WO1987007793A1 - Method for realizing a fault-tolerant electronic system and a corresponding system - Google Patents

Method for realizing a fault-tolerant electronic system and a corresponding system

Publication number
WO1987007793A1
Authority
WO
WIPO (PCT)
Prior art keywords
output
outputs
module
modules
gate
Application number
PCT/FI1986/000062
Inventor
Tapio Antti Pulli
Original Assignee
Valtion Teknillinen Tutkimuskeskus
Application filed by Valtion Teknillinen Tutkimuskeskus
Priority to PCT/FI1986/000062
Publication of WO1987007793A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16 Error detection or correction of the data by redundancy in hardware
    • G06F11/18 Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits
    • G06F11/183 Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits by voting, the voting not being performed by the redundant components
    • H ELECTRICITY
    • H03 ELECTRONIC CIRCUITRY
    • H03K PULSE TECHNIQUE
    • H03K19/00 Logic circuits, i.e. having at least two inputs acting on one output; Inverting circuits
    • H03K19/003 Modifications for increasing the reliability for protection
    • H03K19/00392 Modifications for increasing the reliability for protection by circuit redundancy
    • H ELECTRICITY
    • H03 ELECTRONIC CIRCUITRY
    • H03K PULSE TECHNIQUE
    • H03K19/00 Logic circuits, i.e. having at least two inputs acting on one output; Inverting circuits
    • H03K19/20 Logic circuits, i.e. having at least two inputs acting on one output; Inverting circuits characterised by logic function, e.g. AND, OR, NOR, NOT circuits
    • H03K19/23 Majority or minority circuits, i.e. giving output having the state of the majority or the minority of the inputs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16 Error detection or correction of the data by redundancy in hardware
    • G06F11/18 Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits
    • G06F11/187 Voting techniques

Definitions

  • the present invention relates to realizing a fault-tolerant electronic system, the said system comprising three or more similar modules and a voter for testing the output signals of the system and for choosing the output signals in accordance with the majority of the modules.
  • the invention also relates to a corresponding system. This system functions correctly outwards irrespective of failure in any of the components.
  • the fault-tolerance of the system is achieved by means of redundancy.
  • Extra components or parts are added to the system, which components perform the respective tasks in case one of the system components or parts is damaged.
  • Electronic systems can be provided with several different redundancy methods. These methods can be divided into static redundancy and dynamic redundancy.
  • NMR N-Modular Redundancy
  • TMR Triple Modular Redundancy
  • the module outputs must also be compared to the system outputs.
  • this is realized so that both the output signals and the signals from two other modules are fed into each module, and the faults in any one module or in the system outputs are detected by means of comparison by software.
  • the drawback of this arrangement is the location of the voter in a separate module, for instance a microcircuit, in which case, if for example the modules include 16 signals to be voted, there is needed a voter circuit of at least 66 pins (3 x 16 input signals from the modules, 16 output signals of the system plus the supply voltage and ground pins).
  • the feedback required by the fault indication means that in the system of the said US patent, there are needed 48 additional pins in the modules, which must also be provided with additional logic and additional programmes in order to realize the comparison and the fault indication tasks.
  • the voter is located in a separate module means that more space is needed on the circuit board.
  • the fault indication likewise requires more circuit board space. If the number of the signals to be voted is increased, the number of the voter pins is increased by four per each additional signal.
  • the voter should be realized by means of several microcircuits, because microcircuits with 66 or possibly even more pins are not in standard production at present. This, however, would reduce the reliability of the voter.
  • the voter in the system is in series with respect to certain ways of suffering damage, so that the voter defines the reliability properties of the system, often during short mission times, because an ideal TMR is extremely reliable with such mission times that are short compared to the mean time to failure of the modules.
  • the method of the present invention for realizing a fault-tolerant electronic system, and the corresponding system, bring forth an improvement to the above described drawbacks.
  • the method of the invention is mainly characterized in that the mutually corresponding outputs of the modules are combined into system outputs, the states whereof are determined according to the states of the majority of the outputs from the modules, so that the voting logics connected to the modules compare the states of the system outputs to the states of the internal outputs of the modules, and on the basis of this comparison there are set specific signals for the voting logic outputs, by the aid of which signals, and together with the signal received from the voting logic of a possible preceding module and indicating the state of the said module, or together with a corresponding predetermined signal, the voting logics in fault situations define the damaged module and prevent the module fault from affecting the system outputs.
  • Another characteristic feature of the method of the present invention is that by logically processing the signals of the first outputs from the voting logics of the modules in each voting logic, in the second output of each module there is created a signal, these signals are connected to a common output, and the signal received therefrom indicates the faultless or faulty condition of the system outputs.
  • a TMR system or more generally a NMR system can be realized, a separate voter module is not necessarily needed, and a fault indication is received from the system in most cases when there is a failure in the system outputs.
  • a fault indication is also received if any of the modules functions incorrectly, even if the system outputs were faultless. All this can be realized with relatively small-scale arrangements, by connecting to the modules separate or directly integrated additional logics, i.e. voting logics. Irrespective of the amount of the signals to be voted, the number of additional pins needed in the integrated modules is only seven in the case of a three-module redundancy.
  • the integration of the voting logic to the modules means increased reliability, because it is a well-known fact that integration improves the reliability per each basic task. From the reliability point of view, the integrated voting logic is in series also with respect to certain fault mechanisms, but the fault frequency of such critical faults is comparable to the failure rate of the critical faults in a separate voter.
  • Fault detection and repairs are most often easily arranged in the case of an integrated voter.
  • the system can be made to directly indicate the faulty module, which can be replaced by a faultless one even during operation, or a by-pass module can be used during the replacement.
  • the replacing can be carried out extremely quickly, which is a remarkable advantage while aiming at a high degree of availability.
  • Figure 1 illustrates the fault-tolerant electronic system according to the present invention, composed of three modules and provided with voting logic
  • FIGS. 2A, 2B and 2C are block diagrams of the voting logics connected to the modules of figure 1;
  • FIG. 3 is a detailed illustration of a voting logic connected to a module
  • Figure 4 illustrates an electronic system of the invention, integrated into one microcircuit
  • Figure 5 illustrates an output buffer which can also be used as an input buffer or as an output buffer connected to a bus of several users.
  • the system according to the invention which in figure 1 is indicated by the dotted lines and marked with the reference number 1, is formed of three modules 2, 3 and 4.
  • the modules 2, 3 and 4 contain the module logics 29, 30 and 31 proper, the voting logics 15, 16 and 17 and the output buffers 18, 19 and 20.
  • the mutually corresponding outputs 5, 6 and 7 of the modules are wired together to form the system output 8.
  • the said outputs are binary outputs, so that the voltage of the output is either positive, five volts (logical "1", or state one according to positive logic) or zero volts (logical "0", or state zero according to positive logic).
  • the output buffers 18, 19 and 20 are three-state buffers, a high-impedance state is possible.
  • the output buffers 18, 19 and 20 can also be of the open-collector type, in which case each separate system output must, after a known fashion, be connected to the supply voltage by means of a pull-up resistor.
  • the number of the output signals in the module outputs 5, 6 and 7 and in the system output 8 is not limited in any way.
  • each voting logic 15, 16 and 17 are illustrated in figures 2A, 2B and 2C.
  • the voting logics are similar in structure. Differences occur only in the couplings between their internal elements, which will be explained further below.
  • the voting logics 15, 16 and 17 comprise the majority indicators 60a, 60b and 60c, the status register 61a, 61b, and 61c and the comparator 35a, 35b and 35c.
  • a detailed illustration of the voting logic 15 connected to the module 2 is provided in figure 3. The separate components thereof are marked with reference numbers without letters.
  • the module logics proper 29, 30 and 31, contained in the modules 2, 3 and 4 may be any kind of electronic devices provided with binary outputs or equivalent logic outputs - for example microprocessors, analog to digital converters, memories etc.
  • the information to be processed in the module logics 29, 30 and 31 is fed, in the form of binary or analogic signals or the like, into these devices for instance through the inputs 9', 10' and 11'.
  • Each module 2, 3 or 4 as a whole can be an integrated circuit, whereto the corresponding voting logic 15, 16 or 17 is also integrated.
  • the modules 2, 3 or 4 can be integrated into one fault-tolerant microcircuit.
  • the couplings between the separate parts of the system of the present invention are in essential elements as follows (figures 1, 2 and 3).
  • the outputs 5, 6 and 7 from the output buffers 18, 19, 20 are combined, as was stated above, to form the system output 8, and this is further connected to the first inputs of the comparator 35; 35a, 35b, 35c of the voting logic 15, 16, 17.
  • the internal outputs 9, 10, 11 of each module logic 29, 30, 31 is connected to the respective output buffer 18, 19, 20, and to the corresponding inputs of the comparator of the voting logic.
  • the output of the comparator in each voting logic is connected to the inputs 12a', 12b, 12c of the majority indicators 60a, 60b, 60c of all of the voting logics.
  • the majority indicators, for instance 60 are in turn connected to the respective status register 61, and the status registers 61a, 61b and 61c of the voting logics 15, 16 and 17 of the separate modules 2, 3 and 4, are interconnected at the outputs 28a, 28b and at the inputs 27b, 27c.
  • the comparator 35; 35a, 35b, 35c of each voting logic compares the states of the system outputs 8 to the states of the internal outputs 9, 10 and 11 of the modules 2, 3 and 4, and on the basis of this comparison it gives a signal to the majority indicators 60; 60a, 60b, 60c of every voting logic, and the said majority indicators transmit the information concerning the states of the outputs 9, 10 and 11 of the modules 2, 3 and 4 further to the status registers 61; 61a, 61b, 61c, by means of which register, and together with the signals possibly received from other status registers and indicating the state of the respective modules, the faulty module is detected in case of a fault, and the influence of this fault to the system outputs 8 is prevented by sending a masking signal to the output buffer 18, 19, 20 through the output 53a, 53b, 53c of the status register of the module in question.
  • the comparator 35a, 35b, 35c, the majority detector 60a, 60b, 60c and the status register 61a, 61b, 61c of each voting logic 15, 16 and 17 can be realized for instance in the fashion represented in the appended drawings.
  • Each comparator 35 (figure 3) is composed of a required number of exclusive-or gates 351, 352, 353..., to the first input whereof there are connected the external outputs 5; 501, 502, 503... of a module, for instance 2, and to the second input whereof there are connected the external outputs 9; 91, 92, 93... from the same module.
  • the majority indicator 60; 60a, 60b, 60c of each voting logic 15, 16 and 17 is composed of an or-gate 38, 40 and of an inverter 39.
  • the status register 61 comprises the inputs 27, 34, 54, 55, the clock C2 and the outputs 21, 28 and 53, as well as the or-gates 41, 48, the and-gates 42, 44, 45, 49, the inverter 43 and two flip-flops or corresponding intermediate registers, the first 46 being advantageously a flip-flop of the D-type, and the second 47 advantageously of the JK-type.
  • the input 27 is connected to the first input 411 of the or-gate 41 and to the input 431 of the inverter 43; the input 34 is connected to the reset input CLR of both flip-flops 46 and 47; the input 54 is connected to the second input 482 of the or-gate 48 and to the second input 492 of the and-gate 49; the input 55 is connected to the second input
  • the first input 461 of the first flip-flop 46 is connected to the output 53 of the status register and to the clock input 471 of the second flip-flop 47.
  • the second inverted output 462 of the first flip-flop 46 is connected to the first input 481 of the or-gate 48.
  • the output 474 of the second flip-flop 47 is connected to the third input 423 of the and-gate 42 and to the third input 453 of the and-gate 45.
  • the J-input 472 of the flip-flop 47 is connected to five volts and the K-input 473 to zero volts.
  • the output 413 of the or-gate 41 is connected to the first input 421 of the and-gate 42.
  • the output 483 of the or-gate 48 is connected to the second input 422 of the and-gate 42 and to the second input 442 of the and-gate 44.
  • the output 443 of the and-gate 44 is connected to the data input D of the first flip-flop 46.
  • the output 432 of the inverter 43 is connected to the first input 451 of the and-gate 45, and the clock C2 to the second input 452 of the and-gate 45.
  • the output 454 of the and-gate 45 is connected to the clock input CK of the first flip-flop 46.
  • the output 424 of the and-gate 42 is connected to the output 28 of the status register, and the output 493 of the and-gate 49 is connected to the output 21 of the status register.
  • the input 27a (in figures 1 and 2, the respective inputs of the modules 3 and 4 are 27b and 27c) of the module 2 is coupled to zero voltage, i.e. to the ground reference
  • the output 28a (in figures 1 and 2, the respective outputs of the modules 3 and 4 are 28b and 28c)
  • the output 28b of the module 3 is coupled to the input 27c of the module 4.
  • the output 28c of the module 4 is coupled to the ground through the resistor 23.
  • a set pulse is fed to the input 34a of every module (in figures 1 and 2, the inputs of the modules 3 and 4 are marked 34b and 34c), which set pulse sets the output 53 of the status register 61, i.e. the Q-output 461 of the D-type flip-flop 46 (figure 3), to zero.
  • the Q̄-output of the flip-flop 46, i.e. its complement 462, sets to state one
  • the Q-output 474 of the JK-type flip-flop 47 also sets to state one.
  • the Q-output 461 of the D-type flip-flop 46 i.e.
  • the external outputs (in figure 3 outputs 501, 502, 503) of the module 2 follow, in their inverted form, the internal output signals of the module (in figure 3 marked 91, 92, 93) so that any possible changes in the outputs 501, 502, 503 take place on the leading edge of the pulse of the clock C1.
  • the external outputs 5, 6, 7 from the modules 2, 3, 4, i.e. also the system outputs 8, are either in the high-impedance state or in state one.
  • the module logics 29, 30, 31 proper (figure 1) are in the start-up of the electronic system 1 set to the same state, then the comparison of the output signals of the outputs 9, 10 and 11 of the internal, i.e. proper module logics, with the output signals of the external outputs 5, 6 and 7, i.e. the system outputs 8, in the comparator 35 gives the same result in all modules.
  • the comparator 35 is formed of open-collector type exclusive-or-gates 351, 352, 353... (figure 3).
  • the outputs of the exclusive-or-gates 351, 352, 353 are coupled to one output 12a of the comparator 35.
  • the respective outputs of the comparators 35b, 35c of the modules 3 and 4 are in figure 1 marked with the reference numbers 13b and 14c.
  • the outputs 12a, 13b and 14c of the comparators 35a, 35b, 35c are connected to all of the modules 2, 3, 4 as is apparent from figure 1, and inside the modules, in the voting logics 15, 16 and 17, the outputs 12a, 13b and 14c are coupled to the inputs of the majority indicator 60 at the or-gates 38 and 40.
  • the specific internal comparison signal of the module 2 is transmitted, through the input 12a' (in the module 3 input 13b' and in the module 4 input 14c') to the gate 40, inverted by the inverter 39.
  • the outputs 5; 501, 502 and 503 of the module 2 are activated, and the signals contained in the internal outputs 9; 91, 92, 93, which were stored in the output buffers 18; 181, 182, 183 on the leading edge of the pulse of the clock C1, gain access to the outputs 5; 501, 502 and 503.
  • the comparison signals of the outputs 12a, 13b and 14c remain in state one, with the exception of the time between the change of the internal signals 9, 10 and 11 and the successive change of the states of the system outputs 8 controlled by the clock C1.
  • the internal outputs and the system output differ, and the signals in the outputs 12a, 13b and 14c are set to zero.
  • the signals in the outputs 12a, 13b and 14c are also set to state one.
  • the phase difference of the pulses of the clocks C1 and C2 must be such that the signals in the outputs 12a, 13b and 14c, as well as the rest of the voting logic, have sufficient time to be set by the time of the leading edge of the pulse of the clock C2.
  • the pulses of the clock C2 are best formed in each module 2, 3 and 4, with a suitable delay, of the pulses of the clock C1, which in turn are formed for instance by means of the clock pertaining to the module logics 29, 30, 31.
  • the outputs 5 of the module 2 are active and determine the system outputs 8.
  • the outputs 6 and 7 of the modules 3 and 4 are masked (either by three-state buffers, i.e. output buffers 19, 20 to be in the high-impedance state or by open-collector buffers to be in state one), but the module logics 30 and 31 are continuously operated in a normal fashion, and the voting logics 16 and 17 compare the internal outputs 10 and 11 with the system outputs 8.
  • the and-gate 49 (figure 3), the output whereof is marked with the reference number 21a, is of the open-collector type, and the outputs 21a, 21b, 21c of each module 2, 3, 4 are wired together (figure 1).
  • the signal in the output 21 (figure 1) is in state one (except for changes), because the signals in the outputs of the gates 38 and 40 are in state one, and appear as inputs in the and-gate 49.
  • the fault occurs in either one of the module logics with masked outputs.
  • the signal of the output 53 of the voting logic of the module 3 sets to state one.
  • the faultless module 4 notices that the signals in the output 8 are faultless, and the comparison signals 13b and 14c of the modules 3 and 4 are set to state one.
  • each module at least one of the inputs of the or-gates 38 and 40 is in state one, and consequently their output signals are likewise in state one, i.e. the signal in the output 21 is also five volts indicating the faultless condition of the signals in the system output 8.
  • the signal in the output 12a remains continuously in state zero. If, however, the module 2 only has a transient fault or such a permanent fault which is not all the time apparent in its internal outputs 9, the signal in the output 12a may occasionally or even permanently be set to state one. The module 2 still remains masked, unless a new set pulse is fed to the input 34, because the signal in the output 474 of the JK-type flip-flop of the status register 61 in the module 2 is set to zero and prevents any changes of state in the output 461 of the D-type flip-flop 46, and simultaneously in the output 53a of the status register 61.
  • the strategy is to replace the faulty module as quickly as possible, and the system is reset by means of the set pulse through the input 34, so that the outputs 5 from the module 2 are active, i.e. the states of the output 5 determine the states of the system output 8.
  • the outputs from the module 4 are activated according to the previously described mechanism. Thereafter a new cycle will be successful only after the set pulse is fed into the input 34.
  • the fault occurs in one of the module logics with masked outputs. In that case the fault does not proceed to the system outputs 8, but it is only apparent in the internal signals of the faulty module.
  • the module logic 31 of the module 4 is faulty, and the outputs from the module 2 are active; now the comparator 35c of the module 4 notices the disagreement, and the signal in the output 14c is set to zero.
  • the rest of the comparison signals in the outputs 12a and 13b remain in state one.
  • the inputs of the or-gates 38 and 40 receive at least one signal in state one, so that the output signals of the or-gates are in state one in every one of the modules 2, 3, and 4.
  • the fault may also occur in the module logic 30, in which case the system functions in the above described fashion.
  • the operation of the system is fault-tolerant in case of fault in any of the module logics 29, 30 or 31.
  • the modules 2, 3 and 4 there may also occur faults in the voting logics 15, 16 and 17, or in the output buffers 18, 19 and 20.
  • the majority is of a type which does not in itself cause a failure in the system outputs, but part of them do not give fault indication either.
  • the situation is similar in the prior art NMR systems.
  • the critical ones are such that cause a signal to be erroneously set to zero in the output 21, because this signal is used for fault indication and for instance for interrupting the operation.
  • Latent faults can be revealed by means of occasional testing.
  • the output buffers 18, 19 and 20 are the most critical elements in all NMR systems of n modules. Failure in the outputs always causes a system fault in the prior art NMR systems. In the system of the present invention, however, part of the faults in the output buffers can also be masked. Thus, if all or part of the output buffers 18, 19 or 20 in any of the modules 2, 3 or 4 remain permanently in state one or in the high-impedance state, then the respective buffer of another module is able to control the output in question. If the faulty buffer is included in a module with inactive outputs, the situation does not require any particular treatment, but on the other hand the fault is unfortunately not even detected without separate testing.
  • the comparison signals of the comparators 35a, 35b and 35c in the outputs 12a, 13b and 14c are set to zero, because the signals or the states in the output 8 are in disagreement with all states of the internal outputs 9, 10 and 11. Then all signals in the outputs of the or-gate 38 are in state zero, i.e. the second input of the and-gate 49 is set to zero and consequently sets also the signal in the output 21 to zero.
  • the output signal of the or-gate 48 is also set to zero in the module 2, so that one of the input signals of the and-gate 44 is set to zero, which causes the output signal of the gate to be set to zero and the signal entering the data input of the D-type flip-flop 46 to be set to zero.
  • the signal in the output 53 of the status register 61 is set to zero, and the outputs 5 of the module 2 are masked.
  • the output signal of the or-gate 48 in the module 2 has, while setting to zero, also set to zero the output signal of the and-gate 42, i.e.
  • the signal in the output 28a which in turn sets to zero the signal in the input 27b in the module 3, where both of the input signals of the and-gate 44 are now in state one, the two input signals of the and-gate 45 are in state one, and the third signal, i.e. the clock pulse from the clock C2 gains access to the clock input of the D-type flip-flop 46.
  • the output signal of the and-gate 44 i.e. the signal of the data input of the D-type flip-flop 46 is in state one
  • the signal in the output 461 of the D-type flip-flop in the module 3, i.e. in the output 53b of the voting logic 16 sets to state one, so that the internal signals 10 now determine the states of the system output 8.
  • the signal in the output 21 must be used so that it prevents erroneous information from proceeding to the successive stages after the system 1.
  • the or-gate 38 of the majority indicator 60 ensures that the signal of the output 21 remains in state zero when one of the output buffers 18, 19 or 20 is damaged so that all states of the internal outputs 9, 10 and 11 are in continuous disagreement with the states of the outputs 8. This is the situation for instance when one of the output buffers 181, 182, 183... permanently and erroneously remains in state zero.
  • One of the problems with TMR systems is the synchronizing of all modules so that the same signals to be voted in the separate modules appear simultaneously, and so that it is possible to know the right moment for voting.
  • the present invention does not include improvements as regards synchronizing, but the synchronizing must be carried out according to prior art methods, for instance those described in the US patent 4,375,683.
  • the pulse frequency and synchronizing of the clocks C1 and C2 must be realized so that the phenomena connected to the changes in the internal signals 9, 10 and 11 and occurring in the voting logics 15, 16 and 17 have been balanced by the time the leading edges of the pulses of the clock C2 enter the clock inputs of the D-type flip-flops 46 of the status registers 61 in the separate modules.
  • Figure 4 illustrates a method of the present invention integrated into one microcircuit. Then the system of figure 1 is integrated on one silicon chip, and only 3 extra pins are needed in the circuit: the output 21, the input 34 for the set pulse, and the fault indication output 24 of one of the module logics 29, 30 or 31, the said fault indication output being formed in the outputs 12a, 13b and 14c of the comparators 35a, 35b and 35c, at the and-gate 50.
  • the set pulse in the input 34 may also be arranged in common with the set pulses of the module logics 29, 30 and 31.
  • the comparison signals of the comparators 35a, 35b and 35c in the outputs 12a, 13b and 14c can be utilized in the realization of a fault register to be supplied in the system.
  • the fault register includes a logic and memory circuit, where all faults occurring in the module logics are registered on the basis of the signals 12a, 13b and 14c in a desired fashion, so that for instance by means of an alarm signal and a light indication the control or maintenance personnel is informed of the faulty module.
  • the signal in the output 21 may also be used to give an alarm in case there is a failure in the outputs 8.
  • the output buffer is marked with the reference number 181; let us assume that it is the first unit of the output buffer 18 in the module 2.
  • a normal output buffer comprises an intermediate register such as the D-type flip-flop 62 and the inverting gates 63.
  • the first signal output 91 of the internal output 9 in the module 2 is connected to the D-input of the flip-flop 62, the output of the clock C1 is connected to the clock input and the output of the status register 61a is connected to the control input 633 of the inverting gate 63.
  • the input 631 of the gate 63 is connected to the Q-output of the flip-flop 62, and the output 632 is connected to the first signal output 501 of the external output 5 in the module 2.
  • the internal signal output 91 determines the state of the external signal output 501.
  • a masking signal is received from the status register 61a of the voting logic 15 through the output 53a to the input 633 of the gate 63, the gate is closed either in the high-impedance state or in state one, and thus prevents the internal signal output 91 from affecting the external signal output 501.
  • an intermediate register in the output buffer such as the D-type flip-flop 62
  • the internal outputs 9, 10, 11 of all modules are registered in the D-type flip-flops 62 of the respective output buffers, then the faults occurring thereafter and before the following leading edge of the pulse of the clock C1 in the module logics 29, 30, 31 (and particularly in the one which has active outputs) cannot proceed to the system outputs 8.
  • inverting gates are coupled in parallel with the output buffers 181, 182, 183 in question in the opposite direction, an example of such a gate being the gate 64 in figure 5.
  • the input 641 of the gate 64 is connected to the first signal output 501, and the output 642 is connected to the first signal output 91 of the internal output in the module 2, as well as to the D-input of the flip-flop 62.
  • the control input 643 of the gate 64 is connected to the input 37a of the output buffer 181.
  • the three-state gate 64 can be controlled by means of a control signal received from the module logic 29, which signal is fed into the input 37a of the output buffer 18 so that when the bus is occupied by others, the gate 64 serves as an inverter. Thus erroneous changes in the signals are avoided in the outputs 12a, 13b and 14c of the comparators 35a, 35b and 35c.
  • the output buffer provided with the gate 64 and other corresponding means can also be used as the input buffer of the modules. Then the possible external inputs 9', 10', 11' of the module logics 29, 30, 31 can be replaced by the said input buffer.
  • the invention is by no means limited to the preferred embodiment described above, for example the different synchronization requirements of various electronic appliances result in that the system can be realized even without the clocks C1 and C2.
  • the voting logics 15, 16 and 17 can be realized in various different ways, and figures 2 and 3 illustrate only one practicable application.
  • the invention is not limited to systems utilizing three-module redundancy; within the basic idea of the invention, redundancy systems of more than three modules can also be realized. It is likewise possible to construct a hybrid system where one or several modules are arranged to be in the reserve.


Abstract

Method for realizing a fault-tolerant electronic system, the said system comprising three or more similar modules and a voter for testing the output signals of the system and for choosing the output signals according to the majority of the modules. The invention also relates to a corresponding system. This system functions correctly outwards irrespective of fault in one of the system components. According to the invention, the respective outputs (5, 6, 7) of the modules (2, 3, 4) are combined into system outputs (8), the states whereof are determined according to the majority of the modules so that voting logics (15, 16, 17) connected to the modules compare the states of the system outputs (8) with the internal outputs (9, 10, 11) of the modules, and on the basis of this comparison there are set the signals for the outputs (12a, 13b, 14c) of the voting logics, by the aid of which and together with the signal received from the voting logic (15, 16) of a possibly preceding module (2, 3) and indicating the state of the module in question, or together with a corresponding predetermined signal, the voting logics (15, 16, 17) normally register the faultlessness of the system, and in fault situations detect the faulty module and prevent the module fault from affecting the system outputs (8). By processing the signals of the first outputs (12a, 13b, 14c) of the voting logics (15, 16, 17) of the modules, there is created in the second output (21a, 21b, 21c) of each module a signal, which signals are connected to a common output (21), the signal received wherefrom indicates the correctness or incorrectness of the states of the system outputs (8).

Description

METHOD FOR REALIZING A FAULT-TOLERANT ELECTRONIC SYSTEM AND A CORRESPONDING SYSTEM
The present invention relates to realizing a fault-tolerant electronic system, the said system comprising three or more similar modules and a voter for testing the output signals of the system and for choosing the output signals in accordance with the majority of the modules. The invention also relates to a corresponding system. This system functions correctly outwards irrespective of failure in any of the components.
The fault-tolerance of the system is achieved by means of redundancy. Extra components or parts are added to the system, which components perform the respective tasks in case one of the system components or parts is damaged. Electronic systems can be provided with several different redundancy methods. These methods can be divided into static redundancy and dynamic redundancy.
In static redundancy, the effect of the fault is masked or prevented immediately after the failure has occurred. One application is NMR (N-Modular Redundancy): the redundancy of N modules, where a number of N modules perform the same task in parallel, and the binary output signals of the system are determined according to the majority of the modules. This kind of system allows part of the modules to be damaged. The system still functions correctly outwards, i.e. it is fault-tolerant. In addition to the modules, a voter is needed, which voter defines the output signals in accordance with the majority. Normally there is an odd number of modules, and the most common system is TMR (Triple Modular Redundancy): the redundancy of three modules, which is known in the prior art for example from the US patent 4,375,683. This system, as well as other known TMR systems, are composed of three modules, the output signals whereof are fed into a separate voter module, wherefrom the output signals for the system, in accordance with the majority of the modules, are received. The system tolerates all possible faults in one module.
If indication of faults is desired to be included in the system, the module outputs must also be compared to the system outputs. In the system introduced in the above mentioned US patent, this is realized so that both the output signals and the signals from two other modules are fed into each module, and the faults in any one module or in the system outputs are detected by means of comparison by software. The drawback of this arrangement is the location of the voter in a separate module, for instance a microcircuit, in which case, if for example the modules include 16 signals to be voted, there is needed a voter circuit of at least 66 pins (3 x 16 input signals from the modules, 16 output signals of the system plus the supply voltage and ground pins). Moreover, the feedback required by the fault indication means that in the system of the said US patent, there are needed 48 additional pins in the modules, which must also be provided with additional logic and additional programmes in order to realize the comparison and the fault indication tasks.
The fact that the voter is located in a separate module means that more space is needed on the circuit board. The fault indication likewise requires more circuit board space. If the number of the signals to be voted is increased, the number of the voter pins is increased by four per each additional signal. Thus the voter should be realized by means of several microcircuits, because microcircuits with 66 or possibly even more pins are not in standard production at present. This, however, would reduce the reliability of the voter.
As regards reliability, the voter in the system is in series with respect to certain ways of suffering damage, so that the voter defines the reliability properties of the system, often during short mission times, because an ideal TMR is extremely reliable with such mission times that are short compared to the mean time to failure of the modules.
The method of the present invention for realizing a fault-tolerant electronic system, and the corresponding system, bring forth an improvement to the above described drawbacks. The method of the invention is mainly characterized in that the mutually corresponding outputs of the modules are combined into system outputs, the states whereof are determined according to the states of the majority of the outputs from the modules, so that the voting logics connected to the modules compare the states of the system outputs to the states of the internal outputs of the modules, and on the basis of this comparison there are set specific signals for the voting logic outputs, by the aid of which signals, and together with the signal received from the voting logic of a possible preceding module and indicating the state of the said module, or together with a corresponding predetermined signal, the voting logics in fault situations define the damaged module and prevent the module fault from affecting the system outputs.
Another characteristic feature of the method of the present invention is that by logically processing the signals of the first outputs from the voting logics of the modules in each voting logic, in the second output of each module there is created a signal, these signals are connected to a common output, and the signal received therefrom indicates the faultless or faulty condition of the system outputs.
The characteristic novel features of the system according to the present invention are enlisted in the patent claims 7-11.
As for the most important advantages of the invention, the following are pointed out: by means of the invention, a TMR system or more generally a NMR system can be realized, a separate voter module is not necessarily needed, and a fault indication is received from the system in most cases when there is a failure in the system outputs. A fault indication is also received if any of the modules functions incorrectly, even if the system outputs were faultless. All this can be realized with relatively small-scale arrangements, by connecting to the modules separate or directly integrated additional logics, i.e. voting logics. Irrespective of the amount of the signals to be voted, the number of additional pins needed in the integrated modules is only seven in the case of a three-module redundancy. If the system is realized as a redundancy of five, seven, etc. modules, the number of additional pins is always increased by one per each additional module. These are remarkable advantages with respect to the utilization of the circuit board space, compared to the prior art applications where even over a hundred additional pins as well as separate microcircuits are needed. Moreover, the integration of the voting logic to the modules means increased reliability, because it is a well-known fact that integration improves the reliability per each basic task. From the reliability point of view, the integrated voting logic is in series also with respect to certain fault mechanisms, but the fault frequency of such critical faults is comparable to the failure rate of the critical faults in a separate voter.
In the above described fashion it is possible to realize a fault-tolerant electronic system which, as regards reliability, is at least as good as the known systems, but simpler in practical applications and also more economical when manufactured in large series. The integration of the voter is extremely easy to realize for instance in custom circuits, which in the future will be increasingly utilized also in such applications where reliability is required. As regards custom circuits, the extra expenses caused by the integration of the voter may remain remarkably low in comparison with the other expenses. It is also pointed out that the system can be integrated, even as a whole, in one silicon chip to form a uniform fault-tolerant microcircuit.
Fault detection and repairs are most often easily arranged in the case of an integrated voter. The system can be made to directly indicate the faulty module, which can be replaced by a faultless one even during operation, or a by-pass module can be used during the replacement. Thus the replacing can be carried out extremely quickly, which is a remarkable advantage while aiming at a high degree of availability.
In the following the invention, its operation and other advantages are explained in detail with reference to the preferred embodiment represented in the appended drawings, where:
Figure 1 illustrates the fault-tolerant electronic system according to the present invention, composed of three modules and provided with voting logic;
Figure 2A, 2B and 2C are block diagrams of the voting logics connected to the modules of figure 1;
Figure 3 is a detailed illustration of a voting logic connected to a module;
Figure 4 illustrates an electronic system of the invention, integrated into one microcircuit;
Figure 5 illustrates an output buffer which can also be used as an input buffer or as an output buffer connected to a bus of several users.
The system according to the invention, which in figure 1 is indicated by the dotted lines and marked with the reference number 1, is formed of three modules 2, 3 and 4. The system may also be composed of a greater number of modules, advantageously an odd number i.e. n modules (n = 5, 7, 9...), in which case the system is in principle operated in similar fashion as in the case of three modules. The modules 2, 3 and 4 contain the module logics 29, 30 and 31 proper, the voting logics 15, 16 and 17 and the output buffers 18, 19 and 20. The mutually corresponding outputs 5, 6 and 7 of the modules are wired together to form the system output 8. In this case the said outputs are binary outputs, so that the voltage of the output is either positive, five volts (logical "1", or state one according to positive logic) or zero volts (logical "0", or state zero according to positive logic). In addition to these, in case the output buffers 18, 19 and 20 are three-state buffers, a high-impedance state is possible. The output buffers 18, 19 and 20 can also be of the open-collector type, in which case each separate system output must, after a known fashion, be connected to the supply voltage by means of a pull-up resistor. The number of the output signals in the module outputs 5, 6 and 7 and in the system output 8 is not limited in any way.
The block diagrams of each voting logic 15, 16 and 17 are illustrated in figures 2A, 2B and 2C. The voting logics are similar in structure. Differences occur only in the couplings between their internal elements, which will be explained further below. The voting logics 15, 16 and 17 comprise the majority indicators 60a, 60b and 60c, the status register 61a, 61b, and 61c and the comparator 35a, 35b and 35c. A detailed illustration of the voting logic 15 connected to the module 2 is provided in figure 3. The separate components thereof are marked with reference numbers without letters.
The module logics proper 29, 30 and 31, contained in the modules 2, 3 and 4, may be any kind of electronic devices provided with binary outputs or equivalent logic outputs - for example microprocessors, analog to digital converters, memories etc. The information to be processed in the module logics 29, 30 and 31 is fed, in the form of binary or analogic signals or the like, into these devices for instance through the inputs 9', 10' and 11'. Each module 2, 3 or 4 as a whole can be an integrated circuit, whereto the corresponding voting logic 15, 16 or 17 is also integrated. Moreover, the modules 2, 3 or 4 can be integrated into one fault-tolerant microcircuit.
The couplings between the separate parts of the system of the present invention are in essential elements as follows (figures 1, 2 and 3). The outputs 5, 6 and 7 from the output buffers 18, 19, 20 are combined, as was stated above, to form the system output 8, and this is further connected to the first inputs of the comparator 35; 35a, 35b, 35c of the voting logic 15, 16, 17. The internal outputs 9, 10, 11 of each module logic 29, 30, 31 are connected to the respective output buffer 18, 19, 20, and to the corresponding inputs of the comparator of the voting logic. The output of the comparator in each voting logic, for instance the output 12a of the comparator 35a in the voting logic 15, is connected to the inputs 12a', 12b, 12c of the majority indicators 60a, 60b, 60c of all of the voting logics. The majority indicators, for instance 60 (figure 3) are in turn connected to the respective status register 61, and the status registers 61a, 61b and 61c of the voting logics 15, 16 and 17 of the separate modules 2, 3 and 4, are interconnected at the outputs 28a, 28b and at the inputs 27b, 27c.
In the system 1, the comparator 35; 35a, 35b, 35c of each voting logic compares the states of the system outputs 8 to the states of the internal outputs 9, 10 and 11 of the modules 2, 3 and 4, and on the basis of this comparison it gives a signal to the majority indicators 60; 60a, 60b, 60c of every voting logic, and the said majority indicators transmit the information concerning the states of the outputs 9, 10 and 11 of the modules 2, 3 and 4 further to the status registers 61; 61a, 61b, 61c, by means of which register, and together with the signals possibly received from other status registers and indicating the state of the respective modules, the faulty module is detected in case of a fault, and the influence of this fault to the system outputs 8 is prevented by sending a masking signal to the output buffer 18, 19, 20 through the output 53a, 53b, 53c of the status register of the module in question.
The comparator 35a, 35b, 35c, the majority detector 60a, 60b, 60c and the status register 61a, 61b, 61c of each voting logic 15, 16 and 17 can be realized for instance in the fashion represented in the appended drawings. Each comparator 35 (figure 3) is composed of a required number of exclusive-or gates 351, 352, 353..., to the first input whereof there are connected the external outputs 5; 501, 502, 503... of a module, for instance 2, and to the second input whereof there are connected the external outputs 9; 91, 92, 93... from the same module. The majority indicator 60; 60a, 60b, 60c of each voting logic 15, 16 and 17 is composed of an or-gate 38, 40 and of an inverter 39. To the inputs of the first or-gate 38 there are connected, through the inputs 12a, 13a, 14a (figure 3) of the voting logic, the outputs 12a, 13b, 14c of the comparators 35 (figure 3) of the separate voting logics 15, 16, 17. To the inputs of the second or-gate 40 there are directly connected the outputs 13b, 14c (figure 1) of those comparators 35b, 35c, which are located in the other voting logics 16, 17, as well as through the inverter 39 the output 12a' of the comparator 35 (35a) which belongs to the same voting logic 15 as the said majority indicator 60 (60a) and the outputs 384, 404 of the or-gates 38, 40 whereof serve as the outputs of the majority indicator 60 and are connected to the inputs 54, 55 of the status register 61.
The status register 61 comprises the inputs 27, 34, 54, 55, the clock C2 and the outputs 21, 28 and 53, as well as the or-gates 41, 48, the and-gates 42, 44, 45, 49, the inverter 43 and two flip-flops or corresponding intermediate registers, the first 46 being advantageously a flip-flop of the D-type, and the second 47 advantageously of the JK-type. In the status register 61, the input 27 is connected to the first input 411 of the or-gate 41 and to the input 431 of the inverter 43; the input 34 is connected to the reset input CLR of both flip-flops 46 and 47; the input 54 is connected to the second input 482 of the or-gate 48 and to the second input 492 of the and-gate 49; the input 55 is connected to the second input 412 of the or-gate 41, to the first input 441 of the and-gate 44 and to the first input 491 of the and-gate 49.
The first input 461 of the first flip-flop 46 is connected to the output 53 of the status register and to the clock input 471 of the second flip-flop 47. The second inverted output 462 of the first flip-flop 46 is connected to the first input 481 of the or-gate 48. The output 474 of the second flip-flop 47 is connected to the third input 423 of the and-gate 42 and to the third input 453 of the and-gate 45. The J-input 472 of the flip-flop 47 is connected to five volts and the K-input 473 to zero volts. The output 413 of the or-gate 41 is connected to the first input 421 of the and-gate 42. The output 483 of the or-gate 48 is connected to the second input 422 of the and-gate 42 and to the second input 442 of the and-gate 44. The output 443 of the and-gate 44 is connected to the data input D of the first flip-flop 46. The output 432 of the inverter 43 is connected to the first input 451 of the and-gate 45, and the clock C2 to the second input 452 of the and-gate 45. The output 454 of the and-gate 45 is connected to the clock input CK of the first flip-flop 46. The output 424 of the and-gate 42 is connected to the output 28 of the status register, and the output 493 of the and-gate 49 is connected to the output 21 of the status register.
The structure and operation of the fault-tolerant electronic system according to the present invention will be explained in detail below with reference to the figures 1, 2 and 3. In figure 1, the input 27a (in figures 1 and 2, the respective inputs of the modules 3 and 4 are 27b and 27c) of the module 2 is coupled to zero voltage, i.e. to the ground reference, and the output 28a (in figures 1 and 2 the respective outputs of the modules 3 and 4 are 28b and 28c) is coupled to the input 27b of the module 3, and the output 28b of the module 3 is coupled to the input 27c of the module 4. The output 28c of the module 4 is coupled to the ground through the resistor 23. When the operation of the system is started, a set pulse is fed to the input 34a of every module (in figures 1 and 2, the inputs of the modules 3 and 4 are marked 34b and 34c), which set pulse sets the output 53 of the status register 61, i.e. the Q-output 461 of the D-type flip-flop 46 (figure 3), to zero. Now the Q̄-output of the flip-flop 46, i.e. its complement 462 sets to state one, and the Q-output 474 of the JK-type flip-flop 47 also sets to state one. The Q-output 461 of the D-type flip-flop 46, i.e. the output 53a (53b, 53c) of the status register, is coupled to all output buffers 18 (19, 20) of the module 2 (3, 4), among the k number of which buffers (k = 1, 2, 3...) only three are illustrated in figure 3, provided with the reference numbers 181, 182 and 183. Consequently, while the signal in the output 53 is in state zero, the outputs 501, 502, 503 of the buffers 181, 182, 183 are either in the high-impedance state (three-state buffers) or in state one (open-collector buffers).
While the signal at the output 53 is in state one, the external outputs (in figure 3 outputs 501, 502, 503) of the module 2 follow, in their inverted form, the internal output signals of the module (in figure 3 marked 91, 92, 93) so that any possible changes in the outputs 501, 502, 503 take place on the leading edge of the pulse of the clock C1. After the set pulse is fed to the input 34 (figure 1), the external outputs 5, 6, 7 from the modules 2, 3, 4, i.e. also the system outputs 8, are either in the high-impedance state or in state one.
If the module logics 29, 30, 31 proper (figure 1) are in the start-up of the electronic system 1 set to the same state, then the comparison of the output signals of the outputs 9, 10 and 11 of the internal, i.e. proper module logics, with the output signals of the external outputs 5, 6 and 7, i.e. the system outputs 8, in the comparator 35 gives the same result in all modules. The comparator 35 is formed of open-collector type exclusive-or-gates 351, 352, 353... (figure 3). The outputs of the exclusive-or-gates 351, 352, 353 are coupled to one output 12a of the comparator 35. The respective outputs of the comparators 35b, 35c of the modules 3 and 4 are in figure 1 marked with the reference numbers 13b and 14c. These outputs must be coupled to the supply voltage +V in a known fashion by means of an external pull-up resistor. The outputs 12a, 13b and 14c of the comparators 35a, 35b, 35c are connected to all of the modules 2, 3, 4 as is apparent from figure 1, and inside the modules, in the voting logics 15, 16 and 17, the outputs 12a, 13b and 14c are coupled to the inputs of the majority indicator 60 at the or-gates 38 and 40. The specific internal comparison signal of the module 2 is transmitted, through the input 12a' (in the module 3 input 13b' and in the module 4 input 14c') to the gate 40, inverted by the inverter 39. Thus, after the set pulse is fed into the input 34, at least one case of state one is obtained in each module at the or-gate 40 of the majority indicator, so that the output of the or-gate 40 and the second output of the majority indicator are also in state one. Now the output 462 of the D-type flip-flop 46 of the status register 61 is also in state one, and therefore every module has state one in the output of the or-gate 48. Thus both of the inputs of the and-gate 44 are in state one, and consequently its output, i.e. the data input D of the D-type flip-flop 46 is also in state one.
In the Q-output 474 of the JK-type flip-flop 47 there is state one in every module, too, but because the input 27a has state zero only in the module 2 (outputs 28a and 28b are in state one, for all inputs of the and-gate 42 are in state one), the output of the inverter 43 is in state one only in the module 2. Thus two of the inputs of the and-gate 45 are in state one in the module 2, and consequently the pulse of the clock C2 gains access to the clock input of the D-type flip-flop 46, and on the leading edge sets the output 461 of the flip-flop, as well as the output 53a of the status register, to state one. Now the outputs 5; 501, 502 and 503 of the module 2 are activated, and the signals contained in the internal outputs 9; 91, 92, 93, which were stored in the output buffers 18; 181, 182, 183 on the leading edge of the pulse of the clock C1, gain access to the outputs 5; 501, 502 and 503.
The signals of the outputs 5; 501, 502, 503, i.e. of the system outputs 8, now follow, in inverted form, the signals of the internal outputs 9; 91, 92, 93 of the module 2. When all of the module logics 29, 30 and 31 (figure 1) are set to the same state and later perform the same task simultaneously, the comparison signals of the outputs 12a, 13b and 14c remain in state one, with the exception of the time between the change of the internal signals 9, 10 and 11 and the successive change of the states of the system outputs 8 controlled by the clock C1. During the said interval, the internal outputs and the system output differ, and the signals in the outputs 12a, 13b and 14c are set to zero. But when the changes occur also in the system outputs, the signals in the outputs 12a, 13b and 14c are also set to state one. The phase difference of the pulses of the clocks C1 and C2 must be such that the signals in the outputs 12a, 13b and 14c, as well as the rest of the voting logic, have sufficient time to be set by the time of the leading edge of the pulse of the clock C2. The pulses of the clock C2 are best formed in each module 2, 3 and 4, with a suitable delay, of the pulses of the clock C1, which in turn are formed for instance by means of the clock pertaining to the module logics 29, 30, 31.
In accordance with what has been said above, in a normal situation the outputs 5 of the module 2 are active and determine the system outputs 8. The outputs 6 and 7 of the modules 3 and 4 are masked (either by three-state buffers, i.e. output buffers 19, 20 to be in the high-impedance state or by open-collector buffers to be in state one), but the module logics 30 and 31 are continuously operated in a normal fashion, and the voting logics 16 and 17 compare the internal outputs 10 and 11 with the system outputs 8.
The signal obtained from the second output of each module 2, 3, 4, i.e. at the same time from the second output 21a, 21b, 21c of each voting logic 15, 16, 17, or from their common output 21 (figure 1) indicates the faultless or faulty condition of the system outputs 8.
In the preferred embodiment illustrated in the drawings, the and-gate 49 (figure 3), the output whereof is marked with the reference number 21a, is of the open-collector type, and the outputs 21a, 21b, 21c of each module 2, 3, 4 are wired together (figure 1). When all of the modules function correctly, the signal in the output 21 (figure 1) is in state one (except for changes), because the signals in the outputs of the gates 38 and 40 are in state one, and appear as inputs in the and-gate 49.
In case of fault in the module logics 29, 30 and 31, two different cases can be distinguished:
1. The fault occurs in the module logic which determines the system outputs.
2. The fault occurs in either one of the module logics with masked outputs.
If in the first case the outputs of the module 2 are active, and the fault occurs in the module logic 29, then the system outputs 8, or part of them, also become erroneous on the successive leading edge of the pulse of the clock C1. The correctly functioning modules 3 and 4 notice this, and the comparison signals of their voting logics 16 and 17 in the outputs 13b and 14c are set to zero, because there is a disagreement between the system outputs 8 and the internal outputs 10, 11 of the modules 3 and 4.
Now all inputs of the or-gate 40 of the module 2 are set to zero, because the state one signal in the output 12a is sent to the gate 40 via the inverter 39. Thus the output signal of the gate 40 in the module 2 is set to zero, and simultaneously the output signals of the and-gate 44 and the or-gate 31 in the module 2 are also set to zero, and on the successive leading edge of the pulse of the clock C2 the signal in the output 53 of the module 2 is set to zero. This causes the outputs 5 of the module 2 to be masked (to be in the high-impedance state or in state one), and at the same time the trailing edge of the signal being set to zero in the output 53a or in the internal output 461 of the status register sets to zero the Q-output 474 of the JK-type flip-flop, which output 474, being at the same time one input of the and-gate 45, when set to zero prevents the pulse of the clock C2 from entering the clock input of the D-type flip-flop 46. Now the outputs of the module 2 remain masked until the successive set pulse fed into the input 34.
When a signal in the output of the gate 41 in the module 2 is set to zero (input 27a in zero and the output of gate 40 in zero), the signal in the output 28a and thereby in the input 27b of the voting logic 16 of the module 3 is set to zero, so that the output signal of the inverter 43 in the module 3 sets to state one. Now in the module 3, the two inputs of the and-gate 45 are in state one (the signal in the output 474 and in the output of the inverter 43), so that the pulse of the clock C2 gains access to the clock input of the D-type flip-flop 46, the data input D of the said flip-flop being in state one in the module 3 (the inputs of the and-gate 44 are in state one). Accordingly, on the same leading edge of the pulse of the clock C2 where the signal of the module 2 in the output 53 was set to zero and the outputs 5 were masked, the signal of the output 53 of the voting logic of the module 3 sets to state one. Now the signals of the internal outputs 10 of the faultless module 3, which are stored on the leading edge of the pulse of the clock C1, to the D-type flip-flops 62 (figure 5) of the output buffers 19, gain access to the output 632 of the inverter 63, i.e. determine the signals of the system outputs 8. Now also the faultless module 4 notices that the signals in the output 8 are faultless, and the comparison signals 13b and 14c of the modules 3 and 4 are set to state one. Thus in each module at least one of the inputs of the or-gates 38 and 40 is in state one, and consequently their output signals are likewise in state one, i.e. the signal in the output 21 is also five volts indicating the faultless condition of the signals in the system output 8.
By using a sufficiently low clock frequency and a suitable pulse ratio in the clock C1, it can be ensured that the above described repair procedure is carried out within one clock period, and the following stage can read the respective information for instance on the trailing edge of the pulse of the clock C1, by which time the possible corrections have already taken place.
If in the module 2 there is a permanent fault and a continuous disagreement with the signals of the system outputs 8, the signal in the output 12a remains continuously in state zero. If, however, the module 2 only has a transient fault or such a permanent fault which is not all the time apparent in its internal outputs 9, the signal in the output 12a may occasionally or even permanently be set to state one. The module 2 still remains masked, unless a new set pulse is fed to the input 34, because the signal in the output 474 of the JK-type flip-flop of the status register 61 in the module 2 is set to zero and prevents any changes of state in the output 461 of the D-type flip-flop 46, and simultaneously in the output 53a of the status register 61.
In the description above we observed a situation where the outputs from the module 2 were initially active. This is normally the case, for the outputs from the module 2 remain active until the first failure in the system outputs 8.
Thereafter the strategy is to replace the faulty module as quickly as possible, and the system is reset by means of the set pulse through the input 34, so that the outputs 5 from the module 2 are active, i.e. the states of the output 5 determine the states of the system output 8. In case the module 2 had a transient fault, which later disappears, the system tolerates a new fault, and if this new fault occurs in the module 3, then the outputs from the module 4 are activated according to the previously described mechanism. Thereafter a new cycle will be successful only after the set pulse is fed into the input 34.
In another fault situation, the fault occurs in one of the module logics with masked outputs. In that case the fault does not proceed to the system outputs 8, but it is only apparent in the internal signals of the faulty module. Let us for instance suppose that the module logic 31 of the module 4 is faulty, and the outputs from the module 2 are active; now the comparator 35c of the module 4 notices the disagreement, and the signal in the output 14c is set to zero. The rest of the comparison signals in the outputs 12a and 13b remain in state one. Thus in every module the inputs of the or-gates 38 and 40 receive at least one signal in state one, so that the output signals of the or-gates are in state one in every one of the modules 2, 3, and 4. Consequently the signal is not changed in the output 53 of the status register 61 in any of the modules. The signals fed into the inputs of the and-gate 49 remain in state one in every module. Thus the signal in the output 21 is not set to zero at any stage, which is not even necessary, because the signals in the system outputs 8 all the time conform to the majority.
In another fault situation, the fault may also occur in the module logic 30, in which case the system functions in the above described fashion.
As a conclusion, the operation of the system is fault-tolerant in case of fault in any of the module logics 29, 30 or 31. In the modules 2, 3 and 4, there may also occur faults in the voting logics 15, 16 and 17, or in the output buffers 18, 19 and 20. Among the possible faults in the voting logics, the majority is of a type which does not in itself cause a failure in the system outputs, but part of them do not give fault indication either. The situation is similar in the prior art NMR systems. Among the faults in the voting logic, the critical ones are such that cause a signal to be erroneously set to zero in the output 21, because this signal is used for fault indication and for instance for interrupting the operation. Latent faults can be revealed by means of occasional testing.
The output buffers 18, 19 and 20 are the most critical elements in all NMR systems of n modules. Failure in the outputs always causes a system fault in the prior art NMR systems. In the system of the present invention, however, part of the faults in the output buffers can also be masked. Thus, if all or part of the output buffers 18, 19 or 20 in any of the modules 2, 3 or 4 remain permanently in state one or in the high-impedance state, then the respective buffer of another module is able to control the output in question. If the faulty buffer is included in a module with inactive outputs, the situation does not require any particular treatment, but on the other hand the fault is unfortunately not even detected without separate testing. If the said fault occurs in those output buffers that are active (supposedly for instance the buffers 18 in the module 2), the comparison signals of the comparators 35a, 35b and 35c in the outputs 12a, 13b and 14c are set to zero, because the signals or the states in the output 8 are in disagreement with all states of the internal outputs 9, 10 and 11. Then all signals in the outputs of the or-gate 38 are in state zero, i.e. the second input of the and-gate 49 is set to zero and consequently sets also the signal in the output 21 to zero. The output signal of the or-gate 48 is also set to zero in the module 2, so that one of the input signals of the and-gate 44 is set to zero, which causes the output signal of the gate to be set to zero and the signal entering the data input of the D-type flip-flop 46 to be set to zero. On the successive leading edge of the pulse of the clock C2, the signal in the output 53 of the status register 61 is set to zero, and the outputs 5 of the module 2 are masked. At the same time the output signal of the or-gate 48 in the module 2 has, while setting to zero, also set to zero the output signal of the and-gate 42, i.e. the signal in the output 28a, which in turn sets to zero the signal in the input 27b in the module 3, where both of the input signals of the and-gate 44 are now in state one, the two input signals of the and-gate 45 are in state one, and the third signal, i.e. the clock pulse from the clock C2 gains access to the clock input of the D-type flip-flop 46. When the output signal of the and-gate 44, i.e. the signal of the data input of the D-type flip-flop 46 is in state one, the signal in the output 461 of the D-type flip-flop in the module 3, i.e. in the output 53b of the voting logic 16 sets to state one, so that the internal signals 10 now determine the states of the system output 8. In this situation all modules agree on the faultlessness of the states of the outputs 8, because the initial fault occurred in the output buffers 18 of the module 2, and its effect was masked. Consequently the system still remains fault-tolerant. If a fault now occurs in the module 3, its outputs are masked and the active outputs are transferred to the module 4 in the above described fashion.
In a situation with a permanent failure in the outputs 8, the signal in the output 21 must be used so that it prevents erroneous information from proceeding to the successive stages after the system 1. The or-gate 38 of the majority indicator 60 ensures that the signal of the output 21 remains in state zero when one of the output buffers 18, 19 or 20 is damaged so that all states of the internal outputs 9, 10 and 11 are in continuous disagreement with the states of the outputs 8. This is the situation for instance when one of the output buffers 181, 182, 183... permanently and erroneously remains in state zero. Then all modules are successively masked in the above described fashion, without being able to correct the fault, and finally the output signals of the or-gates 40 are in state one in all of the modules 2, 3 and 4, but the or-gate 38 gives a zero signal to the and-gate 49, which means that the signal in the output 21 remains in state zero thus indicating a failure in the signals of the outputs 8.
One of the problems with TMR systems is the synchronizing of all modules so that the same signals to be voted in the separate modules appear simultaneously, and so that it is possible to know the right moment for voting. The present invention does not include improvements as regards synchronizing, but the synchronizing must be carried out according to prior art methods, for instance those described in the US patent 4,375,683. In connection to this, also the pulse frequency and synchronizing of the clocks C1 and C2 must be realized so that the phenomena connected to the changes in the internal signals 9, 10 and 11 and occurring in the voting logics 15, 16 and 17 have been balanced by the time the leading edges of the pulses of the clock C2 enter the clock inputs of the D-type flip-flops 46 of the status registers 61 in the separate modules.
Figure 4 illustrates a method of the present invention integrated into one microcircuit. Then the system of figure 1 is integrated on one silicon chip, and only 3 extra pins are needed in the circuit: the output 21, the input 34 for the set pulse, and the fault indication output 24 of one of the module logics 29, 30 or 31, the said fault indication output being formed in the outputs 12a, 13b and 14c of the comparators 35a, 35b and 35c, at the and-gate 50. The set pulse in the input 34 may also be arranged in common with the set pulses of the module logics 29, 30 and 31.
The comparison signals of the comparators 35a, 35b and 35c in the outputs 12a, 13b and 14c can be utilized in the realization of a fault register to be supplied in the system. The fault register includes a logic and memory circuit, where all faults occurring in the module logics are registered on the basis of the signals 12a, 13b and 14c in a desired fashion, so that for instance by means of an alarm signal and a light indication the control or maintenance personnel is informed of the faulty module. The signal in the output 21 may also be used to give an alarm in case there is a failure in the outputs 8.
One possible solution for the output buffers is illustrated in figure 5. The output buffer is marked with the reference number 181; let us assume that it is the first unit of the output buffer 18 in the module 2. A normal output buffer comprises an intermediate register such as the D-type flip-flop 62 and the inverting gates 63. The first signal output 91 of the internal output 9 in the module 2 is connected to the D-input of the flip-flop 62, the output of the clock C1 is connected to the clock input and the output of the status register 61a is connected to the control input 633 of the inverting gate 63. The input 631 of the gate 63 is connected to the Q-output of the flip-flop 62, and the output 632 is connected to the first signal output 501 of the external output 5 in the module 2. While the output buffer is active, the internal signal output 91 determines the state of the external signal output 501. When a masking signal is received from the status register 61a of the voting logic 15 through the output 53a to the input 633 of the gate 63, the gate is closed either in the high-impedance state or in state one, and thus prevents the internal signal output 91 from affecting the external signal output 501. The same happens with all units 181, 182, 183... of the output buffers 18.
The significance of an intermediate register in the output buffer, such as the D-type flip-flop 62, is that when on the leading edge of the pulse of the clock C1 the internal outputs 9, 10, 11 of all modules are registered in the D-type flip-flops 62 of the respective output buffers, then the faults occurring thereafter and before the following leading edge of the pulse of the clock C1 in the module logics 29, 30, 31 (and particularly in the one which has active outputs) cannot proceed to the system outputs 8. This secures that the successive stage after the system receives correct information irrespective of a fault occurring in the module logics 29, 30, 31 at a random moment.
If part or all of the signal outputs of the system output 8 are connected to a bus of several users, inverting gates are coupled in parallel with the output buffers 181, 182, 183 in question in the opposite direction, an example of such a gate being the gate 64 in figure 5. The input 641 of the gate 64 is connected to the first signal output 501, and the output 642 is connected to the first signal output 91 of the internal output in the module 2, as well as to the D-input of the flip-flop 62. The control input 643 of the gate 64 is connected to the input 37a of the output buffer 181.
The three-state gate 64 can be controlled by means of a control signal received from the module logic 29, which signal is fed into the input 37a of the output buffer 18 so that when the bus is occupied by others, the gate 64 serves as an inverter. Thus erroneous changes in the signals are avoided in the outputs 12a, 13b and 14c of the comparators 35a, 35b and 35c.
The output buffer provided with the gate 64 and other corresponding means can also be used as the input buffer of the modules. Then the possible external inputs 9', 10', 11' of the module logics 29, 30, 31 can be replaced by the said input buffer.
The invention is by no means limited to the preferred embodiment described above, for example the different synchronization requirements of various electronic appliances result in that the system can be realized even without the clocks C1 and C2. As for other respects, the voting logics 15, 16 and 17 can be realized in various different ways, and figures 2 and 3 illustrate only one practicable application. Nor is the invention limited to systems utilizing three module redundancy, but within the basic idea of the invention, redundancy systems of more than three modules can also be realized. It is likewise possible to construct a hybrid system where one or several modules are arranged to be in the reserve.

Claims

PATENT CLAIMS
1. A method for realizing a fault-tolerant electronic system, which system (1) comprises three or several similar modules (2, 3, 4) and a voter for testing the output signals of the system and for choosing the output signals in accordance with the majority of the modules, c h a r a c t e r i z e d in that the mutually corresponding outputs (5, 6, 7) of the respective modules (2, 3, 4) are combined into system outputs (8), the states whereof are determined according to the majority of the outputs of the modules, so that the voting logics (15, 16, 17) connected to the modules compare the states of the system outputs (8) with the states of the internal outputs (9, 10, 11) of the modules, and on the basis of this comparison there are set the specific signals (12a, 13b, 14c) for the outputs of the voting logics, by means of which signals, and together with a signal received from the voting logic (15, 16) of a possible preceding module (2, 3) and indicating the state of the module in question, or together with a similar predetermined signal, the voting logics (15, 16, 17) normally state the faultlessness of the system, and in fault situations detect the faulty module and prevent the module fault from affecting the system outputs (8).
2. The method of claim 1, c h a r a c t e r i z e d in that by logically processing the signals of the first outputs (12a, 13b, 14c) of the voting logics (15, 16, 17) of the modules (2, 3, 4) in each voting logic (15, 16, 17), there is created a signal in the second output (21a, 21b, 21b) of each module, which signals are then combined into a common output (21), and the signal received therefrom indicates the correctness or incorrectness of the states of the system outputs (8).
3. The method of claim 1 or 2, c h a r a c t e r i z e d in that the system outputs (8) or part of them, and respectively the outputs (5, 6, 7) of the modules (2, 3, 4) or part of them are arranged to function also as the inputs of the modules, or as outputs or outputs and inputs connected to a bus of several users.
4. The method of claim 1, 2 or 3, c h a r a c t e r i z e d in that in the output buffers (18, 19, 20) arranged in the outputs (5, 6, 7) of the modules (2, 3, 4) there are stored the output signals from the internal outputs (9, 10, 11) of the modules, which output signals are, when desired, obtained to the system output (8) by means of a signal received from the module output (53).
5. The method of claim 2, 3 or 4, c h a r a c t e r i z e d in that the signals received from the first outputs (12a, 13b, 14c) and the second outputs (21a, 21b, 21c) of the voting logics (15, 16, 17), or from the combined output (21) of the second outputs, are read into a fault register, wherefrom, if desired, a signal is obtained indicating the faultiness of one of the modules (2, 3, 4) and/or the signals indicating which of the modules (2, 3, 4) is faulty.
6. The method of any of the preceding claims, c h a r a c t e r i z e d in that the system (1) is integrated into one module (33) so that the module includes the system outputs (8), an output (21) for receiving the signal indicating the incorrectness or correctness of the states of the system outputs, and/or an output (24) for receiving the signal indicating the faultiness of one of the modules (figure 4).
7. A fault-tolerant electronic system, which comprises three or more similar modules (2, 3, 4) and a voter for testing the output signals of the system and for choosing the output signals in accordance with the majority of the modules, c h a r a c t e r i z e d in that
- each module (2, 3, 4) includes the module logics proper (29, 30, 31), the voter logics (15, 16, 17) and the output buffers (18, 19, 20);
- the voter logics (15, 16, 17) include a comparator (35; 35a, 35b, 35c), a majority indicator (60; 60a, 60b, 60c) and a status register (61; 61a, 61b, 61c);
- the outputs (5, 6, 7) of the output buffer (18, 19, 20) are combined into a system output (8), and this is connected to the first inputs of the comparator (35; 35a, 35b, 35c) of the voting logic (15, 16, 17);
- the internal output (9, 10, 11) of each module logic (29, 30, 31) is connected to a respective output buffer (18, 19, 20) and to the other inputs of the comparator (35; 35a, 35b, 35c) of the voting logic (15, 16, 17);
- the output (12a) of the comparator (35a) of each voting logic (for instance 15) is connected to the inputs (12a', 12b, 12c) of the majority indicators (60a, 60b, 60c) of all voting logics;
- the majority indicators (for instance 60) are connected to the respective status register (for instance 61), and the status registers (61a, 61b, 61c) of the voting logics (15, 16, 17) of the separate modules (2, 3, 4) are connected to each other;
- and that in the said system the comparator (35a, 35b, 35c) of each voting logic compares the states of the system outputs (8) with the states of the internal outputs (9, 10, 11) of the module (2, 3, 4), and on the basis of this comparison gives a signal to the majority indicators (60a, 60b, 60c) of all voting logics, which majority indicator further informs the status register (61a, 61b, 61c) of the module (2, 3, 4), by the aid of which, and together with the signals possibly received from other status registers (61a, 61b, 61c) and indicating the status of the respective modules (2, 3, 4), the faultlessness of the system is normally notified, and in fault situations the faulty module is detected and the influence of the fault to the system outputs (8) is prevented by giving a signal through the output (53a, 53b, 53c) of the status register of the module in question to the output buffer (18, 19, 20).
8. The method of claim 7, c h a r a c t e r i z e d in that the output buffers (18, 19, 20) of the modules (2, 3, 4) are provided with intermediate registers (62), whereto the signals received from the internal outputs (9, 10, 11) of the modules are stored, and which stored signals are when necessary fed to the system output (8) in the control signal received from the outputs (53a, 53b, 53c) of the voting logic (15, 16, 17).
9. The method of claim 7 and 8, c h a r a c t e r i z e d in that each comparator (35; for instance 35a) is formed of exclusive-or-gates (351, 352, 353...), to the first inputs whereof are connected the inputs (5; 501, 502, 503...) of the module (for instance 2), and to the second input whereof are connected the internal outputs (9; 91, 92, 93...) of the module (2), and that the outputs of the said exclusive-or-gates are combined (for example 12a).
10. The method of claim 7, 8 or 9, c h a r a c t e r i z e d in that the majority indicator (60; 60a, 60b, 60c) of each voting logic (15, 16, 17) is formed of an or-gate (38, 40) and an inverter (39), and that to the inputs of the first or-gate (38) there are connected the outputs (12a, 13b, 14c) of the comparators (35; 35a, 35b, 35c) of the different voting logics (15, 16, 17), and that to the inputs (13a, 14a) of the second or-gate (40) there are connected directly the outputs (13b, 14c) of those comparators (35b, 35c) that are located in other voting logics (16, 17) and through the inverter (39) the output (12a) of the comparator (35a) which belongs to the same voting logic (15) as the said majority indicator (60a), and that the outputs (384, 404) of the said or-gates (38, 40) serve as the outputs of the majority indicator (60) and are connected to the inputs (54, 55) of the status register (61).
11. The method of claim 7, 8, 9 or 10, c h a r a c t e r i z e d in that the status register (61) comprises the inputs (27, 34, 54, 55 and the clock C2) and the outputs (21, 28, 53) as well as the or-gates (41, 48), the and-gates (42, 44, 45, 49), the inverter (43) and two flip-flops or equivalent intermediate registers, the first (46) being advantageously of the D-type and the second (47) of the JK-type, and that in the said status register (61)
- the input (27) is connected to the first input (411) of the or-gate (41) and to the input (431) of the inverter (43);
- the input (34) is connected to the reset input (CLR) of both flip-flops (46, 47);
- the input (54) is connected to the second input (482) of the or-gate (48) and to the second input (492) of the and-gate (49);
- the input (55) is connected to the second input (412) of the or-gate (41), to the first input (441) of the and-gate (44) and to the first input (491) of the and-gate (49);
- the first output (461) of the first flip-flop (46) is connected to the output (53) of the status register and to the clock input (471) of the second flip-flop (47);
- the second inverted output (462) of the first flip-flop (46) is connected to the first input (481) of the or-gate (48);
- the output (474) of the second flip-flop (47) is connected to the third input (423) of the and-gate (42) and to the third input (453) of the and-gate (45);
- the output (413) of the or-gate (41) is connected to the first input (421) of the and-gate (42);
- the output (483) of the or-gate (48) is connected to the second input (422) of the and-gate (42) and to the second input (442) of the and-gate (44);
- the output (443) of the and-gate (44) is connected to the input (D) of the first flip-flop (46);
- the output (432) of the inverter (43) is connected to the first input (451) of the and-gate (45) and the clock (C2) is connected to the second input (452) of the and-gate (45);
- the output (454) of the and-gate (45) is connected to the clock input of the first flip-flop (46);
- the output (424) of the and-gate (42) is connected to the output (28) of the status register;
- the output (493) of the and-gate (43) is connected to the output (21) of the status register.
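The gate network of claims 9 to 11, run through the fault situations the description walks through, as an added behavioural model in Python (an illustration written for this page, not part of the patent). The class and function names, the 8-bit word, the wired-AND treatment of the combined outputs 8 and 21, the comparator signal being one on full agreement, and flip-flop 47 dropping its output 474 when output 461 falls are assumptions of the model.

```python
"""Behavioural model of the voting logic of claims 9-11 (added example)."""

ALL_ONES = 0xFF  # constructed: 8-bit system output word


class VotingSystem:
    """Three modules (index 0, 1, 2 = modules 2, 3, 4) sharing system outputs 8."""

    def __init__(self, stuck0=(0, 0, 0), stuck1=(0, 0, 0)):
        # State after the set pulse on input 34, as the description gives it:
        # module 2 drives the outputs and no module has been retired yet.
        self.active = [True, False, False]   # output 461 = output 53
        self.enabled = [True, True, True]    # output 474 of flip-flop 47
        self.stuck0 = stuck0                 # buffer bits stuck in state zero
        self.stuck1 = stuck1                 # buffer bits stuck in state one

    def bus(self, internal):
        # ASSUMPTION: wired-AND lines; a masked buffer drives state one.
        word = ALL_ONES
        for i in range(3):
            drive = internal[i] if self.active[i] else ALL_ONES
            word &= (drive | self.stuck1[i]) & ~self.stuck0[i]
        return word & ALL_ONES

    def signals(self, internal):
        out8 = self.bus(internal)
        # Comparators 35a-c (claim 9). ASSUMPTION: the combined signal is
        # one when every exclusive-or gate sees equal bits.
        cmp_ = [out8 == word for word in internal]      # 12a, 13b, 14c
        or38 = any(cmp_)                                # claim 10, first or-gate
        or40 = [(not cmp_[i]) or any(cmp_[j] for j in range(3) if j != i)
                for i in range(3)]                      # inverter 39 + or-gate 40
        or48 = [(not self.active[i]) or or38 for i in range(3)]
        in27, out28 = [], []
        for i in range(3):
            # Input 27a of module 2 is held at zero; 27b and 27c come from
            # output 28 of the preceding module (or-gate 41, and-gate 42).
            in27.append(False if i == 0 else out28[i - 1])
            out28.append((in27[i] or or40[i]) and or48[i] and self.enabled[i])
        # And-gate 49 in every module. ASSUMPTION: the common output 21 is
        # one only while all three modules drive one.
        out21 = all(or38 and or40[i] for i in range(3))
        return {"out8": out8, "cmp": cmp_, "or38": or38, "or40": or40,
                "or48": or48, "in27": in27, "out21": out21}

    def clock_c2(self, internal):
        """One leading edge of clock C2; returns the signals after the edge."""
        s = self.signals(internal)                      # settled before the edge
        for i in range(3):
            if (not s["in27"][i]) and self.enabled[i]:  # inverter 43, and-gate 45
                d = s["or40"][i] and s["or48"][i]       # and-gate 44 -> D of 46
                if self.active[i] and not d:
                    # ASSUMPTION: flip-flop 47 drops 474 when 461 falls, so
                    # the module stays masked until a new set pulse.
                    self.enabled[i] = False
                self.active[i] = d
        return self.signals(internal)


def run(internal, edges=1, **faults):
    """Return (signals before, signals after `edges` C2 edges, active flags)."""
    system = VotingSystem(**faults)
    before = after = system.signals(internal)
    for _ in range(edges):
        after = system.clock_c2(internal)
    return before, after, system.active


if __name__ == "__main__":
    good = 0x5A  # constructed sample output word
    cases = {
        "logic fault, masked module 4": run([good, good, 0x33]),
        "logic fault, active module 2": run([0x00, good, good]),
        "module 2 buffer stuck at one": run([good] * 3, stuck1=(0x01, 0, 0)),
        "module 3 buffer stuck at zero": run([good] * 3, edges=3,
                                             stuck0=(0, 0x02, 0)),
    }
    for name, (before, after, active) in cases.items():
        print(f"{name}: 21 {before['out21']} -> {after['out21']}, "
              f"outputs 8 = {after['out8']:#04x}, active = {active}")
```

The last case shows why the majority indicator needs both or-gates: every or-gate 40 reads one once all modules are masked, and only or-gate 38 holds output 21 at zero.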
PCT/FI1986/000062 1986-06-13 1986-06-13 Method for realizing a fault-tolerant electronic system and a corresponding system WO1987007793A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/FI1986/000062 WO1987007793A1 (en) 1986-06-13 1986-06-13 Method for realizing a fault-tolerant electronic system and a corresponding system

Publications (1)

Publication Number Publication Date
WO1987007793A1 true WO1987007793A1 (en) 1987-12-17

Family

ID=8556401

Country Status (1)

Country Link
WO (1) WO1987007793A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US3770982A (en) * 1972-04-16 1973-11-06 Lorain Prod Corp Majority logic system
WO1981002821A1 (en) * 1980-03-26 1981-10-01 Y Takefuji Fault tolerant gate

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
DERWENT'S ABSTRACT, No. 84-211991/34; & SU,A,1062707. *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2238143A (en) * 1989-10-10 1991-05-22 Univ Essex Voters for fault-tolerant computer systems
EP0507299A2 (en) * 1991-04-05 1992-10-07 Hitachi, Ltd. Loosely coupled multiplexing control apparatus and method
EP0507299A3 (en) * 1991-04-05 1994-08-17 Hitachi Ltd Loosely coupled multiplexing control apparatus and method
FR2784765A1 (en) * 1998-10-19 2000-04-21 Ela Medical Sa ACTIVE MEDICAL DEVICE, INCLUDING PROTECTED REGISTERS FOR THE DIGITAL ADJUSTMENT OF OPERATING PARAMETERS
EP0996063A1 (en) * 1998-10-19 2000-04-26 Ela Medical Actif medical device comprising protected registers for the digital adjustment of working parameters
US6230058B1 (en) 1998-10-19 2001-05-08 Ela Medical S.A. Active medical device having protected memory registers for storing adjustable parameter values
WO2015092487A1 (en) 2013-12-18 2015-06-25 Freescale Semiconductor, Inc. Storage element with storage and clock tree monitoring circuit and methods therefor
US9589637B1 (en) 2013-12-18 2017-03-07 Nxp Usa, Inc. Storage element with storage and clock tree monitoring circuit and methods therefor

Similar Documents

Publication Publication Date Title
US5784386A (en) Fault tolerant synchronous clock distribution
US4967347A (en) Multiple-redundant fault detection system and related method for its use
US4375683A (en) Fault tolerant computational system and voter circuit
US7890797B2 (en) Vehicle including a processor system having fault tolerance
US5349654A (en) Fault tolerant data exchange unit
US4538273A (en) Dual input watchdog timer
US4843608A (en) Cross-coupled checking circuit
EP0349539B1 (en) Method and apparatus for digital logic synchronism monitoring
JPH02110388A (en) Integrated circuit module
US5381416A (en) Detection of skew fault in a multiple clock system
US4686677A (en) Apparatus and method for detecting time-related faults
US5483639A (en) Device for detecting transmission errors in balanced two-wire bus lines and two-bus interfaces
US4700346A (en) Self-checking, dual railed, leading edge synchronizer
WO1987007793A1 (en) Method for realizing a fault-tolerant electronic system and a corresponding system
EP0461041A2 (en) Flip-flop circuit
US3814920A (en) Employing variable clock rate
US3713095A (en) Data processor sequence checking circuitry
US4701917A (en) Diagnostic circuit
US3750110A (en) Data transfer systems
FI72396C (en) Procedure for providing an electronic system that tolerates errors and the corresponding system.
KR100538487B1 (en) Majority voter of railway signaling control system
SU1499489A1 (en) Self-check computing device
JPS61115141A (en) Self-inspection type sequence circuit
EP0675437A2 (en) Self-testing secure-transaction computer input-output bus
JPS6019532B2 (en) Error detection control method

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): DK JP NO US

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): AT BE CH DE FR GB IT LU NL SE