NZ199770A - Triply redundant microprocessor system - Google Patents

Triply redundant microprocessor system

Publication number
NZ199770A
Authority
NZ
New Zealand
Prior art keywords
microprocessor
memory
signals
majority
instruction
Prior art date
Application number
NZ199770A
Inventor
T H Hesketh
Original Assignee
Plessey Co Plc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Plessey Co Plc

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16 Error detection or correction of the data by redundancy in hardware
    • G06F11/18 Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits
    • G06F11/183 Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits by voting, the voting not being performed by the redundant components
    • G06F11/184 Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits by voting, the voting not being performed by the redundant components where the redundant components implement processing functionality
    • G06F11/185 Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits by voting, the voting not being performed by the redundant components where the redundant components implement processing functionality and the voting is itself performed redundantly
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16 Error detection or correction of the data by redundancy in hardware
    • G06F11/1604 Error detection or correction of the data by redundancy in hardware where the fault affects the clock signals of a processing unit and the redundancy is at or within the level of clock signal generation hardware
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16 Error detection or correction of the data by redundancy in hardware
    • G06F11/18 Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits
    • G06F11/187 Voting techniques

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Hardware Redundancy (AREA)

Description

PATENTS FORM NO. 5
PATENTS ACT 1955
COMPLETE SPECIFICATION
TRIPLY REDUNDANT MICROPROCESSOR SYSTEM
We, THE PLESSEY COMPANY plc, a British Company of Vicarage Lane, Ilford, Essex, England, IG1 4AQ, hereby declare the invention, for which we pray that a patent may be granted to us, and the method by which it is to be performed, to be particularly described in and by the following statement:-
TITLE: TRIPLY REDUNDANT MICROPROCESSOR SYSTEM
The present invention relates to microprocessor systems and in particular to a triple redundant microprocessor system which uses majority voting circuits.
The technique of using triple redundancy with majority voting to produce reliable systems from imperfectly reliable components is well known in the art, and when the technique is applied to commercially available microprocessors certain problems arise. The first problem is that only those signals that appear on external pin connections of the microprocessor are available for comparison. The second problem is that for majority voting to be meaningful, the microprocessors must operate in exact synchronism, and the third problem is that instruction synchronism must be maintained.
Accordingly an aim of the present invention is to provide a triple redundant microprocessor which overcomes the above mentioned problems in an efficient and effective manner.
According to the present invention there is provided a triple redundant microprocessor system wherein each microprocessor includes a memory bus to which is connected a program memory and a data memory which are addressed via an associated address bus, each microprocessor also includes a data bus which is interconnected to the memory bus via associated majority voting circuits which are also interconnected to the other microprocessor data buses and memory buses and which function to provide majority voting on the respective microprocessor data bus and memory bus in response to the condition of signals present on the data buses and memory buses connected thereto, and to signals generated by the respective microprocessor.
An embodiment of the invention will now be described with reference to the accompanying drawings, of which Figure 1 shows a block diagram of a triple redundant microprocessor system, and Figure 2 shows a schematic diagram of a majority voting circuit as used in Figure 1.
Referring to Figure 1, three microprocessors MPA, MPB and MPC are shown with all their associated circuitry. The circuitry for each is identical and will be described collectively. Each microprocessor has an associated clock oscillator CO and timer T. Oscillator CO has a clock fail indicator CF and timer T has a sync fail indicator SF. Timer T is used to provide an interrupt signal INT for its associated microprocessor via a majority gate. Each microprocessor has an address bus AB for addressing an associated random access memory RAM, a read only memory ROM and an input/output device I/O, all of which output onto an associated memory bus MA, MB and MC. The memory buses MA, MB and MC are all connected to a respective input of one half of the majority voting circuit M1 associated with each microprocessor.
The circuit M1 provides suitable gating logic which provides a read error signal RE and an output signal OP1 which is delivered to a tristate buffer TB1. The associated microprocessor produces a directional control signal RD, the inverse of which is applied to the tristate buffer TB1 and to an error monitoring system SEL. The system SEL also receives the associated read error signal RE and provides an indication for random access memory errors RAME, read only memory errors ROME and input/output errors I/OE. The output of the associated tristate buffer TB1 is applied to the associated microprocessor data bus PA, PB or PC.
The data bus is applied to a second half of an associated majority voting circuit M2 which is connected also to the other data buses. Majority voting circuit M2 provides suitable gating logic which responds to the signals on the data buses, and the circuit M2 provides an output signal OP2 and a write error signal WE. The output signal OP2 is applied to a tristate buffer TB2 together with an inverse directional control signal WR which is originated by the associated microprocessor. The output from the tristate buffer TB2 is applied to its associated memory bus MA, MB or MC. The control signal WR and the write error signal WE are applied to an error monitoring system MPE which provides an indication for microprocessor errors.
Referring to Figure 2, a bidirectional majority voting circuit is shown. Eight such circuits are provided for handling the eight bits of information which are present on each bus. The circuit shown is connected for use in association with microprocessor MPA and similar circuits are used for microprocessors MPB and MPC. The microprocessor memory data buses MA, MB and MC are connected to an array of gates consisting of AND gates G1 - G3, NAND gates G4 - G6, OR gate G7, and NOR gates G8, G9. The data buses PA, PB and PC are similarly connected to an array of gates consisting of AND gates G10 - G12, NAND gates G13 - G15, OR gate G16 and NOR gates G17, G18. Gates G1, G5, G10 and G15 have one of their inputs inverted and gates G6 and G14 have two of their inputs inverted. The output of gate G8 provides the read error signal RE, and the output of gate G17 provides the write error signal WE. The outputs of gates G9 and G18 provide the respective output signals OP1, OP2 which are applied to tristate buffers TB1 and TB2 respectively. Gates G1, G4, G10 and G13 are enabled by a signal EN which is produced by the respective microprocessor to enable/disable majority voting. The tristate buffers TB1, TB2 receive directional control signals RD and WR respectively which are produced by the respective microprocessor. The output of tristate buffer TB1 is connected to the respective microprocessor data bus PA, PB, or PC and the output of tristate buffer TB2 is connected to the respective microprocessor memory bus MA, MB or MC.
The microprocessor system described overcomes the first mentioned problem, in that any change that occurs within a microprocessor or its memories and peripheral devices will ultimately be reflected in signals on the data bus which connects the microprocessor and its memories and peripheral devices. An adequate method of error detection and correction is obtained by majority voting on the data bus, and the use of dummy read/writes of otherwise infrequently accessed memory locations will provide timely warning of faults in those locations.
Since the data bus is bi-directional, a bi-directional majority voting circuit as discussed is used, controlled by the read/write control signals RD, WR from the respective microprocessors. The majority voting circuit has error output signals RE, WE which are asserted when the input from its own microprocessor system is different from the other two microprocessor systems. The error signals are fed to the respective error counting systems SEL, MPE which operate warning and alarm signals at appropriate error rates.
Each microprocessor system therefore monitors its own errors.
In respect of the second problem discussed above, this is overcome by using the internal clock generators CO of the microprocessor and phase-locking them. A varactor diode is connected in series with the frequency determining crystal of each microprocessor which allows the crystal frequency to be pulled by the few parts per million necessary to obtain synchronism. The bias on the varactor is derived from a conventional phase-locked loop circuit which compares the phase of the clock output of each microprocessor with a reference clock. The reference clock is obtained from the majority of the three clock outputs and continues to be available even if one clock generator fails completely or runs away. The microprocessor system is therefore referred to the clock generator of median phase. The controlling clock generator is synchronised to itself and the phase-locked loop is provided to be stable in this condition. The no clock and clock out-of-lock conditions are detected and are used to drive a clock fail indicator CF.
The above mentioned third problem is related to the second in that microprocessor instruction synchronism is required and is achieved by the use of both hardware and software implementation. The hardware consists of an interval timer T attached to each microprocessor. The output of the timer T drives one of the program interrupt inputs of the associated microprocessor, via a majority gate. By use of the enable/disable signal EN the majority voting circuits can be made to revert to non-voting operation. The microprocessor outputs are arranged to assume the non-voting state at power on. The software consists of a HALT instruction which is inserted in the main loop of the operating system. The HALT instruction is preceded by instructions to set the non-voting state and is followed by instructions to set the voting state.
When the system is first switched on, the microprocessors MPA, MPB and MPC run asynchronously through an initialisation sequence until they read the HALT instruction whereupon they stop and wait until a timer interrupt signal INT occurs. Since the interrupt signal is obtained from the majority of the three timer outputs, it occurs simultaneously in all three microprocessors, even though the timers were not necessarily initiated at the same instant. By the time the interrupt has occurred, the phase-locked loop will have synchronised and the microprocessors will be launched into an interrupt service routine in clock and instruction synchronism. The service routine restarts the timer and returns control to the instruction following the HALT instruction. The microprocessor will now be in the main loop in synchronism and with the voting state set.
If one microprocessor gets a few clock cycles out of step, when the other two microprocessors have reached the HALT instruction it will be running independently in the non-voting state and has an opportunity to catch up. The timer period is chosen so that only a small proportion of the time is spent in the HALT state. If one microprocessor gets a whole instruction cycle out of synchronism the correct op-code will be forced on the data bus by the majority voting circuit during the instruction fetch phase, and synchronism will be regained.
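The voting step described above (the RE/WE error outputs of the Figure 2 circuit, and the forcing of the correct op-code on an out-of-step processor) can be modelled in software as follows. This is an added example, not part of the patent: the function names, the byte values and the behaviour assumed for the non-voting state (own byte passed through, no error raised) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* One channel's view of a voted bus cycle (all eight bit-slices together). */
typedef struct {
    uint8_t out;  /* byte passed on through the tristate buffer (OP1 or OP2) */
    uint8_t diff; /* bits where this channel's own bus lost the vote */
    int err;      /* RE or WE for this channel */
} vote_t;

/* Bitwise 2-of-3 majority of three 8-bit buses. */
uint8_t maj3(uint8_t a, uint8_t b, uint8_t c) {
    return (uint8_t)((a & b) | (a & c) | (b & c));
}

/* Voter half for one channel. own is that channel's bus, o1 and o2 are the
 * other two. en models EN: 1 = voting, 0 = non-voting. Assumption: in the
 * non-voting state the channel's own byte passes through and no error is
 * raised; the text does not spell out the gate behaviour for that state. */
vote_t vote(uint8_t own, uint8_t o1, uint8_t o2, int en) {
    vote_t r = {own, 0, 0};
    if (!en) return r;
    r.out = maj3(own, o1, o2);
    r.diff = (uint8_t)(own ^ r.out); /* own differs from both others here */
    r.err = r.diff != 0;
    return r;
}

/* Run one voted cycle for channels A, B, C. Returns a bit mask of the
 * channels that raised their error signal (bit 0 = A, 1 = B, 2 = C) and
 * stores the byte each channel received in out[]. */
int voted_cycle(const uint8_t bus[3], int en, uint8_t out[3]) {
    int flags = 0;
    for (int i = 0; i < 3; i++) {
        vote_t r = vote(bus[i], bus[(i + 1) % 3], bus[(i + 2) % 3], en);
        out[i] = r.out;
        if (r.err) flags |= 1 << i;
    }
    return flags;
}

int main(void) {
    /* Constructed memory-bus samples for MA, MB, MC; 0x3E is the good byte. */
    const uint8_t cases[4][3] = {
        {0x3E, 0x3E, 0x3E}, /* fault-free fetch */
        {0x3E, 0x7E, 0x3E}, /* MB out of step or corrupted: 0x3E forced on B */
        {0x3F, 0x7E, 0x3E}, /* MA and MB faulty on different bits: still masked */
        {0x7E, 0x7E, 0x3E}, /* MA and MB share one fault: wrong byte wins */
    };
    for (int k = 0; k < 4; k++) {
        uint8_t out[3];
        int flags = voted_cycle(cases[k], 1, out);
        printf("case %d: delivered %02X %02X %02X, errors A=%d B=%d C=%d\n", k,
               out[0], out[1], out[2], flags & 1, (flags >> 1) & 1, (flags >> 2) & 1);
    }
    return 0;
}
```

The last case shows the limit of the scheme: when two channels carry the same wrong bit, the wrong byte is delivered to all three and the error signal is raised on the healthy channel.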

Claims (5)

WHAT WE CLAIM IS:
1. A triple redundant microprocessor system wherein each microprocessor includes a memory bus to which is connected a program memory and a data memory which are addressed via an associated address bus, each microprocessor also includes a data bus which is interconnected to the memory bus via associated majority voting circuits which are also interconnected to the other microprocessor data buses and memory buses and which function to provide majority voting on the respective microprocessor data bus and memory bus in response to the condition of signals present on the data buses and memory buses connected thereto, and to signals generated by the respective microprocessor.
2. A triple redundant microprocessor system as claimed in claim 1 wherein each microprocessor is provided with an arrangement for synchronising the instructions which the microprocessors have to perform, said arrangement includes an interval timer associated with each microprocessor which drives, via a majority gate, a program interrupt input of the respective microprocessor, and the signals which each microprocessor generates include enable/disable signals which dictate the vote/non-vote state of the majority voting circuits, said enable/disable signals being generated by instructions which are inserted in the main operating loop of the microprocessor system, said instructions consisting of a HALT instruction preceded by an instruction to set the non-voting state, and followed by an instruction to set the voting state, and each microprocessor runs through a sequence until each performs the HALT instruction, whereupon each microprocessor waits until a timer interrupt signal occurs which is generated by said timers via said majority gate and thereby provide instruction synchronism for the system.
3. A triple redundant microprocessor system as claimed in claim 2 wherein each microprocessor includes a frequency clock oscillator which is maintained in synchronism with the other oscillators by a phase-locked loop arrangement which is used to provide a bias voltage for a variable conductive semiconductor device connected in series with each respective oscillator to permit the majority voting circuits to function in synchronism.
4. A triple redundant microprocessor as claimed in claim 3 wherein the variable conductive semiconductor device is a varactor diode.
5. A triple redundant microprocessor substantially as described with reference to the accompanying drawings.
NZ199770A 1981-02-19 1982-02-18 Triply redundant microprocessor system NZ199770A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB8105275A GB2093614B (en) 1981-02-19 1981-02-19 Triply redundant microprocessor system

Publications (1)

Publication Number Publication Date
NZ199770A (en) 1984-12-14

Family

ID=10519827

Family Applications (1)

Application Number Title Priority Date Filing Date
NZ199770A NZ199770A (en) 1981-02-19 1982-02-18 Triply redundant microprocessor system

Country Status (5)

Country Link
GB (1) GB2093614B (en)
IE (1) IE52648B1 (en)
NZ (1) NZ199770A (en)
PT (1) PT74338B (en)
ZA (1) ZA82160B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
SE457391B (en) * 1987-04-16 1988-12-19 Ericsson Telefon Ab L M PROGRAM MEMORY MANAGED REAL TIME SYSTEM INCLUDING THREE MAINLY IDENTICAL PROCESSORS
SE465056B (en) * 1989-05-12 1991-07-15 Ellemtel Utvecklings Ab PROCEDURE TO AVOID LATENT ERRORS IN A LOGIC FOR MAJORITY SELECTION OF BINARY SIGNALS
US5349654A (en) * 1992-02-20 1994-09-20 The Boeing Company Fault tolerant data exchange unit
ATE456092T1 (en) * 2000-04-11 2010-02-15 Boeing Co PROCESSING SYSTEM WITH MAJORITY DECISION
US7318169B2 (en) * 2002-05-15 2008-01-08 David Czajkowski Fault tolerant computer
US7260742B2 (en) * 2003-01-28 2007-08-21 Czajkowski David R SEU and SEFI fault tolerant computer
CN110928217A (en) * 2019-11-18 2020-03-27 天津津航计算技术研究所 CPU (Central processing Unit) triple-redundancy voting circuit applied to aviation electric heating control system

Also Published As

Publication number Publication date
GB2093614A (en) 1982-09-02
PT74338B (en) 1984-07-30
ZA82160B (en) 1982-11-24
GB2093614B (en) 1984-10-17
IE52648B1 (en) 1988-01-06
PT74338A (en) 1982-02-01
IE820340L (en) 1982-08-19

Similar Documents

Publication Publication Date Title
US5185877A (en) Protocol for transfer of DMA data
EP0415545B1 (en) Method of handling errors in software
US4251873A (en) Digital computing apparatus particularly for controlling a gas turbine engine
US4757442A (en) Re-synchronization system using common memory bus to transfer restart data from non-faulty processor to failed processor
US5784551A (en) Duplicate control and processing unit for telecommunications equipment
US5948111A (en) Real time comparison of integrated circuit operation
US5163138A (en) Protocol for read write transfers via switching logic by transmitting and retransmitting an address
US4580246A (en) Write protection circuit and method for a control register
EP0514075A2 (en) Fault tolerant processing section with dynamically reconfigurable voting
KR101606289B1 (en) Programmable controller
US5787265A (en) Bus arbitration system having a pair of logic networks to control data transfer between a memory and a pair of buses
NZ199770A (en) Triply redundant microprocessor system
EP1476800B1 (en) Seamless clock
US5406472A (en) Multi-lane controller
EP0416732B1 (en) Targeted resets in a data processor
JPH10129487A (en) Computer system for vehicle control
JPH0616277B2 (en) Event distribution / combining device
JPH096725A (en) Asynchronous data transfer receiver
JP2645880B2 (en) System clock duplication method
JP2941387B2 (en) Multiplexing unit matching control method
JPS62187901A (en) Method for controlling duplex controller
Proerzza et al. A low-cost fail-safe circuit for fault-tolerant control systems
SU1456996A1 (en) Device for monitoring memory units
JPH0635562A (en) Abnormal operation preventing circuit for microcomputer
JPS639691B2 (en)