RU2559767C2 - Method of providing fault-tolerance computer system based on task replication, self-reconfiguration and self-management of degradation - Google Patents

Abstract

FIELD: physics, computer engineering.

SUBSTANCE: invention pertains to computer engineering. Disclosed is a method of providing fault-tolerance of a computer system, based on task replication, self-reconfiguration and self-management of degradation, wherein the computer system includes four numbered computers BMi, where i=1,…,4 is the number of a computer, each connected to of the other computers through its own transmitting interface device with an information broadcast channel, wherein each computer in the operating cycle of the system receives input information, calculates its copy of output information and transmits said copy to every other computer of the system, calculates the correct output information by majoritising its own and all received copies, outputs the majoritisation result to an external medium, compares all available copies of output information with the majoritisation result; each computer further includes first, second, third and fourth program fault counters, first, second, third and fourth program fault seconds counters, first, second, third and fourth program blocking counters, a synchronisation timer, an inter-computer communication (MMO) synchronisation timer, an interruption request generation timer (Tmrgzp), a Tmrgzp preset register, a Tmrgzp counter, a synchronisation timer preset register, a synchronisation timer counter, a MMO preset register, a MMO synchronisation counter and a RFx fixing register.

EFFECT: faster operation of the computer system.

6 cl, 12 dwg

Description

The invention relates to the field of computer technology and can be used in the construction of highly reliable computing and control systems designed to solve the problems of controlling the onboard systems of a transport ship.

The known method of localization of "friendly" and "hostile" faults in the complexes of redundant VMs (computers) [1]. The method is based on the laws of the forms of manifestation of faults in the set of calculation results, which is used in the deterministic algorithm of mutual information consistency. For any VM in a complex of redundant VMs with direct connections that perform the same applied tasks, the calculation result can be represented by one number. The set of calculation results for each task, formed by means of inter-machine exchange in all VMs, forms an initial set (IN) that allows any VM to control the state of the complex. In the absence of malfunctions, the values of these elements of the ID are consistent or are in the range of permissible deviations. When a malfunction occurs, the values of one or more elements differ from the others. The meaning of localization is that all serviceable VMs simultaneously and unequivocally determine the number of the faulty one.

The computational process is periodically interrupted at control points (CT) to perform the process of ensuring fault tolerance. Using existing approaches to localization, the fault tolerance procedure is completely performed in the same CT where the manifestation of a malfunction is detected. Let N be the total number of VMs in the complex, k be the number of faulty ones. Localization of “friendly” faults is performed for N ≥ 2 k + 1 in a trivial way. When forming an ID, one round of exchange is performed, in each operational VM a vector of N elements is formed, the locations of the mismatched elements (RE) in it coincide with the numbers of the faulty machines [2]. Localization of all forms of manifestation of “hostile” faults is feasible only for N ≥ 3 k + 1 and is a non-trivial task. Under the form of the manifestation of a malfunction (FPN) is meant the nature of the location of the mismatched elements (RE) in the ID formed in the same CT by all serviceable machines. This is due to the fact that the ID has a more complex structure, in particular, multidimensional and sparse, the locations of the RE in various operational VMs do not coincide and are ambiguously associated with the numbers of the faulty machines. The localization method [3] is based on the fact that in the same CT all possible PDFs using the mutual information consistency (VIS) algorithm are converted to the same form established for "friendly" faults. In this transformation, the value of each element of the vector is formed using the majority choice for the majority of coinciding values in the groups of elements of the IN, so that the FPFs for which the number of REs is less than half of the total number of elements in the group are masked, i.e. can accumulate and cause complex failure. The proposed method consists in generating, for any FSF, a set of valid localization results in each operational VM (possibly ambiguous in some machines), after which, using several transformations over IDs and inconsistent localization results, eliminate the ambiguity in determining the number of the faulty machine. The localization procedure that implements this method is multi-stage, and for various FPFs it is completed at different stages. It is argued that despite the arbitrary nature of the data received from the faulty VM in each round of inter-machine exchange, the set of REs in the IDs generated by the working VMs are located naturally, which allows us to develop localization rules.

The disadvantages of this method are: firstly, the lack of a consistent account of the manifestations of malfunctions in the process of interchange of the results of calculations, which can delay localization for an indefinitely long time even at a relatively high frequency of manifestations of malfunctions.

Secondly, there is no consistent detection, accounting and identification of fault manifestations in the process of mutual information coordination of signs of fault detection and localization data for the construction of auxiliary sets. This increases the likelihood of an undetectable failure and a sudden failure of the entire system during the subsequent occurrence of a failure of another element of the system (since in this case a short malfunction can be fixed if a single one is permissible) even if there is a working reserve.

There is also known a method of fault-tolerant information coordination with identification of detected faults in a four-machine computer system [4], consisting of four VMs with numbers 1-4 connected by four communication channels of the bus architecture. A VM is connected to each channel by a separate interface device (US), with one of the VMs being a transmitter, and the other three USs of this VM being receivers. Each channel has one US transmitter and three US receivers. Information transfer from each VM to all others is carried out by broadcast method. Let BMi transmit some information to all other BMJ, k, l.

The fail-safe information matching algorithm is as follows:

• in the first round, each of BMi, where i = 1-4, transfers its value З _{i to} other VMs and receives their values from them;

• in the second (third) round, each BMi transfers to the other VMs the information received by it in the previous round, and once again its own value З _i ² (З _i ³ );

• in the fourth round, each BMi transfers to the other VMs all the information she received in the third round;

• each BMi determines the values of the elements of its vector of interactive matching, including the value of the vector of interactive matching With_i For each j (j = 1,4), majorization of all values of Z_j ^one, ... obtained by this VM in the first and second rounds, is determined by the value of C_j ^oneby majorizing all the values of Z_j ², ... obtained by this VM in the second and third rounds, the value C_j ² and finally, majorizing the values of Z_j ³ , ... obtained in the third and fourth rounds - the value of C_j ³. C value_jof vector interactive coordination of this BMi is formed by majorizing the values of C_j ^one, FROM_j ², FROM_j ³. If any of the majorities is impossible due to the inequality of all three initial values, the corresponding resulting value is assigned the value NULL.

Detection and identification of the revealed malfunctions is carried out independently in each of the VMs. In the process of all coordination rounds, BMi receive a certain sequence of values ordered in the order of the numbers of the rounds of their arrival, the numbers of VMs of their trajectories, and the sequence of values of k. We denote this sequence by S. Each BMi for some j and k performs a sequential comparison of the values of Z _j ^k , ... in its S with the value of C _j and upon detection of the first non-comparison (which is a sign of a malfunction) determines the suspected area of this malfunction. Such an analysis is performed for each of the values of j and k. The intersection of all received suspected areas and their analysis allows you to identify the manifest malfunction.

The disadvantage of this method is the difficulty of implementing it in real-time systems.

The objective of the invention is to increase speed and simplify the algorithms.

The essence of the claimed invention, the possibility of its implementation and industrial use are illustrated by the drawings and algorithms shown in FIG. 1 - 12, where

• in FIG. 1 is a structural diagram of a fault tolerant computing system with hardware and software implementation of fault tolerance and dynamic reconfiguration functions;

• in FIG. 2 is a state diagram of degradation and reconfiguration;

• figure 3 presents the algorithm for ensuring the failure and fault tolerance of the computing system, based on the possibility of self-configuration and self-degradation;

• in FIG. 4 shows an algorithm for tuning an inter-machine exchange controller (KMO);

• in FIG. 5 shows the algorithm for the functioning of the time reference system;

• in FIG. 6 shows a reference to an external time stamp;

• Fig.7 shows the synchronization algorithm in the absence of a time stamp;

• on Fig presents the calculation of the delay of the forecast in the absence of external MV;

• figure 9 presents the algorithm for majorizing;

• figure 10 shows the algorithm for the operation of the timer synchronization IMO;

• in FIG. 11 shows an algorithm for performing self-management by degradation;

• in FIG. 12 shows an algorithm for performing self-configuration.

  The indicated advantages of the proposed method over the prototype are achieved due to the fact that in a fault-tolerant computing system with hardware-software implementation of fault tolerance and dynamic reconfiguration functions, containing the first 1, second 2, third 3 and fourth 4 computers connected to the first 5, second 6, third 7 and fourth 8 serial data buses, the first 9, second 10, third 11 and fourth 12 secondary power supplies (VIP), the first 13, second 14, third 15 and fourth 16 inter-machine controllers ( KMMO), the first 17, second 18, third 19 and fourth 20 configuration management controllers (CCM), the first 21 groups of outputs of which are connected to the first groups of inputs zero 1, the first 2, second 3 and third 4 VMs, the second 22 groups of inputs which are connected with the first group of inputs of the system, the second 23, third 24, fourth 25, fifth 26 groups of inputs which are connected to the first groups of inputs KMMO1 (13) and KUK1 (17), KMMO2 (14) and KUK2 (18), KMMO3 (15) and KUK3 (19), KMMO4 (16) and KUK4 (20), respectively, the second 27 groups of inputs of which are connected to the first groups of outputs of the VM (1, 2, 3, 4), local 28 directional lines connected to KMMO local bi-directional lines (13, 14, 15, 16), the first 29 outputs of which are connected to the first inputs of the KUK controllers (17, 18, 19, 20), the second 30 groups of outputs of which are connected to the first groups of inputs VIP (9, 10, 11, 12), respectively, the output groups 31 of which are connected to the third groups of inputs of the VM (1, 2, 3, 4), and the first 32 group of outputs of the first 13 CMMO is connected to the third groups of inputs of the second 14, third 15 and the fourth 16 KMMO and the first 17, second 18, third 19 and fourth KUK 20, the first 33 gr oppa outputs of the second 14 KMMO is connected to the fourth groups of inputs of the first 13, third 15 and fourth KMMO 16 and the first 17, second 18, third 19 and fourth 20 KUK, the first 34 group of outputs of the third 15 KMMO is connected to the fifth groups of inputs of the first 13, second 14 and the fourth 16 KMMO and the first 17, the second 18, the third 19 and the fourth 20 KUK, the first 35 group of outputs of the fourth 16 KMMO is connected to the sixth groups of inputs of the first 13, second 14 and third 15 KMMO and the first 17, second 18, third 19 and fourth 20 KUK, and the sixth 36th group of system inputs is connected with second groups of inputs of the first 9, second 10, third 11 and fourth 12 VIP, the first inputs of which are connected to the seventh 37 group of inputs of the system, the eighth 38 group of inputs of which is connected to the second inputs of the first 9, second 10, third 11 and fourth 12 VIP, moreover, the second 39 groups of outputs of the CMMO (13, 14, 15, 16) are connected to the fourth groups of inputs of the VM (1,2,3,4), the first 40, the second 41, the third 42, the fourth 43 program counters of failures are additionally introduced into each computer (ERRi BMi), first 44, second 45, third 46, fourth 47 software counters of failed seconds (SECi BMi), p first 48, second 49, third 50, fourth 51 software lock counters (BLKi BMi), synchronization timer (TmrSn) 52, synchronization timer MMO (machine exchange) (Tmr MMO) 53, timer for generating an interrupt request (Tmrgsp) 54, register timer preset Tmrgzp RPGZP 55, counter RTGZP 56, register of preset timer RPsn 57, timer counter RTsn 58, register of preset MMO RPmmo 59, synchronization counter MMO RTmmo 60, register register RFx 61, inter-machine controller (KMMO) 13, 14, 15, 16, configuration management controller (KU K) 17,18,19,20 and the stages of turning on the system are determined, consisting of the initialization of the system, an initial check on switching on, the formation of a table of the technical condition of the TTC of the system, the installation of the initial working configuration of the system 62, the functional work with preserving the specified level of redundancy and mechanisms for ensuring failure - and fault tolerance of the computing system, consisting of tuning the CMMO, matching the system time, performing synchronization in the absence of an external time stamp, the functioning of the synchronization timer M Moscow Region, performing exchanges on MCO 65, detecting failures and failures 65.66 by majorizing their own and all received copies of the input information, performing self-management by degradation 67, and performing self-configuration 68.

The setup of the inter-machine exchange controller in a single-machine configuration 69 consists in switching 73 to the inputs “a”, “b”, “c” of the majorization element the output from its VM and allowing participation in the synchronization of input “a”, in the two-machine configuration 70 is to switch 74 to the input “a” of the majorization element the output from your VM, to the input “b” of the majority element the output from another VM, to the input “c” of the majority element the output from the “best” of the two VMs with the total program counter failures (40,41,42,43) and software o counter of bad seconds (44,45,46,47) has a minimum value, allow participation in the synchronization of inputs “a, b”, in the three-machine configuration 71 is to connect 75 to the input “a” of the majorization element the output from its VM , at the input “b” of the majorization element, exit from the second VM, at the input “c” of the majorization element, exit from the third VM and allow participation in synchronization of the inputs “a, b, c”, in the four-machine configuration 72 is to switch 76 to the input "a" of the element of majorization is the output from its VM, to the input "b »The element of majorization the output from the second VM, to the input“ c ”of the element of majorization the output from the third VM and allow participation in the synchronization of inputs“ a, b, c, d ”, where“ g ”is the output from the fourth VM.

The functioning of the time reference system is done by writing 77 to the timer preset register Tmrgpp rpgz 55 of the operation interval equal to 1,000,000 μs, the operation interval 78 is written to the counter rtgzp 56, which works by subtracting 80, tmrgzp 54 is triggered 81 when zeroing rtgzp 56, 82 interrupt request is generated and the interval from RPGZP 55 is rewritten 78 to RTGZP 56, the process is repeated, and if the counter RTGZP 56 is not equal to "0", then the subtraction of "1" from RTGZP 56 continues, and moreover, to the synchronization timer preset register AI RPsn 57 sets the response interval 83 equal to 0xFFFFFFFF, according to the external time stamp MV 84, the contents of the synchronization timer preset register RPsn 57 is copied 84 to the synchronization timer counter RTsn 58, which works by subtracting 86, and the synchronization timer counter 58 is copied 84 to the RFx latch register 61, and when the counter of the synchronization timer RTsn 58 is set to “0” 87, 88 signs of the activation of the synchronization timer and the presence of an external time stamp are generated and the contents of the counter of the synchronization timer 58 are overwritten in reg RFx 61 is locked, and the preset register RPsn 57 is copied 84 to the RTsn 58 counter and the process is repeated 85, and if there is no external MB time stamp 87 and the RTsn 58 counter is not “0”, subtraction “1” from clock 85 continues counter RTsn 58.

Synchronization in the absence of an external time stamp is performed when there is a request 89 for interruption from the timer Тmрзп for each BMi, then, if the current second number is even 90, then each BMi generates a synchronization byte and transmits 91 of it to two other VMs, each of the BMi analyzes the presence of bytes synchronization from other VMs and, if there are any, it captures the generalized synchronization indicator 92, calculates the time 93 from the timer to the generalized synchronization (T3Si), then gives the time value (T3Si) 94 from each VMi, if there is a generalized synchronization indicator If it is 95, then it calculates the median 96 of the three time values T3S0, T3S1 and T3S2, performs the procedure of majorizing 97 matched marks, then calculates the amendment 98 for the timer Тmрзп and corrects 99 the state of the timer Тмрзп by the calculated correction value.

The majorization procedure consists in the fact that each BMi forms a sign of necessity and switches to degradation mode 100, if the content of at least one ERRi failure counter is more than 8, then 101 generated sign is added to its consistent value and gives the result to all other VMs, if any of a feature of generalized synchronization 102 BMi performs majorization of 103 of its own and two received copies according to the formula M = (A & B) | (A & C) | (B & C), where A is an eigenvalue, then compares the available copies of B and C with the result of majorization 104,105,106, if the copies and the eigenvalue are equal to the result of majorization, and if there is a sign of degradation in M 107, then you need to perform the self-management process of degradation 112 and return the agreed value M 108, and if the copy from BM2 is not equal to M 105, then the contents of the failure counter ERR BM2 (41) is increased by one, and if the copy from BM3 is not equal to M 106, then the contents of the error counter ERR BM3 (42) is increased 111 per unit, and if own The values of the VM1 is not equal to M 104, the contents of counter ERR BM1 (40) 109 fault is increased by one, and if no characteristic degradation in M 107, then return agreed value M 108.

The functioning of the synchronization timer MMO 53 is carried out so that if there is data from two inputs of the inter-machine exchange controller (MMO) 113 and there is a clock pulse 114, then the contents of the synchronization counter MMO 60 is increased by 115 by "1", if there is data from three inputs of the controller MMO 116 then a generalized synchronization flag 117 is generated, and if there is no data from the three inputs of the MMO controller and the MMO synchronization counter 60 is equal to the register 59 of the MMO 118 preset, then a generalized synchronization flag 117 is generated if the MMO synchronization counter 53 is not equal to the register 59 of the MMO preset, then the transition to waiting for a clock pulse 114 and an increase of 115 the contents of the synchronization counter MMO 60 to "1" is performed.

The process of self-management of degradation consists in the fact that each BMi compiles a list of failed VM 119, for which the failure counter ERRi (40-43) has exceeded the limit of 8, agrees list 120, performing the majority procedure, if the agreed list is not empty 121, then according to the counters ERRi (40-43) consistently selects the worst BM for which the failure counter ERRi (40-43) has a maximum value, and if they are equal, then with a minimum BMi number, from list 122, prepares a new configuration, setting the degradation mode, consistently blocks selected BMi 123 and changes p press the working one, turn on standby power, configure the majorization of the configuration management controller, block all switched off and faulty VMs, designate the VMi as the master on the MCO in accordance with the configuration, if the selected BMi is locked 124, then the locked BMi adds to the contents of the lock counter (48-51) “1” 125, prepares a lock notification 126 for the software (software), the end of degradation, moreover, if the selected BMi is not blocked 124, it prepares a 127 degradation notification for the software, the end of the degradation, moreover, if agreed ovanny list is empty 121, the end of the degradation.

The self-reconfiguration procedure consists in the fact that if 128 times more than 10 s are allocated for reconfiguration, then all unnecessary VMs 129 (standby and faulty VMs) are turned off, if 130 times less than 60 s are allocated for reconfiguration, then 134 procedure must be completed, if more and in the current configuration there are three VMs 131, then it is necessary to complete the 134 procedure, if in the current configuration there are less than three VMs 131, then it is necessary to select 132 switched on VMs according to the minimum value of the BLKi counter (48-51) and if 133 suitable VMs were found (switched off and serviceable shut down and has a minimum value BLKi counter) then enable 135 BMi, transmit 136 the necessary information in the RAM BMi and perform a simultaneous and coordinated restart 137 software with the feature rewriting complete the procedure 134, and if not found a suitable virtual machine, it is necessary to complete the 134 procedure.

The way to ensure the failure and fault tolerance of computing systems based on task replication, the possibility of self-configuration and self-degradation is as follows.

A fault-tolerant computing system includes three working configuration VMs and one cold standby VM. The structural diagram of a fault-tolerant computing system with hardware-software implementation of the functions of fault tolerance and dynamic reconfiguration is presented in figure 1.

Each VMi of the working configuration solves the same target task of the software, with the help of fault tolerance software (VET), the results of the solution are transmitted to the other VMs of the working configuration and receive from them their copies of the solution results, and then it determines the correct result from its and the received copies of the solution. In a two-machine operating configuration, the correct solution is determined on the basis of two results and, if such a determination is impossible (there is no possibility of identifying a faulty VM by the results of the solution), then, depending on the available time resources, either a second solution of the software problem is performed, or transition to intermediate testing of channels followed by a second decision with a positive test result or a transition to a single-channel configuration based on a working channel of the system. If it is impossible to identify the faulty BMi, a transition to a safe shutdown of the system is carried out. The state diagram of degradation and reconfiguration is presented in figure 2.

The algorithm for ensuring the failure and fault tolerance of a computing system based on the possibility of self-configuration and self-management of degradation is presented in Fig.3.

At the initial verification stage, workable elements of the system are determined, the initial working configuration of the system is selected and installed, a table of technical condition (TTC) is formed, 62 mechanisms for ensuring system fail-safety and fault tolerance are initialized. If 63 4 cars are operational, then 4 cars turn off 64.

At the second stage, the tasks of the application software (PPO) of system 65 are performed. All the actions performed are accompanied by continuous and end-to-end functional diagnostics. In case of failures, 66 computational process recovery is performed. In case of failure identification, self-degradation self-control and system self-reconfiguration 68 are performed, ensuring the preservation of a given level of redundancy, and restoring the computing process.

The configuration algorithm of the machine-to-machine exchange controller (CMO) is presented in FIG. 4.

The configuration of the CMO is as follows:

• in a single-machine configuration 69, it is necessary to connect 73 to the inputs of the majorization element: “a” - output of its VM, “b” - output of its VM, “c” - output of its VM, allow participation in synchronization of input “a”;

in a two-machine configuration 70, it is necessary to connect 74 to the inputs of the majorization element: “a” - output from your VM, “b” - output from another VM, “c” - output from the “best” of two VMs (the result of majorization is data from “ the best ”VM), in which the sum of the software failure counter (40,41,42,43) and the software counter of failed seconds (44,45,46,47) has a minimum value, allow participation in the synchronization of inputs“ a ”,“ b ” ;

• in a three-machine configuration 71, it is necessary to connect 75 to the inputs of the majorization element: “a” - output from its VM, “b” - output from the second VM, “c” - output from the third VM, allow participation in synchronization of inputs “a”, “ b "," c ";

• in a four-machine configuration 72, it is necessary to connect 76 to the inputs of the majorization element: “a” - output from your VM, “b” - output from the second VM, “c” - output from the third VM, allow participation in synchronization of inputs “a”, “ b "," c "," g ", where" g "is the output from the fourth VM.

Failure-and fault-tolerant operation of VMs is based on two principles: the synchronized operation of all VMs in the working configuration and the consistency of decisions made by different VMs based on the consistency of the source data.

The synchronization of the software (software) of individual VMs that are part of the system, and the necessary coordination of data is carried out by common software programs (OPO) at key points in the computing process, called synchronization points.

   In particular, it is provided:

• coordinated management of system time in different BMi;

• coordinated launch of tasks (in each BMi at the current moment the same task is performed);

• coordinated exchange on the multiplexed channel of exchange (MCO);

• data matching upon request of software.

Two types of synchronization are provided:

• based on a single system time;

• synchronization in the absence of a time stamp (MV).

The algorithm of the functioning of the time reference system is presented in figure 5. The reference to an external time stamp is shown in FIG. 6.

The principle of operation of the timer Tmrgzp 54: in the register 55 of the preset (RPgzp) programmatically entered 77 interval operation, equal to 1,000,000 μs, and the timer 54 starts in cyclic mode. The operation interval is copied 78 to the counter RTGZP 56, which works to subtract 80, Tmrgzp 54 is triggered 81 when the counter RTgzp 56 is reset to zero, generating an interrupt request 82, and the interval 78 from RPgzp 55 is rewritten to RTgzp 56, the process is repeated.

The principle of operation of the synchronization timer 52 (TmrSn): the response interval equal to 0xFFFFFFFF is entered into the preset register of the synchronization timer RPsn 57, the timer works in a cyclic mode, the contents of the register RPsn of the preset synchronization timer 57 are copied 84 to the counter 58 of the synchronization timer RTsn, using the external time stamp MV which works by subtracting 86, and the counter 58 of the synchronization timer is copied 84 to the register register RFx 61, and when the counter 58 of the synchronization timer RTsn is set to "0" 87, 88 signs of srub are formed yvaniya timer 52 and the presence of an external synchronizing time stamps, then the contents of counter 58 sync timer 52 is rewritten into register 84 RFx fixing 61 that allows to measure the interval between two MV.

After the overflow of the counter 56 RTGZP or counter 58 RTsn VM calculates:

• the contents of the synchronization timer 52, subtracting the contents of the synchronization counter 58 from the contents of the preset register 57 TmpSn (RPsn - RTsn = TS);

• the contents of the timer Tmrgzp 54, subtracting the contents of the RTgzp 56 counter from the contents of the timer preset register 55 RРгзп 56 (RРгзп - RTгзп = ТМ);

• forecast lag (D = TS - TM);

• number of ticks per second (T1 = RPsn - RFx).

Then, it binds the forecast MV.

            The second type of synchronization is synchronization in the absence of an external time stamp (MV). The synchronization algorithm in the absence of an external time stamp is presented in Fig.7. The calculation of the forecast delay in the absence of an external MV is presented in FIG. 8.

System time synchronization is carried out periodically every second. The second time component (TS) and the microsecond component (Tmks) are matched. If a discrepancy between Tmks values is detected in different BMi, these values are averaged and the same Tmks values are set in all VMs.

TS values of different BMi are majorized. When the time changes, a new value is negotiated, and then the agreed time value is set in all VMs.

Synchronization in the absence of an external time stamp is performed when there is a request for interruption 89 from the timer Тmрзп 54 for each BMi, then, if the number of the current second is even 90, then each BMi generates a synchronization byte 91 and transmits it to two other VMs, each of the BMi analyzes the presence synchronization bytes from other VMs and, if any, fixes the generalized synchronization flag 92, calculates the time from the timer to the generalized synchronization (T3Si) 93, then outputs the time value (T3Si) 94 to all other VMs, if there is a generalized sign of s synchronization and time values (T3S1 and T3S2) 95, then calculates the median 96 of the three time values T3S0, T3S1 and T3S2, performs the majorization procedure 97 of matched marks, then calculates the amendment 98 for the timer Tmrgzp 54 and adjusts 99 the state of the timer Tmrgzp 54 to the calculated value amendments.

Figure 9 presents the algorithm for performing the majorization procedure.

The majorization procedure consists in the fact that each BMi forms a sign of necessity and switches to degradation mode 100, if the content of at least one ERRi failure counter is more than 8, then 101 generated characteristic is added to its consistent value and gives the result to all other VMs, after exchange 102 in the presence of a generalized sign of synchronization BMi performs majorization 103 of its and two received copies according to the formula M = (A & B) | (A & C) | (B & C), where A is an eigenvalue, then compares the available copies of B and C and the eigenvalue A with the result of majorization 105, 106, 104, if the copies and the eigenvalue are equal to the result of majorization, and if there is a sign of degradation in M 107, then you need to perform the self-management procedure by degradation 112 and return the agreed value M 108, and if the copy from BM2 is not equal to M 105, then the contents of the failure counter ERR BM2 110 is increased by one, if the copy from BM3 is not equal to M 106, then the contents of the failure counter ERR BM3 111 increases by one if sobs vennoe value of BM1 is not equal to 104 M, the content ERR BM1 failure counter 109 is incremented by one, wherein if there is no sign of degradation in M 107, then return agreed value M 108.

If the contents of the failure counters ERR BM1 40, ERR BM2 41 or ERR BM3 42 are greater than eight, then the corresponding BMi is blocked and the contents of the block counters BLK BM1 48, BLK BM2 49 or BLK BM3 50 are increased by “1”, respectively.

  The operation algorithm of the MMO synchronization timer is shown in FIG. 10.

The operation of the synchronization timer MMO 53 is carried out, if there is data from two inputs of the inter-machine exchange controller (MMO) 113 and there is a clock pulse 114, then the contents of the counter 60 synchronization MMO RTmmo increases by 115 by "1", if there is data from three inputs of the controller MMO 116, then a generalized synchronization flag 117 is generated, and if there is no data from the three inputs of the MMO controller and the MMO synchronization counter 60 is equal to the register 59 of the MMO preset 118, then a generalized synchronization flag 117 is generated if the MMO synchronization counter 60 is not equal to the register 59 of the MMO preset, then the transition to waiting for a clock pulse 114 and increasing the contents of the counter 60 synchronization MMO 115 to "1".

Coordination of the time value is also performed when reading and changing the time value at the request of the software.

   When reading time, the software program receives a consistent (identical) time value in all VMs.

   When the time changes, a new value is negotiated, and then the agreed time value is set in all VMs.

The synchronous execution of tasks in all VMs is ensured by matching the start vector and identifier when creating the task, and matching the identifier at each start and each task pause.

   When working out a software program request for an exchange on MCOs, information is prepared for transfer to MCOs in all VMs equally.

   Direct transfer to the MCO is carried out only in one VM (VM_vdsh).

   Before starting the transfer, the information prepared for the transfer is agreed upon, and after completion of the exchange to VM_vdsch, the exchange results and information received from the MCO are sent from VM_vdsch to the other VMs.

   The software task that initiated the exchange should get the same results in all VMs.

   VM_signal assignment to MCO is performed during the initialization of the SDE: VMs with the minimum number are selected as VM_signal.

   Software programs can change the VM_vdsh number using a special function of the on-board operating system (BOS).

Mechanisms for recovering a computational process after failures and failures are designed to isolate faulty elements of the working configuration and the computational processes that they perform in order to not propagate errors and distortions to other elements and computational processes of the system, restore interrupted computational processes, reconfigure computing tools to isolate failed elements and replace them with spare ones , health checks of connected spare elements, providing them with the necessary information th and involving in joint work as part of the working configuration.

An algorithm for performing self-degradation is shown in FIG. eleven.

The process of self-management of degradation consists in the fact that each BMi compiles a list of failed VMs 119, for which the ERRi failure counter has exceeded the limit of 8, agrees list 120 by performing the majority procedure, if the agreed list is not empty 121, then ERRi will select the worst BM , in which the failure counter ERRi (40-43) has the maximum value from the list 122, and if two VMs have the same counter values, then selects the VM with the lowest number, prepares a new configuration, setting the degradation mode, consistent enables selected VMi 123 and switches the operating mode to on, turns on standby power, sets majorization of the configuration management controller, blocks all switched off and faulty VMs, assigns the VMi to be the master on the MCO in accordance with the configuration, if the selected VMi is locked 124, then the contents of the locked BMi lock counter adds “1” 125, prepares a lock notification 126 for the software, end of degradation, and if the selected VM is not blocked 124, it prepares 127 degradation notice for the software, end of degra data, and if the agreed list is empty 121, then the end of degradation.

The self-reconfiguration algorithm is shown in FIG. 12.

The self-configuration procedure consists in the fact that if 128 times more than 10 s are allocated for reconfiguration, then all unnecessary VMs 129 (standby and faulty VMs) are turned off, if 130 times less than 60 s are allocated for reconfiguration, then 134 procedure must be completed, if more If there are three VMs 131 in the current configuration, then it is necessary to complete the 134 procedure, if in the current configuration there are less than three VMs 131, then it is necessary to select 132 VMs to be switched on according to the minimum value of the BLKi counter (48-51) and if 133 suitable VMi were found (switched off and serviceable and turned off and has the minimum value of the counter BLKi), then turn on 135 BMi, transfer 136 necessary information to RAM BMi and perform a synchronized and coordinated restart of 137 software with the sign of overwriting, complete procedure 134, and if no suitable BMi was found, then it is necessary to complete 134 procedure .

Information sources

[1] E.M. Mamedli, R.Ya. Samedov, N.A. Sobolev. The method of localization of "friendly" and "hostile" faults. // Technical diagnostics. 1992, No. 5, pp. 126 - 138.

[2] A Avizhenis. Fault tolerance - a property that ensures the continuous operation of digital systems // TIIER. 1978. T. 66. No. 10. S. 5-25.

[3] Lala / J /., Alger L.S., Ganthic R.J., Dzwonczyk M.J. A fault tolerant processor to meet rigorous failure requirements // Proc. 7th Dig. Avionics Syst. Conf., 1986. P. 555-562.

[four]. Lobanov A.V. Failure-proof informational coordination in a four-machine computing system with identification of detected faults // Autom&T, 1992. No. 2. P. 171-180.

Claims (6)

1. A method of ensuring the failure and fault tolerance of a computer system based on task replication, the possibility of self-configuration and self-management of degradation, while the computer system includes four numbered computers BMi, where i = 1-4 is the number of the computer (VM), each of which is connected to all other computers through its own transmitting interface device (US) with the channel for broadcasting information, in which each computer in the cycle of the system receives input information, calculates with a personal copy of the output information and transfers this copy of each other computer of the system, calculates the correct output information by majorizing one's own and all received copies, gives the result of majorization to the external environment, compares all available copies of the output information with the majorizing result, characterized in that in each computer additionally introduced the first, second, third, fourth software failure counters (ERRi BMi), the first, second, third, fourth software failure seconds counters (SECi BMi), the first, second, third, even locked software lock counters (BLKi BMi), synchronization timer (TmrSn), inter-machine synchronization timer (MMO) (tmr MMO), interrupt request generation timer (Tmrgzp), RPgp interrupt request generation timer preset register, interrupt request generation counter RTgzp, RPsn synchronization timer preset register, RTsn synchronization timer counter, MMO RPmmo preset register, MMM RTmmo synchronization counter, RFx latch register, inter-machine exchange controller (CMMO), configuration control controller (CCC) and determined the stages of system startup, consisting of the initialization of the system, an initial check on switching on, the formation of a table of the technical state of the TTC system, the installation of the initial working configuration of the system, functional work while maintaining a given level of redundancy and mechanisms for determining the failure and fault tolerance of a computer system, consisting of adjusting the CMMO, coordinating the system time, performing synchronization in the absence of an external time stamp, functioning of the MM synchronization timer , Fault detection and failure by mazhoritirovaniya own and all received copies of the input data, performing self-degradation, performance samorekonfiguratsii. 2. The method according to p. 1, characterized in that the coordination of the system time is carried out by writing to the preset register the timer for generating an interrupt request RPgzp of the operation interval equal to 1,000,000 μs, the mode is cyclic, the operation interval is overwritten into the counter for generating the interrupt request (RTgzp), which works for subtraction, Tmrgzp is triggered when the counter for generating an interrupt request is reset, generating an interrupt request, and the interval from RPgzp is written to RTgzp, the process repeats, and if the counter to generate an interrupt request is not equal to "0", then the clock continues to subtract "1" from RTgzp, and the response interval equal to 0xFFFFFFFF is entered into the preset register of the synchronization timer RPsn, the mode is cyclic, the contents of the preset register RPsn according to the external time stamp MB the synchronization timer is written to the RTsn synchronization timer counter, which works for subtraction, and the synchronization timer counter is written to the RFx commit register, and when the RTsn synchronization timer counter is set to “0 ”, The synchronization timer is triggered and there is an external time stamp, and the contents of the synchronization timer counter are written to the RFx latch register, and the preset register RPsn is written to the RTsn counter and the process is repeated, and if there is no external MB time stamp and the RTsn counter is not“ 0 ” , then the clock continues to subtract “1” from the counter RTsn. 3. The method according to claim 1, characterized in that synchronization in the absence of an external time stamp is performed when there is an interrupt request from the timer for generating an interrupt request for each BMi, then, if the current second number is even, then each BMi generates a synchronization byte and transmits it to two other VMs, each BMi analyzes the presence of synchronization bytes from other VMs and, if any, captures the generalized synchronization flag, calculates the time from the timer to the generalized synchronization (T3Si), then gives the time value (T3Si) from each BMi, if there is a generalized sign of synchronization, it computes the median of the three time values T3S0, T3S1 and T3S2, performs the majorization procedure for the agreed labels, then calculates the correction for the interrupt request generation timer and adjusts the status of the interrupt request generation timer by The calculated correction value. 4. The method according to p. 1, characterized in that the majorization procedure consists in the fact that each BMi forms a sign of necessity and transition to degradation mode, if the contents of at least one ERRi failure counter were more than 8, then the generated sign adds to its consistent value and outputs the result to all other VMs, after the exchange is completed, if there is a sign of generalized synchronization, BMi calculates the correct output information by majorizing its own and two received copies using the formula M = (A & B) | (A & C) | (B & C), where A is an eigenvalue, then compares the available copies of B and C with the result of majorization, if the copies and eigenvalue are equal to the result of majorization and if there is a sign of degradation in M, then it performs the process of self-management by degradation and returns the agreed value of M, moreover, if the copy from BM1 is not equal to M, then the contents of the failure counter ERR BM1 is increased by one, and if the copy from BM2 is not equal to M, then the contents of the failure counter ERR BM2 is increased by one, and if the eigenvalue from BM0 is not equal to M, then the contents of the error counter ERR BM0 is increased by one, and if there is no sign of degradation in M, then it returns the agreed value M. 5. The method according to p. 1, characterized in that the operation of the MMO synchronization timer is carried out so that if there is data from two inputs of the inter-machine exchange controller (IMO) and there is a clock pulse, then the content of the MMO synchronization counter is increased by "1", if any data from three inputs of the MMO controller, then a generalized synchronization indicator is generated, and if there is no data from three inputs of the MMO controller and the MMO synchronization counter is equal to the MMO preset register, then a generalized synchronization indicator is generated, and if the counter IMO synchronization is not equal to the register of the MMO preset, then the transition to waiting for a clock pulse and increasing the contents of the synchronization counter IMO by "1". 6. The method according to p. 1, characterized in that the self-degradation procedure consists in the fact that each BMi compiles a list of failed VMs for which the ERRi failure counter has exceeded a limit of 8, agrees the list, performing the majority procedure, if the agreed list is not empty then, according to the counters, ERRi consistently selects the worst BMi from the list, prepares a new configuration, sets the degradation mode, consecutively locks the selected BMi and changes the mode to working, turns on standby power, sets up majorization of the controller configuration, blocks all switched off and faulty VMs, assigns BMi the master on the MCO in accordance with the configuration, if the selected BMi is locked, then BMi adds “1” to the contents of the locked lock counter, prepares a block notification for the software (software), the end of degradation moreover, if the selected BMi is not blocked, it prepares a degradation notice for the software, the end of the degradation, and if the agreed list is empty, then the end of the degradation.

Images