Fault-tolerant computer system with online recovery and reintegration of redundant components

US 5,295,258 A
Filed: 01/05/1990
Issued: 03/15/1994
Est. Priority Date: 12/22/1989
Status: Expired due to Term

First Claim

Patent Images

1. A method of operating a computer system having multiple CPUs executing the same instruction stream, the CPUs each having local memory and also each accessing multiple global memory units storing identical data, comprising the steps of:

a) detecting an error in one of said CPUs;

b) isolating said one CPU from the system and continuing to execute said instruction stream and accessing said global memory units by the other ones of said CPUs;

c) reintegrating said one CPU after rendering said CPU operative by first bringing said one CPU into sync with said other ones of said CPUs by soft-resetting all of said multiple CPUs prior to continuing normal operation of said multiple CPUs, said soft-resetting non-destructively preserving the current state and the local memory of each said multiple CPU, then restoring the state and the local memory of said one CPU to be identical to the state and the local memory of the said other ones of the CPUs.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer system in a fault-tolerant configuration employs multiple identical CPUs executing the same instruction stream, with multiple, identical memory modules in the address space of the CPUs storing duplicates of the same data. The system detects faults in the CPUs and memory modules, and places a faulty unit offline while continuing to operate using the good units. The faulty unit can be replaced and reintegrated into the system without shutdown. The multiple CPUs are loosely synchronized, as by detecting events such as memory references and stalling any CPU ahead of others until all execute the function simultaneously; interrupts can be synchronized by ensuring that all CPUs implement the interrupt at the same point in their instruction stream. Memory references via the separate CPU-to-memory busses are voted at the three separate ports of each of the memory modules. I/O functions are implemented using two identical I/O busses, each of which is separately coupled to only one of the memory modules. A number of I/O processors are coupled to both I/O busses. I/O devices are accessed through a pair of identical (redundant) I/O processors, but only one is designated to actively control a given device; in case of failure of one I/O processor, however, an I/O device can be accessed by the other one without system shutdown.

389 Citations

29 Claims

1. A method of operating a computer system having multiple CPUs executing the same instruction stream, the CPUs each having local memory and also each accessing multiple global memory units storing identical data, comprising the steps of:
- a) detecting an error in one of said CPUs;
  
  b) isolating said one CPU from the system and continuing to execute said instruction stream and accessing said global memory units by the other ones of said CPUs;
  
  c) reintegrating said one CPU after rendering said CPU operative by first bringing said one CPU into sync with said other ones of said CPUs by soft-resetting all of said multiple CPUs prior to continuing normal operation of said multiple CPUs, said soft-resetting non-destructively preserving the current state and the local memory of each said multiple CPU, then restoring the state and the local memory of said one CPU to be identical to the state and the local memory of the said other ones of the CPUs.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A method according to claim 1 wherein any one of the global memory units may be designated as primary for the purpose of supplying read data to said multiple CPUs and the others of the said global memory units are designated backup.
  - 3. A method according to claim 1 wherein said step of restoring the state and the local memory includes;
    - a) copying each state variable of the other ones of the CPUs to global memory and then copying each state variable from global memory to the appropriate state register in all of said multiple CPUs;
      
      b) copying a portion of local memory of the other ones of the CPUs to global memory and then copying said portion from global memory to local memory in all of said multiple CPUs;
      
      c) repeating step b) for different portions of local memory of the other ones of the CPUs until all variables stored in local memory of the other ones of the CPUs have been copied to global memory and then copied from global memory to all of said multiple CPUs.
  - 4. A method according to claim 1 including the steps of;
    - a) removing said one CPU from said computer system without shutdown of said system and while the other ones of the CPUs continue execution of said instruction stream;
      
      b) replacing said one CPU in said computer system also without shutdown and while instruction execution continues.
  - 5. A method according to claim 1 wherein there are three said CPUs and two said global memory units.
  - 6. A method according to claim 1 comprising the steps of:
    - a) detecting an error in one of said global memory units;
      
      b) isolating said one of said global memory units and continuing to execute said instruction stream and accessing a remaining global memory unit of said global memory units;
      
      c) reintegrating said one global memory unit by restoring the state and memory contents of said one global memory unit to be identical to the state and memory contents of each remaining global memory unit of the global memory units;
      
      d) and thereafter continuing to execute said instruction stream accessing said multiple global memory units including said one global memory unit.
  - 7. A method according to claim 6 wherein there are two said global memory units either one of which is designated primary and the other is designated backup.
  - 8. A method according to claim 9 wherein said steps of reading each global memory unit processor board state variable and reading each local memory data word stored in global memory includes checking the validity of the data in each of said multiple global memory units.
  - 9. A method according to claim 6 wherein said step of restoring the state and the memory contents of global memory includes:
    - a) configuring said one global memory unit to ignore all access requests from I/O Processors;
      
      b) reading each global memory unit processor board state variable from the primary global memory unit to said multiple CPUs and storing said processor board state variable from the multiple CPUs to all global memory units including said one global memory unit;
      
      c) reading each local memory data word stored in the primary global memory unit to said multiple CPUs and storing said local memory data word from the multiple CPUs to all global memory units including said one global memory unit;
      
      d) repeating step c;
      
      e) configuring said one global memory unit to execute all access requests from I/O Processors.
  - 10. A method according to claim 8 including the step of changing the designations of the global memory units if an error is detected in the global memory unit previously designated as primary.

11. A fault-tolerant computer system, comprising:
- a) first, second and third CPUs of substantially identical configuration each having local memory, said first, second and third CPUs executing substantially the same instruction stream;
  
  b) first and second global memory modules of substantially identical configuration, said first and second memory modules storing substantially the same data;
  
  c) busses coupling each of the first, second and third CPUs individually to each of said first and second global memory modules whereby said first, second and third CPUs access said first and second global memory modules separately and in duplicate;
  
  d) said CPUs continuing to execute said instruction stream even though one of said first, second and third CPUs is inoperative and continuing to access one of said first and second global memory modules even though the other is inoperative;
  
  e) said one of said first, second and third CPUs which is inoperative being replaceable into the system without shutdown of the system while the other ones of said CPUs continue execution of said instruction stream;
  
  f) said one of said first, second and third CPUs which is inoperative being rendered operative and restored to normal function in the system without shutdown of the system while the other ones of said CPUs continue execution of said instruction stream, all of said first, second and third CPUs being soft-reset prior to restoration of said inoperative CPU, said soft-reset non-destructively preserving the current state and local memory of said first, second and third CPUs;
  
  g) said other of the global memory modules which is inoperative being replaceable into the system without shutdown of the system while said first, second and third CPUs continue to access the global memory module which is operative;
  
  h) said other of the global memory modules which is inoperative being rendered operative and restored to normal function in the system without shutdown of the system while said first, second and third CPUs continue to access the global memory module which is operative.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 12. A system according to claim 11 wherein said first, second and third CPUs are operating on independent clocks so that said execution is asynchronous.
  - 13. A system according to claim 11 wherein either of said global memory modules is designated as primary and the other is designated backup, and wherein write operations by the CPUs are executed in both of said global memory modules but in read operations said CPUs receive data from only the primary global memory module;
    - and wherein the backup global memory module may be designated primary and the primary may be designated backup, at any time.
  - 14. A system according to claim 11 wherein said first, second and third CPUs are loosely synchronized upon the event of a reference to the global memory modules.
  - 15. A system according to claim 14 wherein said first, second and third CPUs are loosely synchronized upon the event of a reference to the global memory modules by detecting an access to said first and second global memory modules and stalling any CPUs for which the access occurs earlier to wait until the last one of said CPUs executes said access, then allowing the access to occur.
  - 16. A system according to claim 14 wherein said global memory module include means for voting said reference to said global memory modules, and wherein data is voted only for writes in said means for voting said references to said global memory modules, and addresses and commands are voted for both read and write references to said global memory modules.
  - 17. A system according to claim 11 further including:
    - i) a first input/output bus coupled to said first global memory module and a second input/output bus coupled to said second global memory module; and
      
      j) a first input/output processor coupled to both said first and second input/output busses, and a second input/output processor coupled to both said first and second input/output busses.
  - 18. A system according to claim 17 further including:
    - k) one I/O bus coupled to said first input/output processor and a second I/O bus coupled to said second input/output processor;
      
      l) one or more Bus Interface Modules coupled to both said first and second I/O bussesm) one I/O Controller coupled to each Bus Interface Modulen) one or more I/O devices coupled to each I/O Controller.
  - 19. A system according to claim 18 wherein a faulty I/O Controller can be taken off-line and placed in reset.
  - 20. A system according to claim 18 wherein a faulty disk drive module attached to an I/O Controller can be isolated and powered down until said disk drive is removed and replaced.
  - 21. A system according to claim 18 further including:
    - o) dual power subsystems providing normal operational power for the redundant modules in the system such that normal system operation can continue in the event of a failure of one power subsystem component;
      
      p) dual battery backup power subsystems providing sufficient power to allow graceful shutdown of the system in the event of a loss of mains power even when one of said battery backup power subsystems is inoperative;
      
      q) redundant cooling systems with cooling efficiency sensors on each cooling module such that the efficiency of all remaining cooling modules can be increased to compensate for a faulty cooling module.
  - 22. A system according to claim 18 further including additional input/output processors, each coupled to an additional I/O bus.
  - 23. A system according to claim 22 wherein each said input/output processor functions as an independent entity providing controlled access between said assigned I/O Controllers and said global memory modules.
  - 24. A system according to claim 18 wherein:
    - a) each said I/O controller is assigned to one of the two said input/output processors coupled via said I/O bus and said Bus Interface Module; and
      
      b) each input/output processor coordinates global memory accesses for its assigned I/O controllers; and
      
      c) each input/output processor monitors said assigned I/O Controllers for incorrect behavior and reports software and firmware errors associated with each said assigned I/O controller to the CPUs via interrupts.
  - 25. A system according to claim 24 wherein a faulty input/output processor can be isolated, held in a Reset state, and its assigned I/O Controllers reassigned to the other input/output processor which is coupled to the said I/O Controllers.

26. A method of operating a computer system including the steps of:
- a) executing the same instruction stream in first, second and third CPUs;
  
  b) generating global memory accesses in each of said first, second and third CPUs at separate first, second and third global memory access busses;
  
  c) storing duplicative data in first and second global memory modules having substantially identical address spaces within the address range of said CPUs, including executing accesses to each one of said first and second global memory modules via said first, second and third global memory access busses;
  
  d) voting each one of said accesses in said first and second global memory modules when received from said first, second and third global memory access busses, said voting including comparing information representing said accesses;
  
  e) allowing said accesses to be completed only where at least two of said global memory access busses present the same such information;
  
  f) placing offline one of said first, second and third CPUs when a global memory access from said one is different from the other two upon said voting, then placing said one CPU back online without shutdown of the system after said one of the CPUs is rendered operative, said first, second and third CPUs being soft-reset such that the current state and local memory of each of said first, second and third CPUs are non-destructively preserved prior to continuing normal operation of said first, second and third CPUs.
- View Dependent Claims (27, 28, 29)
- - 27. A method according to claim 26 including the step of placing offline one of said first and second global memory modules when an error is detected in global memory access, then replacing said one of said global memory modules into the system without shutdown of the system after said one of the global memory modules is rendered operative.
  - 28. A method according to claim 26 including the step of synchronizing said first, second and third CPUs whereby said CPUs are substantially simultaneously executing the same instruction stream, and wherein said step of synchronizing said CPUs includes stalling execution of global memory accesses until all three of the first, second and third CPUs are executing the same global memory access at the same time.
  - 29. A method according to the claim 28 wherein said step of synchronizing also includes timing the implementation of external interrupts of the CPUs so that all three of the first, second and third CPUs are executing the same instruction at the time the interrupt is presented.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Tandem Computers Incorporated (HP Inc.)
Inventors
Pozdro, John, Fey, Kyran W. Jr., Jewett, Douglas E., Banton, Randall G., Cutts, Richard W. Jr., Bereiter, Tom, Mehta, Nikhil A., Debacker, Kenneth C., Westbrook, deceased, Donald C., Vetter, Brian
Primary Examiner(s)
Baker, Stephen M.

Application Number

US07/461,250
Time in Patent Office

1,530 Days
Field of Search

371/7, 371/8.1, 371/9.1, 371/10.1, 371/68.1, 371/68.3, 371/12, 371/11.1, 371/11.3, 364/228.3, 364/268.4, 364/268.5, 364/268.6, 364/268.8, 364/269, 364/269.1, 364/285.2, 364/285.3, 364/268.1, 364/268.9
US Class Current

714/12
CPC Class Codes

G06F 1/12   Synchronisation of differen...

G06F 1/30   Means for acting in the eve...

G06F 11/0709   in a distributed system con...

G06F 11/0724   in a multiprocessor or a mu...

G06F 11/073   in a memory management cont...

G06F 11/0793   Remedial or corrective acti...

G06F 11/1441   Resetting or repowering

G06F 11/1658   Data re-synchronization of ...

G06F 11/1666   where the redundant compone...

G06F 11/1683   at instruction level

G06F 11/1687   at event level, e.g. by int...

G06F 11/1691   using a quantum

G06F 11/181   Eliminating the failing red...

G06F 11/185   and the voting is itself pe...

G06F 11/20   using active fault-masking,...

G06F 11/2005   using redundant communicati...

G06F 11/2007   using redundant communicati...

G06F 11/2015   Redundant power supplies po...

G06F 11/22   Detection or location of de...

G06F 11/2736   using a dedicated service p...

Fault-tolerant computer system with online recovery and reintegration of redundant components

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

389 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Fault-tolerant computer system with online recovery and reintegration of redundant components

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

389 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links