IE52648B1 - Microprocessor system - Google Patents

Microprocessor system

Info

Publication number
IE52648B1
IE52648B1 IE340/82A IE34082A IE52648B1 IE 52648 B1 IE52648 B1 IE 52648B1 IE 340/82 A IE340/82 A IE 340/82A IE 34082 A IE34082 A IE 34082A IE 52648 B1 IE52648 B1 IE 52648B1
Authority
IE
Ireland
Prior art keywords
microprocessor
memory
bus
data
buses
Prior art date
Application number
IE340/82A
Other versions
IE820340L (en
Original Assignee
Plessey Co Plc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Plessey Co Plc filed Critical Plessey Co Plc
Publication of IE820340L publication Critical patent/IE820340L/en
Publication of IE52648B1 publication Critical patent/IE52648B1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16Error detection or correction of the data by redundancy in hardware
    • G06F11/18Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits
    • G06F11/183Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits by voting, the voting not being performed by the redundant components
    • G06F11/184Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits by voting, the voting not being performed by the redundant components where the redundant components implement processing functionality
    • G06F11/185Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits by voting, the voting not being performed by the redundant components where the redundant components implement processing functionality and the voting is itself performed redundantly
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16Error detection or correction of the data by redundancy in hardware
    • G06F11/1604Error detection or correction of the data by redundancy in hardware where the fault affects the clock signals of a processing unit and the redundancy is at or within the level of clock signal generation hardware
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16Error detection or correction of the data by redundancy in hardware
    • G06F11/18Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits
    • G06F11/187Voting techniques

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Hardware Redundancy (AREA)

Abstract

A triple redundant microprocessor system has three microprocessors MPA, MPB, MPC, each of which includes a memory bus MA, MB, MC, to which is connected a program memory ROM and a data memory RAM which are addressed via an associated address bus AB. Each microprocessor also includes a data bus PA, PB, PC which is interconnected to the memory bus by associated majority voting circuits M1, M2, M3 which are also interconnected to the other microprocessor data buses and memory buses. The majority voting circuits function to provide majority voting on the respective microprocessor data bus and memory bus in response to the condition of signals present on the data buses and the memory buses connected thereto and to signals generated to the microprocessors. The system provides majority voting on bidirectional data buses only, and incorporates a phase locking arrangement for the internal clock generators CO of the microprocessor and also a hardware/software arrangement for instruction synchronism.

Description

The present invention relatesto microprocessor systems and in particular to a triple redundant microprocessor system which uses majority voting circuits.
The technique of using triple redundancy with majority voting to produce reliable systems from imperfectly reliable components is well known in the art, and when the technique is applied to commercially ; available microprocessors certain problems arise. The first problem is that only those signals that appear on ' external pin connections of the microprocessor areavailable for comparison. The second problem is that for majority voting to be meaningful, the microprocessors must operate in exact synchronism, and the third problem is that instruction synchronism must be maintained.
Accordingly an aim of the present invention is to provide a triple redundant microprocessor which overcomes the above mentioned problems in an efficient and effective manner.
According to the present invention there is provided a triple redundant microprocessor system wherein each - microprocessor includes a memory bus to which is connected a program memory and a data memory which are addressed via an associated address bus, each microprocessor also includes a data bus which is interconnected to the memory bus via associated majority - 3 voting circuits which are also interconnected to the other microprocessor data buses and memory buses and which function to provide majority voting on the respective microprocessor data bus and memory bus in response to the condition of signals present on the data buses and memory buses connected thereto.
An embodiment of the invention will now be described with reference to the accompanying drawings, of which Figure 1 shows a block diagram of a triple redundant microprocessor system, and, Figure 2 shows a schematic diagram of a majority voting circuit as used in Figure 1.
Referring to Figure 1, three microprocessors MPA, MPB and MPC are shown with all their associated circuitry. The circuitry for each is identical and will be described collectively. Each microprocessor has an associated clock oscillator CO and timer T. Oscillator CO has a clock fail indicator CF and timer T has a sync fail indicator SF. Timer T is used to provide an interrupt signal INT for its associated microprocessor via a majority gate. Each microprocessor has an address bus AB for addressing an associated random access memory RAM, a read only memory ROM and an input/output device I/O all of wh'ich output onto an associated memory bus MA, MB and MC. The memory buses MA, MB and MC are all connected to a respective input of one half the majority voting circuit Ml associated with each microprocessor.
The circuit Ml provides suitable gating logic which provides a read error signal RE and an ouput signal 0P1 which is delivered to a tristate buffer TB1. The associated microprocessor produces a directional control signal RD, the inverse of which is applied to the tristate buffer TB1 and to an error monitoring system SEL. The system SEE also receives the-associated read error signal RE and provides an indication for random access memory errors RAME, read only memory errors ROME and input/output errors l/OE. The output of the assoicated tristate buffer TB1 is applied to the associated microprocessordatabus PA, PB or PC. The data bus is applied to a second half of an associated majority voting circuit M2 which is connected also, to the other data buses. Majority voting circuit M2 provides . suitable gating logic which responds to the signals onthe data buses and the circuit M2 provides an output signal OP2 and a write error signal WE. The output -signal OP2 is applied to a tristate buffer TB2 together with an inverse directional controlsignalWR which is originated by the associated microprocessor. The output from the tristate buffer TB2 is applied to its associated λ memory bus MA, MB or MC. The control signal WR and the write error signal WC are applied to an error monitoring system MPE which provides an indication for microprocessor errors.
Referring to Figure 2, a bidirectional majority voting circuit is shown. Eight such circuits are provided for handling the eight bits of information which are present on each bus. The circuit shown is connected for use in association with microprocessor MPA and similar circuits are used for microprocessor MPB and MPC. The microprocessor memory data buses MA, MB and MC are connected to an array of gates consisting of AND gates G1 - G3, NAND gates G4 - G6 OR gate G7, and NOR gates G8, G9. The data buses PA, PB and PC are similarly connected to an array of gates consisting of AND gates GIO - G12, NAND gates, G13 - G15 OR gate G16 and NOR gates G17, G18. Gates Gl, G5 and GIO and G15 have one of their inputs inverted and gates G6 and G14 have two of their inputs inverted. The output of gate G2 provides the read error signal RE, and the output of gate G17 provides the write error signal WE. The outputs of gates G9 and G18 provide the respective ouput signals OP1, OP2 which are applied to tristate buffers TB1 and TB2 respectively. Gate Gl, G4 GIO and G13 are enabled by a signal EN which is produced by the respective microprocessor to enable/disable majority voting. The tristate buffers TB1, TB2 receive directional control signals RD and WR respectively which are produced by the respective microprocessor. The output of tristate buffer TBl is connected to the respective microprocessor data bus PA, PB, or PC and the output of tristate buffer TB2 is connected to the respective microprocessor memory bus MA, MB or MC.
The microprocessor system described overcomes the - .6 first mentioned problem,inthat any change that occurs within a microprocessor or its memories and peripheral devices will ultimately be reflected in signals on the data bus which connects the microprocessor and its memoriesand peripheral devices. An adequate method of error detection and correction is obtained by majority voting on the data bus, and the use of dummy read/writes of otherwise infrequently accessed memory locations will provide timely warning of faults in those locations.
Since the data bus is bi-directional,:a bi-directional majority voting circuit as discussed is used controlled by the read/write control signals RD, WR from the respective microprocessors.
The majority voting circuit has error output signals RE, WE which are asserted when the input from its own microprocessor system is different from the other two microprocessor systems. The error .signals are fed to the respective error counting systems SEL, MPE which operates warning and alarm signals at appropriate error rates.
Each microprocessor system therefore monitors its own errors.
In respect of the second problem discussed above, this is overcome by using the internal clock generators CO of the microprocessor and phase-locking them, A varactor diode is connected in series with the frequency determining crystal of each microprocessor which allows the crystal frequency to be pulled by the few-parts per million necessary to obtain synchronism. The bias on the - 7 varactor is derived from a conventional phase-locked loop circuit which compares the phase of the clock output of each microprocessor with a reference clock. The reference clock is obtained from the majority of the three clock outputs and continues to be available even if one clock generator fails completely or runs away. The microprocessor system is therefore referred to the clock generator of median phase. The controlling clock generator is synchronised to itself and the phase-locked loop is provided to be stable in this condition. The no clock and clock out-of-lock condition are detected and are used to drive a clock fail indicator CF.
The above mentioned third problem is related to the second in that microprocessor instruction synchronism is required and is achieved by the use of both hardware and software implementation. The hardware consists of an interval timer T attached to each microprocessor. The output of the timer T drives one of the program interrupt inputs of the associated microprocessor, via a majority gate. By use of the enable/disable signal EN the majority voting circuits can be made to revert to non-voting operation. The microprocessor outputs are arranged to assume the non-voting state at power on. The software consists of a HALT instruction which is inserted in the main loop of the operating system. The HALT instruction is preceded by instructions to set the non-voting state and is followed by instructions to set the voting state. 2 648 “ θ When the system is first switched on, the microprocessors MPA, MPB and MPC run asynchronously through an initalisation sequence until they read the HALT instruction whereupon they stop and wait until a : timer interrupt signal INT occurs. Since the interrupt signal is obtained from the majority of the three timer outputs, it occurs simultaneously in all three microprocessors, even though the timers were not necessarily initiated at the same instant. By the time the interrupt has occurred, the phase-locked loop will have synchronised and the microprocessors will be launched into an interrupt service routine in clock and . instruction synchronism. The service routines re-starts the timer and returns control to the instruction following the HALT instruction. The microprocessor will now be in the main'loop in synchronism and with the voting state set. If one microprocessor gets a few clock cycles out of step, when the other two microprocessors have reached the HALT instruction it will be running independently in the non-voting state and has an opportunity to catch up. The timer period is chosen so that only a small proportion of the time is spent in the HALT state. If one microprocessor gets a whole instruction cycle out of synchronism the correct op-code will be forced on the data bus by the majority voting circuit during the instruction fetch phase, and synchronism will be regained. 5264!

Claims (4)

1. A triple redundant microprocessor system wherein each microprocessor includes a memory bus to which is connected a program memory and a data memory which are addressed via an associated address bus, each microprocessor also includes a data bus which is interconnected to the memory bus via associated majority voting circuits which are also interconnected to the other microprocessor data buses and memory buses and which function to provide majority voting on the respective microprocessor data bus and memory bus in response to the condition of signals present on the data buses and memory buses connected thereto.
2. A triple redundant microprocessor system as claimed in claim 1 wherein each microprocessor is provided with an arrangement for synchronising the instructions which the microprocessors have to perform, said arrangement includes an interval timer associated with each microprocessor which drives, via a majority gate, a program interrupt input of the respective microprocessor, and the signals which each microprocessor generates include enable/disable signals which dictate the vote/non-vote state of the majority voting circuits, said enable/disable signals being generated by instructions which are inserted in the main operating loop of the microprocessor system, said instructions consisting of a HALT instruction preceded by an instruction to set the - 10 - . non voting state, and followed by an instruction to set the voting state, and each microprocessor runs through a sequence until each performs the HALT instruction, whereupon each microprocessor waits until a timer 5 interrupt signal occurs which is generated by said timers ' via said majority gate and thereby provide instruction synchronism for the system.
3. A triple redundant microprocessor system as claimed in claim 2 wherein each microprocessor includes a controllable 10 frequency clock oscillator which is maintained in synchronism with the other oscillators by a phase-locked loop arrangement which is used to provide a bias voltage for a varactor diode connected in series with each respective . oscillator to .permi t the majority voting circuits to function in 15 synchronism.
4. ' A triple redundant microprocessor substantially as described with reference to the accompanying drawings. Dated this 18th day of February, 13; 2. By; TQq
IE340/82A 1981-02-19 1982-02-18 Microprocessor system IE52648B1 (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB8105275A GB2093614B (en) 1981-02-19 1981-02-19 Triply redundant microprocessor system

Publications (2)

Publication Number Publication Date
IE820340L IE820340L (en) 1982-08-19
IE52648B1 true IE52648B1 (en) 1988-01-06

Family

ID=10519827

Family Applications (1)

Application Number Title Priority Date Filing Date
IE340/82A IE52648B1 (en) 1981-02-19 1982-02-18 Microprocessor system

Country Status (5)

Country Link
GB (1) GB2093614B (en)
IE (1) IE52648B1 (en)
NZ (1) NZ199770A (en)
PT (1) PT74338B (en)
ZA (1) ZA82160B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
SE457391B (en) * 1987-04-16 1988-12-19 Ericsson Telefon Ab L M PROGRAM MEMORY MANAGED REAL TIME SYSTEM INCLUDING THREE MAINLY IDENTICAL PROCESSORS
SE465056B (en) * 1989-05-12 1991-07-15 Ellemtel Utvecklings Ab PROCEDURE TO AVOID LATENT ERRORS IN A LOGIC FOR MAJORITY SELECTION OF BINARY SIGNALS
US5349654A (en) * 1992-02-20 1994-09-20 The Boeing Company Fault tolerant data exchange unit
EP1146423B1 (en) * 2000-04-11 2010-01-20 The Boeing Company Voted processing system
US7318169B2 (en) * 2002-05-15 2008-01-08 David Czajkowski Fault tolerant computer
US7260742B2 (en) * 2003-01-28 2007-08-21 Czajkowski David R SEU and SEFI fault tolerant computer
CN110928217A (en) * 2019-11-18 2020-03-27 天津津航计算技术研究所 CPU (Central processing Unit) triple-redundancy voting circuit applied to aviation electric heating control system

Also Published As

Publication number Publication date
PT74338A (en) 1982-02-01
PT74338B (en) 1984-07-30
IE820340L (en) 1982-08-19
NZ199770A (en) 1984-12-14
ZA82160B (en) 1982-11-24
GB2093614A (en) 1982-09-02
GB2093614B (en) 1984-10-17

Similar Documents

Publication Publication Date Title
US5185877A (en) Protocol for transfer of DMA data
US4251873A (en) Digital computing apparatus particularly for controlling a gas turbine engine
US5291494A (en) Method of handling errors in software
US5251227A (en) Targeted resets in a data processor including a trace memory to store transactions
US5381542A (en) System for switching between a plurality of clock sources upon detection of phase alignment thereof and disabling all other clock sources
US5355468A (en) System for halting synchronous digital modules
US5163138A (en) Protocol for read write transfers via switching logic by transmitting and retransmitting an address
US4580246A (en) Write protection circuit and method for a control register
US5065312A (en) Method of converting unique data to system data
JPH03182938A (en) Method and apparatus for controlling start of boot strap loading
JPS6112298B2 (en)
EP0415546A2 (en) Memory device
IE52648B1 (en) Microprocessor system
EP0411805B1 (en) Bulk memory transfer during resync
US4947478A (en) Switching control system for multipersonality computer system
US5305277A (en) Data processing apparatus having address decoder supporting wide range of operational frequencies
JPH0250735A (en) Function monitoring system based upon redundancy constitution of microprocessor
US5406472A (en) Multi-lane controller
EP0416732B1 (en) Targeted resets in a data processor
KR100459738B1 (en) Integrated circuit input / output processor with improved timer performance
JPH0616277B2 (en) Event distribution / combining device
US5745742A (en) Apparatus for coordinating clock distribution in a fully redundant computer system
KR0158491B1 (en) Circuit of malfunction check using program counter data
JP2645880B2 (en) System clock duplication method
SU1456996A1 (en) Device for monitoring memory units