AU3407099A - Synchronisation and/or data exchange method for secure, fault-tolerant computers and corresponding device - Google Patents


Info

Publication number
AU3407099A
Authority
AU
Australia
Prior art keywords
computer
synchronization
channels
data exchange
memory
Legal status
Granted
Application number
AU34070/99A
Other versions
AU750613B2 (en)
Inventor
Friedrich Schmerbeck
Current Assignee
Siemens AG
Original Assignee
Siemens AG
Priority date
1998-02-25
Filing date
1999-02-17
Publication date
1999-09-15
Events
Application filed by Siemens AG
Publication of AU3407099A
Application granted
Publication of AU750613B2
Anticipated expiration
Ceased (current legal status)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16 Error detection or correction of the data by redundancy in hardware
    • G06F11/1675 Temporal synchronisation or re-synchronisation of redundant processing components
    • G06F11/1683 Temporal synchronisation or re-synchronisation of redundant processing components at instruction level
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16 Error detection or correction of the data by redundancy in hardware
    • G06F11/18 Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits
    • G06F11/182 Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits based on mutual exchange of the output between redundant processing components

Abstract

The invention relates to a synchronisation and/or data exchange method for secure, fault-tolerant computers. The method enables the synchronisation of or the exchange of data between several individual computers working in parallel. The synchronisation or exchange of data is carried out with interrupt signals and using standard components. The invention also relates to a device for carrying out the inventive method.

Description

Synchronization and/or data exchange method for secure, high-availability computers and device suitable therefor

The invention relates to a synchronization and/or data exchange method for secure, high-availability computers in a multi-computer system having at least two computer channels working in parallel, which channels check at least their results for correspondence by means of mutual comparison and, within their program execution, emit interrupt signals for the result comparison, and also to a device for carrying out the method.

In the processing of open-loop and/or closed-loop control tasks, multi-computer systems are used to ensure security and to increase availability. Programs whose execution is synchronized run on these individual computers, in which case, at the synchronization points, results or interim results of the programs are compared or suitably tested in another way. For this there are, in principle, two known variants, hardware synchronization and software synchronization.

In the hardware synchronization method, close coupling of the computers is achieved by additional logic on the computers, the said close coupling producing clock or instruction synchronism or path identity. DE-B 24 13 401 describes such a device for synchronizing three computers, use being made of delay elements which take account of the processing time of slow computers. In this system, the failure of one computer cannot be identified, since the decision to continue the execution program is taken as a majority decision "two out of three". In other known systems, as described in DE-B 21 55 159 for example, a special logic circuit is used which evaluates the specific pulses that are used and generates the corresponding signals for further configuration of the functional sequence for the computers.
Thus, the synchronization of counters of a plurality of computers is brought about by a synchronization signal being output onto a line shared by all of the computers and the attainment of a specific counting position being ensured by means of a logic circuit within the individual computers. In this case, the objective is again directed at creating redundancy within the system, since comparison results of two of the three computers suffice for maintaining the functional sequence of the control system. The failure of a computer is not specified. In the examples mentioned here, the decision regarding synchronism of the computers is taken by means of hardware solutions, which have the disadvantage that the computers have to be designed in a special way and the use of purchasable CPU circuit boards as computers and commercially available operating systems is thus prevented or made more difficult.

In the software synchronization method, loose coupling of the computers is achieved by means of a programmed data exchange between the computers via communication channels. The synchronization task is incorporated in the program from the outset and is not processed externally, outside the program. Such solutions allow, in principle, the use of purchasable computer components and likewise of purchasable commercially available operating systems. However, the computing power of the secure and/or high-availability computer built therefrom is unsatisfactory since a high proportion of the available time is necessary for the result comparison that is necessary for synchronization, and the proportion of time for the actual control task is thus reduced. Such a solution is described in DE-A 34 31 169, where the input information is processed in sections by a plurality of computers, in particular microcomputers with internal clock generators, and the interim results are subjected to a comparison.
The synchronization of the computers for the comparison is initiated by interrupt signals generated by programming. The fastest computer is the first to transmit the interrupt signal to the other computers and waits for continuation of the next program step until the other computers have, for their part, transmitted interrupt signals. The computers are started for the next program step only after the last interrupt signal has been input and processed.

The invention is based on the object of providing a method and a device by means of which the routines during the operation of multi-computer systems which are necessary for synchronization and/or data exchange are shortened and the performance of the high-availability computers is thus increased with improvement in the security and reliability.

This object is achieved according to the invention by means of the feature in the characterizing part of Claims 1 and 6 in conjunction with the features in the respective preamble. Advantageous and expedient refinements of the invention are contained in the subclaims.

The connected individual computers of the high-availability computer system are called computer channels below.

A particular advantage of the invention is that by virtue of the configuration according to the invention, in particular by virtue of directly making available a memory area of addressable memory cells for the individual computer channels, more flexible and faster variants of the synchronization comparison and/or of the data exchange at specific program locations become possible given the use of industry-standard computers, the following method steps being performed:

- assignment of memory areas (Z1, ..., Zn) of at least one computer-external coupling board (K) to the computer channels (R1, ..., Rn),
- identification of at least one synchronization and/or data exchange point in the program execution of each computer channel (R1, ..., Rn) and allocation of an associated cell address,
- outputting of an interrupt signal by each computer channel (R1, ..., Rn) when a synchronization and/or data exchange point is reached,
- writing of a current event number and of the data content of the event to a designated memory cell (Zp1, ..., Zpn) of the coupling board (K), which memory cell is assigned to the respective computer channel (R1, ..., Rn) by the cell address,
- checking of the corresponding memory cells (Zp) of the computer channels (R) for the presence of corresponding event numbers,
- reading of the memory cells (Zp) of all the computer channels (R1, ..., Rn), comparison among one another and voting,
- continuation of the program execution of the computer channels (R1, ..., Rn) and/or alarm triggering as a function of the voting result.

The device according to the invention can be integrated without difficulty in existing standard computers, in which case the computer channels (R1, ..., Rn) are connected to at least one coupling board (K1, ..., Kn), the coupling board (K1, ..., Kn) is subdivided into n memory areas (Z1, ..., Zn) and each memory area (Z1, ..., Zn) is subdivided into at least n addressable memory cells (Zp1, ..., Zpn) and each memory area (Z1, ..., Zn) is respectively assigned to a computer channel (R1, ..., Rn) and the memory areas (Z1, ..., Zn), for the result comparison, can be read by all of the computer channels (R1, ..., Rn) but can be written to only by the respectively assigned computer channel (R).

The invention will be explained in more detail below using exemplary embodiments which are illustrated, at least in part, in the figures. In the figures:

Fig. 1 shows an overview illustration of the interaction of the computer channels, memory areas and memory cells,
Fig. 2 shows a configuration with a common coupling board for all of the computer channels,
Fig. 3 shows a configuration with one coupling board for each individual computer channel.

The device for synchronization and/or for data exchange connects the computer channels R via an internal CPU bus or an external bus (PCI, ISA, VME, etc.) to a coupling board K. As is illustrated in Fig. 1, there are n memory areas Z on the coupling board K, the said memory areas each being assigned to one of n computer channels R. These memory areas Z, realized by a dual-port RAM for example, each comprise a quantity of addressable memory cells Zp, to which, in turn, different information items can be written and from which information items can be read. One possible assignment in accordance with a preferred exemplary embodiment would be for the memory area Z1 to be assigned to the computer channel R1, the memory area Z2 to the computer channel R2, etc., through to the assignment of the memory area Zn to the computer channel Rn.

According to the invention, each computer channel R can read and write to the assigned dedicated memory area Z. The memory areas Z of the other computer channels R can only be read by "foreign" computer channels R. This is intended to prevent the situation where the contents of the memory areas Z can be altered by access by unauthorized computer channels R. A change to the memory area contents can only be performed by the process course of the respectively associated computer channel R. Access to a memory cell Zp is atomic with regard to the concurrence of the computer channels R. In other words, when one computer channel R writes to a memory cell Zp and another computer channel R reads the same memory cell Zp, the read data are either the data prior to writing or after writing, but not mixed data.
Each computer channel R can trigger an interrupt, e.g. via the data lines of a bus system that are present, to the other computer channels R, each computer channel R having the possibility of temporarily or permanently preventing interrupts to itself.

Each memory cell Zp identifies a synchronization and/or data exchange point which is present in parallel for each computer channel R. The cell address used is known to each computer channel R, either by being jointly allocated or by being negotiated by suitable software or hardware between the computer channels R. This memory cell Zp is occupied by an identification unique to the propagation time (e.g. memory cell Zp1 identifies synchronization and/or data exchange point 1, etc.) and by the information to be exchanged or a signature information item of the information to be synchronized or voted.

For the method according to the invention, the program of the computer channels R contains program sections which are to be used to effect functional testing of whether the computer channels R are synchronous or specific data are present. If the processes running on the parallel computer channels R reach a synchronization and/or data exchange point (or if messages to be synchronized are generated on the parallel computer channels R by processes proceeding there), the following sequence takes place: a first computer channel R1, which has been the first to reach the synchronization and/or data exchange point within its program section, calls a functional sequence, in particular a synchronization routine, in accordance with the programming. A current event number and the data content of the event or a corresponding signature for the data content are entered in the memory area assigned to the said computer channel of the coupling board K in the agreed memory cell Zp.
A test is then performed to see whether an event bearing the same number has been entered in the associated memory cells Zp of the memory areas Z of the other computer channels R. If this information is negative, that is to say the other computer channels R have not yet reached the synchronization and/or data exchange point, the first computer channel R1 enters a waiting loop or the message is buffered. If the information from the other computer channels R is that they have reached the synchronization and/or data exchange point within their program section, a wake-up interrupt is sent to the other computer channels R, as a consequence of which all the computer channels will read the assigned memory cells Zp1 to Zpn of their dedicated memory area Z and also the memory cells Zp of the memory areas Z of the other computer channels R, compare them with their own results and vote. As a result, complete correspondence or majority correspondence in line with the security and availability requirements is expected. Depending on the result of the comparison of the memory cells Zp of the computer channels R, the next program section is started or the message is forwarded or a security alarm is triggered. Until the instant of the next synchronization and/or data exchange point set in the program section, the interrupt for the computer channels R is prohibited. Furthermore, e.g. the state of a defined memory cell Zp can be written to with the information that a next program section is active but not yet synchronized.

In addition to the method described, information can also be exchanged without realizing synchronization. Furthermore, memory test programs can be executed in parallel or temporally separately on the computer channels R, the computer channels R exchanging the test results using a signature and thus mutually monitoring them.
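The access rules described with Fig. 1 (each channel writes only its own memory area Z, reads all of them, and cell access is atomic) and the synchronization sequence just described (write event number plus signature, check the other channels' cells for the same event number, wait or send the wake-up interrupt, read every cell, compare and vote, then continue or raise an alarm) are simulated below. This is an added example, not code from the patent or from Siemens: the names CouplingBoard, AccessViolation, arrive, vote and run_sync_point, the choice of SHA-256 as the signature of a data content, and the channel results are all assumptions constructed for the illustration.

```python
"""Simulation of the coupling-board synchronization protocol (added example;
class and function names, SHA-256 signature and sample data are assumptions)."""
import hashlib
import threading
from collections import Counter


class AccessViolation(Exception):
    """A channel tried to write to a memory area Z that is not its own."""


class CouplingBoard:
    """Coupling board K with n memory areas Z1..Zn (one per channel R1..Rn),
    each holding n addressable cells Zp1..Zpn. A cell stores the pair
    (event number, signature of the event's data content)."""

    def __init__(self, n_channels, n_cells):
        self.n = n_channels
        self.areas = [[None] * n_cells for _ in range(n_channels)]
        # One lock per cell stands in for the atomic access of the dual-port
        # RAM: a reader sees the pair before or after a write, never a mix.
        self.locks = [[threading.Lock() for _ in range(n_cells)]
                      for _ in range(n_channels)]

    def write(self, writer, area, cell, event, sig):
        # Write access is limited to the area assigned to the writer;
        # every foreign area is read-only for it.
        if writer != area:
            raise AccessViolation(f"R{writer + 1} may not write Z{area + 1}")
        with self.locks[area][cell]:
            self.areas[area][cell] = (event, sig)

    def read(self, reader, area, cell):
        # Any channel may read any area.
        with self.locks[area][cell]:
            return self.areas[area][cell]


def signature(data: bytes) -> str:
    """Signature information item for a data content (SHA-256, an assumption)."""
    return hashlib.sha256(data).hexdigest()


def arrive(board, ch, cell, event, data):
    """Channel ch reaches sync point `cell` in event `event` with result `data`.
    It enters (event, signature) in its own area, then checks whether every
    other channel has entered the same event number in the same cell.
    Returns "wait" (enter the waiting loop) or "ready" (send wake-up interrupt)."""
    board.write(ch, ch, cell, event, signature(data))
    for other in range(board.n):
        entry = board.read(ch, other, cell)
        # A stale entry from an earlier event does not count: the event
        # number must match, an occupied cell alone is not enough.
        if entry is None or entry[0] != event:
            return "wait"
    return "ready"


def vote(board, reader, cell, event, mode="unanimous"):
    """After the wake-up interrupt, channel `reader` reads cell Zp of every
    area, compares the signatures and votes. Returns (decision, deviating
    channels), decision being "continue" or "alarm". mode="unanimous" demands
    complete correspondence; mode="majority" lets a majority continue while
    naming the deviating channels."""
    sigs = []
    for area in range(board.n):
        entry = board.read(reader, area, cell)
        if entry is None or entry[0] != event:
            return ("alarm", [area])  # that channel never reached this event
        sigs.append(entry[1])
    best, votes = Counter(sigs).most_common(1)[0]
    deviating = [i for i, s in enumerate(sigs) if s != best]
    if votes == board.n:
        return ("continue", [])
    if mode == "majority" and votes > board.n // 2:
        return ("continue", deviating)
    return ("alarm", deviating)


def run_sync_point(board, cell, event, results, arrival_order, mode="unanimous"):
    """Drive one sync point: channels arrive in `arrival_order`, each with
    results[ch]. The last arrival finds every event number present and sends
    the wake-up interrupt; each channel then votes on the same shared cells,
    so all reach the same decision. Returns (arrival states, decision)."""
    states = [arrive(board, ch, cell, event, results[ch]) for ch in arrival_order]
    decisions = [vote(board, ch, cell, event, mode) for ch in range(board.n)]
    assert all(d == decisions[0] for d in decisions), "channels disagree on vote"
    return states, decisions[0]


if __name__ == "__main__":
    board = CouplingBoard(n_channels=3, n_cells=4)
    # Constructed sample results: all three channels agree in event 1.
    print(run_sync_point(board, 0, 1, [b"pos=17"] * 3, arrival_order=[1, 0, 2]))
    # Event 4 on cell 1: channel R3 diverges, unanimous mode raises an alarm.
    print(run_sync_point(board, 1, 4, [b"pos=19", b"pos=19", b"pos=91"], [0, 1, 2]))
```

Two details carry the weight here. The event-number check in arrive is what makes a reused cell safe: a stale entry from an earlier event is treated as "not yet arrived", so the first channel to reach the next point waits instead of voting on old data. The mode argument of vote expresses the "complete correspondence or majority correspondence" choice in the text: in unanimous mode any disagreement is a security alarm, in majority mode the program continues but the deviating channel is named so it can be reported or taken out of service.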
Figure 2 illustrates, in a block diagram, a configuration in which a common coupling board K is provided for all of the computer channels R1 to Rn. For data transmission in the case of synchronization and/or data exchange, each computer channel R1 to Rn is connected to a common coupling board K in each case via its bus system and a respective bus adapter BA1 to BAn or directly. In this case, the coupling board K contains the memory areas for all the computer channels R1 to Rn.

The configuration for each individual computer channel R with an associated coupling board K is shown by the block diagram in Figure 3. In this variant, a coupling board K1 to Kn is connected for each computer channel R1 to Rn, the said coupling board respectively containing the memory areas Z1 to Zn for all of the computer channels R. The memory areas Z are thus present in redundant fashion. The coupling boards K1 to Kn are connected to one another and, by means of suitable replication mechanisms, realize the identity of the data in the coupling boards K1 to Kn. As a further exemplary embodiment it is possible for the replication mechanism to be effected in a time-delayed manner, that is to say firstly the data from a first computer channel R1 are written to the dedicated coupling board K1 and then the data are transferred to the other n coupling boards K. The connection between the coupling boards K1 to Kn should be realized in a suitable manner (e.g. each to each or after the manner of one or a plurality of communication buses).

The invention is not restricted to the exemplary embodiments that are illustrated here. Rather, by combination and modification of the means and features mentioned, it is possible to realize further embodiment variants without departing from the scope of the invention.

Claims (9)

1. Synchronization and/or data exchange method for secure, high-availability computers in a multi-computer system having at least two computer channels working in parallel, which channels check at least their results for correspondence by means of mutual comparison and, within their program execution, emit interrupt signals for the result comparison, characterized by the following method steps:
- assignment of memory areas (Z1, ..., Zn) of at least one computer-external coupling board (K) to the computer channels (R1, ..., Rn),
- identification of at least one synchronization and/or data exchange point in the program execution of each computer channel (R1, ..., Rn) and allocation of an associated cell address,
- outputting of an interrupt signal by each computer channel (R1, ..., Rn) when a synchronization and/or data exchange point is reached,
- writing of a current event number and of the data content of the event to a memory cell (Zp1, ..., Zpn) of the coupling board (K), which memory cell is assigned to the respective computer channel (R1, ..., Rn) and is designated by the cell address,
- checking of the corresponding memory cells (Zp) of the computer channels (R) for the presence of corresponding event numbers,
- reading of the memory cells (Zp) of all the computer channels (R1, ..., Rn), comparison among one another and voting,
- continuation of the program execution of the computer channels (R1, ..., Rn) and/or alarm triggering as a function of the voting result.
2. Synchronization and/or data exchange method according to Claim 1, characterized in that access is made atomically to each memory cell (Zp) in such a way that the data read are either the data prior to writing or the data after writing, but never mixed data.
3. Synchronization and/or data exchange method according to Claim 1, characterized in that each computer channel (R) has the possibility of temporarily or permanently preventing interrupts to itself.
4. Synchronization and/or data exchange method according to Claim 1 or 2, characterized in that each computer channel (R) has read and write access to the assigned dedicated memory area (Z) and only read access to the memory areas (Z) of the other computer channels (R).
5. Synchronization and/or data exchange method according to Claim 1, characterized in that, in addition to the program execution for synchronization, information is exchanged without synchronization.
6. Synchronization and/or data exchange method according to Claim 1 or 5, characterized in that, in parallel with or temporally separately from the synchronization and/or data exchange program execution, memory test programs are executed on the computer channels (R) by the computer channels (R) exchanging and monitoring the test results using a signature.
7. Device for synchronization and/or for data exchange in a multi-computer system having at least two computer channels working in parallel, which channels check at least their results for correspondence by means of mutual comparison and, within their program execution, emit interrupt signals for the result comparison, characterized in that the computer channels (R1, ..., Rn) are connected to at least one coupling board (K1, ..., Kn), in which case the coupling board (K1, ..., Kn) is subdivided into n memory areas (Z1, ..., Zn) and each memory area (Z1, ..., Zn) is subdivided into at least n addressable memory cells (Zp1, ..., Zpn) and each memory area (Z1, ..., Zn) is respectively assigned to a computer channel (R1, ..., Rn) and the memory areas (Z1, ..., Zn), for the result comparison, can be read by all of the computer channels (R1, ..., Rn) but can be written to only by the respectively assigned computer channel (R).
8. Device according to Claim 4, characterized in that the coupling boards (K1, ..., Kn) are passive coupling boards.
9. Device according to Claim 4, characterized in that the computer channels (R1, ..., Rn) are industry-standard computers with standard CPU circuit boards.

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
DE19809089 1998-02-25
DE19809089A DE19809089A1 (en) 1998-02-25 1998-02-25 Process for synchronising and/or data exchange for secure high access computer in multi computer system
PCT/DE1999/000498 WO1999044135A1 (en) 1998-02-25 1999-02-17 Synchronisation and/or data exchange method for secure, fault-tolerant computers and corresponding device

Publications (2)

Publication Number Publication Date
AU3407099A (en) 1999-09-15
AU750613B2 AU750613B2 (en) 2002-07-25

Family

ID=7859591

Family Applications (1)

Application Number Title Priority Date Filing Date
AU34070/99A Ceased AU750613B2 (en) 1998-02-25 1999-02-17 Synchronisation and/or data exchange method for secure, fault-tolerant computers and corresponding device

Country Status (9)

Country Link
EP (1) EP1057109B1 (en)
CN (1) CN1294708A (en)
AT (1) ATE208922T1 (en)
AU (1) AU750613B2 (en)
DE (2) DE19809089A1 (en)
DK (1) DK1057109T3 (en)
ES (1) ES2168860T3 (en)
PL (1) PL342601A1 (en)
WO (1) WO1999044135A1 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE10133652A1 (en) * 2001-07-11 2003-01-30 Siemens Ag Automation system for use in automation technology has a redundant central unit comprising two identical central units that are synchronized so that they execute the same programs and commands in a synchronized manner
CN1328672C (en) * 2002-10-30 2007-07-25 松下电器产业株式会社 Inter-device data exchange system device used for it exchange completion data management device and program
DE502005006441D1 (en) * 2004-10-25 2009-02-26 Bosch Gmbh Robert METHOD AND DEVICE FOR MODE SWITCHING AND SIGNAL COMPARISON IN A COMPUTER SYSTEM HAVING AT LEAST TWO PROCESSING UNITS
US7350026B2 (en) 2004-12-03 2008-03-25 Thales Memory based cross compare for cross checked systems
EP2372554B1 (en) * 2007-03-29 2013-03-20 Fujitsu Limited Information processing device and error processing method
FR2925191B1 (en) * 2007-12-14 2010-03-05 Thales Sa HIGH-INTEGRITY DIGITAL PROCESSING ARCHITECTURE WITH MULTIPLE SUPERVISED RESOURCES

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2513409A1 (en) * 1981-09-22 1983-03-25 Alsthom Cgee METHOD FOR SYNCHRONIZING TWO MICROPROCESSORS
CH675781A5 (en) * 1987-04-16 1990-10-31 Bbc Brown Boveri & Cie
US5226152A (en) * 1990-12-07 1993-07-06 Motorola, Inc. Functional lockstep arrangement for redundant processors
DE4219005A1 (en) * 1992-06-10 1993-12-16 Siemens Ag Computer system

Also Published As

Publication number Publication date
DK1057109T3 (en) 2002-03-11
EP1057109B1 (en) 2001-11-14
ES2168860T3 (en) 2002-06-16
AU750613B2 (en) 2002-07-25
EP1057109A1 (en) 2000-12-06
DE19809089A1 (en) 1999-08-26
DE59900434D1 (en) 2001-12-20
WO1999044135A1 (en) 1999-09-02
PL342601A1 (en) 2001-06-18
ATE208922T1 (en) 2001-11-15
CN1294708A (en) 2001-05-09

Similar Documents

Publication Publication Date Title
US5777874A (en) Programmable controller backup system
US6374364B1 (en) Fault tolerant computing system using instruction counting
CA1121513A (en) Multiconfigurable modular processing system integrated with a preprocessing system
EP0306244B1 (en) Fault tolerant computer system with fault isolation
US4358823A (en) Double redundant processor
EP0306252B1 (en) Fault tolerant computer system input/output interface
EP1667024B1 (en) Memory based cross compare for cross checked systems
JPH0734179B2 (en) Automatic flight controller with multiple heterogeneous data processing channels.
JPH0683660A (en) Modularized processor system
AU750613B2 (en) Synchronisation and/or data exchange method for secure, fault-tolerant computers and corresponding device
US5382950A (en) Device for implementing an interrupt distribution in a multi-computer system
RU1792540C (en) Multiprocessor computation system
US5140593A (en) Method of checking test program in duplex processing apparatus
KR100256097B1 (en) Serial bus controller
US7788680B2 (en) Method and system for event management
US20030158972A1 (en) Device and method for the synchronization of a system of networked computers
US5311524A (en) Fault tolerant three port communications module
JPS62135038A (en) Data communications system for slave processor
SU752342A1 (en) Multiprocessor computing system
KR100218400B1 (en) Apparatus of control for elevator group management
SU924692A1 (en) Device for interfacing computers in homogenious computing system
JPS61292752A (en) Virtual computer system
JPH08212093A (en) Fault tolerant computer system
JPS62163101A (en) Elevator controller
SU618733A1 (en) Microprocessor for data input-output

Legal Events

Date Code Title Description
MK14 Patent ceased section 143(a) (annual fees not paid) or expired