DE3328405A1 - Control elements of a fault-tolerant multicomputer system - Google Patents

Abstract

Control elements of a multicomputer system (PROC) having a duplicate multi-wire system bus (CSB), the control lines being provided doubled once again and parity lines additionally being provided. The computers (PROC), which are also doubled, are connected to a bus interface circuit (BIC), which consists in each case of two identical parts and checks the information received from the computer pair (PROC) and its own signals, which are to be sent to the system bus (CSB), by comparison, it being the case that in the event of inequality the bus interface circuit (BIC) switches off itself and thus also the connected computer pair (PROC) from the system bus (CSB) and checks the control and information signals received from each system bus (CSB). An allocation is performed when a request has been made on both system buses (CSB), while in the case of failure of one of the two system buses (CSB) the request to the remaining intact system bus (CSB) suffices. The bus control centre safeguards operation by collecting the alarms from the bus interface circuits (BIC) by switching them on and off, by switching on and off one of the two system buses (CSB), by test orders to the bus interface circuits (BIC), by switching off a computer pair or memory (pair), by system start, and by communication using safety processes which run on any of the computer pairs (PROC). <IMAGE>

Description

Control organs of a # fault-tolerant multi-computer system.

The invention is based on what is mentioned in the preamble of claim 1 Subject matter known for itself through a variety of publications and is familiar to the devit specialist.

The invention was in particular for the central control computer Telephone switching system developed, which a particularly secure operation of the multi-computer system consisting of several individual computers.

However, the invention can also be used in other multi-computer systems applicable where data integrity and fault tolerance are important.

The invention and its developments offer a particularly convenient one Safety principle for the cooperation of several computers via a bus system. These Arrangements according to the invention do not allow fault-tolerant multiprocessors from Assemble secure individual computers. Through the invention and its developments it is possible to build multi-computer systems that are both powerful and efficient as well as in their safety-related behavior modularly to the most diverse Requirements can be customized.

Up to now, special computers have mostly been used when fault tolerance is required built that are tailored to their use. It is not yet possible to use in use commercially available computers in such cases. With the usual development up to now Fault-tolerant computers are usually tried by making changes to modules To achieve improvement. That ultimately leads But too little flexible solutions and, moreover, each at high development costs.

The invention focuses on the functions of security technology few hardware components that are outside of the computer to be backed up. the Invention provides a standardized interface for connecting the various Calculator before. The invention largely retains its security properties through security-related hardware measures, particularly in the case of further training the effort for additional backup software can be reduced considerably.

The invention or its further development reduces the error tolerance without RETRY or BACK TRACING and is transparent for user programs. The system prevents computer or memory errors from spreading through the system. Faulty computers and / or memories are switched off. The participants-individual System bus controls are self-monitored.

The system bus and its control center ensure that data integrity is maintained during transfer and are also designed to be fault-tolerant. This ensures that the transferred data is always correct and also in the event of transmission errors - apart from the rare double errors - a correct transfer of the Information succeeds. The cause of the error can be localized later will. Two similar participants (computer or memory) can be dynamic - Depending on requirements - can be configured in the fault-tolerant mode (TWIN). At the Failure of a system bus control of a TWIN participant during a system bus transfer the transfer can be continued without gaps, which is due to the structure and the transfer protocol the system bus is made possible. In the event of failure one fault tolerant operated computer or memory can run the programs without any loss of information be continued.

The most significant data integrity benefits become achievable by the measures specified in claim 1. The in the subclaims specified measures allow additional special advantages, namely the measure according to claim 2, above all to enable fault-tolerant operation, 3, above all to enable asynchronous operation, -4 and 5, the system bus if possible appropriately designed, 6, to enable serial communication via the system bus, and 7, to operate a central storage unit safely without having to install it twice.

The invention and its developments are based on -the in the Figures shown examples further explained, with Figure 1 an overview via the control organs together with the central system bus, 2 other aspects of the in the example shown in Fig. 1, 3 a data processor, 4 an interface processor, 5 a doubled array memory, 6 an unduplicated array memory, 7 one possible signal routing on the central system bus, 8 signals on the central one System bus decoupling assembly, 9 a table of variants of the BIC status, 10 a Block diagram of the BIC, 11 a block diagram of one half of the BAS (right Half), 12 a possible arbitration logic, 13 a timing diagram with regard to bus allocation, FIG. 14 a timing diagram with regard to a write cycle, 15 shows a time diagram with regard to a read cycle for non-duplicated participants, 16 shows a timing diagram for modified read-write cycle, and FIG. 17 shows a timing diagram for a write cycle of a TWIN pair to point to another TWIN pair, where the invention is not limited to the specific examples shown.

Fig. 1 shows an example of the concept of the invention Control organs. Several PROC computers work via a multi-core CSB system bus together, possibly also with a central unit connected to the CSB system bus Storage unit MU. The CSB duplex bus is duplicated, i.e. it forms a System bus pair, with the control lines to secure the transmission on each system bus CSB are doubled again, see also FIGS. 7 and 8. In addition to the information lines parity lines are also used to increase security.

The PROC computers - and generally also the central ones Memories MU - are each doubled for themselves, cf. FIG. 1 and thus each form a pair of computers working in parallel, or a pair of memories, each of which connected to a bus interface circuit BIC / BIC via its own local bus LB. are.

The bus interface circuit consisting of two identical parts BIC For security reasons, BIC / B1C checks the data from the computer pair or memory (pair) PROC, MU received information as well as its own to be sent on the system bus CSB Signals through a same. In the event of inequality, the Bus interface circuit BIC / BIC 'itself and thus also the connected pair of computers or memory (pair) PROC, MU from the CSB system bus and reports this shutdown of the Bus central unit BAS as an alarm.

The control and Information signals are also checked by the bus interface circuit BIC / BIC, whereby the information is only sent to the receiving computer pair or

Memory pair) PROC, MU, if at least on one of the two system buses CSB the transmission was error-free.

When requested by the bus interface circuit BIC / BIC divides the bus center BAS via lines of this bus interface circuit that are doubled in each system bus CSB BIC / BIC to the relevant system bus CSB, with the bus release within a maximum occupancy time.

When both CSB system buses are operated, an allocation is only made if a request was made on both system buses CSB. If one of them fails of the two system buses CSB, however, the requirement on the remaining intact one is sufficient System bus CSB.

The bus center BAS takes its own lines to the bus interface circuits BIC central security functions come true in a variety of ways, e.g. through the collection of alarms from the bus interface circuits BIC / BIC, through the and disconnection of bus interface circuits BIC / BIC and thus of pairs of computers and memory (pair) PROC, MU, by switching one of the two on and off System buses CSB, through test orders to the bus interface circuits BIC / BIC, with which System bus errors can be localized and by switching off a computer pair or memory (pair) PROC, MU maintain the system bus redundancy can also be done, e.g. by starting the system and communicating with security-related Processes that run on any of the PROC pairs of computers.

The bus central unit BAS consists of two equal parts, each for are assigned to the two system buses CSB, with all signals to be sent being compared and with the registration of an inequality leading to a shutdown the bus central unit BAS performs what is reported to a replacement bus central unit BAS. the Replacement bus center BAS is determined by the status of the bus signals and messages the active bus central unit BAS is always kept up to date. If this message is a a certain time is missing, or if the active central bus unit reports a failure BAS, or when the functions of the two BAS bus central units are routinely exchanged the previous BAS replacement bus center can take on the role of the active bus center Take over BAS completely.

The IO organs are preferably connected to an IO interface circuit via two standard IO buses CIC / CIC connected. The IO interface circuit CIC / CIC can use the two local Buses LB with the pair of computers running in parallel PROC and the bus interface circuit BIC / BIC communicate, see Figs. 1 and 2.

The IO interface circuit CIC / CIC consists of two equal parts, assigned to the two local buses. In them all are also up the signals to be sent to the IO bus are compared. If there is an inequality, the bus interface circuit switches itself BIC / BIC from the CSB system bus and reports the alarm to the BAS bus center.

The IO interface circuit CIC / CIC sends with an IO TransSer in usually only on a single IO bus, but they usually have a single IO bus received information each to both local buses LB of the parallel working pair of computers PROC or the bus interface circuit BIC / BIC forwards.

The bus center BAS, the bus interface circuit BIC / BIC and the IO interface circuits CIC / CIC monitor their own functionality in the Rule yourself.

You register errors yourself, e.g. voltage errors, clock failure and Watch Dog-Qblauf, whereby they switch themselves off as in the case of a comparator error and report the alarm.

A development of the invention contains, for a fault tolerant Operation with the program sequence in the event of failure of a computer PROC or central memory MU is not disturbed in the system, two pairs of computers and two pairs of memories PROC, MU, each working in parallel. If a PROC computer fails, one of the computer pairs the other intact pair of computers PROC initially performs the current task alone away. If a memory MU fails, one of the memory pairs leads to the intact memory pair MU initially carry out the current task alone. This means that there are in the intact memory pair MU continues to provide correct data.

Two bus interface circuits can be used on the same CSB system bus at the same time Send BIC / BIC, with an active potential marked on the system bus CSB that prevails when different potentials are applied.

The bus center BAS shares the system bus CSB with the two pairs of computers PROC belonging bus interface circuit BIC / BIC only then if both bus interface circuit services BIC / BIC of the pair of computers PROC willing to send have made a request to faulty, unevenly working computers, i.e. the failure of one of the computer pairs, already recognizable at this point in time.

The bus center BAS registers the in the fault-tolerant operating mode Associated bus interface circuits BIC / BIC, which in principle can be selected at will and cancels the duplication in the event of failure of one pair of PROC computers, so that the remaining pair of computers PROC can be allocated the system bus SCB.

The IO organs are each connected to an IO interface circuit pair CIC / CIC connected via the local buses with two pairs of computers running in parallel PROC and two bus interface circuits BIC / BIC can communicate. Usually Sends only one IO interface circuit CIC / CIC of the IO interface circuit pair CIC / CIC on an IO bus. The information received from an IO bus is preferably via crossover lines from one IO interface circuit CIC / CIC to the other IO interface circuit CIC / CIC of an IO interface circuit pair CIC / CIC transmitted. The bus central unit BAS provides those that belong together in the fault-tolerant operating mode IO interface circuits CIC / CIC as IO interface circuit pair ClC / CIC on and switches in the event of failure of an IO interface circuit CIC / CIC or an associated one Computer PROC or the associated bus interface circuit BIC / BIC in the IO interface circuit CIC / CIC the fault-tolerant operating mode.

The invention can be developed so that it is an asynchronous Operation permitted that does not burden with the problems of a fully synchronous system and which allows any commercially available computer and memory to be used. For this purpose, the bus lines controlling the data transfer are Address Valid "AV Data Valid DV and Transfer Aknowledge TK from the am Transfer involved Bus interface circuits BIC / BIC set to the active state as soon as possible.

The bus interface circuits BIC / BIC - including the BIC / BIC that is currently transmitting - evaluate the level transitions actively after passive those controlling the data transfer Bus lines so that fault tolerant pairs through these transitions of control signals are kept synchronous on the CSB system bus. The signals that control the data transfer Bus lines are made by the bus interface circuit BIC / BIC on their own clock synchronized. But if after a waiting period of e.g. 3. 1 or 2 bars on the other system bus CSB this signal is not also received, then ignores the Bus interface circuit BPGBBIC for the ongoing transfer to the other system bus COD to avoid total interruption.

To maintain the command sequence in computers working in parallel PROC the interrupts - e.g.

from the timer - be masked, except for an interrupt that came from a Derives counter whose counter reading is permanently linked to the command sequence as when counting the address latch enable pulses. When this counter is interrupted all interrupts pending on the interrupt controller from computers PROC der Bus interface circuit BPC / BIC communicated. The computer then reads PROC again both the interrupts sent by both to a bus interface circuit BIC / BIC belonging computers PROC are communicated, as well as those interrupts that are reported via the CSB system bus for the PROC computer; he also reads when an IO interface circuit CIC / CIC is still connected to the local buses, the interrupts collected here for the PROC computer. The PROC from its bus interface circuit BIC / BIC and - if available - IO interface circuit CIC / CIC read interrupts are in these circuits BIC / BIC, CIC / CIC deleted, with a time monitoring in the bus interface circuit BIC / BIC ensures that not only one of the two computers working in parallel PROC reports an interrupt, which is otherwise from the bus interface circuit BIC / BIC is regarded as an error that causes the PROC pair of computers to be switched off from the system bus CSB leads. The two bus interface circuits BIC / BIC leading to two fault tolerant operated computers PROC belong, swap after the computers PROC give them the Have reported interrupts, send these interrupt messages via the CSB system bus, only those interrupts are read in again by the PROC computers which communicated by all computers involved here PROC and by the associated CIC / CIC became.

If the bus interface circuit or IO interface circuit BIC / BIC, CIC / CIC receives a message on a local bus LB and when this circuit BIC / BIC, CIC / CIC after a specified maximum waiting time from the other local But bus LB has still not received a message, causes the bus interface circuit BIC / BIC the switching off of the computer or memory pair PROC, MU from the system bus CSB, because then there is an error.

The functions of the lines of each system bus are now exemplified CSB explained with reference to FIGS. 7 and 8: On e.g. 32 information lines Addresses and operation code, the latter on e.g. 4 lines, and then on data are sent to the same lines, the information e.g. with additional, e.g. four to seven, parity lines are secured. As long as a bus interface circuit BIC / BIC keeps the LOCK line doubled for each system bus CSB in the active state, several data transfers can be carried out one after the other on the CSB system bus without, resp.

before the bus central unit reassigns the CSB system bus.

Various lines are available for serial communication: The bus central unit BAS sends a signal to a bus interface circuit via the common serial line BIC / BIC addressed message, arrive via individual serial lines ISC Messages from the individual bus interface circuits BIC / BIC to the active bus center BAS; and the active bus center communicate via two central serial lines SAC and the replacement bus center with each other.

The active bus center BAS can use any bus interface circuit BIC / BIC by sending the active level on its reset line in the one disconnected from the CSB system bus Hold the status while the active bus central unit BAS through the change in potential a reset of the bus interface circuit BIC / BIC from active to passive level and the associated computer or memory pair PROC, MU, as well as switching on the bus interface circuit BIC / BIC to the system bus CSB.

Each CSB system bus consists, for example, of a multi-layer circuit board, to the multiple, e.g. sixteen, bus decoupling assemblies of the bus interface circuits via plugs BIC / BIC and the two BAS bus central units can be connected.

The information and control lines are at both ends of the line provided with line terminations that also have the function in the passive state to apply the associated potential with high resistance. The bus interface circuit BIC / BIC can be connected to the bus decoupling assemblies containing the line drivers via cables, connected and supply them electrically.

The serial communication on the CSB system bus will now be explained in more detail A serial message consists of packets which, in addition to the start and stop bit further, e.g. eight, information bits and an additional bit, the additional bit only with the first packet of a message the bus center BAS on the common serial line GSI is set, while the additional bit is otherwise for parity protection is used. The bus interface circuit BIC / BIC, which is always ready messages Receiving on the common serial line initially only registers one Packet, if the additional bit is set, this packet being in the first, e.g. four, Bits contains the address of the addressed bus interface circuit BIC / BIC and only the addressee registers the first packet and the further packets of a message. The replacement bus center BAS is always ready to send messages to one of the two central serial lines to receive SAC. The bus interface circuit BIC / BIC or the Replacement bus center BAS may only have a permanent signal on an individual serial line ISC or on one of the two central serial lines SAC Send to indicate a communication request to the active bus center BAS. So long the active bus central unit communicates with an intact bus interface circuit BIC / BIC, will not be a continuous signal on the individual serial line, but one there response packets are sent to the active bus control center BAS, while in the event of failure of a Bus interface circuit BIC the permanent signal is present statically. The active bus center BAS instructs a bus interface circuit after an order has been completed BIC / BIC first the replacement bus center BAS and then the bus interface circuit BIC / BIC, which then withdraws the continuous signal, if there are no further orders are present. If the active bus central unit BAS fails while processing a The previous replacement bus center finds a job from a bus interface circuit BIC / BIC BAS, which is now active, applies the continuous signal again and thus processes the order all over again, with acknowledgments and additional parity bits to secure the transmission and time monitoring of the transfer can be provided.

A secure storage unit MU, but without doubling the storage unit MU or of the memory content is obtained when the information in the memory MU is sufficient Number of parity bits is secured so that one-bit errors are corrected and Two-bit errors can be detected. The memory controller preferably consists of two identical, synchronously operated control units MCU, each at their local Bus LB are connected. The memory MU is only used by a single controller actively described, but when reading, both controls correct the error and testing, wherein the detection of an uncorrectable error in at least one of the two controls can be interpreted as a memory failure.

The concept of the invention thus allows "normal" computers and store to build a fault-tolerant multi-computer system. Special meaning has the continued ~ ve ## terminability of the possibly already existing system software to use the computer as a control computer, especially of highly complex systems, e.g.

of telephone switching systems. Through standardized interfaces It is then even possible to progress in the development of the system participants to use without affecting the overall concept.

Essential parts of the concept are illustrated again with reference to FIG. 1 - now from a different point of view - explained. The concept therefore consists of the system bus CSB and various participants. Security functions are in particular fulfilled by the components marked with broken lines. These include the COD, the bus center BAS, the two similar parts BIC of the bus interface circuit BIC / BIC and IO interface circuit CIC / CIC, which in turn consist of the similar Share CIC is made up.

Each participant is internally duplicated. The duplication does not serve that Increasing the availability - on the contrary, it actually decreases - but the error detection; reliable error detection is an indispensable part of everyone usable multi-computer system. Undetected, possibly across multiple computers Delayed errors, if they are noticed at all, cannot be retrospectively localized and therefore not repaired.

However, if one assumes that every mistake will be noticed immediately and its effect is limited to that participant in which it occurred there can be different requirements in terms of computing security, availability and fault tolerance are met.

If only a high level of computational security is required, it is sufficient to stop after a (participant-internal) comparator alarm and the aborted Restart the program after the repair. But there are high demands on the availability of the system can be a redundant participant or a Step in for participants entrusted with other tasks. When a program aborts is permissible, the disturbed program can be restarted.

However, actual fault-tolerant properties are required if namely, once a program has been started, it must not be aborted, then the invention offers the possibility of synchronizing two participants so that if one participant fails, the other participant takes on the common task continues on its own, in such a way that the environment does not notice it (twin operation). The invention offers such a high degree of security-related modularity by the fact that different requirements on the safety-related behavior not only be met statically can, but that the configuration even made dynamically and individually adjustable for different programs can be.

If one disregards the internal duplication of participants, the result is a computer architecture or an arrangement of their switching elements for an example is given by FIG.

This structure allows the tasks to be carried out equally on all processors, or processor-bound to distribute. Data and programs can be stored in the local memory of the processors, as well as in shared memories The power required determines the number of processors, anyway as long as there are no signs of saturation on the COD or in the common storage tank CM.

Participants in the CSB system bus are DP data processors and interface processors IP, which in addition to the data processors DP via two equal parts CIC existing IO interface circuit CIC / CIC have connections to the I0 # buses to which IO processors IOP can be connected, furthermore common memory CM. the Participants are on the system bus via bus interface circuits consisting of two equal parts BIC BIC / BIC connected. Two BAS bus control centers are provided for centralized tasks.

An example of a multi-computer system is given in FIG. here there are two interface processors IP, which have access to the various IO processors IOP, which serve e.g. a switching periphery VT, and for IO bus extensions Have BEU. Both the data processors DP and the memory CM can be dynamic selectable - be treated as fault-tolerant pairs (TWINs).

The CSB can e.g. connect a maximum of 16 participants with each other; this can then e.g. be 16 processors if no shared memory is required, or any mix of processors and memories.

Which processor is selected for IP or DP is initially for the Concept of the invention is irrelevant.

The structure of the interface to the BIC is important. See also the data processor DP in FIG. 3 and the interface processor IP in FIG. 4. These figures show examples the structure using a clock generator C, of local storage units LMU, processor units PU together with the doubled system bus CSBO, CSB1. All Processors that have the same local bus LB can be served by the BIC or CIC series. If you want to use a commercially available computer and memory, you may also use the Determination of the local bus LB made no further demands on the participants will. Therefore, at least in the case of further developments of the invention, clock synchronism must be used the participant's internal processors are dispensed with.

FIG. 5 shows a memory example with doubled and FIG. 6 with unduplicated Memory array AY. The memory control is always duplicated. As from Figs. 5 and 6 can be seen, in this example the Comman Memory CM also has an inter NEN bus, which is expediently identical to the LB of the processors. The CM can be structured differently depending on the size of the storage medium. If only If an array is available, the MCU should, if possible, also have safety functions provide.

The structure of the control organs should have as few security requirements as possible Set the type to the respective hardware and software of the participants.

The bus signals are structured in different line areas of the CSB, namely into the lines in the multilayer and into the lines of the ribbon cable between the bus decoupling assembly AK and BIC of the subscriber. from In terms of function, a distinction can be made, for example, between common bus lines to which Each participant has access and in individual lines, which each participant lead to the left BAS BASl and right BAS BA5r, or which the two BAS together connect, see Fig. 7 and 8. Fig. 7 shows the signal routing on the CSB, where because of the doubling of the COD was not shown for the sake of clarity.

Also shown are multilayer signals MLS and signals on the subscriber cable STK to the participants TLN. Fig. 8 shows signals on a CSB decoupling assembly with individual lines IndL and real bus signals EBS on the subscriber cable STK and multilayer ML, with lines in the multilayer, including the common bus lines, E.g. 32 address / data lines / bidirectional (bd), 4 parity lines / bd, 3 reserve lines for possible expansion of the parity bits for ECC / bd, 2 reserve lines for Possible interrupts / bd, furthermore 8 control lines, namely 2 Address Valid (AV) / bd, 2 Data Valid (DV) / bd, 2 Transfer Acknowledge (TK) / bd; 2 Lock (LOCK) / bd, in addition 1 serial communication line with 1 Global Serial Interface (GSI) / unidirectional: BAS - TLN; as well as the individual lines, e.g. 1 request (RQ) / unidirectional (ud): TLN - BAS, 2 Grant (GT) / ud: BAS-TLN, 1 Individual Serial Channel (ISC) / ud: TLN - BAS, 1 Res tRS) / ud: BAS - TLN and 2 Serial Arbiter Communication (SAS) / ud: hASl - BASr.

The lines in the cable between the bus decoupling and the BIC are e.g. 32 Address / data lines, 4 parity lines, 5 reserve lines, 12 control lines with 2 AVH / ud, 2 AVZ / ud, 2 DVH / ud, 2 DVZ / ud, 2 TKH / ud, 2 TKZ / ud and 2 Lock / bd, also 1 Global Serial Interface GSI / ud: BAS - TLN, 1 Request / ud: TLN - BAS, 2 Grant / ud: BAS - TLN, 1 Individual Serial Channel ISC / ud: TLN - BAS, 1 Reset RS / ud: BAS - TLN, 1 transmitter lock / ud: TLN - bus decoupling, 2 power supply lines SV (to ensure the tri-state output when plugging in the uncoupling module), 3 transmitter control signals SST / ud: TLN - bus decoupling with 1 transmitter block ADR / DAT lines, 1 transmitter lock control lines and 1 direction changeover: send / receive.

As can be seen from FIG. 1, the BIC in each case forms the interface between participant and system bus.

Fig. 10 shows the basic circuit diagram of a BIC example.

The data flow and control sequence depend on the bus operation and the BIC status according to the table shown in FIG. To explain the principle Functions when receiving the CSB, the action PW in particular should be explained in more detail: A participant sends data on the CSB. Any inactive participant takes over with AV or DV this data into the CADR or CDAT register. Simultaneously with the Latching into the CADR is checked by CSB-CONTROL CCT when the address is pushed, whether it is is an address relevant to the recipient. If not, will no further activities initiated. However, if the CCT recognizes the address as in belonging to its own area, then it triggers the BIC-CONTROL BCT. This switches as soon as the I-bus is free, the address is checked for parity. The process in the BCTs of the BICs (of a participant) is achieved by crossing out all relevant event signals synchronized. Only if both BCTs have not detected a parity error will the checked addresses are transferred to the MADR register. Then in analog Deal with the data in a wise manner; they are transferred from CDAT to the MDAT register.

Finally, the BCT initiates the multibus control MCT, which is stored in MADR and MDAT provided data to the subscriber in accordance with the Multibus protocol forward.

If a BCT found an error during the parity check, both BCTs remain on the alarm query. This leads to one in both BICs Time-out alarm that is sent as an interrupt to the control processor CP. This first blocks the command lines of the BCT and evaluates the alarm and status signals.

The connection takes place in the BIC in which the parity alarm was recognized of the X-Bus to the I-Bus and the transfer to the corresponding Multibus register by the CP, provided the partner BIC has received the correct parity and on own 1 bus no new parity alarm has occurred. Then the CP releases the coemand lines of the BCT again and clears the parity alarm. In the BIC, who received without errors, the CP returns control to the BCT without to carry out own measures. As soon as the parity alarm is cleared, set both BCT continue to control the process. Both halves of the participant receive this the information received without errors. If both BICs have received the wrong parity, or occurs again when crossing the one-sided correctly received information Parity alarm, the received data will not be forwarded to the participant. In all cases of failure, the CP transmits via the individual serial channel ISC sends a corresponding alarm message to the BAS.

The sending process as part of the AW campaign then runs e.g.

as follows: The MCT control listens to the messages sent on the multibus Addresses with. Shows an address on the common Memory or into the BIC-individual IO room, the MCT activates the BIC-CONTROL. This causes Sending a REQUEST on the CSB via the CCT. If the GRANT arrives from BAS, this first causes the asynchronous connection of the MB address by MADR and CADR on the CSB, the switching of the parity network to "generate parity" and arming the AV signal.

At the same time, the MCT is caused to complete the MB cycle. The GRANT signal is synchronized; both BCT run with the same clock go and switch the address on your own I-bus to the X-bus, where the information from both BICs is superimposed (wired or).

The address overlaid in this way is matched with the address on its own I-bus compared; If the case is good, the BCT sends the CCT the request for the AV signal take away and thereby validate the address. The CCT checks whether the AV signal also disappears on the CSB and sends as soon as this is the case, the acknowledgment to the BCT that the address has been declared valid.

The data is then handled in an analogous manner. Finally, the cycle at the CSB ends when the TK signal is removed.

If an alarm occurs during the comparison, the BCT remains on the alarm query stand. This leads to a time-out alarm that causes an interrupt on the CP. The CP takes over control and first causes the address and / or address codes to be disabled. Data sender for the CSB. The control signals are then switched off with a delay, so that in the case of a twin configuration no errors are accepted by the receiving Participants can arise.

The serial interface to the BAS is operated as follows, for example: Sends the BAS via the serial line GSI, an interrupt occurs in the CP, if this recognized his own address. Since it cannot be guaranteed that both BIC (from both CSBs) received the message must have this before can be crossed out for further processing. This is preferably done by the CP controlled via the X bus.

When sending the BIC via the serial ISC channel (to the BAS) A distinction is made between two states: Alarm state (call waiting at BAS): On the line ISC is placed statically active potential. This leads to an interrupt in the BAS and in the course of interrupt handling for the reception selection of the alarming BIC.

Information status (data transmission to the BAS): the BIC is via the GSI channel requested to send messages, a pending call waiting signal (Alarm) taken from the ISC line and the data transferred from the CP '.

In this case, the synchronization is of particular importance Interrupt states too. Interrupts must be in both the not synchronously running Computers of a participant, as well as between participants in TWIN mode, synchronized will. Interrupts should therefore only be permitted if all are affected Computers have the same command count; in addition, it should be ensured that all computers receive the same interrupts. Within a participant can the interrupt synchronization can be implemented e.g. in the following way: Local Interrupts: These occur within a computer, e.g. when the internal timer expires. In the interrupt controller of both computers of the participant are except for masked all interrupts one level. The unmasked interrupt is handled by a Generates counter that has a certain number, e.g. 104, of address latch-enable (ALE) cycles of the PROC, e.g. 8086, counts down. This counter should be on the module, e.g. ISBC 86 / 12A the From Siemens. He will start a participant reset in both computers and thus generates signals that are command-synchronous (not synchronously!) in the two computers of a participant. In the associated The (masked) interrupts pending at the interrupt controller become the interrupt routine transferred to the BIC using the OUT command. This OUT command generates an interrupt in the CP of the BIC. The multibus cycle of the OUT command is not immediately acknowledged by the BIC, so that the subscriber computer does not continue with the program (= interrupt routine) can. The CP in the BIC now crosses the interrupt bits in the BICs via the X bus and forms the intersection of the interrupts pending in both halves of the subscriber. Then the BIC (controlled by the CP) acknowledges the multibus cycle, so that now both subscriber computers continue with the interrupt routine synchronously with the commands.

The IN command following the OUT command transmits the in the BICs pending symmetrical interrupts in the subscriber computer, where they are accordingly their priority can be processed. Does the CP have unequal interrupts detected by both subscriber computers, it checks whether the next ALE counter interrupt occurs the previously different interrupt bits have become the same; is not this the case, there is a participant hardware error, which-via an alarm to the BAS is reported.

External interrupts (interrupts from the BIC): Such interrupts arise due to winter Processor Commands "(IPC). IPCs that are recognized in a BIC, first generate an interrupt in the CP, which analyzes the received command and, if it is a message to the subscriber computer, an interrupt bit then sets this at the next ALE counter interrupt handling with the local Interrupts are read in and processed.

If two computers are running in TWIN mode, all interrupts must also be performed be synchronized in the two participants. The following procedure is used: First of all, each participant synchronizes its interrupts in the BIC as before described. The CPs (in all four BICs involved) recognize by querying one Ports that twin operation is present and apply for one by creating the Ru signal COD cycle. This cycle is (as the only one) not symmetrical in the twins. The twin identified by a configuration bit as "leading" sends its first Interrupts after the BUS allocation to the 1'non-leading "twin. Then the Interrupts pending on the "not £ while" twin are sent to the touching twin. First After the exchange via the CSB has been completed, the BICs acknowledge receipt of the OUT command on the multibus, so that now all four subscriber computers are synchronized with the commands can use interrupt handling, which only takes interrupts into account, which are present in both twins.

As can be seen from Fig. 1, the bus center BAS forms the conclusion of the COD; i.e. CSB always contains a »Left BAS" BASl and a "Right BAS" BASr. BASl and BASr are duplicated again and monitored by comparison. While the system is running, one BAS is active, the other is in hot standby mode and is able to take over the CSB control without interruption at any time.

The BAS has the following tasks, for example: The CSB supply line, #configuration handling of the COD and the participants, routine test of the COD, control of the test in the Participants, localization of defects on the CSB or in the participants, implementation the core run, as well as maintenance of the operating system interface to the security technology.

The functions of the BAS can best be explained using an example for the construction of a BAS in Fig. 11, which for the sake of simplicity only the right half of the BAS example shows: The hardware can e.g.

be divided into three essential parts, namely the arbitration unit, serial communication and the BAS processor. The arbitration unit receives e.g. from a maximum of 16 participants one hquest RQ per CSB.

Each request first runs through to synchronize with the BAS clock a register that simultaneously converts ECL (CSB) to TTL level. The second synchronization stage is located in the arbitration logic ABL or AC, an example of which is shown in Fig. 12; there mean: STE or STD single / twin encoder or decoder, PRE or PRC priority encoder or counter, as well as ABC abitration Control.

To keep the BAS halves synchronized, the .RQ lines are connected between the halves crossed out. The AC carries out the COD allocation for undoubted (single) and double (twin) operation.

The COD allocation can be set using the BP software under the condition: Fixed priority with the choice of the highest-priority participant, or rotating Priority for fair allocation. If an RQ arrives, it performs synchronously in both BAS halves at the start of the arbitration control ANY RQ. A new request is accepted when the controller is in the IDLE state. The arbitration is forward-looking, i.e., while the grant signal for the predecessor is still pending, the new GT signal becomes determined.

When fully expanded, the RQs stored in RQSYN are used by the SINGLE-TWIN ENCODER RAM STE only passed on if both RQ signals for the individual TWINS issue. The following PRIORITY working with rotating priority ENCODER PRE selects the participant with the highest priority. Finally, the SINGLE / TWIN takes care of it DECODER RAM STD for the fact that with a selected TWIN both participants get a GT signal. If the number of participants is small, a single RAM module is sufficient. to perform the functions described above in one step. The GTs will switched through to the system bus if a certain time since the RQ takeover ran and - with ongoing arbitration - the end of the last bus cycle with TK (and LOCK) was signaled. In addition, at this point in time, the BAS halves internally determined GTs match (MP GT - otherwise an alarm reported to the processor BP, and there must also be no other alarm, otherwise further arbitration is stopped).

The bus transfer is monitored e.g. with a BUS TIMEOUT COUNTER. If this counter expires, the arbitration is stopped immediately and a corresponding one Alarm reported to the BP.

The assignment of twins can be freely changed as SINGLE / TWIN-ENCODER and -DECODER STE, STD are connected to the address and data bus of the BP and at all times can be reprogrammed. If a GT # signal is placed on the CSB, it takes place at the same time storage in the LAST-GT register. The LAST-GT can be read by the BP and is used in the Error in the determination of the participant who requested the COD cycle. the GT signals are duplicated for safety reasons and sent to each participant, compare GT and G 5. A sender error for a GT bit could otherwise with single-CSB operation lead to total failure.

The Serial Channel Control SCHCONT controls the transmission or. Receive direction for serial communication: - In the Individual Serial Channel ISC e.g .: every participant sends on this line to every BAS; First of all, the participant reports a message to be issued Message by applying a continuous signal, i.e. alarm. At the request of the The participant sends the message to BAS. - In the Global Serial Interface GSI: Up The BAS sends this line to a subscriber selected by the address News. - In the Serial Arbiter Communication SAC: The SAC consists of two lines for communication between the two BAS. - In the Intra-BAS-Communication IBC: The IBC consists of two lines for communication between the two halves within the BAS.

The comparator CMP SCH for the outgoing serial is part of the SCHCONT Lines GSI and SAC. If an active potential occurs on one of the serial channels, an alarm signal arises which causes an interrupt.

The alarm signal is static. As it is not guaranteed that an alarm message is received on both CSBs, the BAS crosses the in both halves Existing information ALC overrides the IBC interface, at least in duplex mode. As a rule, the BAS then requests the alarming subscriber via GSI or SAC interface to send detailed information. The reception selection is tuned to the corresponding station. After a timer for the The BP internal buffer register is the maximum waiting time for the subscriber response the serial interface and its content is read out mutually via the IBC exchanged. The interrupt can then be reset and, if necessary, the associated alarm can be masked.

Apart from the arbitration, the BAS processor BP provides all other BAS line features to disposal.

It has an external program memory PROM and a data memory R.A.M. The following IO ports are controlled via an address decoder: Status logic (STATE); the STAT contains flip-flops that relate to the BAS-internal configuration. For example, from which RQ receiver is to be synchronized, or by which BAS half it is, etc .. The status logic can be read and partially loaded via the BP bus.

Alarm collection (ALC); in the ALC, external alarms are set on the BAS clock synchronized and stored with the BAS internal alarm. One OR signal from all Alarms lead to the interrupt input after a second clock synchronization trigger stage of the BP. The interrupt is synchronized between the BAS halves. the external Alarms can be blocked individually. To differentiate the cause of the interruption the BP reads the content of the ALC onto its bus.

Arbitration logic (AC); Serial Channel Control (SCHCONT); Reset logic (RSL); the reset logic contains a port for e.g. 16 individual lines for resetting each participant and a comparator for each RS line.

Only if the comparison result is positive will the transmitters for the RS Signals unlocked.

Each data cycle on the CSB is processed by the active participant with the REQUEST signal registered. The arbitration takes place centrally with BAS. The assignment of the CSB is given by the GRANT signal GT. The GRANT line GT is for safety reasons doubled. The requesting participant only accesses the CSB if both GRANT lines have an active potential. The participant who completes a COD cycle, reports the completion of the transfer to the BAS with an acknowledgment signal (TK). Fig. 13 shows an example of the introduction and the end of the COD cycle, where n, m bus cycles, tw waiting times for bus allocation (it depends on the Priority of the participant and the number of simultaneous requests RQ), a Q off switch-off time for the request for bus allocation, t delay until the acknowledgment signal TACK (TK) is being prepared, tTK, min minimum duration for TK, tA arbitration time, tT Transfer time on the bus and tc mean bus cycle time.

Depending on the mode of operation of the participants, you can also use the CSB data protocol differentiate between a protocol for non-duplicated participants and a protocol for twins. Both protocols are - what the one or the duplicated Participant concerns - identical; i.e., a participant does not need to do so in this regard knowing whether or not he has a partner twin.

Only the BAS knows about the configuration.

If a twin sends a request, it waits until the partner twin also RQ sends and then grants both of them the GRANT signal. Further measures are not necessary.

There are two different COD cycles for non-duplicated participants. Fig. 14 shows an example of the timing of the write cycle, where (S) Sender, (R) Receiver, ts AD set up time address, tAD address availability time, th hold time Address, tS, D set up time data, th D hold time data, tAR address recognition time in the receiver and tDP mean data processing time in the receiver.

As soon as GT is received (from the BAS), (asynchronously from the participant) the addresses are applied and the control signals AV and DV are prepared. Are the addresses settled and correct (comparison), they become valid by removing AV explained. The data is created after the hold time and after the settling time validated by removing DV if the comparison positive war, When the receiving subscriber has recognized the address, he sets the TC signal until it has saved the data and is ready for a new COD cycle is. This ends the write cycle.

The BAS removes the GT signal and issues a new one if necessary. Cycle.

If the comparison of the addresses or data was negative, the A / D and parity transmitters blocked. The lines go into the passive state, cf. LOW in Fig. 14.

After the settling time, AV and / or DV are switched to passive. Of the The recipient takes over addresses or

Incorrect parity data and separates them out in the BIC. The cycle will terminated by the receiver as usual by removing the TC signal.

15 shows an example of the timing of the read cycle. The names and time specifications apply analogously as in FIG. 14, where tDA is the data availability time the recipient means. As with writing, the addresses placed on the lines. At the same time the signals AV and TK are prepared. As soon as the addressed recipient recognizes the address (and the operation code) he creates the DV signal. According to the data access time and the data setup time DV is taken away. The BIC of the reading participant (S) accepts the data and acknowledges receipt by removing the TK signal as soon as it has sent the data to the Participant and is thus free for the next COD cycle. For the In the event of a comparator alarm, the statements on the write cycle apply accordingly Fig. 14.

The CSB can be reserved for the implementation of read-modify-write cycles will. For this purpose, the LOCK signal generated in the PROC iSBC86 is activated when the bus is allocated laid the COD. As long as the LOCK signal is present, the BAS ignores the TK signal. The following applies as the end criterion: TK and LOCK are passive. Fig. 16 shows an example of the timing of a read-write access with a reserved bus. the The number of reserved bus cycles is only limited by the time monitoring in the bus. The CSB remains reserved until the reserving participant receives the LOCK signal takes away again.

If participants are operated in twin mode, they must mutually synchronize. In addition, it should be possible at any point in time during a bus cycle to continue the protocol with the remaining computer after a twin fails, without this being noticed by the partner participant (who can also be e, .n twin) will.

The CSB data protocol is synchronized via the control lines, which are also required for the non-duplicated operation. Two send in twin mode Participants at the same time on the CSB, i.e. addresses or

The data and parities of both twins are superimposed on the bus. As already explained in connection with FIG. 13, shares in the present example BAS To each twin of a pair the grant signal as soon as it receives the request from both received. The TK signal of the Twins or is based on the CSB; only when TK is passive the BAS takes both GRANT paths and issues the next cycle of data exchange is synchronized via AV or DV.

The control signals are also ored (active high) on the CSB. A Twin does not continue the CSB cycle until it is recognized by listening to the control signals has that its associated twin has reached the same place in the protocol. To this To enable each BIC to access the signals AV and DV directly on the CSB to have. That is why the transmission and reception path for AV and DV are between bus decoupling and BIC executed separately, see also FIG. 8.

Fig. 17 shows an example of the timing for a write cycle with Twins as sender (processor) and twins as receiver (memory). The ones marked with x Signals are present at the respective input of the CSB driver.

Since AV and DV can also be listened to in non-duplicated operation, there is no difference for the BIC control between non-duplicated operation and twin mode in the present example.

Claims (7)

Patent claims. Control organs of a secure multi-computer system with several, over a multi-core system bus (CSB) interconnected computers (PROC) and possibly with central storage unit (MU) connected to the system bus (CSB), g e k Indicated by a single characteristic, by a combination of several Features or by all the features listed below, namely that X the system bus (CSB) is duplicated, i.e. it forms a system bus pair, with to secure the transmission on each system bus (CSB) the control lines for are doubled again and, in addition to the information lines, parity lines are appropriate, the computer (PROC) - and generally preferably also the central one Memory (MU) - each of which is doubled for itself, i.e. each one that works in parallel Form computer pair or memory pair, each via a local bus (LB) are connected to a bus interface circuit (BIC / BIC), - each off two similar parts (BIC) existing bus interface circuit (BIC / BIC) the Information received from the pair of computers or memory (pair) (PROC, MU) and their own signals to be sent on the system bus (CSB) are checked by comparison, with Inequality the bus interface circuit (BIC / BIC) itself and thus also the connected Computer pair or Memory (pair) (PROC, MU) switches off and the central bus (BAS) as an alarm, - The control system received from each individual system bus (CSB) and information signals from the bus interface circuit (BIC / BIC) are checked, whereby the information is only sent to the computer pair or memory (pair) (PROC, MU) may be passed on if at least on one system bus (CSB) the transmission was error-free on a request from the bus interface circuit (BIC / BIC) the central bus (BAS) via lines doubled in each system bus (CSB) this bus interface circuit (BIC / BIC) allocates the system bus (CSB), the Bus release takes place within a maximum occupancy time when both are in operation System buses (CSB) an allocation only takes place if on both system buses (CSB) a request was made, while in the event of a failure of one of the two system buses ~ (CSB) the request on the remaining intact system bus (CSB) is sufficient for the central bus (BAS) via its own lines to the bus interface circuits (BIC / BIC) central Performs security functions in particular through the generation of alarms from the bus interface circuits (BIC / BIC), by switching the bus interface circuits on and off (BIC / BIC) and thus of computer pairs and memory (pairs) (PROC, MU), through the Switching on and off one of the two system buses (CSB) by means of test jobs the bus interface circuits (BIC / BIC), which localizes system bus errors, and by switching off a computer pair or memory (pair) (PROC, MU) the system bus redundancy can be obtained by starting the system and communicating with security-related Processes that run on any of the pairs of computers (PROC), the central bus (BAS) consists of two equal parts (BASe BASr) 6 that connect the two system buses (CSB) are assigned and compare all signals to be sent, with the registration an inequality leads to a shutdown of the bus center tBAS;) what the replacement bus center (BAsr5 is reported to the replacement bus center (BASr) by the status of the bus signals and is always kept up to date by messages from the active bus central unit (BASI), where, if this message is missing for a certain period of time, or at a failure message from the active bus central unit (3AS1), or in the event of a routine replacement the functions of the two bus centers (BAS) 1 the previous replacement bus center (BASr) can completely take over the task of the active central bus (BASi), which IO organs usually via two standard 10 buses to an IO interface circuit (CIC / CIC) are connected via the two local buses (LB) with the parallel the pair of computers (PROC) and the bus interface circuit (BIC / BIC) communicate can, the IO interface circuit (CIC / CIC) consists of two equal parts (CIC), which are assigned to the two local buses (LB) and all to be sent on the IO bus Compare signals; if they do not match, the bus interface circuit (BIC / BIC) switches itself off from the system bus (CSB) and reports the alarm to the central bus (BAS), the IO interface circuit (CIC / CIC) usually only opens during an IO transfer actively sends a single IO bus and usually from a single IO bus Information received via both local buses to the pair of computers working in parallel (PROC) or the bus interface circuit (BIC / BIC) forwards the bus central unit (BAS), the bus interface circuits (BIC / BIC) and the IO interface circuits (CIC / CIC) usually monitor their own functionality themselves, where they register voltage errors, clock failure and watchdog expiration and how in the event of a comparator error, in this case switch itself off and the alarm Report. 2. Control organs according to claim 1, g e k e n n n z e i c h n e t by at least one of the following features, namely that - for a fault tolerant Operation of the multi-computer system, whereby in the event of a computer failure (PROC) or central memory (MU), the program flow in the system is not disturbed will, two pairs of computers and two pairs of memories (PROC, MU) each work in parallel and if a computer (PROC) fails, one of the pairs of computers will keep the other intact Computer pair (PROC) initially continue the current task alone or in the event of a failure of a memory (MU) one of the memory pairs the intact memory pair (mol) the continues the current task on its own, which means that in the intact memory pair (MIT) correct data are still available on the same system bus (CSB) two Bus interface circuits (BIC / 31C) can send simultaneously by on the system bus (CSB) an active potential that prevails when different Potentials are applied, the central bus (BAS) the system bus (CSB) to the bus interface circuits (BIC / BIC) belonging to both computer pairs (PROC) only then assigned when both bus interface circuits (BIC / BIC) make a request the central bus (BAS) that belong together in the fault-tolerant operating mode Bus interface circuits (BIC / BIC), which in principle can be selected at will, registered and if a pair of computers (PROC) fails, the duplication is canceled, so that the remaining pair of computers (PROC) can be assigned the system bus, the IO organs are each connected to a to interface circuit pair (CIC / CIC) that is via the local buses with two pairs of computers running in parallel (PROC-) and two bus interface circuits (BIC / BIC) communi- can adorn - Usually only one IO interface circuit (CIC / CIC) of the IO interface circuit pair (CIC / CIC) sends on an IO bus, - the information received from an IO bus preferably via crossover lines from an IO interface circuit (CIC / CIC) to the other IO interface circuit (CIC / CIC) of an IO interface circuit pair (CIC / CIC) is transmitted, - the central bus (BAS) operating in fault-tolerant operating mode Corresponding I0 interface circuits (CIC / CIC) as an IO interface circuit pair (CIC / CIC) and, in the event of failure of an IO interface circuit (CIC / CIC) or an associated computer (PROC) or the associated bus interface circuit BIC / BIC) switches off the fault-tolerant operating mode. 3. Control organs according to claim 1 or 2, g e k e n n z e i c h n e t by at least one of the following features, namely that - for an asynchronous Operation of the multi-computer system, which does not deal with the problems of a fully synchronous System is loaded and allows any computer and memory to be used, - the bus lines controlling the data transfer ~ Address Valid ', (AV), "Data Valid" (DV) and Transfer Acknowledge '(TK) from the bus interface circuits involved in the transfer (BIC / BIC) are set to the active state as soon as possible, - the bus interface circuits (BIC / BIC) - also the one currently transmitting (BIC / BIC) - the level transitions active to passive of the bus lines controlling the data transfer, so that fault-tolerant pairs through these transitions of the control signals on the system bus (CSB) are kept synchronous, - The signals of the bus lines controlling the data transfer from the bus interface circuit (BIC / BIC) are synchronized to their own clock, whereby, if after a waiting time of e.g. 1 or 2 cycles, this on the other system bus (CSB) Signal was not also received by the bus interface circuit (BIC / BIC) for the ongoing transfer ignores the other system bus (CSB), - to maintain the command sequence in computers working in parallel (PROC) that masks interrupts - e.g. from the timer are except for an interrupt, which is derived from a counter, its counter reading is permanently linked to the command sequence as when counting the address latch enable pulses, if this counter is interrupted, all interrupts pending on the interrupt controller are communicated by the computer (PROC) to the bus interface circuit (BIC / BIC), whereby then the computer (PROC) reads in the interrupts that both of them have computers (PROC) belonging to a bus interface circuit (BIC / BIC) are communicated, this computer (PROC) also reads in the interrupts transmitted via the system bus (CSB) for the computer (PROC) are reported, and if there is still an IO interface circuit (CIC / CIC) is connected to the local buses, the computer (PROC) also has the reads in the interrupts collected here for the computer (PROC) that are sent by the computer (PROC) from its bus interface circuit (BIC / BIC) and - if available - IO interface circuit (CIC / CIC) read interrupts in these circuits (BIC / B? IC ', cia / a.ia) are deleted time monitoring in the bus interface circuit (BIC / BIC) monitors that not only one of the two computers working in parallel (PROC) receives an interrupt reports what is considered to be an error by the bus interface circuit (BIC / BIC), which leads to the switching off of the pair of computers (PROC) from the system bus (CSB), both of them Bus interface circuits (BIC / BIC) that connect to two fault-tolerant computers (PROC) after the computers (PROC) give them (BIC / BIC) the Interrupts have communicated, exchange these interrupt messages via the system bus (CSB), and only those interrupts are read in again by the computers (PROC), which each of the four computers (PROC) has communicated - if the bus interface circuit or IO interface circuit (BIC / BIC, CIC / CIC) a message on a local bus (LB) receives and if this circuit (BIC / BIC, CIC / GIC) according to a predetermined maximum waiting time has not yet received a message from the other local bus (LB), the bus interface circuit (BIC / BIC) switching off the computer or memory pair (PROC, MU) initiated by the system bus (CSB). 4. Control organs according to one of the preceding claims, g e k e n n z e i c h n e t by at least one of the following features, namely that - to operate the lines Each system bus (CSB) of the multi-computer system, - to, e.g. 32, information lines, addresses and operation codes, the latter on e.g. 4 Lines, and then data is sent on the same lines, with the information with additional, e.g. four to seven parity lines is secured, - as long as one Bus interface circuit (BIC / BIC) the line doubled for each system bus (CSB) (LOCK) holds in the active state, several data transfers on the system bus (CSB) one after the other can be carried out before the central bus (BAS) disconnects the system bus (CSB) from New assignments - various lines are available for serial communication stand, whereby - via-the common serial line (GSI) the central bus (BAS) sends a message addressed to a bus interface circuit (BIC / BIC), - Via individual serial lines (ISC) messages from the individual bus interface circuits (BIC / BIC) to the active central bus (BAS), and - via two central serial Lines (SAC) the active # S :) and ve bus center e.g. (BAS1) and the di replacement bus center (BASr> communicate with each other, - the active bus center (BAS) Every bus interface circuit (BIC) by sending the active level on its reset line in the system bus (CSB) can hold switched-off state while the active central bus unit (BAS) through the change in potential from the active to the passive level resets the bus interface circuit (BIC / BIC) and the associated computer or Memory pair (PROC, MU) and switching on the bus interface circuit (BIC / BIC) on the system bus (CSB). 5. Control organs according to one of the preceding claims, g e k e n n z e i c h n e t by at least one of the following features, namely that - Each system bus (CSB) consists of a preferably multi-layer, e.g. 33 cm long, circuit board to which several, e.g. sixteen, bus decoupling assemblies of the bus interface circuits are connected via plugs (BIC / BIC) and the two central bus units (BAS) can be connected, - the information and provide control lines with line terminations at both ends of the line are, which also have the function, in the passive state the associated potential, e.g. high-resistance, to apply - the bus interface circuit (BIC / BIC), e.g. via two, e.g. 1 m long cable to the bus decoupling modules that contain the line drivers, is connected and this is electrically supplied. 6. Control organs according to one of the preceding claims, g e k e n n z e i c h n e t by at least one of the following features, namely that - for serial communication on a system bus. (CSB) of the multi-computer system - a serial ~ message consists of packets which, in addition to the start and stop bit, contain other, E.g. eight, information bits and one additional bit, the additional bit only with the first packet of a message from the bus center (BAS) on the common serial Line (GSI) is set, while the additional bit is on the other serial lines is used for parity protection, - the bus interface circuit (BIC / BIC), the is always ready to receive messages on the common serial line Package initially only registered if the additional bit is set, whereby this package in the first, e.g. four, bits the address of the addressed bus interface circuit (BIC / BIC) and only the addressee contains the first packet and the other packets a message, - the replacement # -bus center (BAS) is always ready to send messages to receive on one of the two central serial lines (SAC) - a bus interface circuit (BIC / BIC) or the replacement bus center (BAS) only emits a continuous signal an individual serial line (ISC) or on one of the two central ones serial lines (SAC) may send a communication request to the active central bus unit (BAS) - as long as the active bus center (BAS) with an intact bus interface circuit (BIC / BIC) communicates, no continuous signal on the individual serial line (ISC) but response packets are reported to the active central bus station (BAS) while at Failure of a bus interface circuit (BIC) the permanent signal is statically present, - the active bus center (BAS), after completing an order from a bus interface circuit (BIC / BIC), first the replacement bus center (3AS) and then the bus interface circuit (BIC / BIC), which then withdraws the continuous signal, if not yet there are further orders, - if the active central bus unit (BAS) fails during the processing of an order from a bus interface circuit (BIC / BIC) is the previous one Replacement bus center (BAS), which is now active, finds the continuous signal again and thus processed the order again - to secure the transfer Acknowledgments, additional parity bits and time monitoring of the transfer are provided are. 7. Control organs according to one of the preceding claims, but In each case without doubling the memory (MU) or the memory content, g e k e n n z e i c h n e t by at least one of the following features, namely that - the information is secured in the memory (MU) by a sufficient number of parity bits, so that one-bit errors can be corrected and two-bit errors can be detected, - the storage control from two identical, synchronously operated controls (BCU) which are each connected to their local bus (LB), - the memory (MU) is only actively written to by a single controller ((MCU), while with Read both controllers (MCU) to perform error correction and checking, whereby the detection of an uncorrectable error in at least one of the two Controllers (MCU) is interpreted as a memory failure.