Multiple-redundant fault detection system and related method for its use

US 4,967,347 A
Filed: 04/03/1986
Issued: 10/30/1990
Est. Priority Date: 04/03/1986
Status: Expired due to Term

First Claim

Patent Images

1. A multiple-redundant computer system, comprising:

a plurality of synchronized computational devices, each of which has a processor and a memory, and a data path between its processor and its memory;

an equal plurality of data buses associated one with each of the computational devices;

means in each computational device for intercepting data on the data path between the memory and its associated processor, and transmitting the intercepted data to the data bus associated with the computational device;

an equal plurality of voter circuits associated one with each of the computational devices and each connected to receive inputs from all of the plurality of data buses and to supply a single voted output to its associated computational device;

an equal plurality of fault determination logic circuits associated one with each of the computational devices, and each connected to receive inputs from all of the plurality of data buses and to each generate a fault status word indicative of any fault conditions in the system; and

means associated with each computational device, for periodically reading the fault status word from the fault determination logic onto the associated data bus and through the associated voter circuit to the associated computational device, wherein each of the computational devices is periodically supplied with a voted fault status word indicative of any fault conditions in the system as determined by a majority of the fault determination logic circuits.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A multiple-redundant computer system having multiple computational devices operating in synchronism, multiple voter circuits to provide voted memory reading operations for the devices, and multiple fault detection logic for the detection of failures of the computational devices. Fault status words generated by the fault detection logic are also subject to a voted read by the multiple computational devices, thereby permitting detection of errors in the fault detection logic itself, as well as in the computational devices. The module structure of the invention also permits removal and replacement of circuit modules, each including a computational device and fault detection logic, without disconnecting power from the entire system.

Citations

20 Claims

1. A multiple-redundant computer system, comprising:
- a plurality of synchronized computational devices, each of which has a processor and a memory, and a data path between its processor and its memory;
  
  an equal plurality of data buses associated one with each of the computational devices;
  
  means in each computational device for intercepting data on the data path between the memory and its associated processor, and transmitting the intercepted data to the data bus associated with the computational device;
  
  an equal plurality of voter circuits associated one with each of the computational devices and each connected to receive inputs from all of the plurality of data buses and to supply a single voted output to its associated computational device;
  
  an equal plurality of fault determination logic circuits associated one with each of the computational devices, and each connected to receive inputs from all of the plurality of data buses and to each generate a fault status word indicative of any fault conditions in the system; and
  
  means associated with each computational device, for periodically reading the fault status word from the fault determination logic onto the associated data bus and through the associated voter circuit to the associated computational device, wherein each of the computational devices is periodically supplied with a voted fault status word indicative of any fault conditions in the system as determined by a majority of the fault determination logic circuits.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A computer system as defined in claim 1, wherein:
    - the number of computational devices is three.
  - 3. A computer system as defined in claim 1, wherein:
    - the system has an electrical load that is divided into a plurality (N) of loads;
      
      the system further includes a plurality of (M) of separate power supplies and a plurality of power sharing circuits, for coupling all of the power supplies to each of the loads in such a manner that each load can receive power from any selected combination of the power supplies.
  - 4. A computer system as defined in claim 3, wherein each of the power sharing circuits includes:
    - a plurality (M) of current limit circuits, connected one in each power supply line to limit the current supplied by any of the power supplies in the event of a short circuit in a load; and
      
      a plurality of (M) of diodes connected one in each power supply line to prevent flow of current from one power supply to another.
  - 5. A computer system as defined in claim 1, wherein each fault determination logic circuit includes:
    - bus comparison logic connected to receive signals from the data buses and to generate bus comparison output signals indicative of whether or not there is agreement as to data values carried by the plurality of data buses;
      
      fault status logic, including means for interpreting the bus comparison output signals from the bus comparison logic, and generating therefrom the fault status word for each computational device.
  - 6. A computer system as defined in claim 5, wherein:
    - the number of computational devices is three.
  - 7. A computer system as defined in claim 5, wherein:
    - the fault status logic in each fault determination logic circuit also includes a test register addressable by the associated computational device and coupled to the fault determination logic circuit, and means for selectively setting the bus comparison output signals, to facilitate the detection of faults in the fault determination logic.
  - 8. A computer system as defined in claim 7, wherein:
    - the number of computational devices is three.

9. A triple-redundant computer system, comprising:
- three synchronized computational devices, each of which has a processor and a memory, and a data path between its processor and its memory;
  
  three data buses associated one with each of the computational devices;
  
  means for intercepting data on the data path between the memory and the processor, and transmitting it to be corresponding data bus;
  
  three voter circuits associated one with each of the computational devices and connected to receive inputs from all three of the data buses and to supply a single voted output to its computational device;
  
  three bus comparison logic circuits, each connected to the three data buses and providing three bus comparison output signals indicative of the agreement or lack of agreement between each possible pairing of data bus signals;
  
  three fault determination logic circuits associated one with each of the computational devices, each connected to receive as inputs the bus comparison signals from its associated bus comparison logic circuit, and each operative to generate a fault status word indicative of any fault conditions in the system; and
  
  means associated with each computational device, for periodically reading the fault status word from the fault determination logic onto the associated data bus and through the associated voter circuit to the associated computational device, wherein each of the computational devices is periodically supplied with a voted fault status word indicative of any fault conditions in the system as determined by a majority of the fault determination logic circuits.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. A computer system as defined in claim 9, wherein:
    - each fault determination logic circuit also includes a test register addressable by its associated computational device and coupled to the fault determination logic circuit, and means for selectively setting the bus comparison output signals, to facilitate the detection of faults in the fault determination logic.
  - 11. A computer system as defined in claim 10, wherein:
    - the system is constructed to include three modules, each including a computational device, bus comparison logic and fault determination logic; and
      
      each module further includes means permitting removal and replacement of the module without disconnection of power from the entire system.
  - 12. A computer system as defined in claim 11, wherein:
    - the means permitting removal and replacement of a module includes an extended-length power connector pin to ensure connection of power before other connections during insertion of the module, and to ensure disconnection of power after disconnection of other lines during removal of the module.
  - 13. A computer system as defined in claim 11, wherein:
    - the means permitting removal and replacement of the module includes an electromechanical interlock for generating an electrical interrupt signal prior to actual removal of the module, whereby the interrupt signal may be employed to terminate operations of the module in an orderly manner.
  - 14. A computer system as defined in claim 9, wherein:
    - the system has an electrical load that is divided into a plurality (N) of loads;
      
      the system further includes a plurality (M) of separate power supplies and a plurality of power sharing circuits, for coupling all of the power supplies to each of the loads in such a manner that each load can receive power from any or all of the power supplies.
  - 15. A computer system as defined in claim 14, wherein each of the power sharing circuits includes:
    - a plurality (M) of current limit circuits, connected one in each power supply line to limit the current supplied by any of the power supplies in the event of a short circuit in a load; and
      
      a plurality (M) of diodes connected one in each power supply line to prevent flow of current from one power supply to another.
  - 16. A computer system as defined in claim 15, wherein:
    - the number of power supplies is three (M=3); and
      
      each power sharing circuit has three current limit circuits, connected to the three respective power supplies, and three diodes connected in series with the respective current limit circuits, the diodes being connected in common to one of the electrical loads.

17. A method for detecting errors in fault determination logic in a triple-redundant computer system, comprising the steps of:
- simulating an error condition in one of three synchronized computational subsystems;
  
  generating a resultant set of first fault status conditions in fault determination logic associated with each of the three subsystems;
  
  reading the first fault status conditions onto three associated data buses and thence by majority vote into each of the three computational systems; and
  
  generating a second fault status condition in the fault determination logic as a result of reading the first fault status conditions, the second fault status condition providing the identity of any improperly operating fault determination logic.
- View Dependent Claims (18, 19)
- - 18. A method as defined in claim 17, wherein:
    - the step of simulating a fault condition includes writing onto a selected one of the data buses an intentionally incorrect data word, whereby the bus comparison of the data buses should generate an indication of error in the computational subsystem associated with the selected bus, and the step of reading the first fault status condition will reveal any improperly operating fault determination logic.
  - 19. A method as defined in claim 17, wherein:
    - the step of simulating a fault condition includes injecting a selected set of bus comparison signals into the fault determination logic, whereby the step of reading the first fault status conditions reads the result expected from the bus comparison signals, and the step of reading the first fault status conditions generates second fault status conditions indicative of any errors in the fault determination logic.

20. Apparatus for detecting errors in fault determination logic in a triple-redundant computer system, the apparatus comprising:
- means for simulating an error condition in one of three synchronized computational subsystems;
  
  means for generating a resultant set of first fault status conditions in fault determination logic associated with each of the three subsystems;
  
  means for reading the first fault status conditions onto three associated data buses and thence by majority vote into each of the three computational systems; and
  
  means for generating a second fault status condition in the fault determination logic as a result of reading the first fault status conditions, the second fault status condition providing the identity of any improperly operating fault determination logic.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ics Triplex Technology Ltd. (Rockwell Automation, Inc.)
Original Assignee
Bh-F (Systems), Inc.
Inventors
Murphy, Kenneth J., Smith, Steven E.
Primary Examiner(s)
Shaw, Gareth D.
Assistant Examiner(s)
Loomis, John C.

Application Number

US06/847,956
Time in Patent Office

1,671 Days
Field of Search

371/67, 371/68, 371/36, 371/3, 371/8, 371/9, 371/11, 371/16, 371/36, 371/71, 371/25, 371/16.1, 371/23, 364/184, 364/185, 364/186, 364/200 MS File, 364/900 MS File, 364/300
US Class Current

714/12
CPC Class Codes

G06F 11/184 where the redundant compone...

G06F 11/2215 to test error correction or...

Multiple-redundant fault detection system and related method for its use

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Multiple-redundant fault detection system and related method for its use

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links