AU750613B2 - Synchronisation and/or data exchange method for secure, fault-tolerant computers and corresponding device - Google Patents


Info

Publication number
AU750613B2
Authority
AU
Australia
Prior art keywords
computer
synchronization
channels
data exchange
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
AU34070/99A
Other versions
AU3407099A (en)
Inventor
Friedrich Schmerbeck
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Siemens AG
Original Assignee
Siemens AG
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Siemens AG
Publication of AU3407099A
Application granted
Publication of AU750613B2
Anticipated expiration
Ceased (current legal status)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16 Error detection or correction of the data by redundancy in hardware
    • G06F11/1675 Temporal synchronisation or re-synchronisation of redundant processing components
    • G06F11/1683 Temporal synchronisation or re-synchronisation of redundant processing components at instruction level
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16 Error detection or correction of the data by redundancy in hardware
    • G06F11/18 Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits
    • G06F11/182 Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits based on mutual exchange of the output between redundant processing components

Abstract

The invention relates to a synchronisation and/or data exchange method for secure, fault-tolerant computers. The method enables the synchronisation of or the exchange of data between several individual computers working in parallel. The synchronisation or exchange of data is carried out with interrupt signals and using standard components. The invention also relates to a device for carrying out the inventive method.

Description

Synchronisation and/or Data Exchange Method for Secure, Fault-tolerant Computers and Corresponding Device. Description: Synchronization and/or data exchange method for secure, high-availability computers and device suitable therefor. The invention relates to a synchronization and/or data exchange method for secure, high-availability computers in a multi-computer system having at least two computer channels working in parallel, which channels check at least their results for correspondence by means of mutual comparison and, within their program execution, emit interrupt signals for the result comparison, and also to a device for carrying out the method.
In the processing of open-loop and/or closed-loop control tasks, multi-computer systems are used to ensure security and to increase availability. Programs whose execution is synchronized run on these individual computers, in which case, at the synchronization points, results or interim results of the programs are compared or suitably tested in another way. For this there are, in principle, two known variants, hardware synchronization and software synchronization.
In the hardware synchronization method, close coupling of the computers is achieved by additional logic on the computers, the said close coupling producing clock or instruction synchronism or path identity.
DE-B 24 13 401 describes such a device for synchronizing three computers, use being made of delay elements which take account of the processing time of slow computers. In this system, the failure of one computer cannot be identified, since the decision to continue the execution program is taken as a majority decision "two out of three".
In other known systems, as described in DE-B 21 55 159 for example, a special logic circuit is used which evaluates the specific pulses that are used and generates the corresponding signals for further configuration of the functional sequence for the computers. Thus, the synchronization of counters of a plurality of computers is brought about by a synchronization signal being output onto a line shared by all of the computers and the attainment of a specific counting position being ensured by means of a logic circuit within the individual computers. In this case, the objective is again directed at creating redundancy within the system, since comparison results of two of the three computers suffice for maintaining the functional sequence of the control system. The failure of a computer is not specified. In the examples mentioned here, the decision regarding synchronism of the computers is taken by means of hardware solutions, which have the disadvantage that the computers have to be designed in a special way and the use of purchasable CPU circuit boards as computers and commercially available operating systems is thus prevented or made more difficult.
In the software synchronization method, loose coupling of the computers is achieved by means of a programmed data exchange between the computers via communication channels. The synchronization task is incorporated in the program from the outset and is not processed externally, outside the program.
Such solutions allow, in principle, the use of purchasable computer components and likewise of purchasable commercially available operating systems.
However, the computing power of the secure and/or high-availability computer built therefrom is unsatisfactory since a high proportion of the available time is necessary for the result comparison that is necessary for synchronization, and the proportion of time for the actual control task is thus reduced.
Such a solution is described in DE-A 34 31 169, where the input information is processed in sections by a plurality of computers, in particular microcomputers with internal clock generators, and the interim results are subjected to a comparison. The synchronization of the computers for the comparison is initiated by interrupt signals generated by programming. The fastest computer is the first to transmit the interrupt signal to the other computers and waits for continuation of the next program step until the other computers have, for their part, transmitted interrupt signals. The computers are started for the next program step only after the last interrupt signal has been input and processed.
The invention is based on the object of providing a method and a device by means of which the routines during the operation of multi-computer systems which are necessary for synchronization and/or data exchange are shortened and the performance of the high-availability computers is thus increased with improvement in the security and reliability.
This object is achieved according to the invention by means of the feature in the characterizing part of Claims 1 and 6 in conjunction with the features in the respective preamble. Advantageous and expedient refinements of the invention are contained in the subclaims.
The connected individual computers of the high-availability computer system are called computer channels below. A particular advantage of the invention is that, by virtue of the configuration according to the invention, in particular by virtue of directly making available a memory area of addressable memory cells for the individual computer channels, more flexible and faster variants of the synchronization comparison and/or of the data exchange at specific program locations become possible given the use of industry-standard computers, the following method steps being performed: assignment of memory areas of at least one computer-external coupling board (K) to the computer channels (Rn), identification of at least one synchronization and/or data exchange point in the program execution of each computer channel (Rn) and allocation of an associated cell address, outputting of an interrupt signal by each computer channel (Rn) when a synchronization and/or data exchange point is reached, writing of a current event number and of the data content of the event to a designated memory cell (Zpn) of the coupling board, which memory cell is assigned to the respective computer channel (Rn) by the cell address, checking of the corresponding memory cells (Zp) of the computer channels for the presence of corresponding event numbers, reading of the memory cells (Zp) of all the computer channels (Rn), comparison among one another and voting, continuation of the program execution of the computer channels (Rn) and/or alarm triggering as a function of the voting result.
The device according to the invention can be integrated without difficulty in existing standard computers, in which case the computer channels (Rn) are connected to at least one coupling board (Kn), the coupling board (Kn) is subdivided into n memory areas (Zn) and each memory area (Zn) is subdivided into at least n addressable memory cells (Zpn), each memory area (Zn) is respectively assigned to a computer channel (Rn), and the memory areas (Zn), for the result comparison, can be read by all of the computer channels (Rn) but can be written to only by the respectively assigned computer channel. The invention will be explained in more detail below using exemplary embodiments which are illustrated, at least in part, in the figures.
In the figures: Fig. 1 shows an overview illustration of the interaction of the computer channels, memory areas and memory cells; Fig. 2 shows a configuration with a common coupling board for all of the computer channels; Fig. 3 shows a configuration with one coupling board for each individual computer channel.
The device for synchronization and/or for data exchange connects the computer channels R via an internal CPU bus or an external bus (PCI, ISA, VME, etc.) to a coupling board K.
As is illustrated in Fig. 1, there are n memory areas Z on the coupling board K, the said memory areas each being assigned to one of n computer channels R.
These memory areas Z, realized by a dual-port RAM for example, each comprise a quantity of addressable memory cells Zp, to which, in turn, different information items can be written and from which information items can be read. One possible assignment in accordance with a preferred exemplary embodiment would be for the memory area Z1 to be assigned to the computer channel R1, the memory area Z2 to the computer channel R2, etc., through to the assignment of the memory area Zn to the computer channel Rn.
According to the invention, each computer channel R can read and write to the assigned dedicated memory area Z. The memory areas Z of the other computer channels R can only be read by "foreign" computer channels R. This is intended to prevent the situation where the contents of the memory areas Z can be altered by access by unauthorized computer channels R. A change to the memory area contents can only be performed by the process course of the respectively associated computer channel R. Access to a memory cell Zp is atomic with regard to the concurrence of the computer channels R. In other words, when one computer channel R writes to a memory cell Zp and another computer channel R reads the same memory cell Zp, the read data are either the data prior to writing or the data after writing, but not mixed data. Each computer channel R can trigger an interrupt, e.g. via the data lines of a bus system that are present, to the other computer channels R, each computer channel R having the possibility of temporarily or permanently preventing interrupts to itself. Each memory cell Zp identifies a synchronization and/or data exchange point which is present in parallel for each computer channel R. The cell address used is known to each computer channel R, either by being jointly allocated or by being negotiated by suitable software or hardware between the computer channels R. This memory cell Zp is occupied by an identification unique to the synchronization and/or data exchange point (memory cell Zp1 identifies synchronization and/or data exchange point 1, etc.) and by the information to be exchanged or a signature information item of the information to be synchronized or voted.
For the method according to the invention, the program of the computer channels R contains program sections which are to be used to effect functional testing of whether the computer channels R are synchronous or specific data are present. If the processes running on the parallel computer channels R reach a synchronization and/or data exchange point (or if messages to be synchronized are generated on the parallel computer channels R by processes proceeding there), the following sequence takes place: a first computer channel R1, which has been the first to reach the synchronization and/or data exchange point within its program section, calls a functional sequence, in particular a synchronization routine, in accordance with the programming. A current event number and the data content of the event, or a corresponding signature for the data content, are entered in the memory area of the coupling board K assigned to the said computer channel, in the agreed memory cell Zp.
A test is then performed to see whether an event bearing the same number has been entered in the associated memory cells Zp of the memory areas Z of the other computer channels R. If this information is negative, that is to say the other computer channels R have not yet reached the synchronization and/or data exchange point, the first computer channel R1 enters a waiting loop or the message is buffered.
If the information from the other computer channels R is that they have reached the synchronization and/or data exchange point within their program section, a wake-up interrupt is sent to the other computer channels R, as a consequence of which all the computer channels will read the assigned memory cells Zp1 to Zpn of their dedicated memory area Z and also the memory cells Zp of the memory areas Z of the other computer channels R, compare them with their own results and vote. As a result, complete correspondence or majority correspondence in line with the security and availability requirements is expected.
Depending on the result of the comparison of the memory cells Zp of the computer channels R, the next program section is started or the message is forwarded or a security alarm is triggered. Until the instant of the next synchronization and/or data exchange point set in the program section, the interrupt for the computer channels R is prohibited.
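The sequence just described (own-area-only writes, atomic cell access, event-number check, wake-up interrupt masked until the next point, and voting) as an added Python model; it is not code from the patent or from Siemens. The class and function names, the SHA-256 data signature and the "more than half" majority rule are assumptions made here.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

CONTINUE, WAIT, ALARM = "continue", "wait", "alarm"


@dataclass
class Cell:
    """One memory cell Zp: current event number plus a signature of the event data."""
    event: Optional[int] = None
    signature: Optional[str] = None


class CouplingBoard:
    """Board K with n memory areas Z1..Zn; area Zi holds cells Zp1..Zpn for channel Ri."""

    def __init__(self, n: int) -> None:
        self.n = n
        self.areas: List[List[Cell]] = [[Cell() for _ in range(n)] for _ in range(n)]

    def write(self, writer: int, owner: int, p: int, event: int, data: bytes) -> None:
        # Only the assigned channel may alter its own area; "foreign" channels read only.
        if writer != owner:
            raise PermissionError(f"R{writer + 1} may not write area Z{owner + 1}")
        sig = hashlib.sha256(data).hexdigest()  # assumed signature of the data content
        # Replacing the whole Cell object stands in for the atomic cell access (claim 2):
        # a concurrent reader sees the old cell or the new one, never a mixture.
        self.areas[owner][p] = Cell(event, sig)

    def read(self, owner: int, p: int) -> Cell:
        return self.areas[owner][p]


class Channel:
    """Computer channel Ri with its own interrupt mask (claim 3)."""

    def __init__(self, idx: int, board: CouplingBoard) -> None:
        self.idx = idx
        self.board = board
        self.interrupts_enabled = False  # prohibited between sync points
        self.woken_by: Optional[int] = None

    def deliver_wakeup(self, src: int) -> bool:
        """Wake-up interrupt from channel src; ignored while interrupts are masked."""
        if not self.interrupts_enabled:
            return False
        self.woken_by = src
        self.interrupts_enabled = False  # stays prohibited until the next sync point
        return True

    def reach_sync_point(self, channels: List["Channel"], p: int, event: int, data: bytes) -> str:
        """Program reached sync point p carrying event number `event` and result `data`."""
        self.interrupts_enabled = True  # willing to be woken from the waiting loop
        self.board.write(self.idx, self.idx, p, event, data)
        others = [c for c in channels if c.idx != self.idx]
        if not all(self.board.read(c.idx, p).event == event for c in others):
            return WAIT  # others not yet at this point: waiting loop / buffer the message
        for c in others:  # last to arrive: wake the rest so that everyone votes
            c.deliver_wakeup(self.idx)
        self.interrupts_enabled = False
        return CONTINUE


def vote(board: CouplingBoard, p: int, event: int, unanimous: bool) -> Tuple[str, List[int]]:
    """Compare cell Zp of every area; return (decision, channels disagreeing with majority)."""
    cells = [board.read(i, p) for i in range(board.n)]
    late = [i for i, c in enumerate(cells) if c.event != event]
    if late:
        return WAIT, late
    sig, count = Counter(c.signature for c in cells).most_common(1)[0]
    dissent = [i for i, c in enumerate(cells) if c.signature != sig]
    if count == board.n:
        return CONTINUE, []
    if not unanimous and 2 * count > board.n:
        return CONTINUE, dissent  # majority correspondence (e.g. two out of three)
    return ALARM, dissent


def foreign_write_rejected(board: CouplingBoard) -> bool:
    """Check that channel R1 cannot write into area Z2 (constructed check)."""
    try:
        board.write(0, 1, 0, 1, b"tamper")
    except PermissionError:
        return True
    return False
```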
Furthermore, e.g. the state of a defined memory cell Zp can be written to with the information that a next program section is active but not yet synchronized.
In addition to the method described, information can also be exchanged without realizing synchronization. Furthermore, memory test programs can be executed in parallel or temporally separately on the computer channels R, the computer channels R exchanging the test results using a signature and thus mutually monitoring them.
Figure 2 illustrates, in a block diagram, a configuration in which a common coupling board K is provided for all of the computer channels R1 to Rn. For data transmission in the case of synchronization and/or data exchange, each computer channel R1 to Rn is connected to a common coupling board K in each case via its bus system and a respective bus adapter BA1 to BAn or directly. In this case, the coupling board K contains the memory areas for all the computer channels R1 to Rn. The configuration for each individual computer channel R with an associated coupling board K is shown by the block diagram in Figure 3. In this variant, a coupling board K1 to Kn is connected for each computer channel R1 to Rn, the said coupling board respectively containing the memory areas Z1 to Zn for all of the computer channels R. The memory areas Z are thus present in redundant fashion. The coupling boards K1 to Kn are connected to one another and, by means of suitable replication mechanisms, realize the identity of the data in the coupling boards K1 to Kn.
As a further exemplary embodiment it is possible for the replication mechanism to be effected in a time-delayed manner, that is to say firstly the data from a first computer channel R1 are written to the dedicated coupling board K1 and then the data are transferred to the other n coupling boards K. The connection between the coupling boards K1 to Kn should be realized in a suitable manner (each to each or after the manner of one or a plurality of communication buses).
The invention is not restricted to the exemplary embodiments that are illustrated here.
Rather, by combination and modification of the means and features mentioned, it is possible to realize further embodiment variants without departing from the scope of the invention.

Claims (3)

1. Synchronization and/or data exchange method for secure, high-availability computers in a multi-computer system having at least two computer channels working in parallel, which channels check at least their results for correspondence by means of mutual comparison and, within their program execution, emit interrupt signals for the result comparison, characterized by the following method steps: assignment of memory areas (Z1 ... Zn) of at least one computer-external coupling board (K) to the computer channels (R1 ... Rn), identification of at least one synchronization and/or data exchange point in the program execution of each computer channel (Rn) and allocation of an associated cell address, outputting of an interrupt signal by each computer channel (Rn) when a synchronization and/or data exchange point is reached, writing of a current event number and of the data content of the event to a memory cell (Zp1 ... Zpn) of the coupling board, which memory cell is assigned to the respective computer channel (Rn) and is designated by the cell address, checking of the corresponding memory cells (Zp) of the computer channels for the presence of corresponding event numbers, reading of the memory cells (Zp) of all the computer channels (Rn), comparison among one another and voting, continuation of the program execution of the computer channels (Rn) and/or alarm triggering as a function of the voting result.

2. Synchronization and/or data exchange method according to Claim 1, characterized in that access is made atomically to each memory cell (Zp) in such a way that the data read are either the data prior to writing or the data after writing, but never mixed data.

3. Synchronization and/or data exchange method according to Claim 1, characterized in that each computer channel has the possibility of temporarily or permanently preventing interrupts to itself.

4. Synchronization and/or data exchange method according to Claim 1 or 2, characterized in that each computer channel has read and write access to the assigned dedicated memory area and only read access to the memory areas of the other computer channels.

5. Synchronization and/or data exchange method according to Claim 1, characterized in that, in addition to the program execution for synchronization, information is exchanged without synchronization.

6. Synchronization and/or data exchange method according to Claim 1 or …, characterized in that, in parallel with or temporally separately from the synchronization and/or data exchange program execution, memory test programs are executed on the computer channels, the computer channels (R) exchanging and monitoring the test results using a signature.

7. Device for synchronization and/or for data exchange in a multi-computer system having at least two computer channels working in parallel, which channels check at least their results for correspondence by means of mutual comparison and, within their program execution, emit interrupt signals for the result comparison, characterized in that the computer channels (Rn) are connected to at least one coupling board (Kn), in which case the coupling board (Kn) is subdivided into n memory areas (Zn) and each memory area (Zn) is subdivided into at least n addressable memory cells (Zpn), each memory area (Zn) is respectively assigned to a computer channel (Rn), and the memory areas (Zn), for the result comparison, can be read by all of the computer channels (Rn) but can be written to only by the respectively assigned computer channel.

8. Device according to Claim 7, characterized in that the coupling boards (Kn) are passive coupling boards.

9. Device according to Claim 7, characterized in that the computer channels (Rn) are industry-standard computers with standard CPU circuit boards.

DATED this Thirty-first Day of May, 2002
Siemens Aktiengesellschaft
Patent Attorneys for the Applicant
SPRUSON & FERGUSON

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
DE19809089A DE19809089A1 (en) 1998-02-25 1998-02-25 Process for synchronising and/or data exchange for secure high access computer in multi computer system
DE19809089 1998-02-25
PCT/DE1999/000498 WO1999044135A1 (en) 1998-02-25 1999-02-17 Synchronisation and/or data exchange method for secure, fault-tolerant computers and corresponding device

Publications (2)

Publication Number Publication Date
AU3407099A AU3407099A (en) 1999-09-15
AU750613B2 true AU750613B2 (en) 2002-07-25

Family

ID=7859591

Family Applications (1)

Application Number Title Priority Date Filing Date
AU34070/99A Ceased AU750613B2 (en) 1998-02-25 1999-02-17 Synchronisation and/or data exchange method for secure, fault-tolerant computers and corresponding device

Country Status (9)

Country Link
EP (1) EP1057109B1 (en)
CN (1) CN1294708A (en)
AT (1) ATE208922T1 (en)
AU (1) AU750613B2 (en)
DE (2) DE19809089A1 (en)
DK (1) DK1057109T3 (en)
ES (1) ES2168860T3 (en)
PL (1) PL342601A1 (en)
WO (1) WO1999044135A1 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE10133652A1 (en) * 2001-07-11 2003-01-30 Siemens Ag Automation system for use in automation technology has a redundant central unit comprising two identical central units that are synchronized so that they execute the same programs and commands in a synchronized manner
AU2003280579A1 (en) * 2002-10-30 2004-05-25 Matsushita Electric Industrial Co., Ltd. Inter-device data exchange system, device used for it, exchange completion data management device, and program
JP2008518305A (en) * 2004-10-25 2008-05-29 ローベルト ボッシュ ゲゼルシャフト ミット ベシュレンクテル ハフツング Driving mode switching method and driving mode switching apparatus in a computer system having at least two processing units
US7350026B2 (en) 2004-12-03 2008-03-25 Thales Memory based cross compare for cross checked systems
WO2008120352A1 (en) * 2007-03-29 2008-10-09 Fujitsu Limited Information processing apparatus and error processing method
FR2925191B1 (en) * 2007-12-14 2010-03-05 Thales Sa HIGH-INTEGRITY DIGITAL PROCESSING ARCHITECTURE WITH MULTIPLE SUPERVISED RESOURCES

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0286856B1 (en) * 1987-04-16 1993-05-19 BBC Brown Boveri AG Fault-tolerant computer arrangement
US5226152A (en) * 1990-12-07 1993-07-06 Motorola, Inc. Functional lockstep arrangement for redundant processors
WO1993025966A1 (en) * 1992-06-10 1993-12-23 Siemens Aktiengesellschaft Computer system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2513409A1 (en) * 1981-09-22 1983-03-25 Alsthom Cgee METHOD FOR SYNCHRONIZING TWO MICROPROCESSORS

Also Published As

Publication number Publication date
ES2168860T3 (en) 2002-06-16
CN1294708A (en) 2001-05-09
ATE208922T1 (en) 2001-11-15
DE19809089A1 (en) 1999-08-26
DK1057109T3 (en) 2002-03-11
WO1999044135A1 (en) 1999-09-02
AU3407099A (en) 1999-09-15
PL342601A1 (en) 2001-06-18
EP1057109B1 (en) 2001-11-14
EP1057109A1 (en) 2000-12-06
DE59900434D1 (en) 2001-12-20

Similar Documents

Publication Publication Date Title
US6374364B1 (en) Fault tolerant computing system using instruction counting
US5777874A (en) Programmable controller backup system
EP0306244B1 (en) Fault tolerant computer system with fault isolation
US5255367A (en) Fault tolerant, synchronized twin computer system with error checking of I/O communication
EP0306252B1 (en) Fault tolerant computer system input/output interface
EP0306209B1 (en) Dual rail processors with error checking at single rail interfaces
EP1667024B1 (en) Memory based cross compare for cross checked systems
US4358823A (en) Double redundant processor
US4625307A (en) Apparatus for interfacing between at least one channel and at least one bus
WO1989008883A1 (en) Record lock processor for multiprocessing data system
GB2268817B (en) A fault-tolerant computer system
PT94055A (en) UNIQUE PHYSICAL MAIN MEMORY SHARED BY TWO OR MORE PROCESSORS THAT EXECUTE RESPECTIVE OPERATING SYSTEMS
JPH0683660A (en) Modularized processor system
US4691280A (en) High performance multi-processor system
AU750613B2 (en) Synchronisation and/or data exchange method for secure, fault-tolerant computers and corresponding device
US5696983A (en) Decentralized system connected by individual buses and bus connection method
US7788680B2 (en) Method and system for event management
Smith Jr et al. Development and evaluation of a fault-tolerant multiprocessor (FTMP) computer. Volume 1: FTMP principles of operation
US6484243B1 (en) Shared memory tracing apparatus
US6397243B1 (en) Method and device for processing several technical applications each provided with its particular security
SU752342A1 (en) Multiprocessor computing system
KR100218383B1 (en) Multi-cpu module system
SU1569843A1 (en) Multicompressor computer system
RU1798798C (en) System of multiple computers
JPH08212093A (en) Fault tolerant computer system

Legal Events

Date Code Title Description
MK14 Patent ceased section 143(a) (annual fees not paid) or expired