RU2612569C2 - Method for automatic control of redundancy of heterogeneous computer system and devices for its implementation - Google Patents

Abstract

FIELD: measuring equipment.

SUBSTANCE: computer system, possibly heterogeneous, consists of processor nodes, which are used in parallel, with each of them is determined by the success rate of the implementation phase of the task. These figures, together with the signals of the authenticity of the processor nodes of a higher position in the hierarchy used in pairwise hierarchical arbitration. As a result of arbitration is determined by the new status of each processing node. The process of automatic control systems and redundant computing device for its implementation are applicable in computing and test equipment and can be used in complex digital data processing and management of the technical facilities to ensure their reliability and safety of operation.

EFFECT: increase reliability, fault tolerance and safety of the computing devices of complex airborne systems of technical objects.

4 cl, 3 dwg

Description

The invention relates to the field of computing and instrumentation and can be used in digital information processing and control systems for technical objects with redundant hardware and software developed and / or produced using independent executors and / or technologies in order to provide increased fault tolerance.

According to the generally accepted definition [http://slogos.ru/story/izbytochnost.html], the redundancy of a technical product refers to the presence of capabilities in it beyond those that could ensure its normal functioning. Such redundancy, depending on the purpose of the product, the nature of the problem being solved, and other circumstances, can be used either to increase its overall performance (by performing the appropriate functions in parallel) or to provide the necessary level of failure-free (by organizing hot or cold redundancy of various multiplicities).

As a technical product, a computing system (VS) is considered, generally heterogeneous, used to process information (collecting, receiving, analyzing, sending information, generating control actions, indication commands) as part of a complex technical system, often called a complex. The redundancy of the aircraft lies in the fact that the number of used processor nodes (PU), each of which consists of one processor, memory devices and providing a combination of other elements, is more than one. In this case, the aircraft may have heterogeneous hardware and software implementation, i.e. different controllers or their parts, as well as corresponding software components can be created by various developers and / or using various technologies.

A known method of increasing the reliability of computing and information systems by bitwise recovery of words (information) based on their functional redundancy [Shulga T.E. A method for constructing reconstructing sequences for systems without loss of information // Control Systems and Information Technologies. 2009. No3 (35). S. 407-411]. Such an approach potentially provides an opportunity to counter the adverse effects of malfunctions and partial failures of processors, but its practical application is limited by strict structural requirements both to the content of the processed information and the nature of the adverse effects.

There is a method of increasing the reliability and reliability of processing critical functions of a fault-tolerant computing system [Patent for the invention No. 2413975 of 11/17/2008], when the effect is achieved due to the multiple reservation of paths for the implementation of critical functions, in which the redundancy management processes and the computing process are separated in a real-time cycle and partially hardware. The so-called computing paths consisting of inextricably linked chains of the input interface, processor, and output interface are allocated as redundant units of the calculator. In each of the computing paths, a majority comparison of the signals passing through each path is performed. The ambiguity of the majority signal comparison in different paths is eliminated by the majority comparison of the signal comparison results. Reliability of majority control of signals is achieved by statistical processing of the random process of changing the critical parameter, calculating the residual variance and its majority comparison. This method and device for its implementation are selected as a prototype.

The disadvantages of this method include:

- low efficiency of majority comparison of signals with heterogeneous redundancy of computing facilities;

- deliberate overstatement of volumes of required redundancy due to the combination of several hardware components into one inextricable unit;

- too high a volume of calculations related to multi-level majority control in combination with statistical processing of path signals;

- the complexity of the device itself, which, together with the lack of built-in self-control, reduces the reliability of achieving the corresponding technical effect.

A device for managing module redundancy in a multiprocessor computing system is known [Patent US 4503534 A, G06F 11/00, publ. 03/05/1985] in the form of a matrix composed of a processor bus with error and line control lines; and memory buses with corresponding error lines and line control. Each node of the matrix has a means of recording errors in the above lines. Computing and interface modules of a computing system are divided into main and shadow and are associated respectively with the main and shadow nodes of the matrix, which control access to memory buses. In this case, the identity of all computing and interface modules is assumed. Management of the redundancy of the computing system consists in comparing the results of the main and shadow modules, as well as the “main - shadow” pairs, followed by blocking access to the memory of the modules with unconfirmed results. The main disadvantage is the inability to use the invention for systems with heterogeneous redundancy, when different modules of the same purpose are created by different developers on a different technological base.

The aim of the invention is to improve the technical and operational characteristics of a heterogeneous computing system (BC). Namely, the proposed method and device can provide increased fault tolerance of the aircraft, i.e. maintain the performance of aircraft with heterogeneous elements in the face of multiple diverse failures.

This goal is achieved by the fact that in a method for automatically controlling the redundancy of a heterogeneous computing system that contains many parallel meaningful calculations of the problem being solved, choosing the preferred solution on a competitive basis and distributing the control function across all processor nodes, the task’s meaningful calculations are divided into stages, including determining the value of the success rate completion of the current stage, while preserving the input internal and output data, then by comparing the values of the renders of the success of the stage carry out pairwise arbitration of the processor nodes according to the hierarchical scheme and reconfiguration of the computing system with the allocation of passive and leading processor nodes in pairs of all levels of the hierarchical scheme, and the leading processor node of the upper level generates and issues synchronization signals (SS) to all processor nodes, according to which all phases of the cyclic process corresponding to one current stage of the computation of the problem to be solved are performed, namely, data input and exchange, computation of the problem to be solved and arbitration of the processor nodes, and also outputs the results of the calculations to the primary and backup output channels of the computing system, each leading processor node, except for the upper level, receives synchronization and authentication signals from nodes of a higher level in its hierarchy branch, calculates the current stage of the problem being solved, generates an indicator of the success of the stage and issues an authentication signal to the lower levels of its branch of the hierarchy confirming the fulfillment of the assigned role, as well as with its indicator m the success of the stage is involved in arbitration for the right to receive the role of the leading processor node of a higher hierarchy, passive processor nodes receive synchronization and authentication signals from the nodes of their hierarchy branch, calculate the current stage of the task being solved, form an indicator of the success of the stage, as well as their indicators of the success of the stage are involved in arbitration for the right to obtain the status of the leading processor node of the first level of the hierarchy, in addition, each process A node can restore its input and internal data by accessing other processor nodes.

Additionally: stage success indicators can take only two values, while zero - the result of the stage is unsatisfactory, and one - the result of the execution is satisfactory.

The goal is also achieved by the fact that the results of calculations of any other node determined by the agreed rule are fed to the backup output channel.

In addition, to solve the same problem in a device for automatically controlling the redundancy of an inhomogeneous computing system containing several parallel processor nodes, an input buffer and a demultiplier, each processor node contains a processor, pools of input, internal and output data, as well as auxiliary inputs and outputs for signals synchronization, authentication and success rate of completion of the current stage, and managed channels of data exchange between pools.

The method for managing aircraft redundancy is based on periodic calculations and comparison of the success indicators of a stage (PUE). Depending on the content of the stage of the computational task, such indicators may be: various discrepancies or norms of the received data, confidence or guaranteed estimates of data errors, flags of the passage of requests or completion of certain operations, various indicator numbers such as checksums, etc.

The invention is illustrated by drawings.

FIG. 1 depicts a functional diagram of an aircraft according to the invention, where:

1 - Input buffer VhB;

2 - Processing units in an amount from P1 to PW;

3 - Input Input Pools;

4 - Pools of internal data of GNI;

5 - Pools of output data VD;

6 - Demultiplier of the output of DVD.

Figure 2 shows the structure of the main redundancy management duty cycle.

FIG. 3 - rules of action of PU based on the results of arbitration.

Since the method is implemented using the device (Fig. 1), its full description is given in the section explaining the operation of this device.

An aircraft with an automatic redundancy control device contains the main and backup channels of input data of the storage device connected to the input buffer VhB (1), which implements the main and backup data distribution. For this purpose, the VHB is connected to the input data pools of all the processor nodes of the control unit (2) from 1 to W. Each control unit contains three pools: the input data pool - the I / O Pool (3), the internal data pool - the VND Pool (4) and the output data pool - Pool VYD (5). The output data pools are connected to the DVYD output data demultiplier (6), intended for selective transfer of the main and backup output data from the controllers. For this, the DVYD block is connected to the main and backup channels of the output data of the KVYD of the computer system. Moreover, it is accepted that the input and output data are grouped in packets protected by control codes. It is believed that input and output are performed in a single action. After completion of the input and verification of the control code, the data is updated with the corresponding flag. Details of the data exchange operation (protocols, retrains) are not of fundamental importance. In the computing process, in addition to the input data, internal data located in the corresponding pools is used.

In addition, between the controllers there are interprocessor communications (conventionally shown with dashed arrows with semicircular endings in the drawing) that allow each control panel to access the pools of the same name of the other control panels to obtain their input and internal data in order to restore their data. Each PU does this independently in the absence of a flag from any of its pools in a certain period of time. It may turn out that there will be no necessary (VHD, VND) data at all. Then the computational cycle is interrupted and a fault message is issued in the service channel indication.

The device operates (Fig. 1) as follows.

Input channels (primary and backup) receive input data of the next stage of the computing process. These data enter the pools (primary and backup, respectively) of each of the 2 ^N launchers participating in the aircraft. At the beginning of each work cycle, all flags reflecting the relevance of the data are reset and set after the successful completion of the operation to fill the corresponding pool.

Moreover, their data are selected directly from the channels connected to the aircraft. The remaining data is selected from the channels of the inter-machine exchange (MO).

The main duty cycle of a computing system, as shown in FIG. 2, contains N + 4 phases, where N is the number of levels of the aircraft hierarchy. Phases are marked by SS, which are packets issued by VVPU (top-level leading processor node) to all available addresses. SSs are issued as datagrams without confirmation. If any package is lost, then the problem of entering synchronism is solved in the next cycle. Sync packets, in addition to signs of the type of packet and source address, include a cycle counter, which (in addition to timing) can be used to determine the integrity of the overall situation and serve as initial data for the test task.

The phases of the main work cycle are the following sequentially performed actions:

1. Getting CC1 from the current VVPU- defined in the previous cycle (this is indicated by the presence of a minus sign). Input through VhB of data from the main and reserve channels of KVhD. Exchange of input data in the absence of relevant relevance flags for any I / O pools.

2. Getting CC2 from the current VVPU-. Implementation of applied processes, including verification of data relevance, meaningful calculations of the problem to be solved, calculation of the success rate for solving the problem at the current stage (PUE).

3. Getting SS3 from the current VVPU-. Exchange of internal data, if necessary, restore the computing process in processors that have not reached the successful completion of the stage.

4. Getting CC4 from the current VVPU-. Arbitration PU at the first (lower) level of the aircraft hierarchy. Assigning the statuses of PUF and V1PU based on the comparison of PUE in pairs, taking into account the rules shown in FIG. 3. If there is no advantage of any of the control points, the decision is made on the basis of a discriminatory rule (for example, by the order number of the control points).

5. Getting SS5 from the current VVPU-. The issuance of CA from V1PU (confirmation of the role in accordance with the status) for the PPU of its pair. Arbitration of V1PU processors at the second level of the aircraft hierarchy for the role of V2PU according to the rules similar to clause 4.

N + 2. ...

N + 3. Getting CC (N + 3) from the current VPPU-. The issuance of PA from B (N + 3) PU for lower levels of the aircraft hierarchy. Arbitration for the role of VVPU according to the rules similar to clause 4.

N + 4. Getting CC (N + 4) from the newly defined VVPU (this is indicated by the absence of a minus sign). Issue of exit data from VVPU through DVYD to the main KVYD. Issuing data Vyd from B (N-1) PU through DVYD in the backup KVYD. After completion of data output, go to the beginning of the cycle.

Each control unit controls, on a timer, the time of receiving SS and CA coming from controllers of a higher hierarchy level. The absence of SS or CA at the expected time is interpreted by the PU as the basis for the restoration of calculations and re-arbitration. If at this point in the system there was at least one backup control unit, then the internal data stored in its pool allows you to restore calculations with a minimum delay.

The reconfiguration of the aircraft occurs in phases initiated by synchronization signals, starting from CC4 and ending with CC (N + 3) inclusive, depending on the status of each of the controllers. Initially, each PU is assigned the status of PUF. Further, the procedure involves two processes: the entry of PU into the cycle and the exit of PU from the cycle. The actions performed upon entering the cycle and the grounds for their implementation are shown in FIG. 3. At the same time, each control unit takes into account both its success in solving the problem at the current stage, and blocking caused by SA coming from higher-level VCPU. The output (shutdown) of the control panel does not affect the execution of the main cycle. The output (failure, malfunction or improper functioning) of any VCPU does not cause interruptions in the output of the calculation results, but destroys the structure (chain) of reserves, which is restored after the arbitration in the next cycle. The VVPU output leads to a failure in the output of the output data in the current cycle, the computational process is restored together with the new aircraft hierarchy in the next cycle.

Industrial applicability

The most successfully claimed method of automatic control of the redundancy of a computer system and a device for its implementation are industrially applicable in computer and instrumentation and can be used to create a fault-tolerant integrated computing environment in advanced complexes of on-board equipment of moving objects and complexes of automated control of the functioning of production and energy objects with the aim of ensure their reliability and safety functions oning.

An example of such an application is a functioning prototype of a fragment of an onboard integrated computing environment for aviation purposes, created at JSC Research Institute of Aviation Equipment) under a project under an agreement with the Ministry of Education and Science in accordance with Decree of the Government of the Russian Federation of 2010 No. 218.

Information sources

1. Redundancy concept, definition on Slogos.ru - http://slogos.ru/story/izbytochnost.html

2. Shulga T.E. A method for constructing reconstructing sequences for systems without loss of information // Control Systems and Information Technologies. 2009. No3 (35). S. 407-411.

3. Patent for the invention No. 2413975 with priority from 11/17/2008.

4. Volik B. G., Buyanov B. B., Lubkov N. V. et al. Methods of analysis and synthesis of structures of control systems / Ed. B.G. Volika. - M .: Energoatomizdat, 1988.S. 242-244.

5. Patents for the invention No. 2430400 with priority from 08/20/2010 and No. 2431174 with priority from 08/20/2010.

Claims (4)

1. A method for automatically controlling the redundancy of an inhomogeneous computing system, containing many parallel computations of the problem being solved, selecting the preferred solution on a competitive basis and distributing the monitoring function across all processor nodes, characterized in that, in order to provide increased fault tolerance, the task calculations are divided into stages, including determining the value of the success rate indicator for completing the current stage, while preserving the input, internal and output data, then by matching The values of the success indicator of the stage are carried out by pairwise arbitration of the processor nodes according to the hierarchical scheme and reconfiguration of the computing system with the allocation of passive and leading processor nodes in pairs of all levels of the hierarchical scheme, and the leading processor node of the upper level generates and issues synchronization signals to all processor nodes, according to which all phases of the cyclic process corresponding to one current stage of computing the problem to be solved, namely, data input and exchange, computing, we solve ith the task and arbitration of the processor nodes, and also outputs the results of the calculations to the primary and backup output channels of the computing system, each leading processor node, in addition to the upper level, receives synchronization and authentication signals from nodes of a higher level in its hierarchy branch, performs calculations of the current stage of the problem being solved, generates an indicator of the success of the stage execution and issues an authentication signal to the lower levels of its hierarchy branch confirming the fulfillment of the assigned role, as well as with its As an indicator of the success of the stage, it participates in arbitration for the right to receive the role of the leading processor node of a higher hierarchy, passive processor nodes receive synchronization and authentication signals from the nodes of its hierarchy branch, calculate the current stage of the task being solved, form an indicator of the success of the stage, as well as indicators of the success of the stage are involved in arbitration for the right to obtain the status of the leading processor node of the first level of the hierarchy, in addition, each a processor node can recover its input and internal data by accessing other processor nodes. 2. The method according to p. 1, characterized in that the success indicators of the stage can take only two values, while zero - the result of the stage is unsatisfactory, and one - the result of the execution is satisfactory. 3. The method according to claim 1, characterized in that the results of the calculations of any node determined by the agreed rule are fed to the backup output channel. 4. A device for automatically controlling the redundancy of a heterogeneous computing system, comprising a primary and backup input data channels connected to an input buffer that is connected to all processor nodes, characterized in that each processor node contains one processor and three memory pools connected to it for data storage : input pool, internal data pool and output pool, processor nodes are connected to the output data multiplier, the demultiplier is connected to the primary and backup channels As the output data of the computing system, there are interprocessor communications between the processor nodes, and each processor node contains auxiliary inputs and outputs used for transmitting and receiving synchronization signals, authentication, and a success indicator for completing the current stage, as well as controlled channels of interprocess data exchange.

Images