Hybrid multiple redundant computer system
Abstract
A hybrid multiple redundant computer system (10) having at least three parallel operating processing units (12) including input module (14), central processor module (16), and output module (50) in each processing unit is disclosed. The central processor module (16) is connected to the associated input module (14) and connected to primary and secondary output circuits (18, 20) located in the associated output module (50) and in the neighboring output module (50) respectively. Each processing unit (12) further includes a watchdog controller (30) that monitors the associated central processor module (16) and transfers an alarm signal (44) to each output module (50) in the event that a central processor module (16) fails. Primary and secondary output circuits (18, 20) in each output module (50) control an output voter network (22) and perform selectable but different logical functions among output data of the respective central processor modules (16) and alarm signals (44) for providing no single point of failure within the output module (50). If alarm signals (44) are not activated, the system generates an output (180) using two-of-three vote among output data produced by three central processor modules (16). In the event that one or two central processor modules (16) fail, the system is reconfigured to a two-of-two and to a one-of-one vote configuration respectively. Each central processor module (16) in turn monitors the status of all of the system components and disables faulty outputs by opening a fault recovery switch (54) in the respective output module (50) allowing continued system operation in the face of as many as two faults within any system components.
186 Citations
13 Claims
1. A hybrid multiple redundant computer system comprising:
a) a first, a second, and a third processing unit operating in parallel, each of which includes a central processor module connected to an input module and an output module for receiving input data from said input module and for using the input data as input to a control program to provide output data by execution of said control program, each central processor module has a data bus for transferring said output data to output modules in such a manner that the central processor module associated with the first processing unit transmits output data to the associated output module and to the output module associated with the second processing unit, the central processor module associated with the second processing unit transmits output data to the associated output module and to the output module associated with the third processing unit, the central processor module associated with the third processing unit transmits output data to the associated output module and to the output module associated with the first processing unit, said output module having no single point of failure;
b) means in the output module for providing its output as a logical product of output data received from two central processor modules, said output modules connected to each other for generating system output as a logical sum of the outputs produced by said output modules to provide a two-out-of-three vote among output data produced by three central processor modules;
c) the processing unit further comprising a watchdog controller connected to the associated central processor module for detecting the occurrence of a fault within said central processor module and for activating an alarm signal in the event that said central processor module fails;
d) the output module in each processing unit further connected to the associated watchdog controller and connected to watchdog controllers in the other processing units for receiving an alarm signal from any of said watchdog controllers in the event that the associated central processor module fails;
e) means in the output module for producing the output of said output module as a logical product of output data received from the associated central processor module and from the neighbor central processor module if said alarm signal in each processing unit is not activated, means for disabling said output if the alarm signal received from the associated watchdog controller is activated, and for generating said output by only using the output data received from the associated central processor module if at least one out of two alarm signals produced by the neighbor watchdog controllers is activated, thereby allowing the system to reconfigure from the triple processing unit configuration with two-out-of-three voting to a two-out-of-two diagnostic dual processing unit configuration in the event that the associated central processor module fails, to a single processing unit configuration in the event that the associated and any neighbor central processor modules concurrently fail, and to the predetermined safe output condition in the event that each central processor module fails;
f) wherein said means in the output module associated with the first processing unit for producing its output as a logic product of output data received by said output module from central processor modules associated with first and third processing units if said alarm signal in each processing unit is not activated, and for generating said output by only using the output data received from the central processor module associated with the first processing unit if at least one out of two alarm signals associated with second and third processing units is activated, and for disabling the output of said output module if the alarm signal associated with the first processing unit is activated;
g) wherein said means in the output module associated with the second processing unit for producing its output as a logic product of output data received by said output module from central processor modules associated with second and first processing units if said alarm signal in each processing unit is not activated, and for generating said output by only using the output data received from the central processor module associated with the second processing unit if at least one out of two alarm signals associated with first and third processing units is activated, and for disabling the output of said output module if the alarm signal associated with the second processing unit is activated;
h) wherein said means in the output module associated with the third processing unit for producing its output as a logic product of output data received by said output module from central processor modules associated with third and second processing units if said alarm signal in each processing unit is not activated, and for generating said output by only using the output data received from the central processor module associated with the third processing unit if at least one out of two alarm signals associated with first and second processing units is activated, and for disabling the output of said output module if the alarm signal associated with the third processing unit is activated;
i) means in each central processor module for reading the status of the associated output module to disable output of said output module if a fault of that module is discovered;
j) means in each central processor module for reading the status of the associated input module and disabling input data received from said input module if a fault of that module is discovered.
a) each processing unit module further comprising an additional output for producing an alarm signal on said output when a fault within the associated output module is discovered by said central processor module; and
b) each central processor module further comprising an OR-gate having a first input connected to said additional output of the central processor module, a second input connected to the output of the associated watchdog controller, and an output connected to each output module, whereby said OR-gate transmits the alarm signal from either said central processor module or said watchdog controller to each output module to provide reconfiguration from said triple processing unit configuration to said dual processing unit configuration in the event that the associated output module fails.
3. The hybrid multiple redundant system of claim 1, wherein:
a) the data bus associated with the central processor module further connected to each neighbor central processor module for allowing the central processor module to transmit said input data to each neighbor central processor module at the same time;
b) each central processor module has means for reading input data transmitted from two neighbor central processor modules via the data buses respectively associated with said neighbor central processor modules, and for implementing two-out-of-three software voting of said input data and using the voted data as input to the control program;
c) each central processor module has means for transmitting its status to both neighbor central processor modules over the associated data bus and means for reading the status of both neighbor central processor modules via the data buses respectively associated with said neighbor central processor modules;
d) each central processor module has means for transmitting the status of the associated input and output module to both neighbor central processor modules over the associated data bus and means for reading said status from both neighbor central processor modules via the data buses respectively associated with said neighbor central processor modules;
e) each central processor module has means for synchronizing its operation with the operation of neighbor central processor modules and for providing scan-based mode of said hybrid multiple redundant system operation to perform control program execution on a cyclical basis.
4. The hybrid multiple redundant system of claim 3, wherein:
a) the output module in each processing unit comprising a primary output circuit and a secondary output circuit connected to the associated central processor module and to another central processor module, respectively, for receiving output data from said central processor modules;
b) the output module in each processing unit further comprising an output voter network connected to outputs of associated primary and secondary output circuits for producing a logic product of said outputs on the output of said output module, thereby producing said output as a logical product of the output data received by said primary and secondary output circuits from the corresponding central processor modules;
c) wherein the output of said output voter network connected with corresponding outputs of two other output voter networks for producing system output as a result of two-out-of-three voting among output data of said three central processor modules;
d) said primary and secondary output circuits in the output module associated with the first processing unit are connected over the associated data buses to the central processor modules associated with the first and third processing units, respectively, for receiving output data from said central processor modules;
e) said primary and secondary output circuits in the output module associated with the second processing unit are connected over the associated data buses to the central processor modules associated with the second and first processing units, respectively, for receiving output data from said central processor modules;
f) said primary and secondary output circuits in the output module associated with the third processing unit are connected over the associated data buses to the central processor modules associated with the third and second processing units, respectively, for receiving output data from said central processor modules;
g) the primary output circuit in each processing unit is further connected to the associated watchdog controller for receiving said alarm signal from said watchdog controller;
h) the secondary output circuit in the output module associated with the first processing unit is further connected to the watchdog controllers associated with the second and the third processing units respectively for receiving said alarm signal from each of said watchdog controllers;
i) the secondary output circuit in the output module associated with the second processing unit is further connected to the watchdog controllers associated with the first and the third processing units respectively for receiving said alarm signal from each of said watchdog controllers;
j) the secondary output circuit in the output module associated with the third processing unit is further connected to the watchdog controllers associated with the second and the first processing units respectively for receiving said alarm signal from each of said watchdog controllers;
k) the primary output circuit in each output module further connected to the associated secondary output circuit for transferring output data of the associated central processor module to said secondary output circuit if at least one of said alarm signals received by the associated secondary output circuit is activated;
l) the primary output circuit has means for transferring output data of the associated central processor module to the associated output voter network if said alarm signal is not activated and disabling outputs of said output voter network if said alarm signal is activated;
m) the secondary output circuit associated with the first processing unit has means for transferring output data of the central processor module associated with the third processing unit to the associated output voter network if both alarm signals produced by the watchdog controllers associated with second and third processing units are not activated, for producing an output as a logic sum of output data received from central processor modules associated with first and third processing units and transferring said output to the associated output voter network if an alarm signal produced by the watchdog controller associated with the second processing unit is activated, and for transferring output data of the central processor module associated with the first processing unit to the associated output voter network if an alarm signal produced by the watchdog controller associated with the third processing unit is activated;
n) the secondary output circuit associated with the second processing unit has means for transferring output data of the central processor module associated with the first processing unit to the associated output voter network if both alarm signals produced by the watchdog controllers associated with first and third processing units are not activated, for producing an output as a logic sum of output data received from central processor modules associated with first and second processing units and for transferring said output to the associated output voter network if an alarm signal produced by the watchdog controller associated with the third processing unit is activated, and transferring output data of the central processor module associated with the second processing unit to the associated output voter network if an alarm signal produced by the watchdog controller associated with the first processing unit is activated;
o) the secondary output circuit associated with the third processing unit has means for transferring output data of the central processor module associated with the second processing unit to the associated output voter network if both alarm signals produced by the watchdog controllers associated with first and second processing units are not activated, for producing an output as a logic sum of output data received from central processor modules associated with second and third processing units and for transferring said output to the associated output voter network if an alarm signal produced by the watchdog controller associated with the first processing unit is activated, and for transferring output data of the central processor module associated with the third processing unit to that output voter network if an alarm signal produced by the watchdog controller associated with the second processing unit is activated.
5. The hybrid multiple redundant system of claim 4, wherein:
a) each central processor module has means for periodically producing the output data, each bit of which corresponds to the system input;
b) each output voter network comprising multiple pairs of first and second electronic valves, the valves within each pair connected in series and each of said pairs connected by one side to an external power supply, and each of said pairs separately connected by the other side to an output of the associated output module for providing a single-bit output that is energized if both first and second electronic valves are ON and de-energized if at least one of said electronic valves is OFF;
c) said primary and secondary output circuits in each output module connected to said first and second electronic valves respectively for setting said first and second electronic valves in any pair of said valves in a state according to the output of said primary and secondary output circuit respectively;
d) each primary output circuit has means for transferring each output of the associated central processor module to the associated first electronic valve if the alarm signal received from the associated watchdog controller is not activated and setting each first electronic valve OFF if said alarm signal is activated, thereby de-energizing all outputs of the associated output module in the event that the associated central processor module fails and its fault is recognized by the associated watchdog controller;
e) the secondary output circuit associated with the first processing unit has means for transferring each output of the central processor module associated with the third processing unit to the associated second electronic valve if both alarm signals received by said secondary output circuit from the watchdog controllers associated with the second and third processing units are not activated, means for producing a logic sum of the corresponding bits of the output data received from central processor modules associated with first and third processing units and transferring said logic sum to the second electronic valve if an alarm signal produced by the watchdog controller associated with the second processing unit is activated, and means for transferring output data of the central processor module associated with the first processing unit to the second electronic valve if an alarm signal produced by the watchdog controller associated with the third processing unit is activated;
f) the secondary output circuit associated with the second processing unit has means for transferring each output of the central processor module associated with the first processing unit to the associated second electronic valve if both alarm signals received by said secondary output circuit from the watchdog controllers associated with the first and third processing units are not activated, means for producing a logic sum of the corresponding bits of the output data received from central processor modules associated with first and second processing units and transferring said logic sum to the second electronic valve if an alarm signal produced by the watchdog controller associated with the third processing unit is activated, and means for transferring output data of the central processor module associated with the second processing unit to the second electronic valve if an alarm signal produced by the watchdog controller associated with the first processing unit is activated;
g) the secondary output circuit associated with the third processing unit has means for transferring each output of the central processor module associated with the second processing unit to the associated second electronic valve if both alarm signals received by said secondary output circuit from the watchdog controllers associated with the first and second processing units are not activated, means for producing a logic sum of the corresponding bits of the output data received from central processor modules associated with second and third processing units and transferring said logic sum to the second electronic valve if an alarm signal produced by the watchdog controller associated with the first processing unit is activated, and means for transferring output data of the central processor module associated with the third processing unit to the second electronic valve if an alarm signal produced by the watchdog controller associated with the second processing unit is activated.
6. The hybrid multiple redundant system of claim 5, wherein:
a) the output module further includes a fault recovery valve connected by one side to an external power supply and connected by the other side to one side of each pair of said first and second electronic valves, the other side of each said pair being separately connected to the output of said output module;
b) in each processing unit the watchdog controller further connected to the fault recovery valve for sending said alarm signal to set said fault recovery valve OFF for de-energizing all outputs of the associated output module from the system output in the event that the associated central processor module fails;
c) each output voter network further comprising a current sensor in each pair of first and second electronic valves, said current sensor connected in series with said first and second electronic valves and connected to the associated primary output circuit for producing a logic feedback data transmitted to the associated central processor module over the associated primary output circuit to inform said associated central processor module about a value of current flowing through said first and second electronic valves;
d) means in each primary output circuit for reading said feedback data from each of said current sensors simultaneously and for transferring said feedback data to the associated central processor module;
e) means in each central processor module for receiving said feedback data from the associated primary output circuit, comparing said feedback data with recent output data and sending a command to the associated watchdog controller for activating said alarm signal to de-energize each output of the associated output module from system output by setting the associated fault recovery valve OFF if a fault in any pair of said first and second electronic valves is discovered;
f) means in each primary output circuit for producing an acknowledge signal and for transferring said acknowledge signal to the associated central processor module;
g) means in each central processor module for reading said acknowledge signal from the associated primary output circuit for evaluating condition of said primary output circuit and sending a command to the associated watchdog controller for activating said alarm signal to de-energize each output of the associated output module from system output by setting the associated fault recovery valve OFF if a fault in said primary output circuit is discovered.
7. The fault tolerant system of claim 6, wherein:
a) each primary output circuit comprising a parallel programmable interface communicating with the associated central processor module over the associated data bus, a primary control circuit connected to said programmable interface for receiving and storing output data of the associated central processor module via said parallel programmable interface, said primary output circuit further including a primary logic circuit connected to outputs of said control circuit to receive output data of said central processor module, outputs of said primary logic circuit connected to the associated first electronic valves;
b) each secondary output circuit comprising a parallel programmable interface communicating with the corresponding central processor module, a secondary control circuit connected with said programmable interface for receiving and storing output data of said central processor module via said parallel programmable interface and providing asynchronous data communications between said central processor module and said parallel programmable interface, said secondary output circuit further including a secondary logic circuit connected with outputs of said control circuit to receive output data of said central processor module, outputs of said secondary logic circuit connected to the associated second electronic valves;
c) the primary logic circuit in each primary output circuit further connected to the associated watchdog controller for receiving the alarm signal from said watchdog controller;
d) the secondary logic circuit in the secondary output circuit associated with the first processing unit further connected to watchdog controllers associated with second and third processing units respectively for receiving said alarm signal from each of said watchdog controllers;
e) the secondary logic circuit in the secondary output circuit associated with the second processing unit further connected to watchdog controllers associated with first and third processing units respectively for receiving said alarm signal from each of said watchdog controllers;
f) the secondary logic circuit in the secondary output circuit associated with the third processing unit further connected to watchdog controllers associated with first and second processing units respectively for receiving said alarm signal from each of said watchdog controllers;
g) the primary output circuit in each output module further connected to the associated secondary output circuit for transferring output data of the associated central processor module to said secondary output circuit if at least one of said alarm signals received by the associated secondary logic circuit is activated;
h) the primary logic circuit in each primary output circuit has means for transferring output data of the associated central processor module to the associated first electronic valves if alarm signal produced by the associated watchdog controller is not activated and setting each first electronic valve OFF if said alarm signal is activated, thereby de-energizing all outputs of the associated output module from the system outputs in the event that associated central processor module fails and its fault is recognized by the associated watchdog controller;
i) the secondary logic circuit in the secondary output circuit associated with the first processing unit has means for transferring output data of the central processor module associated with the third processing unit to the associated second electronic valves if both alarm signals received by said secondary logic circuit from the watchdog controllers associated with second and third processing units are not activated, for producing a logic sum of the corresponding bits of the output data received from central processor modules associated with first and third processing units and transferring said logic sum to the second electronic valve if an alarm signal produced by the watchdog controller associated with the second processing unit is activated, and for transferring output data of the central processor module associated with the first processing unit to the second electronic valve if an alarm signal produced by the watchdog controller associated with the third processing unit is activated;
j) the secondary logic circuit associated with the second processing unit has means for transferring each output of the central processor module associated with the first processing unit to the associated second electronic valve if both alarm signals received by said secondary output circuit from the watchdog controllers associated with first and third processing units are not activated, for producing a logic sum of the corresponding bits of the output data received from central processor modules associated with first and second processing units and transferring said logic sum to the second electronic valve if an alarm signal produced by the watchdog controller associated with the third processing unit is activated, and for transferring output data of the central processor module associated with the second processing unit to the second electronic valve if an alarm signal produced by the watchdog controller associated with the first processing unit is activated;
k) the secondary logic circuit associated with the third processing unit has means for transferring each output of the central processor module associated with the second processing unit to the associated second electronic valve if both alarm signals received by said secondary output circuit from the watchdog controllers associated with first and second processing units are not activated, for producing a logic sum of the corresponding bits of the output data received from central processor modules associated with second and third processing units and transferring said logic sum to the second electronic valve if an alarm signal produced by the watchdog controller associated with the first processing unit is activated, and for transferring output data of the central processor module associated with the third processing unit to the second electronic valve if an alarm signal produced by the watchdog controller associated with the second processing unit is activated.
8. The fault tolerant system of claim 7, wherein:
a) each primary logic circuit comprising an inverter for receiving and inverting the alarm signal from the associated watchdog controller and further comprising a plurality of AND gates and a plurality of drivers, the output of each AND gate connected to the corresponding driver, the driver in turn connected to the corresponding first electronic valve, a first input of all said AND gates connected together to the output of said inverter, while another input of each AND gate separately connected to the corresponding output of the primary control circuit for receiving output of said control circuit and transferring said output to the corresponding first electronic valve when said alarm signal is false and setting said first electronic valve OFF when said alarm signal is true;
b) the secondary logic circuit in the output module associated with the first processing unit comprising an OR-gate connected to the watchdog controllers associated with second and third processing units for receiving alarm signal from each of said watchdog controllers and further comprising an inverter for receiving and inverting alarm signal from the watchdog controller associated with the third processing unit and further comprising a plurality of first AND-gates and a plurality of second AND-gates, first inputs of all first AND-gates connected together to output of said OR-gate and second input of each first AND-gate connected separately to the corresponding output of the AND-gate in the primary logic circuit associated with the same output module for transferring each output of the associated primary control circuit to the corresponding input of said first AND-gate when at least one alarm signal received by said OR-gate is true, first inputs of all second AND-gates connected together to output of said inverter and the second input of each second AND-gate connected separately to the corresponding output of the secondary control circuit for receiving said output if said inverted alarm signal is true;
c) said secondary logic circuit in the output module associated with the first processing unit further comprising a plurality of OR-gates and a plurality of drivers, an output of each OR-gate in said plurality of OR-gates connected to the corresponding driver, which in turn is connected to the corresponding second electronic valve, first input of each said OR-gate separately connected to output of said first AND-gate and second input of each said OR-gate separately connected to output of said second AND-gate for transferring corresponding output of the associated secondary control circuit to the corresponding second electronic valve if both alarm signals received by said secondary logic circuit from the watchdog controllers associated with second and third processing units are false, for producing an output as a logic sum of the corresponding bits of the output data received from the associated primary and secondary control circuits and for transferring said output to the second electronic valve if an alarm signal received from the watchdog controller associated with the second processing unit is true, while an alarm signal received from the watchdog controller associated with the third processing unit is false, and for transferring each output of the associated primary control circuit to the corresponding second electronic valve if the alarm signal received from the watchdog controller associated with the third processing unit is true;
d) the secondary logic circuit in the output module associated with the second processing unit comprising the same components as said secondary logic circuit in the output module associated with the first processing unit, wherein said OR-gate connected to the watchdog controllers associated with first and third processing units for receiving alarm signal from each of said watchdog controllers and said inverter is used for receiving and inverting alarm signal from the watchdog controller associated with the first processing unit, each AND-gate is used for transferring corresponding output of the associated secondary control circuit to the corresponding second electronic valve if both alarm signals received by said secondary logic circuit from the watchdog controllers associated with first and third processing units are false, for producing an output as a logic sum of the corresponding bits of the output data received from the associated primary and secondary control circuits and for transferring said output to the corresponding second electronic valve if an alarm signal received from the watchdog controller associated with the third processing unit is true, while an alarm signal received from the watchdog controller associated with the first processing unit is false, and for transferring each output of the associated primary control circuit to said second electronic valve if the alarm signal received from the watchdog controller associated with the first processing unit is true;
e) the secondary logic circuit in the output module associated with the third processing unit comprising the same components as said secondary logic circuit in the output module associated with the first processing unit, wherein said OR-gate connected to the watchdog controllers associated with first and second processing units respectively for receiving alarm signal from each of said watchdog controllers and said inverter is used for receiving and inverting alarm signal from the watchdog controller associated with the second processing unit, each second AND-gate is used for transferring corresponding output of the associated secondary control circuit to the corresponding second electronic valve if both alarm signals received by said secondary logic circuit from the watchdog controllers associated with first and second processing units are false, for producing an output as a logic sum of the corresponding bits of the output data received from the associated primary and secondary control circuits and for transferring said output to the corresponding second electronic valve if an alarm signal received from the watchdog controller associated with the first processing unit is true, while an alarm signal received from the watchdog controller associated with the second processing unit is false, and for transferring each output of the associated primary control circuit to said second electronic valve if the alarm signal received from the watchdog controller associated with the second processing unit is true.
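The following is an added gate-level model of the output stage described in claims 7 and 8; it is illustrative code, not from the patent, and the function names, the 0-based unit indices and the 8-bit word width are assumptions. It shows how the primary AND gates, the OR gate over the two foreign alarms, the inverter on the neighbour's alarm and the series-connected valve pairs combine into a two-out-of-three vote while no watchdog has fired, and how the stage degrades to the logical sum of the two surviving units once one alarm is active. The `majority` function is only there to check the gate model against its intent.

```python
"""Gate-level model of one output word passing through the 2oo3 output stage
of claims 7 and 8.  Added example; names and the 8-bit width are assumptions.

Indices are 0-based: unit 0/1/2 = first/second/third processing unit.
data[i]  = output word computed by CPU i in this scan (one bit per system output)
alarm[i] = alarm signal of watchdog controller i (True = CPU i declared failed)
"""
from typing import Sequence

WIDTH = 8
MASK = (1 << WIDTH) - 1


def secondary_source(i: int) -> int:
    """CPU whose data reaches output module i's secondary circuit:
    OM1 <- CPU3, OM2 <- CPU1, OM3 <- CPU2 (the wiring of claim 1)."""
    return (i - 1) % 3


def primary_logic(d_own: int, alarm_own: bool) -> int:
    """Claim 8(a): every AND gate sees the inverted own alarm, so the first
    valves carry the CPU word while the alarm is false and are all OFF when it is true."""
    return 0 if alarm_own else d_own & MASK


def secondary_logic(primary_gates: int, d_sec: int,
                    alarm_sec_cpu: bool, alarm_other: bool) -> int:
    """Claim 8(b)/(c): OR gate over both foreign alarms, inverter on the alarm of
    the CPU feeding the secondary circuit, then per bit
    (OR & primary AND-gate output) | (NOT alarm_sec_cpu & secondary data)."""
    or_gate = alarm_sec_cpu or alarm_other
    first_and = primary_gates if or_gate else 0
    second_and = 0 if alarm_sec_cpu else d_sec & MASK
    return first_and | second_and


def output_module(i: int, data: Sequence[int], alarm: Sequence[bool]) -> int:
    """Output of module i: first and second valves are in series, so the
    module output is the logical product of the two logic circuits."""
    sec = secondary_source(i)
    other = 3 - i - sec
    first_valves = primary_logic(data[i], alarm[i])
    second_valves = secondary_logic(first_valves, data[sec], alarm[sec], alarm[other])
    return first_valves & second_valves


def system_output(data: Sequence[int],
                  alarm: Sequence[bool] = (False, False, False)) -> int:
    """Module outputs are paralleled: logical sum over the three modules."""
    out = 0
    for i in range(3):
        out |= output_module(i, data, alarm)
    return out


def majority(data: Sequence[int]) -> int:
    """Plain 2-out-of-3 vote, used to check the gate model against its intent."""
    a, b, c = (d & MASK for d in data)
    return (a & b) | (b & c) | (a & c)


if __name__ == "__main__":
    words = [0b1100, 0b1010, 0b0110]
    print(f"no alarm:    {system_output(words):04b} (majority {majority(words):04b})")
    print(f"CPU3 failed: {system_output(words, (False, False, True)):04b}")
```

With no alarm the model reproduces the bitwise majority for every input; with the third unit's watchdog active, module 3 is de-energized, module 1 passes the first CPU's word and module 2 passes the second CPU's word, so the system output becomes the logical sum of units 1 and 2 rather than a vote.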
9. The hybrid multiple redundant system of claim 8, wherein:
a) each parallel programmable interface comprises in one chip a data buffer and a control register, said data buffer connected to the associated data bus for receiving said output data from the associated central processor module over said data lines and for transmitting said feedback data to the associated central processor module over said data lines, said control register connected to the associated data bus for receiving address signals and write/read signals from the associated central processor module over said address and control lines respectively;
b) said parallel programmable interface further comprising an A-port, a B-port, and a C-port, said A-port has an output buffer for storing output data received from the associated central processor module, said B-port has multiple inputs for receiving feedback data from the associated current sensors and for transferring said feedback data to the associated central processor module over the associated data lines, said C-port has an output for producing a logic “0” output buffer full signal when said A-port has received output data from the associated central processor module;
c) said C-port in each parallel programmable interface associated with the primary output circuit further has a first input for receiving a logic “0” acknowledge signal produced by the primary control circuit and a second input for receiving a logic “0” acknowledge signal from the secondary control circuit;
d) said C-port in each parallel programmable interface associated with the secondary output circuit further has a first input for receiving a logic “0” acknowledge signal produced by the secondary control circuit and a second input for receiving a logic “0” acknowledge signal from the primary control circuit;
e) each primary control circuit and each secondary control circuit comprising a plurality of flip-flops, an inverter and a clock, input of each flip-flop connected to the corresponding output of said A-port for receiving output data from the corresponding central processor module, said control circuit further comprising first and second flip-flops, outputs of said flip-flops initialized to a logic “1” level, output of said clock connected to a clock input of the first flip-flop and connected to a clock input of the second flip-flop over said inverter, data input of the first flip-flop connected to the output of said C-port for receiving said output buffer full signal and producing then a logic “0” output signal on the nearest positive edge of a clock impulse received by the first flip-flop from the clock, output of the first flip-flop connected to clock input of each flip-flop in said plurality of flip-flops for writing each single-bit output of the A-port to the corresponding flip-flop in said plurality of flip-flops on the negative edge of said logic “0” output signal, output of the first flip-flop further connected to an input of the second flip-flop, said second flip-flop generating its output as a logic “0” acknowledge signal on the nearest positive edge of the inverted clock impulse;
f) output of said second flip-flop in the primary control circuit connected to the first input of said C-port in the associated parallel programmable interface and further connected to the second input of said C-port in the parallel programmable interface associated with the secondary output circuit in the same output module for transferring said logic “0” acknowledge signal to both said parallel programmable interfaces at the same time to inform the corresponding central processor modules that each of them can transfer the next output data to the corresponding parallel programmable interface, outputs of flip-flops in said plurality of flip-flops connected to AND-gates in the associated primary logic circuit for transferring said output data of the associated central processor module to said primary logic circuit;
g) output of said second flip-flop in the secondary control circuit connected to the first input of said C-port in the associated parallel programmable interface and further connected to the second input of said C-port in the parallel programmable interface associated with the primary output circuit in the same output module for transferring said logic “0” acknowledge signal to both said parallel programmable interfaces at the same time to inform the corresponding central processor modules that each of them can transfer the next output data to the corresponding parallel programmable interface, outputs of flip-flops in said plurality of flip-flops connected to AND-gates in the associated secondary logic circuit for transferring said output data of the corresponding central processor module to said secondary logic circuit;
h) the central processor module has means for reading said acknowledge signal from each corresponding parallel programmable interface via the associated data bus for getting information if both corresponding control circuits received output data from corresponding central processor modules.
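The handshake of claim 9, as an added clocked model (not the patent's own code): the CPU writes a word to port A of its parallel programmable interface (PPI), the PPI drops its output-buffer-full line, the control circuit's first flip-flop samples that line on the rising clock edge and latches the word on its own falling edge, the second flip-flop returns a logic-0 acknowledge on the inverted clock, and that acknowledge reaches both PPIs of the module so the CPU can read it back. Class and method names are assumptions, and the rule that a low acknowledge returns the output-buffer-full line to 1 is the usual behaviour of an 8255-style interface rather than something the claim states. A `powered` flag is a constructed fault used to show a control circuit that never answers.

```python
"""Clocked model of the output-data handshake of claim 9.  Added example;
names are assumptions, /OBF release on ACK is assumed 8255-style behaviour."""
from typing import Optional


class PPI:
    """Port A output buffer plus the port-C handshake lines of claim 9(a)-(d)."""

    def __init__(self) -> None:
        self.port_a = 0
        self.obf_n = 1            # /OBF: 0 while port A holds a word not yet taken
        self.ack_n = [1, 1]       # port-C inputs: [own control circuit, partner circuit]

    def cpu_write(self, word: int) -> None:
        self.port_a = word & 0xFF
        self.obf_n = 0

    def cpu_read_acks(self):
        """Claim 9(h): the CPU reads both acknowledge inputs over the data bus."""
        return tuple(self.ack_n)


class ControlCircuit:
    """First/second flip-flop and data latches of claim 9(e); outputs start at 1."""

    def __init__(self, powered: bool = True) -> None:
        self.q1 = 1
        self.q2 = 1
        self.data = 0
        self.powered = powered    # constructed fault: a dead circuit never answers

    def rising_edge(self, ppi: PPI) -> None:
        if not self.powered:
            return
        prev_q1 = self.q1
        self.q1 = ppi.obf_n                     # FF1 samples /OBF on the clock's rising edge
        if prev_q1 == 1 and self.q1 == 0:       # negative edge of Q1 clocks the data flip-flops
            self.data = ppi.port_a

    def falling_edge(self) -> int:
        if self.powered:
            self.q2 = self.q1                   # FF2 samples Q1 on the inverted clock
        return self.q2                          # this output is the acknowledge line


class OutputModuleHandshake:
    """Primary (index 0) and secondary (index 1) circuits of one output module."""

    def __init__(self, secondary_powered: bool = True) -> None:
        self.ppi = [PPI(), PPI()]
        self.cc = [ControlCircuit(), ControlCircuit(secondary_powered)]

    def half_cycle(self, rising: bool) -> None:
        for k in range(2):
            if rising:
                self.cc[k].rising_edge(self.ppi[k])
                continue
            ack = self.cc[k].falling_edge()
            self.ppi[k].ack_n[0] = ack           # first input of own PPI (claim 9(f)/(g))
            self.ppi[1 - k].ack_n[1] = ack       # second input of the partner PPI
            if ack == 0:
                self.ppi[k].obf_n = 1            # assumed: low ACK releases /OBF


def transfer(module: OutputModuleHandshake, word_primary: int, word_secondary: int,
             timeout_half_cycles: int = 8) -> dict:
    """Write both words, clock until the primary PPI shows both acknowledges low,
    and report when that happened (None = no acknowledge within the window)."""
    module.ppi[0].cpu_write(word_primary)
    module.ppi[1].cpu_write(word_secondary)
    acked_after: Optional[int] = None
    for t in range(timeout_half_cycles):
        module.half_cycle(rising=(t % 2 == 0))
        if acked_after is None and module.ppi[0].cpu_read_acks() == (0, 0):
            acked_after = t
    return {
        "primary_data": module.cc[0].data,
        "secondary_data": module.cc[1].data,
        "acked_after_half_cycles": acked_after,
    }
```

In the healthy case both words are latched on the first rising edge and both acknowledges are low after the following falling edge, after which the acknowledge pulse clears itself one clock period later; when the secondary control circuit is unpowered the primary word is still latched but the second acknowledge input never goes low, which is the condition the CPU's acknowledge poll is there to catch.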
10. A method for detecting and recovering faults in the output module in the hybrid multiple redundant system of claim 9, comprising in every scan cycle of said system operation the steps of:
a) checking in each output module the ability of all electronic valves to switch ON at the same time as a response to the corresponding command received from the corresponding central processor modules;
b) checking in each output module the ability of all electronic valves to switch OFF at the same time as a response to the corresponding command received from the corresponding central processor modules;
c) checking in each output module the ability of each electronic valve in each pair of said electronic valves separately to switch from ON to OFF according to the corresponding command received from the corresponding central processor module for detecting hidden faults not detected by checking the ability of all electronic valves switching to ON and switching to OFF;
d) if no faults are detected in steps a), b), and c), transferring output data of the central processor module to the associated parallel programmable interface.
11. A method as defined in claim 10, wherein:
a) the step of checking the ability of all electronic valves to switch ON at the same time includes communication among central processor modules to transfer a command by each central processor module to its associated parallel programmable interfaces for applying a control signal to each electronic valve which would force said electronic valve ON, for reading said feedback data by each central processor module from all associated current sensors via the parallel programmable interface associated with the primary output circuit and measuring the actual current which passes through each pair of electronic valves, and for indicating an error condition if the value of said current in any of said pairs of electronic valves does not match the expected HIGH level;
b) the step of checking the ability of all electronic valves to switch ON at the same time further includes communication among said central processor modules for sending by each central processor module the results of said checking to both neighbor central processor modules for comparing the checking results related to the same output in each output module and generating a message to indicate an error condition of the external device connected to said output if the current in any of said pairs of electronic valves related to the same output module does not match the expected HIGH level;
c) the step of checking the ability of all electronic valves to switch OFF at the same time includes communication among said central processor modules to transfer a command by each central processor module to its associated parallel programmable interfaces for applying a control signal to each electronic valve which would force said electronic valve OFF, reading said feedback data by each central processor module from all associated current sensors via the parallel programmable interface associated with the primary output circuit for measuring the actual current which passes through each pair of two series-connected electronic valves for checking if the value of said current is below a predetermined LOW level, writing a command by the central processor module to the associated watchdog controller for activating its alarm signal for setting the associated fault recovery valve OFF to de-energize all outputs of the associated output module from the system output and generating a message to indicate an error condition if the value of said current in any of said pairs of electronic valves does not match the expected LOW level;
d) checking in each output module the ability of each electronic valve in each pair of said electronic valves separately to switch from ON to OFF includes communication among said central processor modules for transferring a command by each central processor module to the parallel programmable interface associated with the primary output circuit to apply a control signal to each first electronic valve which would force said electronic valve OFF and for transferring a command from the central processor module to the parallel programmable interface associated with the secondary output circuit to apply a control signal to each second electronic valve which would force said electronic valve ON, reading said feedback data by the central processor module from all associated current sensors via the parallel programmable interface associated with the primary output circuit for measuring the actual current which passes through each pair of said electronic valves for checking if the value of said current is below a predetermined LOW level and generating a message to indicate an error condition if the value of said current in any of said pairs of electronic valves does not match the expected LOW level; a further step of communication among central processor modules is used for writing a command by each central processor module to the parallel programmable interface associated with the primary output circuit to apply a control signal to each first electronic valve which would force said electronic valve ON and for writing a command by each central processor module to the parallel programmable interface associated with the secondary output circuit to apply a control signal to each second electronic valve which would force said electronic valve OFF, reading said feedback data by the central processor module from all associated current sensors via the associated primary output circuit for measuring the actual current which passes through each pair of two series-connected electronic valves for checking if the value of said current is below a predetermined LOW level and generating a message to indicate an error condition if the value of said current in any of said pairs of electronic valves does not match the expected LOW level.
12. The method as defined in claim 10 or 11, wherein:
a) the step of checking the ability of said electronic valves to switch ON at the same time and the step of checking the ability of said electronic valves to switch OFF at the same time further include reading, by each central processor module, said acknowledge signal produced by the parallel programmable interface associated with the primary output circuit and said acknowledge signal produced by the parallel programmable interface associated with the secondary output circuit, said central processor module generating a message to indicate an error condition if any acknowledge signal does not appear within the predetermined time interval and writing a command to the associated watchdog controller for activating an alarm signal for setting the associated fault recovery valve OFF, disconnecting all outputs of the output module from the system output, if the parallel programmable interface associated with the primary output circuit does not produce said acknowledge signal within the predetermined time interval.
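The per-scan self-test of claims 10 to 12 as one added worked example (not the patent's own code): phase (a) commands every valve ON and expects current on each pair, phase (b) commands every valve OFF and expects none, phase (c) switches one valve of each pair OFF while the other stays ON so that a valve stuck ON, which the healthy partner masks in (a) and (b), shows up, and the acknowledge check of claim 12 is folded in; output data is released only when all of it passed. The valve and current-sensor model, the 20 mA / 15 mA / 2 mA figures, the message texts and the `stuck` and `load_connected` fault-injection fields are constructed for the example. The block deliberately keeps the patent's distinction between a failed external device (a message, but the module stays in service) and current flowing with all valves OFF or a missing primary acknowledge (the watchdog is told to de-energize the module).

```python
"""Per-scan self-test of one output module, claims 10 to 12.  Added example;
valve/sensor model, thresholds and fault-injection flags are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

HIGH_MIN_MA = 15.0   # assumed threshold for the "expected HIGH level"
LOW_MAX_MA = 2.0     # assumed threshold for the "predetermined LOW level"


@dataclass
class Valve:
    stuck: Optional[str] = None     # None, "ON" or "OFF": constructed fault injection
    commanded: bool = False

    def conducts(self) -> bool:
        if self.stuck == "ON":
            return True
        if self.stuck == "OFF":
            return False
        return self.commanded


@dataclass
class Channel:
    """One system output: first valve (primary circuit) in series with the
    second valve (secondary circuit), and a current sensor on the pair."""
    first: Valve = field(default_factory=Valve)
    second: Valve = field(default_factory=Valve)
    load_connected: bool = True

    def current_ma(self) -> float:
        closed = self.first.conducts() and self.second.conducts()
        return 20.0 if closed and self.load_connected else 0.0


@dataclass
class ScanResult:
    messages: List[str] = field(default_factory=list)
    alarm: bool = False     # command to the watchdog: de-energize the whole module

    @property
    def ok(self) -> bool:
        return not self.messages and not self.alarm


def command(channels: Sequence[Channel], first: bool, second: bool) -> None:
    """Effect of the CPU's words to the two PPIs: drive every first/second valve."""
    for ch in channels:
        ch.first.commanded = first
        ch.second.commanded = second


def self_test(channels: Sequence[Channel],
              acks: Tuple[bool, bool] = (True, True)) -> ScanResult:
    r = ScanResult()
    prim_ack, sec_ack = acks                    # claim 12: acknowledges within the interval
    if not prim_ack:
        r.messages.append("primary PPI: no acknowledge in time")
        r.alarm = True
    if not sec_ack:
        r.messages.append("secondary PPI: no acknowledge in time")

    command(channels, True, True)               # (a) all ON: every pair must carry current
    for n, ch in enumerate(channels):
        if ch.current_ma() < HIGH_MIN_MA:
            r.messages.append(f"output {n}: no current with all valves ON (external device)")

    command(channels, False, False)             # (b) all OFF: a pair still conducting is unsafe
    for n, ch in enumerate(channels):
        if ch.current_ma() > LOW_MAX_MA:
            r.messages.append(f"output {n}: current with all valves OFF")
            r.alarm = True

    # (c) one valve of each pair OFF while the other is ON: exposes a valve stuck ON,
    # which (a) and (b) cannot see because the healthy partner masks it.
    for first, second, name in ((False, True, "first"), (True, False, "second")):
        command(channels, first, second)
        for n, ch in enumerate(channels):
            if ch.current_ma() > LOW_MAX_MA:
                r.messages.append(f"output {n}: {name} valve does not switch OFF (hidden fault)")
    return r


def scan_cycle(channels: Sequence[Channel], output_word: int,
               acks: Tuple[bool, bool] = (True, True)) -> Tuple[Optional[int], ScanResult]:
    """Claim 10(d): output data goes to the PPIs only when the self-test is clean."""
    result = self_test(channels, acks)
    return (output_word if result.ok else None), result
```

A valve stuck OFF surfaces in phase (a) as an apparent external-device fault, since the sensor cannot tell an open load from an open valve; a valve stuck ON passes (a) and (b) and is caught only in (c), which is the point of the third check.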
13. The hybrid multiple redundant system of claim 9 wherein:
a) said first, second, and third processing units provide dissimilar data processing with respect to each other by utilizing dissimilar hardware in each input module, dissimilar hardware in each central processor module, and dissimilar hardware in each output module for decreasing the influence of possible generic hardware faults on the ability of said system to operate properly; and
b) said central processor modules provide dissimilar data processing with respect to each other by utilizing dissimilar software in each central processor module for decreasing the influence of possible generic software faults on the ability of said system to operate properly.
Specification