DE4332881A1 - Fault-tolerant multicomputer system - Google Patents

Abstract

The object of the invention is to provide a fault-tolerant multicomputer system which is implemented in a completely decentralised manner, both avoids the customary common resources, which are particularly at risk of failure, between the modules (assemblies), such as RAM, bus system and clock, and interconnects computer peripherals in a fault-tolerant manner, and which has automatic fault detection and fault elimination (recovery) within the network right up to the input and output points to the peripherals. The multicomputer system is characterised in that in order to tolerate M faults in computer nodes, there is an arrangement of at least N = 2M + 1 computer nodes (k0...k8) which are interconnected in such a way that every computer node (k0...k8) can reach every other node via a plurality of partially or completely different paths, in that a distributed communications system permits the reliable exchange of data, and in that at least (2Q + 1) input and output modules (p0...p5) are arranged for the toleration of Q faults in the input and output modules, each of the input and output modules (p0...p5) being connected to a different one of the computer nodes (k0...k8). <IMAGE>

Description

The invention relates to a fault-tolerant Multicomputer system in which there are several microcomputers can represent each other.

Many computing technology applications require a high level Level of reliability of the hardware and Software. The focus is on the aerospace sector or to be found in the power plant and chemical sector. Next protection against dangers from unreliable Computing technology in security-critical areas are in the In the course of extensive automation, however, increasingly Operators of complex industrial systems such as cycle lines or similar because of the high costs in the event of individual failure Components using fault-tolerant computing technology Interested.

Methods of correcting errors by using special Codes are useful for eliminating accidental Data errors, but separate for information processors Systems because there are no algorithms that use all processing functions are valid (W. W. Peterson, "Verifiable and Correctable Codes", R. Oldenbourg Verlag, Munich and Vienna, 1968). Likewise are these procedures are unsuitable when components or Sub-areas have a total failure.

A well-known basic principle of fault-tolerant computers consists in principle of the same multiple arrangement Computing units that are all the same at the same time Work on the task, whereby the majority decision correct result is selected.  

Such an arrangement consists of at least 3 Computing units with the same Input information work, and a "voter" who carries out the majority decision (R. Weiß, "Fault-tolerant computer systems", control engineering Praxis, 25th year, 1983, volume 10, pages 408-415). A weak point here is always the voter, who only once is present and is therefore itself not fault-tolerant. A failure of this component always has one Total failure of the entire system.

Simple systems that are already considered fault tolerant work with two quasi parallel processors. In case of inequality of the results, the last calculation step is repeated, which detects and eliminates random errors. There is also no repetition Agreement, the functionality is determined by Test routines checked and so the faulty computer determined. Such solutions are already on Circuit base realized (David Jones, "Fault Tolerance and reliability in microprocessor systems ", Electronics, issue 24/1990). But here is one too Comparison logic required that exists only once and is therefore not fault tolerant.

Systems with similar computing units that are loose over a connection network are coupled and without global Storage units work, have the basic Requirements for implementing more tolerant Properties. So z. B. known (DE 29 39 487) for Increase the performance of multiple computing units to connect to parallel computer systems, with several Microcomputers can solve the same tasks.  

Some of the microcomputers work in normal operation the tasks to be solved are other than Replacement modules (stand by) provided. Both are the input and output interfaces of all Microcomputers each have only one stage Coupling network with the peripheral device controllers connected. This central resource (one-step Coupling network) is just like a separate voter a weak point of the system because of a simple arrangement has no fault tolerance.

Fault-tolerant computer systems are also known (DE 36 39 055, DE 40 05 321) the multiple computers which can be represented in the event of an error. For The detection of faulty behavior is shared Computer shared resources, so grab z. B. on a shared memory and compare there stored calculation results. In the event of an error, over centrally located selection units the faulty Component eliminated and if available on a Replacement module switched. Such systems have that Disadvantage that shared resources, in particular Bus systems and global storage systems exist, too can fail and then to an immediate Complete failure.

There are no known solutions without a central one Resource for executing the voting function get along regardless of whether this feature is implemented in hardware or software. Therefore every central resource because of its exposed position particularly high demands on reliability Assemblies of this type are required complex and expensive.  

The object of the invention is a fault-tolerant Multicomputer system to create that completely is implemented decentrally, both the usual especially failure-prone shared resources between the Avoids assemblies like RAM, bus system and clock as well Integrates computer peripherals in a fault-tolerant manner automatic error detection and troubleshooting (Recovery) within the network down to the and output points to the periphery.

According to the invention the object is achieved in that for the tolerance of M errors in computer nodes at least N = 2M + 1 computer nodes are arranged which through a communication network in the form of several fixed specified and working according to the handshake process Point-to-point connections are interconnected. The computer nodes are in this way with each other connected that each other in part on several or completely different ways and if one or more communication paths fail further routes for data transport are available. There is a distributed communication system that in addition to the data transport services via functions for Failure detection, error elimination and reintegration disposes. Each sending computer node also monitors Help of a time-out condition the receipt of a shipment, directs the if there is no connection path activity Shipment and shares this state with all computer nodes using all active connection paths with. A Computer node is recognized as failed, though the last connection path leading to him as failed is recognized. To determine whether a connection path failed or is still failed, i.e. for cyclical monitoring of the system status, both  on flawless as well as on faulty marked connection routes in the same Time intervals test messages sent. That’s it System capable of local detection of one Change of state of the computer system each of the Computer nodes in the system the failure as well as the Reintegration upon detection of recovery Communicate activity of components and decentralized Determine the state of availability as well as a automatic adjustment of communication routes perform. This ensures trouble-free operation guaranteed for all error-free computer nodes.

This is through a system-wide addressing mechanism Communication system able to secure Data exchange between any network Computer nodes and input and output modules allow.

For the tolerance of Q errors in the inputs or Output modules are at least (2Q + 1) input or Output modules arranged. Each of the inputs or Output modules in turn have at least one connected to another of the computer nodes, the error-free data by a (Q + 1) -aus- (2Q + 1) majority decision can be determined.

There is a decentralized division of tasks Control for task distribution available. She poses sure that each subtask is parallel by at least (2M + 1) computer node is edited and after a (M + 1) -aus- (2M + 1) majority decision each subsequent subtask is started.  

It is advantageous if the computer system is constructed in the form of an N = A _* B tour with A columns and B rows, with at least A = (2Q + 1) columns having to be arranged for the tolerance of Q errors and each column in and out is connected on the output side to another input or output module. It is also advantageous if the input and output modules are constructed as intelligent components such that each input and output module consists of a controller and an input and output unit, the controller and the input and output unit being fully meshed to be ordered. This makes it possible to reconfigure the controller, input or output device assignments during operation.

The advantage of the invention is that fault-tolerant multicomputer system completely decentralized is realized. It avoids any kind of central Resources (Voter, RAM, bus system, clock ...). There are not any idle standby resources required that total computing power of all computer nodes in the trouble-free operation can be used. The Detection, localization and elimination take place automatically, with the degree of fault tolerance the Requirements of the individual case by scaling the Network sizes is customizable. By the multiplied Use of normal industrial assemblies as computer nodes instead of expensive special hardware there is a great cost advantage.

The fault-tolerant multicomputer system is supposed to be based on a Embodiment are explained in more detail.

Show in the accompanying drawing

Fig. 1 is a schematic diagram of a fault tolerant multi-computer system,

Fig. 2, an input network,

Fig. 3 an output network,

Fig. 4 a disturbed network of FIG. 1,

Fig. 5 is a configuration table for the example configuration of FIG. 1,

Fig. 6 shows a local routing table of computer nodes k4 the example configuration of FIG. 1,

Fig. 7 is a configuration table for the disturbed network of FIG. 4 and

Fig. 8 shows a local routing table of computer nodes k4 of the disturbed network according to Fig. 4.

Fig. 1 shows the basic diagram of a fault tolerant multi-computer system with the computer node kx, where x is the sequential index of the computer node. In this exemplary embodiment, 3 × 3 computer nodes (k0... K8) are shown, which are arranged in a matrix; For the tolerance of M errors in computer nodes at least N = 2M + 1 computer nodes are necessary. In principle, the computer nodes (k0... K8) are microcomputers which are constructed in the same way, are equipped with the same functionality and are fully self-sufficient. They each have a local memory and their own clock (and therefore time) and power supply. They have n (n <1), typically z. B. 4, as also shown in the exemplary embodiment, communication interfaces vxn (v00, v01, v02, v03, v10, v11, v12, v13... V80, v81, v82, v83) in the form of parallel or serial interfaces. The computer nodes (k0... K8) are connected to one another by a communication network in the form of several predetermined point-to-point connections which work according to the handshake method in such a way that each computer node can reach each other in several partially or completely different ways .

So it carries one of each of the interfaces Computer node connects to exactly one other the computer node (k0... k8) or to the Input or output modules (p0... P5), from the rest Interfaces of this computer node to others etc. about the emerging, spatially narrow Point-to-point connection network are the Computer nodes (k0... K8) as a result meshed that every computer node under every other Use of the distributed routing system on more than one Ways can reach. The failure of a connection can be tolerated as long as from any computer node (k0... k8) to each other at least one possible way exists. The network can be more inhomogeneous Be in shape, the initial level of fault tolerance but then different for the individual areas. Consequently stand in the event of failure of one or more Communication paths further routes for data transport to Available.

Each computer node (k0... K8) is able to derive from the local memory (RAM, local boot file system or similar) Information about how to boot his neighbors Win configuration files or system files and if necessary, every new neighbor boot. The failure of any other components of the Systems has no immediate because of the self-sufficient structure Impact on an individual's ability to work Computer node (k0... K8).

Not about the high fault tolerance within the network at central input and output points to the periphery destroying the periphery too redundant and connected redundantly. Around to be Q-fold fault tolerant with regard to the periphery, are for input or output (2Q + 1) input or  Output modules (p0... P5) provided, each of the Input or output modules (p0... P5) with another the computer node (k0... k5) is connected.

The periphery can advantageously be implemented as an input or output network ( 1; 2 ), the input network ( 1 ) according to FIG. 2 consisting of (2Q + 1) controllers (P0; P1; P2) and the same number of input units (E0 ; E1; E2) and the output network ( 2 ) according to FIG. 3 consists of (2Q + 1) controllers (P3; P4; P5) and the same number of output units (E3; E4; E5). So for the tolerance of Q errors in the input or output at least one (2Q + 1) controller (P0; P1; P2 or P3; P4; P5) is provided, which has the same number of input units (E0; E1 ; E2) or output units (E3; E4; E5) are fully networked. This makes it possible during operation to tolerate errors in the controller or input or output unit by reassigning a controller to an input or output unit.

The correct input and output data are confirmed by a (Q + 1) -aus- (2Q + 1) majority decision determined. Thereby will continue to work correctly if Q Input or output modules as well as in the event of Q failure computer nodes connected to the periphery secured.

To the distribution of tasks, the exchange of Administrative and user process data in one To be able to implement a multicomputer system basically a communication system as part of the System software needed. In the invention this is Communication system expanded by exactly the components the detection and elimination of defective components as well as the reintegration after transient errors.  

The communication system (also: routing system) works according to the following, completely decentralized principle: Each of the computer nodes (k0... K8) knows the entire connection list of the network, i.e. it knows which computer node is connected to which other via which interfaces. The initial connection list, the configuration table, FIG. 5, is determined at the configuration time and depends on the number of computer nodes and the number of communication interfaces per computer node. It is included in the form of a table with every computer node when the system is started

k (k number of nodes) columns and
n (n = number of interfaces / nodes) lines passed.

An example of such a configuration table is given for a 3 × 3 system according to FIG. 1 in FIG. 5. So z. B. the computer node k4 via the communication interface v40 with the computer node k1, via the communication interface v41 with the computer node k5, via the communication interface v42 with the computer node k7 and via the communication interface v43 with the computer node k3. During the initialization and after each detected change in the state of the network, this initial configuration table, or one modified by failure or reintegration, locally becomes the path length for a message from each of the computer nodes (k0... K8) to each other of the computer nodes (k0.. K8 ) is calculated in the network via each of the possible interfaces (v00... v83) and the path length minima are entered in a second table, the local routing table, FIG. 6. The path lengths (network hops) are the basis for choosing the optimal routing path for user messages.

The entry "NE" in the routing table means that the Computer nodes via this output the corresponding Target processor not reached. To detect errors the communication system makes the structural Take advantage of the hardware described. Basically, every computer node has its own local view of the network and just that Connections monitored with its immediate neighbors. To detect the failure of a connection (missing Activity z. B. due to defective component, Line interruption or the like) will affect all Communication interfaces (v00... V83) of the computer nodes test messages sent at equal intervals and their proper transmission by means of suitable Data logs and time-out monitored. So is one Error detection even without an active user program within the applied time grid (usually a few milliseconds) possible. Will one Transfer user message, this serves indirectly also proof of the functionality of the channel.

FIG. 4 shows a faulty network according to FIG. 1. If a connection is recognized as faulty (time-out condition becomes true or protocol error), e.g. B. the connection between two computer nodes (k4 and k5), it is deleted from the set of possible routes of these two neighboring computer nodes (k4 and k5). If the error in the transmission of a user message is detected, the communication system sends it to the receiver in another way and the user does not notice anything of this disturbance. As a second reaction to this error, the computer node that first recognizes the failure informs all others of the failure of the connection. This is done via a broadcast mechanism that securely distributes the corresponding information (message) to all active computer nodes in the network, by sending the message to all neighbors and from these back to the other neighbors, except for the one from whom the Message has been received, is being sent. The distribution terminates wherever the message is received again. The broadcast is repeated until the message receipt has returned to the initiator without errors.

This ensures complete information transmission in the event of simultaneous or immediate failure of several communication interfaces (v00... V83) or computer nodes (k0... K8). As a result of the distribution of the information, the modified configuration tables arise locally on each computer node (k0... K8), inactive communication interfaces being identified with "NE", shown in FIG. 7, and the routing tables, shown in FIG. 8. In FIG. 7 shows the connection v41 / v53 which has failed in the example by the "NE" entries in column k4 / line vx1 and in column k5 / line vx3. Fig. 8 shows the "NE" entries for the entire row v41 that more computer nodes reached via communication interface k4 v41 any other computer node.

In order to avoid transient connections (e.g. through Interference and without physical defects) Integrating back into the network is considered defective marked connection paths at equal intervals charged with synchronization messages. Will be from Neighboring node correctly a synchronization message received and remains this state for a certain time stable, the connection is again noted as valid and a broadcast in the same form as the failure about the regained activity of this component  sent. After receiving the notification of the failure or everyone re-establishes a connection Computer nodes the network status and thus the current Path lengths to all other computer nodes new. over this process becomes completely decentralized knowledge ensured via the current network status.

Errors in the computer nodes (k0... K8) themselves can do so be diverse in nature that identifying the cause through a neighbor who is only communicating can monitor, is not possible. Therefore any failures in the computer node due to faulty or lack of activity of its communication interfaces recognized. That means, for example, that the complete Failure of a computer node (k0... K8) the Broadcast messages about the failure of all connections to each of its neighbors to all computer nodes (k0... k8) in the network. In the subsequent The failure of the network is calculated Computer nodes as no longer accessible and therefore not marked more available. This attribute is before all for the rest of the process in terms of Task distribution in the network relevant.

On the one hand, the concrete cause of misconduct is not recognizable by neighbors, on the other hand not of future correct continuing work yourself abnormally behaving computer node may be no longer available for one labeled computer nodes the Reintegration attempts, d. H. the application of Test messages set until the strategy software, a user program that is also based on (2M + 1) different computer nodes runs and that over the Resource use and task allocation at user level decides to reboot completely  through a selection via majority procedure Instructs computer nodes.

The multi-computer system described in the invention is now through its hardware structuring able to full functionality of an application even after To ensure failure of any module. Around the fault tolerance also for the user software guarantee a decentralized working on also (2M + 1) various computer nodes running control intended for the distribution of tasks, which ensures that yourself, the strategy software and every subtask the application in parallel of at least (2M + 1) Computer node is edited. Final and Interim results of the subtasks are over (M + 1) -aus- (2M + 1) -Majority decisions evaluated and if necessary corrected locally. With the correct result, the next subtask started.

The strategy software has the task of recovery measures to initiate the restart of defective components and (2M + 1) times the parallel execution of the application guarantee on (2M + 1) different computer nodes. If an error is detected locally that affects the reaction of the Strategy software is required first Majority decision as in the application of validity the fault condition checked or in the event of your own error of Error status reset. Is a mistake from the Majority has been determined, this condition is for everyone Strategy programs running in parallel are valid. In this Each strategy program determines from its local case Context of who the action to fix the bug (e.g. re-booting a failed Computer node). Is about awarding the Orders on majority decision reached agreement has been started temporarily as the executor  excellent computer node the recovery measure. Of the Success is now decentralized again by for example a post-booted computer node at his Registers neighbors via the communication interfaces. These neighboring nodes report the resumption of the Connection activity, such as connection recovery to all other participants. In the Subsequent local network recalculation can be done for these reactivated computer nodes do not have the attribute " more available ". The computer node is thus included in the distribution of tasks.

Claims (4)

1. Fault-tolerant multicomputer system in which several microcomputers can represent each other, characterized in that
that at least N = 2M + 1 computer nodes (k0... k8) are arranged for the tolerance of M errors in computer nodes, which in this way are established by a communication network in the form of a plurality of predetermined point-to-point connections which work according to the handshake method are connected to each other so that each computer node (k0... k8) can reach each other in several partially or completely different ways and, if one or more communication paths fail, further routes are available for data transport,
that a distributed communication system is present, which has failure detection, error elimination and reintegration mechanisms, in that each sending computer node (k0... k8) monitors the receipt of a shipment with the aid of a time-out condition and the shipment if there is no connection path activity redirects and notifies this state to all computer nodes (k0... k8) using all active connection paths, whereby a failed computer node (k0... k8) is recognized by the failure of all connection paths leading to it and that both faultless and on as well Incorrectly marked connection paths are sent at regular intervals test messages for cyclical monitoring of the system status, whereby the system is able to detect the failure as well as the reintegration when recovery is detected, if a change in the status of the computer system is detected locally Communicate the activity of components and decentrally determine the state of availability as well as carry out an automatic adaptation of the communication routes and thereby the trouble-free operation for all error-free computer nodes (k0. . . k8) to ensure
that the communication system is able, via a system-wide addressing mechanism, to allow secure data exchange between two computer nodes (k0... k8) arranged arbitrarily in the network,
that at least (2Q + 1) input or output modules (p0... p5) are arranged for the tolerance of Q errors in the input or output modules and each of the input or output modules (p0... p5) is also arranged another of the computer nodes (k0... k8) is connected, the error-free data being determined by a (Q + 1) -out- (2Q + 1) majority decision and
that there is a decentralized control for task distribution, which ensures that each subtask is processed in parallel by at least (2M + 1) computer nodes (k0... k8) and after an (M + 1) -aus- (2M + 1) Majority decision the subsequent subtask is started. 2. Fault-tolerant multicomputer system according to claim 1, characterized in that the computer system is constructed in the form of an N = A _* B torus with A columns and B rows. 3. fault-tolerant multicomputer system according to claim 2, characterized in that for the tolerance of Q Errors at least A = (2Q + 1) columns are arranged and each input and output module (p0... p5) with one each Column is connected. 4. fault-tolerant multicomputer system according to claim 1, 2 or 3, characterized in that for the tolerance of Q errors in the input or output at least (2Q + 1) Controller for the input (P0; P1; P2) or (2Q + 1) Controller for the output (P3; P4; P5) of the Computer system are provided with the same Number of input units (E0; E1; E2) or Output units (E3; E4; E5) connected fully networked the controllers (P0; P1; P2 or P3; P4; P5) with each N = 2M + 1 different computer nodes (k0... k2 and k6. . . k8) are connected.