FI72396C - Procedure for providing an electronic system that tolerates errors and the corresponding system. - Google Patents

Description

72396 METHOD OF IMPLEMENTING A FAIL-RESISTANT ELECTRONIC SYSTEM AND A SIMILAR SYSTEM

The invention relates to a method for implementing a fault-tolerant electronic system 5, which system comprises three or more similar modules and a loudspeaker for testing the output signals of the system 1 and selecting the output signals according to the majority of the modules. The invention also relates to a similar system. Such a system works properly outwardly despite failure of any component of the system.

Fault tolerance is achieved through certification, or redudance. Additional components 15 or parts are added to the system that, in the event of a failure of a component or part of the system, perform those functions. There are many different authentication methods in electronic systems. The methods can be divided into operational verification and replacement verification.

20 During operation, the effect of the fault is masked or prevented immediately after it occurs. One embodiment of this is NMR (N 2 Klodular Redundancy): redundancy of N modules, where N modules perform the same task in parallel and the binary output signals of the system are determined by the majority of the modules. Such a system allows some of the modules to fail. The system still works properly on the outside, which means it is fault-tolerant. In addition to the modules, the system requires a loudspeaker that determines the majority of the output signals. There are usually an odd number of modules, and the most common system is TMR (Triple Modular Redundancy): the redundancy of three modules, which is already known e.g. U.S. Patent No. 4,375,683. Such a system and other known TMR systems consist of three modules, the output signals of which are applied to a separate receiver module, from which the output signals of the system according to the majority of modules are obtained. The system tolerates all faults in one module.

5 If the system also requires an indication of fault cases, the outputs of the modules must still be compared with the system outputs. In the system according to said US patent revision, this is implemented in such a way that both the output signals and the signals of the other two modules are input to each module, and a software comparison of these reveals the inaccuracy of one of the modules or also the system outputs. The weakness of such a solution is the location of the speaker in a separate module, e.g. a microcircuit, where, e.g., if the modules have 16 signals to be voted, at least 66 1-pin speaker circuits (3 x 16 input signals from modules, 16 system 1 output signals and operating voltage and ground terminals) are required. In addition, the feedback required by the fault indication requires, in the system according to said patent publication, 48 internal connection pins to the modules, which must in addition have 1 parent logic and additional programs for implementing the comparison and the fault indication.

The location of the speaker in a separate module results in e.g. increase in the need for circuit1. The implementation of fault indication 25 also requires additional circuit board space. Increasing the number of signals to be voted on means increasing the connection pins of the speaker by four for each additional signal. Thus, voting should often take place with several microcircuits, because 66-pin and possibly larger 30-microcircuits, for example, are not currently standard products. In this case, the reliability of the voter also suffers.

The voter is technically in series with the system for some failure modes, with the voter often determining the reliability of the system in short viewing periods, because the ideal TMR is very reliable for viewing periods that are small compared to the average failure rate of the modules.

The method according to the invention for implementing a fault-tolerant electronic system and a corresponding system provide an improvement in the above-mentioned aspects. The method according to the invention is mainly characterized in that the corresponding outputs of the modules are combined into system-10 outputs, the states of which are determined by the states of the majority of module outputs, so that the voting logics of the modules compare the states of the system outputs to the internal outputs of the modules. by means of which and in conjunction with a signal obtained from the possible logic of the previous module and indicating the status of this module, or a corresponding predetermined signal, the logic logic determines a faulty module in the event of a fault and prevents the module fault from affecting system outputs.

The method according to the invention is also characterized in that by logically processing the signals of the first outputs of the module logics in each voting logic, a signal is obtained at the second output of each module, which signals can be combined with a common output indicating signal error or error status.

The characteristic features of the system according to the invention are set out in claims 7-11.

35 4 72396

The most important advantages of the invention are that the invention can be used to implement an NMR or NMR system in general and that a separate voice module is not necessarily required and the system provides a fault indication in most system output fault situations. The indication is also obtained from a malfunction of a module, even if the system outputs are error-free. All of this can be accomplished with relatively few separate or directly integrated 101 ancillary logics, i.e., voter logic11a that can be connected to the modules. Regardless of the number of signals to be sampled, only seven terminal pins are required in integrated modules in the case of three-module redundancy. If the system is implemented as a redun-15 dance of five, seven, etc. modules, the number of additional connection pins required will always increase by one for each additional module. These are considerable advantages in terms of circuit board use compared to known solutions, which require up to another hundred additional connection pins and separate microcircuits. In addition, when integrated into the mo-20 modules, the voice logic is made very reliable, because it is known that the integration increases the reliability calculated per basic function. The integrated voter logic is also technically in series with some fault mechanisms, but the fault frequency of such critical faults is comparable to the fault frequency of a separate voter.

In this way, a fault-tolerant electronic system can be implemented, which has at least 30 as good reliability properties as known systems, but is also simpler in practical implementation and, in large series, also more economically advantageous. The integration of the speaker is very easy to implement e.g. in customer circles, which will be increasingly used in the future also in applications requiring reliability. For customer districts

II

72396 5 The additional cost of integrating the voter may remain very small compared to other costs. It should also be noted that the entire system can be fully integrated into a single chip piece as a single fault-tolerant microcircuit.

Troubleshooting and repair are most often easily arranged in the case of an integrated speaker. The system can be directly reported as a faulty module, which can be replaced intact even during operation, or a bypass module can be used during replacement. Module replacement can thus be performed very quickly, which is of considerable importance in the pursuit of high availability.

In the following, the invention, its operation and other advantages will be explained in detail with reference to a preferred embodiment of the invention shown in the accompanying drawings, in which:

Figure 1 shows a fault-tolerant electronic system implemented with voice logic 1a consisting of three modules 20 according to the invention;

Figures 2A, 2B and 2C are block diagrams of the voting logic associated with the modules of Figure 1;

Figure 3 shows in detail one of the voting logic connected to the module;

Figure 4 shows an electronic system according to the invention integrated into one microcircuit;

Figure 5 shows an output buffer that can also be used as an input buffer or as a multi-user bus-related output buffer.

The system according to the invention, delimited in dashed lines in Figure 1 and indicated by reference numeral 1, consists of three modules 2, 3, 4. The system may also consist of several 35 modules, most preferably an odd number, i.e. n kappa, 72396 pallets (n = 5, 7 , 9, ...), in which case the operation is basically similar to that of the three modules. Modules 2, 3 and 4 contain the actual module logics 29, 30 and 31, the voter logics 15, 16 and 17 and the output buffers 18, 19 and 5 20. The corresponding outputs 5, 6, 7 of the modules are wired together into an output 1 of the system. are in this case binary outputs, the output being either at a positive voltage (according to the positive logic agreement in the first state, i.e. as one) or at a zero voltage 10 (according to the positive logic agreement in the zero state, i.e. at zero). In addition, if the output buffers 18, 19, 20 are moth auxiliary buffers, it is possible to have so-called a high-impedance test-la. The output buffers 18, 19, 20 can also be of the open-collector type, in which case each individual system output 15 must be known to be connected to a pull-up resistor 11a to the operating voltage. The number of output signals at the outputs 5, 6 and 7 of the modules and the system 1 at the output 8 is not limited in any way.

20 Block diagrams of each of the voter logic 15, 16 and 17 are shown in Figures 2A, 2B and 2C. The voting logics are similar in structure. There are only differences in the connections between those parts, which will be clarified later. The voting logics 15, 16, 17 consist of a majority of indicators 60a, 60b, 60c, a status register 61a, 61b, 61c and a comparator 35a, 35b and 35c. Figure 3 shows in detail the voting logic 15 associated with module 2. The various parts of this are indicated by non-alphabetical reference numerals 1-1a.

30

The actual module logics 29, 30 and 31 contained in modules 2, 3 and 4 may be any electronic devices with binary outputs or similar logic outputs, such as microprocessors, ana / digital-35 converters, memories, etc. In module logics 29, 30 and 31 7 the information to be processed is input as binary or analog signals or the like, for example via inputs 9 ', 10' and 11 'to these devices. Each module 2, 3 or 4 can be a fully integrated circuit in which the corresponding voting logic 15, 16 or 17 is also integrated. Furthermore, modules 2, 3 and 4 can be integrated into a single fault-tolerant integrated circuit.

The connections 10 between the different parts of the system according to the invention are essentially as follows (Figures 1, 2 and 3).

The outputs 5, 6, 7 of the output buffer 18, 19, 20 are connected, as already stated above, to the system output 8 and this voter 15, 16, 17 of the comparator 35; 35a, 35b, 35c to the first inputs. The internal outputs 9, 10, 11 of each module logic 29, 30, 31 are connected to the corresponding output buffer 18, 19, 20 and the other inputs of the vote logic comparator. The output 12a of the comparator 35a of each voter logic, e.g., 15, is connected to the inputs 12a ', 12b, 12c of most of the voter logics!] Landscapes 60a, 60b, 60c.

The majority identifiers, e.g. 60, (Fig. 3) are in turn connected to the corresponding status register 61 and the status registers 61a, 61b, 61c of the voting logics 15, 16, 17 of the different modules 2, 3, 4 are connected to each other from outputs 28a, 28b and inputs 27b, 27c.

25 In system 1, a comparator 35 for each voting logic 35; 35a, 35b, 35c compare the states of the system outputs 8 with the states of the internal outputs 9, 10, 11 of the module 2, 3,4 and, on the basis of the comparison, give a signal to the majority 1 of all voters 30; 60a, 60b, 60c, which further provides information on the states of the outputs 9, 10, 11 of the module 2, 3, 4 to the state register 61; 61a, 61b, 61c, by means of which, together with signals from other status registers and corresponding modules indicating the status of the corresponding modules, determine a faulty module in case of a fault and prevent fault 8 72396 from affecting system outputs 8 by blocking tSmSn module status register output 53a, 53b 18, 19, 20.

The comparator 35a, 35b, 35c, the majority 60a, 60b, 60c and the status register 61a, 61b, 61c of each voting logic 15, 16 and 17 can be implemented, for example, as shown in the accompanying drawings. Each comparator 35 (Fig. 3) is formed of the required number of absolute-or-gates 10 351, 352, 353, ..., the first input of which is connected to the external outputs 5 of the module, e.g. 2; 501, 502, 503, ... and the second inputs of the module 9 to the second input; 91, 92, 93, ...

The majority of each voter logic 15, 16, 17 is 60; 60a, 60b, 60c are formed by or gate 38, 40 and inverter 15 blades 39. The inputs of the first or gate 38 are connected via different input logics 15, 16, 17 via inputs 12a, 13a, 14a (Fig. 3) of the voter logic. the outputs 12a, 13b, 14c of the comparators 35 (Fig. 3). Connected directly to the inputs of the second or gate 40 are the outputs 13b, 14c (Fig. 1) of the comparators 35b, 35c 20 located in the second speaker logics 16, 17 and via the inverter 39 the output 12a 'of the comparators 35 (35a) consumed by to the same voting logic 15 as said majority sensor 60 (60a) and whose outputs 384, 404 of the gate ports 38, 40 act as outputs of the majority detector 60 and are connected to the inputs 54, 55 of the status register 61.

The status register 61 comprises inputs 27, 34, 54, 55 and a clock C2 and outputs 21, 28, 53, as well as or gates 41, 48, and gates 42, 30 44, 45, 49, an inverter 43 and two flip-flops or a corresponding intermediate register, preferably a first D-type 46 and a second JK-type 47 flip-flop. In the state register 61, the input 27 is connected to the first input 411 of the or gate 41 and the input 431 of the inverter 43; input 34 is connected to the reset input CLR of each flip-flop 46, 47; input 54 is connected to second input 482 of or gate 48 and to second input 492 of and gate 49; input 55 is connected to the second input 412 11 9 72396 of the or gate 41 to the first input 441 of the je gate 44 and to the first input 491 of the and gate 49. The first output 461 of the first flip-flop 46 is connected to the status register output 53 and the clock input 471 of the second flip-flop 47. 46, the second inverter-5 output 462 is connected to the first input 481 of the or gate 48. The output 474 of the second flip-flop 47 is connected to the third input 423 of the and gate 42 and to the third input 453 of the and gate 45. The J-input 472 of the flip-flop 47 is connected and K input 473 to zero. The output 413 of the gate 41 is connected to the first input 421 of the gate 42. The output 483 of the gate 48 is connected to the second input 422 of the gate 42 and the second input 442 of the and gate 44. The output 443 of the 3a gate 44 is connected to the data input D of the first flip-flop 46. The output 432 of the inverter 43 is connected to the first input 451 of the gate 45 and the second input 452 of the clock C2 and the gate 45 and the output 454 of the gate 45 is connected to the clock input CK of the first flip-flop 46. The output 424 of the and gate 42 is connected to the output 28 of the status register and the output 493 of the and gate 49 is connected to the output 21 of the status register.

20

The structure and operation of the fault-tolerant electronic system according to the invention will now be described in detail with reference to Figures 1, 2 and 3. In Fig. 1 the input 27a of the module 2 (in Figs. 1 and 2 the corresponding inputs of the modules 3 and 4 are 27b and 27c) is connected to zero voltage, i.e. the ground plane and the output 28a (in Figs. 1 and 2 the respective outputs of the modules 3 and 4 are 28b and 28c) is connected to the module 3 to input 27b and module 3 to output 28b is connected to module 4 input 27c. The output 28c of the module 4 is connected via a resistor 23 to the ground plane. When the system is started, a setting pulse is applied to the input 34a of each module (the inputs of the modules 3 and 4 in Figures 1 and 2 are marked 34b and 34c), which resets the output 53 of the status register 61, i.e. the Q output 461 of the D-type flip-flop 46 (Fig. 3). In this case, the Q output of the flip-flop 46, i.e. its complement 462, rises to one, and the Q output 474 of the JK-type flip-flop 47 also rises to one. The Q output 461 of the D-flip-flop 46, i.e. the output 53a (53b, 53c) of the status register, is connected to all the output buffers 18, (19, 20) of the module 2 (3, 4), of which k (k = 1, 2, 3, ... ) in Fig. 3 only 5 three pieces are numbered 181, 182 and 183. In this case, when the signal at the output 53 is in the zero state, the outputs 501, 502, 503 of the buffers 181, 182, 183 are either in high impedance mode (coil mode buffers) or in the single state (open collector -pus-counters). When the signal at the output 53 is in the first state, the external outputs of the module 2 (outputs 501, 502, 503 in Fig. 3) are inverted by the internal output signals of the module 1 (marked 91, 92, 93 in Fig. 3) so that possible changes of the outputs 501, 502, 503 C1 on the rising edge of the pulse. The external outputs 5, 6, 7 of the modules 2, 3, 4 of the setting pulse j S1 to 15 introduced into the input 34 (Fig. 1), i.e. also the system outputs 8, are either in the high-impedance state or in the first state.

When the actual module logics 29, 30, 31 (Fig. 1) are set to the same state when the electronic system 1 is started, then the comparison of the output signals of the outputs 9, 10 and 11 of the internal or actual module logics with the outputs of the external outputs 5, 6 and 7 8 with the output signals in comparator 35 gives the same result in all modules. Comparator 35 is formed open! 1-sector type absolute-or-gates 351, 352, 353, ... (Figure 3). The outputs of absolute gates 351, 352, 353 are connected to one output 12a of comparator 35. The corresponding output of the comparator 35b, 35c of the modules 3 and 4 is denoted in Fig. 1 by reference numerals 13b and 14c. As is known, these outputs must be connected to the operating voltage + V via an external pull-up resistor. The outputs 12a, 13b and 14c of the comparators 35a, 35b, 35c are connected to each module 2, 3, 4 as shown in Figure 1 and within the modules, in the voice logs 35, 15 and 17, the outputs 12a, 13b and 14c are connected by a majority] to the inputs or gates of the corn 60 60 e 38 and 40.

Il 11 72396

The module 2's own internal reference signal is applied via input 12a ', (input 13b1 in module 3 and input 14c' in module 4) to port 40 inverted by inverter 39. Thus, after the setting pulse applied to input 34, at least one one is obtained for each detector or gate 40 in each module. so the output of the or gate 40 and the second output of the majority detector are also number one. Since the output 462 of the D-flip-flop 46 of the status register 61 is now also one, each module also has one at the output of the or gate 48. Thus, both inputs of the -10 port 44 are ones, so its output, i.e. the data input D of the flip-flop 46, is also one. The Q output 474 of the JK flip-flop 47 is also one in each module, but since input 27a is zero only in module 2 (outputs 28a and 28b are one, since all inputs of and gate 42 are one to 15), the inverter 43 the output is one only in module 2. Thus, the two inputs of and gate 45 are one in module 2, so the pulse of clock C2 enters the clock input of D-flip-flop 46 and at the rising edge sets flip-flop output 461 and status register output 53a to one. Then the outputs 5 of the module 2; 20 501, 502 and 503 are activated and at internal outputs 9; 91, 92, 93 at the rising edge of the clock C1 pulse stored in the output buffers 18; 181, 182, 183 access outputs 5; 501, 502 and 503.

25 Outputs 5; 501, 502, 503, i.e. the signals of the system outputs 8 now follow inverted the internal outputs 9 of the module 2; 91, 92, 93 signals. When all the module logics 29, 30 and 31 (Fig. 1) are set to the same state and later perform the same task at the same time, the reference signals of the outputs 30 12a, 13b and 14c now remain number one except for the change of the internal signals 9, 10 and 11. and the time between the subsequent change of states of the system outputs 8 controlled by the clock C1. After all, the internal outputs and the system output differ from each other, and the signals 35 at outputs 12a, 13b and 14c are reset. But when changes 12 72396 also occur at the system outputs, the signals at outputs 12a, 13b and 14c also become number one. The phase difference of the pulses of clocks C1 and C2 must be such that the signals at outputs 12a, 13b and 14c and other voting logic 5 have time to settle by the rising edge of the pulse of clock C2. The pulses of the clock C2 are best generated in each module 2, 3, 4 with a suitable delay from the pulses of the clock C1, which in turn are formed e.g. by the own clock of the module logics 29, 30, 31.

10

As described above, normally the outputs 5 of the module 2 are active and dominant system outputs 8. The outputs 6 and 7 of the modules 3 and 4 are masked or covered (with the mimic state buffers, i.e. the output buffers 11, 19, 20 to the high impedance mode or the open sector buffer 1). ), but the module logics 30 and 31 operate normally at all times and the voting logics 16 and 17 compare the internal outputs 10 and 11 to the system outputs 8.

The signal from the second output of each module 2, 3, 4, i.e. at the same time from the second output 21a, 21b, 21c of each voter logic 15, 16, 17 or their common output 21 (Fig. 1), indicates the error-free status of the system outputs 8.

25

In the embodiment of the invention shown in the drawings, port 49 (Fig. 3), the output of which is denoted by reference numeral 21a, is of the open-collector type, and the outputs 21a, 21b, 21c of each module 2, 3, 4 are wired together (Fig. 1).

30 When all modules are working properly, the signal at output 21 (Figure 1) is one (except for change situations) because the signals at the outputs of ports 38 and 40 are one and are at inputs and gate 49.

35

II

13 72396

In the event of faults in the module logics 29, 30 and 31, two cases can be distinguished: 1. The fault occurs in the module logic that determines the system outputs.

2. The fault occurs in one of the module logics whose outputs are masked.

If in the first case the outputs of the module 2 are active and the fault occurs in the module logic 29, then on the next rising edge of the pulse of the clock C1 also the system outputs 8 or part of them become erroneous. Properly functioning modules 3 and 4 detect this and the reference signals of their speaker logics 16 and 17 at outputs 13b and 13 14c are reset because there is a discrepancy between the system outputs 8 and the internal outputs 10, 11 of the modules 3 and 4.

In this case, all inputs of the module 2 or gate 40 are reset, because the number one signal at the output 12a is applied to the gate 20 40 via the inverter 39. Thus, the output signal of gate 40 in module 2 is reset and at the same time the output signals of gate 44 and or gate 41 in module 2 and the rising edge of the pulse of clock C2 are reset at output 53 in module 2. This causes the outputs 5 of module 2 to mask (i.e. high impedance state or one state) and at the same time the falling edge of the reset signal of the output 53a or the state register internal output 461 resets the J output of the JK flip-flop 474, which, as one of the inputs of the J-gate 45, prevents the clock C2 The outputs of module 2 now remain masked until a setting pulse is applied to the next input 34.

When the signal at the output of port 41 in module 2 is reset (input 27a at zero and the output of port 40 at zero), the signal 35 at output 28a and thereby at input 27b of logic 16 14 7 2 396 of module 3 is reset, causing the output signal of inverter 43 in module 3 to rise to one. Then in module 3 and the two inputs of gate 43 are in the first state (signal at output 474 and output of inverter 43), so the pulse of clock C2 reaches the clock input of 3 D flip-flop 46, whose flip-flop data input D is one in module 3 (and the inputs of gate 44 are ONE state). Thus, on the same rising edge of the pulse of clock C2, where the signal of module 2 at output 53 was reset and the outputs 5 were masked, the signal of output logic output 53 of module 3 rises to one. In this case, the signals of the internal outputs 10 of the error-free module 3 stored on the rising edge of the clock C1 pulse in the output flip-flops 62 (Fig. 5) in the output buffers 19 reach the output 632 of the inverter 63, i.e. determine the signals of the system outputs 8. Now also the error-free module 4 detects that the signals at output 8 are error-free and the reference signals 13b and 14c of the modules 3 and 4 rise to one. Thus, in each module, at least one of the inputs of the gate gates 38 and 40 is in the one state, so their output signals are also one, i.e. the signal at the output 21 is also the one at the signal output system 8 using a sufficiently low clock frequency and a suitable pulse rate in the clock. Cl, it can be ensured that the above-described corrective action takes place within one clock cycle, and the next stage can read the data 25 e.g. at the falling edge of the clock C1 pulse, by which time any corrective actions have taken place.

If there is a permanent fault in module 2 and a constant conflict with the signals of the system outputs 8, then the signal at output 12a remains continuously zero. However, if there was only a transient fault in module 2 or a permanent fault that is not continuously visible in its internal outputs 9, the signal output 12a may temporarily or permanently rise to one. However, module 2 remains masked unless a new set pulse is applied to input 34 because the signal at state 3 of the register 61 at the 3K flip-flop output 474 of module 2 is reset and prevents status changes at output 461 of D-flip-flop 46 and at the same time output 53a of status register 61.

15 72396

The situation in which the outputs of module 2 were initially active was considered above. This is normally the case, as the outputs of module 2 remain active until the first error at the system outputs Θ.

5 The faulty module is then tried to be replaced as quickly as possible and the system is reset by a setting pulse via input 34 so that the outputs 5 of module 2 are active, i.e. the states of output 5 determine the states of output 8 of system-10. If there was a transient fault in module 2, which later disappears, then the system tolerates a new fault and if it occurs in module 3, the outputs of module 4 are activated by the mechanism described above. After this, the new cycle is successful only after the setting pulse 13 applied to the input 34 remains.

In the second case, the fault occurs in one of the module logics whose outputs are masked. In this case, the fault cannot propagate to the system outputs 8, but is only visible in the internal signals of the faulty module. For example, if the module logic 31 of module 4 is assumed to be faulty, and the outputs of module 2 are active, then the comparator 35c of module 4 will notice the discrepancy and the signal at output 14c will be reset. The other reference signals at outputs 12a and 13b py-25 are deep as ones. Thus, at all the inputs of all modules or gates 38 and 40, at least one signal enters the one state, so the output signals of the or gates 1 are one in each module 2, 3, 4. Thus, no signal change occurs at the output 53 of the state register 61 in any module. 30 Also, the signals applied to the inputs of the and gate 49 in each module remain one. In this way, the signal at output 21 is not reset at any stage, which is not necessary either, because the signals at system output 8 are always in accordance with the majority.

35 16 72396

In the second case, the fault may also be in the module logic 30, in which case the system 1 operates as described above.

Thus, the system operates in a fault tolerant manner in the event of a failure of any of the mode logic 29, 30 or 31. However, faults may also occur in modules 2, 3, 4 in the voice logics 15, 16 and 17 or in the output buffers 18, 19 and 20. Most of the faults in the voice logics are those that alone do not damage the system outputs 8, but 10 do not receive a fault indication. . The situation is also the same in known NMR systems. Voter n logic faults are critical to those that cause an erroneous reset of the signal at output 21, because this signal is used to indicate a fault and e.g. to stop operation. Latent defects can be detected by periodic testing.

The output buffers 18, 19, 20 form the most critical part of the N-modulus redundancy NMR systems. Failure of the outputs 20 always causes a system failure in known NMR systems. Instead, in the system according to the invention, some of the faults in the output buffers can also be covered. Namely, if all or part of the output states of the output buffers 18, 19 or 20 in one of the modules 2, 3, 4 remains permanently one or in the high-impedance state, then the corresponding buffer of the other module is able to control the the check-out. If the faulty buffer is in a module whose outputs are not active, then no action is taken as a result, although unfortunately the fault is not detected 30 without separate testing. If the above fault occurs in those output buffers that are active (e.g., the buffers 18 of module 2 are assumed), then the reference signals of comparators 35a, 35b and 35c at outputs 12a, 13b and 14c are reset because the signals or states at output 8 are cross-35. in dispute with the premises of all internal outputs 9, 10 and 11.

il 17 72396 Then all signals at the inputs of the gate 38 are zero, i.e. the second input of the gate 49 is reset and also resets at the signal output 21. The output signal of the or gate 48 is also reset in the module 2, so one input signal 5 of the and gate 44 is reset, followed by resetting the output signal of the gate and resetting the signal entering the data input of the D-flip-flop 46. At the next rising edge of the pulse of the clock C2, the signal at the output 53 of the status register 61 is reset and the outputs 5 of the module 2 are covered, i.e. masked. At the same time, the output signal of the module 2 or gate 48 has also reset the output signal of the and gate 42 at signal output 28a, which in turn resets the signal at input 27b in module 3, where both input signals of and gate 44 are now ones and two input signals of and gate 45 there are ones 15 and the third signal, i.e. the clock pulse from the clock C2, reaches the clock input of the D-flip-flop 46. When the output signal of the And gate 44, i.e. the data input signal of the D-flip-flop 46, is one, the signal at the D-flip-flop 46 output 461 in the module 3, i.e. the output logic 16 output 53b, rises to one, whereby the internal signal 20 now determines the system output 8 states. In this situation, all modules agree on the error-free state of the outputs 8, because the fault was in the output buffers 18 of the module 2 and its effect was masked. This way, the system remains fault-tolerant. If a fault occurs in module 3, its outputs are masked and the active outputs are transferred to module 4 as described above.

When the outputs 8 fail permanently, the signal at the output 21 must be used in such a way as to prevent the erroneous information 30 from advancing to the stages following the system 1. The majority gate 60 or gate 38 ensures that the output 21 signal remains at zero when one of the output buffers 18, 19, 20 has failed so that all states of the internal outputs 9, 10 and 11 are in constant conflict with the states of the outputs 8. This is the case e.g.

18 72 3 9 6 when one of the output buffers 181, 182, 183, ... has permanently failed to zero. In this case, all modules are sequentially covered as described above without being able to correct the error, and finally the output signal 5 of the gates 40 is one in all modules 2, 3, 4, but the gate 38 provides a zero signal to the gate 49, so the signal at output 21 remains zero. the inaccuracy of the signals at outputs 8.

10 One problem with TMR systems is to synchronize all modules so that the same signals to be voted on occur in different modules simultaneously and so that it is known at what point the voting should take place. No improvements have been made in the present invention with respect to synchronization, but the synchronization must be carried out using known methods, e.g., those disclosed in U.S. Pat. No. 4,375,683. In this connection, the clocks C1 and C2 must also be re-synchronized and the synchronization must be carried out in such a way that the phenomena associated with changes in the internal signals 9, 10 and 11 in the logic 20 15, 16, 17 have leveled off as the rising edges of the C2 pulses enter the D registers. 46 clock inputs in different modules.

Figure 4 shows a system according to the invention integrated into one microcircuit. In this case, the system according to Fig. 1 is integrated on one silicon piece and only 3 additional connection pins are needed in the circuit: output 21, input 34 for setting pulse and fault indication output 24 of some module logic 29, 30, 31 formed by outputs 12a of comparators 35a, 35b, 35c, 13b and 14c and gate 50. The setting pulse at input 34 may also be common to the setting pulses of the module logics 29, 30 and 31.

The reference signals of comparator 35a, 35b, 35c at outputs 12a, 35b and 14c can be used to implement a current detector to be added to the system. The fault detector includes a logic and memory circuit in which all faults in the module logics are registered on the basis of signals 12a, 13b, 14c and 21 and the faulty module is notified to the control room or service personnel in the desired manner, e.g. by alarm and $ fault indication. The signal at output 21 can also be used to alert that outputs 8 are incorrect.

A possible output buffer solution is shown in Figure 5. The output buffer is denoted by reference numeral 181; assume that it is the first unit of the output buffer 18 of module 2 1. The normal output buffer comprises an intermediate register such as a D-type flip-flop 62 and inverting gates 63. The first signal output 91 of the internal output 9 of the module 2 13 is connected to the flip-flop 62 D-input, clock C1 output to clock input and status register 61a output to inverting gate 63 control input 633. Gate 63 input 631 is connected to the Q output of flip-flop 62 and the output 632 to the first sig-20 signal output 501 of the external output 3 of the module 2. When the output buffer is active, the internal signal output 91 determines the state of the external signal output 501. When an obstacle signal is received from the status logic 61a of the voice logic 15 via the output 53a to the input 633 of the gate 63, the gate closes to either the high impedance state or the first state and prevents the internal signal output 91 from affecting the external signal output 501. All units 183, 182 ... at.

The significance of an intermediate register in the output buffer, such as D-flip-flop 62 30, is that when the internal outputs 9, 10, 11 of all modules are stored on the D-flip-flops 62 of the respective output buffers 1 on the rising edge of the clock C1, then and before the next rising edge of the clock C1 pulse faults in module logics 29, 30, 31 (especially those whose outputs are active) do not access system outputs 8 to 72396. This ensures that the next stage of the system receives information error-free despite an error at any time in module logics 29, 30, 31.

5

If some or all of the signal outputs of system output 8 are connected to a multi-user bus, invertable gates are connected in opposite directions alongside those output buffers 181, 182, 183, such as port 64 in Figure 5. Input 641 of port 64 is connected to first signal output 501 and output 642 the internal output 9 of the module 2 to the first signal output 91 and the D input of the flip-flop 62. The control input 643 of the gate 64 is connected to the input 37a of the output buffer 181.

The co-operation report 64 can be controlled by a control signal from the module logic 29, which is applied to the input 37a of the output buffer 18 so that when the bus is used by others, the port 64 acts as an inverter. This avoids incorrect signal changes at the outputs 20 12a, 13b and 14c of the comparators 35a, 35b, 35c.

An output buffer with port 64 and the like can also be used as an input buffer for modules. In this case, the possible normal external inputs 9 ', 10', 11 'of the module logics 29, 30, 31 can be replaced by the respective an input buffer.

The invention is not limited in any way to the implementation example presented above, but e.g. the different synchronization requirements of different electronic devices mean that the system can be implemented even without clocks C1 and C2. Otherwise, the voting logics 15, 16, 17 can be implemented in different ways, only one working solution is shown in Figures 2 and 3. The invention is also not limited to systems using redundancy of three modules, but redundancy systems of several modules can be implemented within the basic idea of the invention. A hybrid system can also be implemented in which one or more modules are arranged in reserve.

Il

Claims (11)

21 72396 A method for implementing a fault-tolerant electronic system, the system (1) comprising three or more similar modules (2, 3, 4) and a loudspeaker for testing the output signals of the system and selecting the output signals according to the majority of the modules, characterized in that the modules (2, 3, 4) the corresponding outputs (5, 6, 7) are combined into system outputs (B), the states of which are determined by the states of the majority of the module outputs so that the voting logics (15, 16, 17) associated with the modules compare the system outputs ( 8) states to the states of the internal outputs (9, 10, 11) of the modules and, on the basis of the comparison, set the signals of the outputs 15 (12a, 13b, 14c) of the voting logics, by means of which and together with the voting logic of the possible previous module (2, 3) , 16) with the received signal indicating the status of this module, or a corresponding predetermined signal, the logics (15, 16, 17) normally detect the error-free nature of the system and in the event of a fault, determine the faulty module and prevent the module fault from affecting the system outputs (8). A method according to claim 1, characterized in that the signals of the first outputs (12a, 13b, 14c) of the voting logics (15, 16, 17) of the modules (2, 3, 4) are logically in each voting logic (15, 16, 17). ) provides a signal at the second output (21a, 21b, 21c) of each module, which signals are connected to a common output (21), the signal from which indicates the error-free status of the system outputs (8). Method according to Claim 1 or 2, characterized in that the system outputs (8) or part 22 7 2 3 9 6 thereof and the outputs (5, 6, 7) of the modules (2, 3, 4) or part thereof, respectively, are arranged to operate. also as module inputs or multi-user bus-related outputs or outputs and inputs. 5 Method according to Claim 1, 2 or 3, characterized in that 1 output signals from the internal outputs 10 (9) of the modules are stored in the output buffers (18, 19, 20) arranged in the outputs (5, 6, 7) of the modules (2, 3, 4). 10, 11), said output signals being obtained, if necessary, from a signal 1a available to the system output (8) from the output (53) of the module. Method according to Claim 2, 3 or 4, characterized in that the combined outputs (12a, 13b, 14c) and second outputs (21a, 21b, 21c) of the logics (15, 16, 17) or the second outputs of the second outputs (21), the signals obtained are read into an error recorder, which, if desired, provides a signal indicating the failure of one of the modules (2, 3, 4) and / or signals indicating which of the modules (2, 3, 4) is defective. Method according to one of the preceding claims, characterized in that the system (1) is integrated into a single module (33) so that the module has a system! outputs (8), an output (21) for receiving a signal indicative of a fault or error in the states of the system outputs, and / or an output (24) for receiving a signal indicative of a fault in a module (Figure 4). 30 A fault-tolerant electronic system comprising three or more similar modules (2, 3, 4) and a loudspeaker for testing the output signals of the system and selecting the output signals according to the majority of the modules, characterized in that 23 7239 6 - each module (2, 3, 4) includes the actual module logics (29, 30, 31), voter logics (15, 16, 17) and output buffers (18, 19, 20); the voting logics (15, 16, 17) include a comparator (35; 35a, 35b, 35c), a majority detector (60; 60a, 60b, 60c) and a status register (61; 61a, 61b, 61c); - the outputs (5, 6, 7) of the output buffer (18, 19, 20) are connected as a system output (8) and this to the first inputs of the comparator (35; 35a, 35b, 35c) of the voting logic (15, 16, 17); - the internal output (9, 10, 11) of each module logic (29, 30, 31) is connected to a corresponding output buffer (18, 19, 20) and a comparator (35; 35a, 35b, 35c) of the vote logic (15, 16, 17) other income; - the output (12a) of each comparator (35a) of the voter logic (e.g. 15) is connected to the inputs (12a ', 12b, 12c) of the majority of the voter logics (60a, 60b, 60c); - the majority detectors (eg 60) are connected to the corresponding status register (eg 61) and the various modules (2, 3, 4) voted! the status registers (61a, 61b, 61c) of the logs (15, 16, 17) are interconnected; and in which system the comparator (35a, 35b, 35c) of each voting logic compares the states of the system outputs (8) with the states of the internal outputs (9, 10, 11) of the module (2, 3, 4) and on the basis of the signal outputs the majority detectors 1e ( 60a, 60b, 60c), which further provides information to the status register (61a, 61b, 61c) of the module (2, 3, 4), by means of which and together with any other modules (2, 3) obtained from other status registers (61a, 61b, 61c) , 4) with the status signals, a system error is normally detected and in the event of a fault a faulty module is determined and the effect of the fault on the system outputs (8) is prevented by signaling to the output buffer (18, 19, 20) via the status register output (53a, 53b, 53c) of this module. 2 «72 396 System according to Claim 7, characterized in that the output buffers (18, 19, 20) of the modules (2, 3, 4) have intermediate registers (62) in which the signals from the internal sources (9, 10, 11) of the modules are stored. 3 and which stored signals are output to the system output (8), if necessary, by a control signal from the output (53a, 53b, 53c) of the voice logic (15, 16, 17). A system according to claims 7 and 8, characterized in that each comparator (35; e.g. 35a) is formed by absolute gates (351, 352, 353, ...), the first input of which is connected to the outputs (5; 501, 502, 503, ...) of the module (eg 2) and the internal outputs (9; 91, 92, 93, ...) of the module (2) to the second input and whose absolute-15 or gates the outputs are connected (e.g. 12a). A system according to claim 7, 8 or 9, characterized in that the multi-function detector (60; 60a, 60b, 60c) of each voting logic (15, 16, 17) is formed by a gate (38, 40) and an inverter ( 39), whose inputs of the first or gate (38) are connected to the outputs (12a, 13b, 14c) of the comparators (35; 35a, 35b, 35c) of the different speaker logics (15, 16, 17) and whose second or gate (38) 40) the inputs (13a, 14a) are directly connected to the outputs (13b, 14c) of the comparators (35b, 35c) located in the second voting logics (16, 17) and the output of its comparator (35a) via the inverter (39) ( 12a) belonging to the same voting logic (15) as said majority detector (60a) and having the outputs (384, 404) 30 of the or gates (38, 40) acting as outputs of the majority detector (60) and connected to the inputs of the status register (61) ( 54, 55). A system according to claim 7, 8, 9 or 10, characterized in that the status register (61) comprises inputs (27, 34, 54, 55 and clock C2) and outputs (21, 28, 53) and gates (41, 48), and gates (42, 44, 45, 49), II 25 7 2 3 9 6 inverter (43) and two flip-flops or a corresponding selector register, preferably a first D-type (46) and a second JK-type (47) flip-flop, and in which the status register (61) - input (27) is connected to the first input (411) of the or gate (41) and the input (431) of the inverter (43) »- input (34) is connected a reset input (CLR) of each flip-flop (46, 47); - the input (54) is connected to the second input (482) of the or gate (48) and to the second input (492) of the and gate (49); - the input (55) is connected to the second input (412) of the or gate (41), the first input (441) of the and gate (44) and the first input (491) of the and gate (49); - the first output (461) of the first flip-flop (46) is connected to the output (53) of the status register and to the clock input (471) of the second flip-flop (47); - the second inverted output (462) of the first flip-flop (46) is connected to the first input (481) of the or gate (48); - the output (474) of the second flip-flop (47) is connected to the third input (423) of the and gate (42) and to the third input (453) of the and gate (45); - the output (413) of the or gate (41) is connected to the first input (421) of the and gate (42); - the output (483) of the or gate (48) is connected to the second input (422) of the and gate (42) and to the second input (442) of the and gate (44); - the output (443) of the and gate (44) is connected to the input (D) of the first flip-flop (46) - the output (432) of the inverter (43) is connected to the first input (451) of the and gate (45) and the clock (C2), and a gate (45) to the second input (452); - the output (454) of the and gate (45) is connected to the first clock input of the flip-flop (46); - the output (424) of the and gate (42) is connected to the output (28) of the status register; - the output (493) of the and gate (49) is connected to the output (21) of the status register. ί "~ '' 26 72396