 26. simultaneously give those signals of the fault condition. Voting circuit 30 is connected to data bus 26. reads all three fault status words of the 122 to processor 10. In some cases, from the fault condition register An unvoted reading is required. In that case, the flow path is a failure decision logic device. 44 to a first internal bus 120 and thence through a buffer 124 to a second internal bus 120. 122 and directly to processor IO.

Data flow to and from communication module The same voting principle described so far can be used with a communication module coupled to a data bus. It can be applied to the exchange of data between Communication module 130 is for communicating with external devices. have other means of The output signal is sent through the communication module and input Signals are received through a communication module. However, with the processor 10 Instead of direct communication, a path is established through data bus 26. for data entry On the other hand, the communication module 130 transmits externally generated input signals to the three data buses 2. Distribute to 6. Input signals are coupled from data bus 26 to voting circuit 30 and input at the location. For output, each computing device transfers output data to a second internal bus 1. 22, buffer 124, first internal bus 120, and multiplexer 112. data bus 26.

Multiplexer 112 provides data and address information to communication module 130. Provided for transmission. Communication module 130 receives output data from data bus 26. data, has its own voting circuitry (not shown), and is external to the system. Give the voted data to the target device.

Each subsystem processor 10 includes voting circuitry 30, bus comparison logic 42, and and failure decision logic 44. Ru. The bus comparison test intentionally applies an incorrect data word to one of the data buses 2B. , by checking the fault indication by reading the fault status register. It will be done. For example, subsystem A may have incorrect data on its data bus 26a. Suppose we have a code. This is a fault state vector indicating that module A is faulty. Generate torque. However, if one of the subsystem's bus comparison logic 42 is faulty, this is the subsystem with the faulty compare logic unit. resulting in inaccurate error diagnosis. Two subsystems are modules A has a fault status register that pinpoints the fault in A, while the third one indicates the other status. show. When these registers are read back over data bus 26, at least Bus comparison logic 42 in both subsystems indicates the faulty module identifier. generates output.

As an example, bus comparison logic 42 in module C Assume that there is a fault that always generates logic "1" at the output. If the module fails If we simulate A, we can put inaccurate data on data bus 2Eia. produces the following output from the bus comparison logic 42 in the three subsystems: Ru.゛ Good module Failed module A-C00 Modules A and B are connected only when the B-C output line is at logic “1°”. Produces the appropriate output from the bus comparison logic. This means that module A is faulty. It is converted into a fault status bit indicating the The failed module C has a “comparator error” ” but does not convey any indication as to which comparator is in error. produces incorrect results when converted to a cut.

A voted read operation of fault condition register 76 is used to retrieve fault condition information. The fault condition vectors from each subsystem are transmitted to each data bus 26 when and are read from those buses into voting circuit 30 and bus comparison logic 42.

Buses 2Eia and 26b carry the appropriate indication that module A is faulty. However, since bus 2Bc carries the comparator error indication, in this case the error is on bus 2Bc. It is located at 6c. At this time, the output of bus comparison logic 42 is as follows.

Good module Failed module B-CO0 A-C00 That error condition in this example is one that produces a “1” output on the A-B line. Therefore, module C produces the correct result even if it fails. In any case , at least the majority of the modules indicate that module C is faulty. produces an output. This status word is then read from the fault decision logic. , the identifier of the failed bus comparison logic unit is obtained.

In summary, a failure in the compare logic unit can result in an intentionally inaccurate Provide a data word and read the resulting fault status word from the fault decision logic unit It is detected by If more than one bus comparison logic unit 42 has an error If so, the voted reading of the fault condition matches the simulated data error condition. 1- Indicates an error. The process that takes the voted reading of the fault status register is itself creates a new state in the fault state register. Moshi bus comparison logic device 4 If there are no faults in 2, all modules A from the status register. From reading the error condition, the new state of the fault status register indicates no error. vinegar. However, if the bus comparison logic or failure determination logic of one of the modules If there is a fault in the The new state of the fault status register is determined by the fault bus comparison logic or fault determination. Indicates an error in a module with fixed logic units. Testing is essentially failure decision logic Provides a way to check the integrity of the device itself.

Another routine test performed periodically by processor 10 is the failure decision logic unit. It has the effect of checking. Each processor 10 has a 3-bit test register Write a set of test vectors. Each test vector simulates the conditions shown in Table 1. to curate. The appropriate characteristics shown in Table 1 are as follows: Expected soon. Under normal conditions, the output line from bus comparison logic 42 All of 46, 48, and 50 are logic "1', indicating that there is no 5o.Fault condition To simulate the condition, the test register stores the bit complement of the desired pattern loaded. For example, a failure of module A would be indicated by the following bus comparison output.

A-B 0 The XOR gate complements the bus compare output signal when a logic “1” is in the test register. The normal 1-1-1 pattern in the output signal The desired pattern is determined by giving the complement of the desired pattern in the test register. Can be converted into turns. In the example given, a 0-1-0 pattern is simulated by the complement pattern 1-0-1 in the test register. be able to. The other output forms in Table 1 are similarly simulated. As aforementioned , the test in which data errors are simulated also detects errors in the fault-determining logic unit. identify For example, if the test register is a test register that simulates a failure in module A, Assume that it is loaded at turn 1-0-1. This means that failure decision logic 44 accurately If it works, a fault condition indicating a failure of module A among the three modules. generate a state vector. However, there is a positive error in module B's failure decision logic unit. Suppose there is a fault that causes a fault condition that is not correct. If the fault condition word is When read from the fault-determining logic, the test register is temporarily cleared and The expected main input reading from the fault status register is in module A (simulated indicates that there is a fault. If this voted read process itself generates a new fault status word indicating the error in module B, and which module identify if the module has an error in the failure decision logic.

One aspect of this invention that has not been discussed in depth so far concerns the synchronization of the three modules. It is something that Obviously, it is critical that the three modules operate in synchrony. is important. Synchronization involves three separate concepts. i.e. a common clock In setting the timebase using signals, control functions that must be performed Common implementations with relatively long durations, such as 1 millisecond, used by processors Setting the time clock and synchronizing the module during startup or initialization It is the period.

The timebase clock generator has its own 10 MHz clock output and two Phase votes in each module connected to receive those of other modules It is equipped with a shutoff circuit (not shown). The phase voting output controls the crystal oscillator and also increases the Generates the clock signal for the module in conjunction with the width controller.

This device uses a synchronized 10 MHz clock signal generated by each module. provide. Real-time clock signals are much slower than lO MHz clock signals. generated by a normal clock division chain to generate a real-time clock signal. Ru.

Again the voting principle is used to real-time clock pulses from all three modules. ensure that they are synchronized.

Startup represents a special case of synchronization. Modules are first powered separately is supplied. FIG. 7 shows a power reduction state 1311, a standby state 132, and a failure state 13. 4. Various settings of the processor 1o, including the IJ top setting state 13B and the running state 138 Indicates the hardware status of the A brownout condition occurs when either supply voltage is effective. It will happen if it runs out. Upon power restoration, processor enters reset state 13B Perform the transfer. In reset state 13B, the processor is synchronized with other modules. run the software without data voting, but do not allow data to be voted on. P The processor is allowed to enter running state 138 by issuing a “reset request”. Request permission. Reset requests from just one module have no effect However, if another processor also outputs a reset request, this is called a “voting reset.” "cut" command, which is output commonly to all processors. Voting reset. The effect is to shut down all processors until shutdown consent is received from all of them. It's about keeping them. At that time, the processor is released and running at the same time. to go into. In the running state, the processors vote data in complete synchronization.

A failure condition enters into a hardware failure or transient failure occurrence, causing the processor to lose synchronization. and execute invalid data. The faulty module will attempt to clear the fault and Attempts to enter dynamic reset state, but if fault persists, re-enters enters a failure state.

The standby condition may be anything like power failure, module removal or lack of voting majority. A standby shutdown is initiated to conduct early monitoring of such notable incidents. wait state is expected Temporary used to protect critical data before one of the incidents be. At the end of the standby process, there is a transition to the reset state.

According to an important aspect of the invention, the module can be It has the ability to allow exchange of joules. In other words, the system of this invention Allows “hot” removal and replacement of modules, where each module includes a computing device, voting circuit 30, bus comparison logic 42 and failure decision logic 44. I'm reading. If one of the modules fails and the failure is Once detected, the faulty module should ideally be removed from the system. External processes by which the system is controlled without losing the integrity of the data it outputs must be replaced without interruption. Unfortunately, the power supply Removing and replacing modules while they are being supplied to a system can cause many notable problems. give a problem. In particular, the system will susceptible to errors caused by similar signals.

Two mechanisms protect the system from improper operation and spurious signals during removal and replacement. used to protect the system. As shown in FIG. Its operation is controlled by an electromechanical interlock consisting of a screw locking device 142. Fixed in position. The screw locking device 142 includes a long shaft 142 terminating in a threaded portion 142b. a and an enlarged portion 142c of intermediate diameter, the enlarged portion 142c acts as a cam. When the screw locking device 142 is in its fixed position, Cam portion 142c forces microswitch 144 into one of its two operating states. . When the screw locking device 142 is removed, the cam portion 142c allows the micro switch The switch 144 is forced to the other state and generates a shutdown signal to the processor. cut off The signal is sent to the microprocessor before the module is actually removed from the system. Used to end the work. This allows the removed module to Further pseudo operations during the process are also prevented.

To maintain proper operation of the circuitry within the module during insertion and removal, Removal and replacement assumptions must be made while the supplied DC power is maintained. stomach. A second mechanism, shown in Figure 9, is used for this purpose. The module 140 is It includes an input/output (110) connector 146, which is a typical power input bin 148. and an extended length second power input bin 150. long bottle 150 The power connection is made first when the module is installed in the equipment, and the ensures that it is the last to be shut off when it is removed. Feed via long bin 150 The power supplied is connected through an internal series inductor or series resistor 152, which Eliminate momentary power surges that might otherwise occur. The circuit is inductor The current limiting effect of the capacitor or resistor 152 charges slowly and the short bin 14 The inductor or resistor 152 is automatically bypassed when 8 contacts.

The process of replacing a module involves replacing the module with another module that is already operational. Of course, this will not be completed until the modules are fully synchronized. new module inserted After the start-up operation is completed and power is applied, synchronization is similar to the start-up operation described earlier. It is done in a certain way. However, the process is not exactly the same. It is three This is because the modules do not start at the same time. In this case the new module The module does not initially contain programs or data stored in memory.

Once the new module is in real-time synchronization with the timebase and two other modules is set, it sends a “reset request” and the two modules reset their “ Wait for "reset request" to be sent. Modules operating in running state 13g will Periodically sends a “reset request” for the new module to enter running state 138. Give a window or time slot. Upon receiving a “voted reset”, the new The module enters the running state 13g and operates in conjunction with the other two modules, The voted data is used to determine the appropriate program execution. new A new module will initially have nothing in its memory, so it will generate the correct data. No, it is voted on by the other two modules. Same as memory of other modules. It still remains to load the new module's memory to match.

This process is done as "background" work by all modules. Motion motion The background work performed in addition to other processing performed by the module is reading memory locations. and write its contents back into memory. read and write these The software runs on all three modules simultaneously using the voting circuit 30. will be carried out. In this way, the contents in the operating module's "good" memory are kept fresh. copied into new memory. All memory of the new module has been accumulated again If the new module is an error detection logic unit as already explained, can vote in agreement with other modules until detected by

Figure 10 shows that when one of the many power supplies fails, the power supply to the load is A block of power sharing circuits that can be used advantageously in the system of the present invention, which can be connected to A lock diagram is shown. According to this aspect of the invention, power is supplied to a set of redundant power supplies. The system is connected from three separate power supplies IBOa, 160b, and 160c on the power supply bus. electrical loads in various functional units in the system.

Each electrical load in the system, one shown as block 162, is connected to a power sharing circuit. Power is supplied via line 164. Several loads and corresponding power sharing circuits The lines can also be connected to a set of redundant power supply buses.

Each power supply 160 has a positive voltage output line 166a, which together form a power supply bus. 166b, 1[113c and negative voltage output line 168a.

188b and 168c. Negative voltage output line 168 is commonly connected to ground. connected, and one terminal of load 162 is also grounded. Positive voltage output line Each of the power sharing circuits 166 is connected to all of the power sharing circuits 184, and the power sharing circuits 1.6 One of 4 is illustrated.

The power sharing circuit 164 includes three current limiting circuits 170 and three diodes 1.7 2. Each power supply line 166 has a current limit circuit 170 and a diode 1 72 and are connected in series. Negative or cathode terminal of diode 172 are commonly connected to a load 162.

Current is routed from power supply bus 166 through current limiting circuit 170 and diode 172. flows to the load 162. The current from power supply 160 is additive at load 162. be combined. If a failure occurs that prevents current from being supplied to one of the power supplies, , the remaining power supplies provide the additional current needed to maintain the load current constant. difference Additionally, if either power supply or power bus develops a short circuit between its positive and negative terminals, and this does not adversely affect the operation of the system. It means that the current is supplied from another power source. diode 172 is shorted from a properly operating power source. This is because it prevents current from flowing through the part. Hence remaining good power is equal to the addition do not experience any physical load.

Finally, if the load experiences a fault that draws too much current from the power system, If so, the total current output is limited by current limiting circuit 170. child This means that a failure in one load circuit will cause the entire power system to use power as a load, and the other prevent power from being taken away from the load.

As is clear from the above description, the present invention is a computer system that tolerates failures. This represents a major advantage in the field of technology. In particular, this invention multiple redundant systems that not only detect faults in the fault-determining logic but also detect faults in the It provides a long computer system. The system of this invention also Includes a means to remove or replace a faulty module without shutting down the stem. . Although one embodiment of the invention has been described in detail for purposes of illustration, various modifications may be made. Other shapes can be made without departing from the scope of the invention. did Accordingly, the invention is to be limited only by the scope of the following claims.

international search report

Claims (1)

[Claims] 1. processor and memory, and data between the processor and memory, respectively. a plurality of synchronized computing devices having a data path; a data bus cooperating with each computing device; Receives data on the data path between memory and processor and converts it to the corresponding data A means of transmitting data to the bus and cooperating with each computing device to receive input from all of the data buses. a voting circuit connected to provide a single voted output to the computing device; Works with each computing device, receives input from all data buses, and detects system failure conditions. a failure determination logic device connected to generate a status word indicating; means for reading the fault decision logic device through a corresponding data bus; multiple redundancy characterized in that each computing device is provided with a voted fault status word; computer system. 2. 2. The computer system according to claim 1, wherein the number of computing devices is three. 3. The failure decision logic device is A bus comparison output signal that receives signals from the data buses and indicates the degree of match between the data buses. a bus comparison logic device connected to generate Receives the bus comparison output signal from the bus comparison logic device and indicates the fault status for each computing device. and means for generating words therefrom. computer system. 4. The fault state logic device is also addressable by the computing device and the fault detection logic A test register is coupled to the device to allow selective setting of the bus comparison output signal. Claim 3 further comprising: facilitating the detection of faults in the fault-determining logic device. computer system. 5. 4. The computer system according to claim 3, wherein the number of computing devices is three. 6. 5. The computer system according to claim 4, wherein the number of computing devices is three. 7. The electrical load of the system is divided into multiple loads, and the system is power source and multiple power sharing circuits, each load receiving power from one or all of the power sources. Claim No. 1, in which all of the power sources are coupled to each load so that it can receive the force. The computer system according to item 1. 8. Each power sharing circuit is To limit the current supplied by either power source in case of a short circuit in the load a plurality of current limiting circuits connected to one of each power supply line; one of each power supply line to prevent the flow of current from one power source to the other. The computer according to claim 7, comprising a plurality of diodes connected to the computer system. 9. processor and memory, and data between the processor and memory, respectively. three synchronized computing devices having a data path; Three data buses cooperating with one of each computing device and a connection between the memory and the processor. A means for receiving data on the data path and transmitting it to the corresponding data bus, and each It works with a computing device and receives input from all of the data buses and sends a single vote to the computing device. a voting circuit connected to provide a selected output; connected to three data buses and detects a match or coincidence between each possible pair of data bus signals. a bus comparison logic device that outputs a bus comparison output signal indicating a non-matching condition; in conjunction with an end computing device, receiving as input a bus comparison signal from a bus comparison logic device; connected to perform an action that generates a status word indicating a fault condition of the system. a failure decision logic device; means for reading the fault decision logic device through a corresponding data bus; Triple redundancy characterized in that each computing device is supplied with a voted fault status word computer system. 10. The fault state logic unit is also addressable by the computing device and the fault detection logic. a test register coupled to the control device to allow selective setting of the bus comparison output signal; Claim 9, further comprising: facilitating the detection of a fault in a fault-determining logic device. computer system. l1. 3 each containing a computing unit, a bus comparison logic unit and a fault decision logic unit Configured with multiple modules, each module can cut off power to the entire system. claims that have means to allow removal and replacement of the module without The computer system according to scope item 10. 12. A means of allowing module removal and replacement without power interruption is Make sure to connect the power supply before making any other connections during module insertion, and other connections during module removal. The length is long to ensure that the power can be disconnected after the line has been disconnected. 12. The computer system according to claim 11, further comprising a power connection pin. 13. A means of allowing module removal and replacement without power interruption is Generates an electrical disconnection signal prior to the actual removal of the module, thereby is now used to terminate module operation in the normal way. The computer according to claim 11, comprising an electrical-mechanical interlock. ta system. 14. The system's electrical load is divided into multiple loads, and the system is divided into multiple separate loads. Equipped with a power supply and multiple power sharing circuits, each load can be connected to one or all of the power supplies. Claims coupling all of the power sources to each load so that it can receive power The computer system according to item 9. 15. Each power sharing circuit is To limit the current supplied by either power source in case of a short circuit in the load a plurality of current limiting circuits connected to one of each power supply line; one of each power supply line to prevent the flow of current from one power source to the other. and a plurality of diodes connected to the coil according to claim 14. computer system. 16. The number of power supplies is 3, Each power sharing circuit has three current limiting circuits connected to each of the three power sources, and three current limiting circuits connected to each of the three power supplies. It consists of a limiting circuit and three diodes connected in series, the diodes being used to control the electrical load. 16. A computer system according to claim 15, wherein the computer systems are connected in common. 17. Simulating an error condition in one of three synchronized computational subsystems To, a first fault in a fault decision logic unit cooperating with each of the three computational subsystems; generates a redundant set of state conditions and places a first fault condition on the three associated data buses; Read the conditions and then enter them into each of the three calculation systems by majority vote. Strengthen, a second fault condition in the fault-determining logic unit as a result of reading the first fault state condition; the second fault state condition is an improperly operating fault-determining logic device; failure resolution in a triple redundant computer system characterized by outputting an identifier of How to determine errors in fixed logical units. 18. Simulating a fault condition can be done by intentionally placing an inaccurate data word on the data bus. Write to the selected one, thereby causing the bus comparison of that datapath to The first Claims Reading of a fault condition condition indicates an improperly operating fault-determining logic device. The method according to paragraph 17. 19. The fault condition is simulated by selecting the bus comparison signal during the fault decision logic. the first fault condition condition is expected from the bus compare signal. The first fault state condition is read in the fault decision logic unit. 18. The method of claim 17, further comprising generating a second fault condition indicative of an error. 20. Duplicate used in multiple redundant computer systems using voting principles In the method of replacing one of the same calculation modules of the number, Identify the module to remove, Release the module securing device, including the means to create an interruption, before power is removed. terminates the module's operation and its power is removed after other connections are removed. Remove the faulty module so that Power is gradually increased before other connections are formed to avoid spurious signals. Install the replacement module as supplied, Synchronize the replacement module with other modules in the system and make it available for use by the module. in all modules to read and re-accumulate all memory locations used. Execute the program and thereby create a memory in the module that is already working. The configuration is lobbied into the replacement module, and this replacement module is used by other modules in the system. A method characterized by enabling the same operation as Joule.