WO2001080009A2 - Fault-tolerant computer system with voter delay buffer - Google Patents

Fault-tolerant computer system with voter delay buffer Download PDF

Info

Publication number
WO2001080009A2
WO2001080009A2 PCT/US2001/012063 US0112063W WO0180009A2 WO 2001080009 A2 WO2001080009 A2 WO 2001080009A2 US 0112063 W US0112063 W US 0112063W WO 0180009 A2 WO0180009 A2 WO 0180009A2
Authority
WO
WIPO (PCT)
Prior art keywords
cpu
data output
output stream
buffer
peripheral devices
Prior art date
Application number
PCT/US2001/012063
Other languages
French (fr)
Other versions
WO2001080009A3 (en
Inventor
Jeffrey S. Somers
Mark Tetreault
Timothy M. Wegener
Wen-Yin Huang
Original Assignee
Stratus Technologies Bermuda, Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Stratus Technologies Bermuda, Ltd. filed Critical Stratus Technologies Bermuda, Ltd.
Priority to AU2001255351A priority Critical patent/AU2001255351A1/en
Publication of WO2001080009A2 publication Critical patent/WO2001080009A2/en
Publication of WO2001080009A3 publication Critical patent/WO2001080009A3/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16Error detection or correction of the data by redundancy in hardware
    • G06F11/1629Error detection by comparing the output of redundant processing systems
    • G06F11/165Error detection by comparing the output of redundant processing systems with continued operation after detection of the error
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16Error detection or correction of the data by redundancy in hardware
    • G06F11/1629Error detection by comparing the output of redundant processing systems
    • G06F11/1641Error detection by comparing the output of redundant processing systems where the comparison is not performed by the redundant processing components

Definitions

  • the present invention is related to fault-tolerant computer systems and, in particular, to a method for efficiently providing reliable operation in a computer system.
  • the computer system may include at least one redundant, or backup, central processing unit (CPU), where the CPUs perform the same operations and provide the same data output stream.
  • CPU central processing unit
  • I/O input/output
  • a voting device applies predetermined criteria to identify one of the CPUs as malfunctioning.
  • the voting device may identify the CPU having a history of greater cumulative error correction as the malfunctioning CPU.
  • this method has an unacceptably low accuracy rate.
  • Another method used in computer systems having only two redundant CPUs is to have each CPU revert to an idle state and/or lose output data while diagnostic procedures are initiated to determine which CPU is malfunctioning. Based on the results of the diagnostic procedure, one CPU may be identified as malfunctioning.
  • One undesirable side effect of this approach is that the operation of the computer system is impacted and may be severely disrupted while the
  • the present invention comprises a fault-tolerant computer system which includes a pair of CPUs that produce essentially identical data output streams, a voter delay buffer having first and second FIFO buffers; and an I/O module interconnecting the CPUs and the FIFO buffers.
  • the I/O module compares the data output streams from the two CPUs for differences. If both CPU output streams remain identical, the data output of a selected CPU is transmitted to one or more peripheral devices. Otherwise, if the comparator indicates differences, the data output stream from one CPU is rerouted to the first FIFO, and the data output stream from the other CPU is rerouted to the second FIFO. Meanwhile, the CPUs continue processing operations and ongoing diagnostic procedures identify one of the CPUs as malfunctioning.
  • the FIFOs provide buffering for the data output streams which would otherwise be discarded. Additionally, use of the FIFOs allows the CPUs to continue operation and avoid a disruption to the computer system. If neither CPU is diagnosed as malfunctioning, the I/O module uses data from a priority module to determine which CPU has a higher assigned priority, and identifies the higher-priority CPU as the correctly-fuiictioning CPU. In either case, the computer system then provides the data held in the FIFO associated with the correctly-functioning CPU to the peripheral devices. By thus buffering the data output streams, the present invention allows the computer system to utilize the diagnostic procedures for increasing the probability of correctly identifying a CPU as malfunctioning.
  • Fig. 1 is a functional block diagram of a fault-tolerant computer system in accordance with the present invention
  • Fig. 2 is a functional block diagram of a CPU in the fault-tolerant computer system of Fig. 1 ; and Fig. 3 is a flow diagram illustrating the operation of the fault-tolerant computer system of Fig. 1.
  • the computer system 10 includes a first CPU 11 and a second CPU 21.
  • the first CPU 11 and the second CPU 21 are configured to operate in lock-step, or cycle-by-cycle synchronism with one another, as exemplified by a system clock 17.
  • the first CPU 11 includes a maintenance and diagnostic subsystem 15, and the second CPU 21 includes a maintenance and diagnostic subsystem 25.
  • the maintenance and diagnostic subsystems 15 and 25 function to identify and, if possible, correct internal processing errors detected in the operations of the respective CPUs 11 and 21.
  • the system also includes an I/O module 40 that controls data transfers between the CPUs 11 and 21 and associated peripheral devices (not shown).
  • the first CPU 11 communicates with the I/O module 40 over a first I/O bus 13. Data flowing between the first CPU 11 and the peripheral devices are transmitted over the first I/O bus 13 to the I/O module 40, through the I/O module 40, and to the peripheral devices via a system I/O bus 19. Similarly, data flowing between the peripheral devices and the second CPU 21 is transmitted over a second I/O bus 23 com ected to the I/O module 40. It should be understood that the respective data streams on the I/O buses 13 and 23 are essentially identical when both the first CPU 11 and the second CPU 21 are operating error-free.
  • transient errors may occur within either or both the first CPU 11 and the second CPU 21. Many of the errors are detected and some corrected internally, such as by using error correction logic or parity protocol logic, before transmission over either the first I/O bus 13 or the second I/O bus 23. An ongoing maintenance history as to the occurrence of these transient errors in the first CPU 11 is retained in a first priority register 16. The first priority register 16 is kept updated by the maintenance and diagnostic subsystem 15. Similarly, transient errors occurring in the second CPU 21 are tracked with a second priority register 26 which is kept updated by the maintenance and diagnostic subsystem 25. This maintenance information is made available to a priority module 60 via either a first CPU priority line 61 or a second CPU priority line 62.
  • the priority module 60 includes a software program 63 to assign relative priorities to the two CPUs 11 and 21 based on their relative operational performance parameters.
  • Such statistical data may include, for example, the history of detected transient errors or the length of time a given CPU has been operating in the computer system 10. These statistical data are used to assign relative priorities to the first CPU 11 and the second CPU 21. These assigned priorities are provided to the I/O module 40.
  • the I/O module 40 includes a comparator 43 which performs a bit-by-bit cycle compare procedure on the data output streams passing into the I/O module 40 on the I/O buses 13 and 23.
  • the comparator may be, for example, an XOR gate or any other known component for comparing two bit values. If the cycle compare procedure detects a difference between the two data output streams, this may be an indication that one of the CPUs 11 and 21 is malfunctioning. Accordingly, the I/O module 40 responds by issuing a STOP command to both the first CPU 11 and the second CPU 21 over a first command line 41 and a second command line 42 respectively.
  • the I/O module 40 stops transmitting output data on the system I/O bus 19 and routes the data output streams on the I/O buses 13 and 23 to a voter delay buffer 50 via a delay buffer line 47. Specifically, the data received from the first CPU 11 is sent to a first FIFO buffer 51, and the data received from the second CPU 21 is sent to a second FIFO buffer 52. This action serves to prevent the peripherals from being sent data which may have been corrupted by the malfunctioning CPU, and also serves to save data which otherwise may have been lost or discarded while the malfunctioning CPU was being identified. In a preferred embodiment, the maintenance and diagnostic subsystems 15 and 25 continually run their respective diagnostic procedures.
  • the I/O module 40 continues to forward input data streams sent by the peripheral devices to the CPUs 11 and 21.
  • the CPUs 11 and 21 continue to process the data while running the diagnostic procedures, in accordance with normal operational procedures.
  • the computer system 10 is thus seen by the peripheral devices as functioning normally.
  • the first CPU 11 preferably includes a microprocessor 71, a chipset 73, and a bus interface processor 75.
  • a memory 77 is provided for internal storage of data, as required.
  • the microprocessor 71 receives data from and outputs data to either the memory 77 or the first I/O bus 13 via the chipset 73.
  • Output data to be transmitted by the bus interface processor 75 is held in a buffer 85.
  • the STOP command is transmitted on the first command line 41 to the bus interface processor 75, the data present in the buffer 85 is retained and not transmitted to the I/O module 40. Because there is finite propagation delay incurred before the STOP signal reaches the bus interface processor 75, some possibly corrupted data may be sent from the first CPU 11 before the STOP signal is received. This data is sent to the voter delay buffer 50, as described above.
  • the second CPU 21 (not shown) has an internal configuration similar to that of the first CPU 11, described above, and functions in a similar manner.
  • the data output streams on the I/O buses 13 and 23 are bit-by-bit compared by the comparator 43, at box 81, to provide a comparative reading from which it can be determined if there are differences between the monitored data output streams. If there are no such differences detected, the comparator 43 continues to monitor the data output streams. If differences are detected, the STOP command is issued, at box 82. Subsequently, the data output streams on the I/O buses 13 and 23 are diverted to the voter delay buffer 50, at step 83.
  • the first CPU 11 continues executing its ongoing diagnostic procedure, at box 84. If the diagnosis indicates that the first CPU 11 is malfunctioning, the first CPU 11 is isolated, at box 85, and operation of the computer system 10 continues with the second CPU 21.
  • the data stored in the second FIFO buffer 52 is output over the system I/O bus 19, at box 86, and thereafter subsequently processed data from the second CPU 21 is output over the system I/O bus 19.
  • the second CPU 21 Contemporaneously with the ongoing diagnosis procedure in the first CPU 11, at box 84, the second CPU 21 also continues diagnosis, at box 87. If, on the other hand, the resulting diagnosis indicates that the second CPU 21 is malfunctioning, the second CPU 21 is isolated, at box 88, and operation of the computer system 10 continues with the first CPU 11.
  • the data stored in the first FIFO buffer 51 is output over the system I/O bus 19, at box 89, and subsequent processed data from the first CPU 11 is output over the system I/O bus 19.
  • the relative CPU priorities are used as the determinative factor.
  • the relative priorities are read to establish which of the first CPU 11 or the second CPU 21 has the higher priority, at box 90.
  • the relative priorities of the CPUs have been determined by one or more criteria, such as their operational histories or the comparative cumulative record of their internal error corrections. If the second CPU 21 has been assigned the higher priority, for example, the computer system 10 selects the first CPU 11 as the malfunctioning CPU and continues to operate with only the second CPU 21, at box 91. Accordingly, the data stored in the second FIFO buffer 52 is output, at box 92, and so forth.
  • the computer system 10 selects the second CPU 21 as the malfunctioning CPU and the operation of the computer system 10 continues with the first CPU 11, at box 91. Subsequently, the data stored in the first FIFO buffer 51 is output, at box 92.

Abstract

A fault-tolerant computer system includes first and second central processing units (CPUs) producing essentially identical data output streams, a voter delay buffer having a first FIFO buffer and a second FIFO buffer, and an I/O module connected to the CPUs. The I/O module includes a comparator for bitwise comparing the CPU data output streams. The first CPU data output stream is transmitted to peripheral devices if both CPU outputs remain substancially identical. Otherwise, if the comparator indicates differences, queued first and second CPU data are routed to the first and second FIFOs respectively (83), and subsequent data are retained in respective CPU buffers. While the CPUs continue processing, ongoing diagnostic (84,87) procedures attempt to identify one or the other of the CPUs as malfunctioning and the remaining CPU as correctly-functioning. If the resulting diagnosis is inconclusive, the CPU having the lower rate of error correction is identified as being correctly-functioning. In either case, the buffered output and the subsequently processed data output stream from the correctly-functioning CPU are thereafter transmitted to the peripheral devices (86,89).

Description

FAULT-TOLERANT COMPUTER SYSTEM WITH VOTER
DELAY BUFFER
Field of the Invention
The present invention is related to fault-tolerant computer systems and, in particular, to a method for efficiently providing reliable operation in a computer system. Background Information
5 In most data processing applications, reliable performance of a computer system is critical. To provide for a specified level of reliability, the computer system may include at least one redundant, or backup, central processing unit (CPU), where the CPUs perform the same operations and provide the same data output stream. The input/output (I/O) buses of the CPUs are continually monitored and compared to identify any differences in their respective data
[0 streams. If signal differences are detected, a voting device applies predetermined criteria to identify one of the CPUs as malfunctioning. In a redundant computer system having two CPUs, for example, the voting device may identify the CPU having a history of greater cumulative error correction as the malfunctioning CPU. However, experience has shown that this method has an unacceptably low accuracy rate.
[5 The accuracy rate improves with the addition of a second redundant CPU to the computer system. All three CPU outputs are monitored and, when differences are detected, the CPU determined to be malfunctioning is the CPU producing an output not in agreement with the other two CPUs. This approach, however, incurs the additional expense and complexity of integrating the third CPU into the computer system.
.0 Another method used in computer systems having only two redundant CPUs is to have each CPU revert to an idle state and/or lose output data while diagnostic procedures are initiated to determine which CPU is malfunctioning. Based on the results of the diagnostic procedure, one CPU may be identified as malfunctioning. One undesirable side effect of this approach is that the operation of the computer system is impacted and may be severely disrupted while the
.5 CPUs are in the idle state.
It is therefore an object of the present invention to provide a computer system achieving a high degree of reliability with a redundant CPU. It is a further object of the present invention to provide such a computer system in which a malfunctioning CPU can be identified without first placing the CPU into an idle state.
It is a still further object of the present invention to provide such a computer system in which computational data is not lost while the malfunctioning CPU is identified. It is yet another object of the present invention to provide such a system in which a malfunctioning CPU can be identified with a high degree of reliability. Other objects of the invention will be obvious, in part, and, in part, will become apparent when reading the detailed description to follow.
SUMMARY OF THE INVENTION The present invention comprises a fault-tolerant computer system which includes a pair of CPUs that produce essentially identical data output streams, a voter delay buffer having first and second FIFO buffers; and an I/O module interconnecting the CPUs and the FIFO buffers. The I/O module compares the data output streams from the two CPUs for differences. If both CPU output streams remain identical, the data output of a selected CPU is transmitted to one or more peripheral devices. Otherwise, if the comparator indicates differences, the data output stream from one CPU is rerouted to the first FIFO, and the data output stream from the other CPU is rerouted to the second FIFO. Meanwhile, the CPUs continue processing operations and ongoing diagnostic procedures identify one of the CPUs as malfunctioning. The FIFOs provide buffering for the data output streams which would otherwise be discarded. Additionally, use of the FIFOs allows the CPUs to continue operation and avoid a disruption to the computer system. If neither CPU is diagnosed as malfunctioning, the I/O module uses data from a priority module to determine which CPU has a higher assigned priority, and identifies the higher-priority CPU as the correctly-fuiictioning CPU. In either case, the computer system then provides the data held in the FIFO associated with the correctly-functioning CPU to the peripheral devices. By thus buffering the data output streams, the present invention allows the computer system to utilize the diagnostic procedures for increasing the probability of correctly identifying a CPU as malfunctioning.
BRIEF DESCRIPTION OF THE DRAWINGS The invention description below refers to the accompanying drawings, of which: Fig. 1 is a functional block diagram of a fault-tolerant computer system in accordance with the present invention;
Fig. 2 is a functional block diagram of a CPU in the fault-tolerant computer system of Fig. 1 ; and Fig. 3 is a flow diagram illustrating the operation of the fault-tolerant computer system of Fig. 1.
DETAILED DESCRIPTION OF AN ILLUSTRATIVE EMBODIMENT There is shown in Fig. 1 a fault-tolerant computer system 10 in accordance with the present invention. The computer system 10 includes a first CPU 11 and a second CPU 21. The first CPU 11 and the second CPU 21 are configured to operate in lock-step, or cycle-by-cycle synchronism with one another, as exemplified by a system clock 17. The first CPU 11 includes a maintenance and diagnostic subsystem 15, and the second CPU 21 includes a maintenance and diagnostic subsystem 25. The maintenance and diagnostic subsystems 15 and 25 function to identify and, if possible, correct internal processing errors detected in the operations of the respective CPUs 11 and 21.
The system also includes an I/O module 40 that controls data transfers between the CPUs 11 and 21 and associated peripheral devices (not shown). The first CPU 11 communicates with the I/O module 40 over a first I/O bus 13. Data flowing between the first CPU 11 and the peripheral devices are transmitted over the first I/O bus 13 to the I/O module 40, through the I/O module 40, and to the peripheral devices via a system I/O bus 19. Similarly, data flowing between the peripheral devices and the second CPU 21 is transmitted over a second I/O bus 23 com ected to the I/O module 40. It should be understood that the respective data streams on the I/O buses 13 and 23 are essentially identical when both the first CPU 11 and the second CPU 21 are operating error-free.
During normal operation, transient errors may occur within either or both the first CPU 11 and the second CPU 21. Many of the errors are detected and some corrected internally, such as by using error correction logic or parity protocol logic, before transmission over either the first I/O bus 13 or the second I/O bus 23. An ongoing maintenance history as to the occurrence of these transient errors in the first CPU 11 is retained in a first priority register 16. The first priority register 16 is kept updated by the maintenance and diagnostic subsystem 15. Similarly, transient errors occurring in the second CPU 21 are tracked with a second priority register 26 which is kept updated by the maintenance and diagnostic subsystem 25. This maintenance information is made available to a priority module 60 via either a first CPU priority line 61 or a second CPU priority line 62. The priority module 60 includes a software program 63 to assign relative priorities to the two CPUs 11 and 21 based on their relative operational performance parameters. Such statistical data may include, for example, the history of detected transient errors or the length of time a given CPU has been operating in the computer system 10. These statistical data are used to assign relative priorities to the first CPU 11 and the second CPU 21. These assigned priorities are provided to the I/O module 40.
The I/O module 40 includes a comparator 43 which performs a bit-by-bit cycle compare procedure on the data output streams passing into the I/O module 40 on the I/O buses 13 and 23. The comparator may be, for example, an XOR gate or any other known component for comparing two bit values. If the cycle compare procedure detects a difference between the two data output streams, this may be an indication that one of the CPUs 11 and 21 is malfunctioning. Accordingly, the I/O module 40 responds by issuing a STOP command to both the first CPU 11 and the second CPU 21 over a first command line 41 and a second command line 42 respectively.
When the STOP command is issued, the I/O module 40 stops transmitting output data on the system I/O bus 19 and routes the data output streams on the I/O buses 13 and 23 to a voter delay buffer 50 via a delay buffer line 47. Specifically, the data received from the first CPU 11 is sent to a first FIFO buffer 51, and the data received from the second CPU 21 is sent to a second FIFO buffer 52. This action serves to prevent the peripherals from being sent data which may have been corrupted by the malfunctioning CPU, and also serves to save data which otherwise may have been lost or discarded while the malfunctioning CPU was being identified. In a preferred embodiment, the maintenance and diagnostic subsystems 15 and 25 continually run their respective diagnostic procedures. It should be understood that, even after the STOP command has been issued to the CPUs 11 and 21, the I/O module 40 continues to forward input data streams sent by the peripheral devices to the CPUs 11 and 21. The CPUs 11 and 21 continue to process the data while running the diagnostic procedures, in accordance with normal operational procedures. The computer system 10 is thus seen by the peripheral devices as functioning normally.
As shown in Fig. 2, the first CPU 11 preferably includes a microprocessor 71, a chipset 73, and a bus interface processor 75. A memory 77 is provided for internal storage of data, as required. The microprocessor 71 receives data from and outputs data to either the memory 77 or the first I/O bus 13 via the chipset 73. Output data to be transmitted by the bus interface processor 75 is held in a buffer 85. When the STOP command is transmitted on the first command line 41 to the bus interface processor 75, the data present in the buffer 85 is retained and not transmitted to the I/O module 40. Because there is finite propagation delay incurred before the STOP signal reaches the bus interface processor 75, some possibly corrupted data may be sent from the first CPU 11 before the STOP signal is received. This data is sent to the voter delay buffer 50, as described above.
As the first CPU 11 continues its processing and diagnostic operations, output data is retained in the buffer 85. If the buffer 85 becomes full, the bus interface processor 75 sends a BUSY signal to the chipset 73, and further processed data is then stored in a chipset buffer 83. If the chipset buffer 83 becomes full, the data output stream is stored in a microprocessor buffer 8i. The output data stored in the buffers 81, 83, and 85 is not output to the peripherals unless the first CPU has been identified as the correctly-functioning CPU, as described in greater detail below. The second CPU 21 (not shown) has an internal configuration similar to that of the first CPU 11, described above, and functions in a similar manner.
Operation of the computer system 10 can best be described with reference to the flow diagram of Fig. 3. The data output streams on the I/O buses 13 and 23 are bit-by-bit compared by the comparator 43, at box 81, to provide a comparative reading from which it can be determined if there are differences between the monitored data output streams. If there are no such differences detected, the comparator 43 continues to monitor the data output streams. If differences are detected, the STOP command is issued, at box 82. Subsequently, the data output streams on the I/O buses 13 and 23 are diverted to the voter delay buffer 50, at step 83.
The first CPU 11 continues executing its ongoing diagnostic procedure, at box 84. If the diagnosis indicates that the first CPU 11 is malfunctioning, the first CPU 11 is isolated, at box 85, and operation of the computer system 10 continues with the second CPU 21. The data stored in the second FIFO buffer 52 is output over the system I/O bus 19, at box 86, and thereafter subsequently processed data from the second CPU 21 is output over the system I/O bus 19. Contemporaneously with the ongoing diagnosis procedure in the first CPU 11, at box 84, the second CPU 21 also continues diagnosis, at box 87. If, on the other hand, the resulting diagnosis indicates that the second CPU 21 is malfunctioning, the second CPU 21 is isolated, at box 88, and operation of the computer system 10 continues with the first CPU 11. The data stored in the first FIFO buffer 51 is output over the system I/O bus 19, at box 89, and subsequent processed data from the first CPU 11 is output over the system I/O bus 19.
If the diagnostic procedures fail to detect problems with either the first CPU 11 or the second CPU 21 , the relative CPU priorities are used as the determinative factor. The relative priorities are read to establish which of the first CPU 11 or the second CPU 21 has the higher priority, at box 90. As discussed above, the relative priorities of the CPUs have been determined by one or more criteria, such as their operational histories or the comparative cumulative record of their internal error corrections. If the second CPU 21 has been assigned the higher priority, for example, the computer system 10 selects the first CPU 11 as the malfunctioning CPU and continues to operate with only the second CPU 21, at box 91. Accordingly, the data stored in the second FIFO buffer 52 is output, at box 92, and so forth. On the other hand, if the first CPU 11 has been assigned the higher priority, the computer system 10 selects the second CPU 21 as the malfunctioning CPU and the operation of the computer system 10 continues with the first CPU 11, at box 91. Subsequently, the data stored in the first FIFO buffer 51 is output, at box 92.
While the invention has been described with reference to particular embodiments, it will be understood that the present invention is by no means limited to the particular constructions and methods herein disclosed and/or shown in the drawings, but also comprises any modifications or equivalents within the scope of the claims. What is claimed is:

Claims

CLAIMS 1. A fault-tolerant computer system suitable for exchanging data with peripheral devices, said computer system comprising: a first central processing unit (CPU) having at least one first CPU buffer; a second CPU having at least one second CPU buffer, said second CPU being operationally coupled to said first CPU, such that the output of said second CPU is essentially identical to the output of said first CPU; a voter delay buffer having a first FIFO buffer and a second FIFO buffer; an I/O module connected to receive data output streams from said first CPU and said second CPU, said I/O module having, a comparator for comparing said first CPU data output stream to said second CPU data output stream so as to produce a comparative reading; transmission means responsive to said comparator, for sending said first CPU data output stream to the peripheral devices, if said comparison reading indicates no difference between said first CPU data output stream and said second CPU data output stream; and routing means responsive to said comparator, for routing at least a part of said first CPU data output stream to said first FIFO buffer if said comparison reading indicates a difference between said first CPU data output stream and said second CPU data output stream, and for routing at least a part of said second CPU data output stream to said second FIFO buffer if said comparison reading indicates a difference between said first CPU data output stream and said second CPU data output stream.
2. The computer system of claim 1 further comprising a first diagnostic logic resident in said first CPU and a second diagnostic logic in said second CPU.
3. The computer system of claim 2 wherein said I/O module further comprises identification means responsive to said first diagnostic logic and said second diagnostic logic, for identifying one of said first and second CPUs as malfunctioning.
4. The computer system of claim 3 wherein said transmission means is further responsive to said identification means such that the contents of said first FIFO buffer is transmitted to the peripheral devices if said second CPU is identified as malfunctioning, or the contents of said second FIFO buffer is transmitted to the peripheral devices if said first CPU is identified as malfunctioning. 5. The computer system of claim 3 wherein said transmission means is further responsive to said identification means such that the contents of said first CPU buffer is transmitted to the peripheral devices if said second CPU is identified as malfunctioning, or the contents of said second CPU buffer is transmitted to the peripheral devices if said first CPU is identified as malfunctioning. 6. The computer system of claim 1 further comprising: a priority module for receiving first error correction information from said first CPU and second error correction information from said second CPU; and priority logic for assigning relative priorities to said CPUs, said assigned relative priorities being determined as a function of said first and second error correction information. 7. The computer system of claim 6 wherein said priority logic assigns a higher priority to selected one of said first and second CPUs if the indicated error rate in said correction information corresponding to said selected CPU is less than the indicated error rate in said correction information corresponding to the other one of said first and second CPUs. 8. The computer system of claim 6 wherein said priority logic assigns a higher priority to a selected one of said first and second CPUs if said selected CPU has been operating in said computer system for a greater length of time than the length of time the other one of said first and second CPUs has been operating in said computer system. 9. The computer system of claim 6 wherein said transmission means is further responsive to said priority logic such that the contents of said first FIFO buffer is transmitted to the peripheral devices if said first CPU has been assigned a higher said relative priority, or the contents of said second FIFO buffer is transmitted to the peripheral devices if said second CPU has been assigned a higher said relative priority.
1 10. The computer system of claim 6 wherein said transmission means is further
2 responsive to said priority logic such that
3 the contents of said first CPU buffer is transmitted to the peripheral devices if said
4 first CPU has been assigned a higher said relative priority, or
5 the contents of said second CPU buffer is transmitted to the peripheral devices if
6 said second CPU has been assigned a higher said relative priority.
1 11. A method for reliably exchanging data between peripheral devices and a computer
2 system having a first CPU with a buffer operating in lock-step with a second CPU with a buffer,
3 said method comprising the steps of:
4 comparing a data output stream from the first CPU with a contemporaneous data
5 output stream from the second CPU to obtain a comparative reading;
6 transmitting said first CPU data output stream to the peripheral devices if said
7 comparative reading indicates no difference between said first CPU data
8 output stream and said second CPU data output stream; and
9 transmitting at least a part of said first CPU data output stream to a first FIFO
[0 buffer if said comparative reading indicates a difference between said first
[ 1 CPU data output stream and said second CPU data output stream, and
12 transmitting at least a part of said second CPU data output stream to a second
[3 FIFO buffer if said comparative reading indicates a difference between
14 said first CPU data output stream and said second CPU data output stream.
1 12. The method of claim 11 further comprising the step of executing contemporaneous
2 respective diagnostic procedures in the first CPU and in the second CPU.
1 13. The method of claim 12 further comprising the steps of:
2 transmitting the contents of said second FIFO to the peripheral devices if said
3 diagnostic procedures indicate the first CPU to be malfunctioning; and
4 transmitting the contents of said first FIFO to the peripheral devices if said
5 diagnostic procedures indicate the second CPU to be malfunctioning.
1 14. The method of claim 13 further comprising the steps of:
2 isolating the first CPU if said diagnostic procedures indicate the first CPU to be
3 malfunctioning; and
4 isolating the second CPU if said diagnostic procedures indicate the second CPU
5 to be malfunctioning.
1 15. The method of claim 11 further comprising the steps of: accessing a first error correction history for the first CPU; accessing a first error correction history for the second CPU; if said error correction histories indicate that the second CPU has a higher error correction rate than the first CPU, assigning a higher priority to the first CPU; and if said error correction histories indicate that the first CPU has a higher error correction rate than the second CPU, assigning a higher priority to the second CPU. 16. The method of claim 15 further comprising the steps of: transmitting the contents of said first FIFO to the peripheral devices if the first CPU has been assigned a higher priority; and transmitting the contents of said second FIFO to the peripheral devices if the second CPU has been assigned a higher priority. 17. The method of claim 12 further comprising the steps of: retaining at least a second portion of said first CPU data output stream in the first CPU buffer if said diagnostic procedures indicate the first CPU to be malfunctioning; and retaining at least a second portion of said second CPU data output stream in the second CPU buffer if said diagnostic procedures indicate the second CPU to be malfunctioning. 18. The method of claim 17 further comprising the steps of: transmitting the contents of said first CPU buffer to the peripheral devices if said diagnostic procedures indicate the second CPU to be malfunctioning; and transmitting the contents of said second CPU buffer to the peripheral devices if said diagnostic procedures indicate the first CPU to be malfunctioning.
PCT/US2001/012063 2000-04-13 2001-04-12 Fault-tolerant computer system with voter delay buffer WO2001080009A2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2001255351A AU2001255351A1 (en) 2000-04-13 2001-04-12 Fault-tolerant computer system with voter delay buffer

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US09/548,528 2000-04-13
US09/548,528 US6820213B1 (en) 2000-04-13 2000-04-13 Fault-tolerant computer system with voter delay buffer

Publications (2)

Publication Number Publication Date
WO2001080009A2 true WO2001080009A2 (en) 2001-10-25
WO2001080009A3 WO2001080009A3 (en) 2002-03-21

Family

ID=24189225

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2001/012063 WO2001080009A2 (en) 2000-04-13 2001-04-12 Fault-tolerant computer system with voter delay buffer

Country Status (3)

Country Link
US (1) US6820213B1 (en)
AU (1) AU2001255351A1 (en)
WO (1) WO2001080009A2 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1672501A2 (en) * 2004-12-20 2006-06-21 NEC Corporation Fault tolerant duplex computer system and its control method
EP3252606A1 (en) * 2016-05-31 2017-12-06 IG Knowhow Limited Methods for synchronisation of independent data handling system
WO2019001796A1 (en) * 2017-06-28 2019-01-03 Volkswagen Aktiengesellschaft Method, apparatus and computer-readable storage medium having instructions for cancelling a redundancy of two or more redundant modules
WO2021104904A1 (en) * 2019-11-29 2021-06-03 Volkswagen Aktiengesellschaft Module-prioritization method, module-prioritization module, motor vehicle

Families Citing this family (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6971043B2 (en) * 2001-04-11 2005-11-29 Stratus Technologies Bermuda Ltd Apparatus and method for accessing a mass storage device in a fault-tolerant server
DE10317650A1 (en) * 2003-04-17 2004-11-04 Robert Bosch Gmbh Program-controlled unit and method
US7287184B2 (en) * 2003-09-16 2007-10-23 Rockwell Automation Technologies, Inc. High speed synchronization in dual-processor safety controller
US20050240806A1 (en) * 2004-03-30 2005-10-27 Hewlett-Packard Development Company, L.P. Diagnostic memory dump method in a redundant processor
US7237144B2 (en) * 2004-04-06 2007-06-26 Hewlett-Packard Development Company, L.P. Off-chip lockstep checking
US7296181B2 (en) * 2004-04-06 2007-11-13 Hewlett-Packard Development Company, L.P. Lockstep error signaling
US7290169B2 (en) * 2004-04-06 2007-10-30 Hewlett-Packard Development Company, L.P. Core-level processor lockstepping
CN100520731C (en) * 2004-10-25 2009-07-29 罗伯特·博世有限公司 Method and device for changing mode and comparing signal in a computer system having at least two processing units
KR100728220B1 (en) * 2005-09-29 2007-06-13 한국전자통신연구원 Apparatus and Method of Fault Diagnosis and Data Management for Satellite Ground Station
US7933211B2 (en) * 2006-12-19 2011-04-26 Nokia Corporation Method and system for providing prioritized failure announcements
US8161311B2 (en) 2007-08-23 2012-04-17 Stratus Technologies Bermuda Ltd Apparatus and method for redundant and spread spectrum clocking
CA2754967A1 (en) * 2009-03-12 2010-09-16 Eric Chenu secure checking of the exclusivity of an active/passive state of processing units
WO2012144043A1 (en) * 2011-04-21 2012-10-26 ルネサスエレクトロニクス株式会社 Semiconductor integrated circuit and method for operating same
DE102013202253A1 (en) * 2013-02-12 2014-08-14 Paravan Gmbh Circuit for controlling an acceleration, braking and steering system of a vehicle
EP3218826A4 (en) 2014-11-13 2018-04-11 Virtual Software Systems, Inc. System for cross-host, multi-thread session alignment
US9734006B2 (en) * 2015-09-18 2017-08-15 Nxp Usa, Inc. System and method for error detection in a critical system
JP6083480B1 (en) * 2016-02-18 2017-02-22 日本電気株式会社 Monitoring device, fault tolerant system and method
EP3428748B1 (en) * 2017-07-13 2020-08-26 Siemens Aktiengesellschaft Method and assembly for operating two redundant systems
US11645178B2 (en) * 2018-07-27 2023-05-09 MIPS Tech, LLC Fail-safe semi-autonomous or autonomous vehicle processor array redundancy which permits an agent to perform a function based on comparing valid output from sets of redundant processors

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4633467A (en) * 1984-07-26 1986-12-30 At&T Bell Laboratories Computer system fault recovery based on historical analysis
EP0742507A1 (en) * 1995-05-12 1996-11-13 The Boeing Company Method and apparatus for synchronizing flight management computers
WO1999066406A1 (en) * 1998-06-15 1999-12-23 Sun Microsystems, Inc. Processor bridge with posted write buffer

Family Cites Families (216)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
NL282320A (en) 1961-08-22
DE1200155B (en) 1964-06-11 1965-09-02 Johannes Van Keuk Chain guard housing for bicycles
US3533082A (en) 1968-01-15 1970-10-06 Ibm Instruction retry apparatus including means for restoring the original contents of altered source operands
US3533065A (en) 1968-01-15 1970-10-06 Ibm Data processing system execution retry control
US3548176A (en) 1968-01-18 1970-12-15 Ibm Probable future error detector
US3544973A (en) 1968-03-13 1970-12-01 Westinghouse Electric Corp Variable structure computer
AT285689B (en) 1968-03-29 1970-11-10 Siemens Ag Centrally controlled switching system for telecommunications, in particular telephone technology
US3665173A (en) 1968-09-03 1972-05-23 Ibm Triple modular redundancy/sparing
US3593307A (en) 1968-09-20 1971-07-13 Adaptronics Inc Redundant, self-checking, self-organizing control system
US3641505A (en) 1969-06-25 1972-02-08 Bell Telephone Labor Inc Multiprocessor computer adapted for partitioning into a plurality of independently operating systems
GB1253309A (en) 1969-11-21 1971-11-10 Marconi Co Ltd Improvements in or relating to data processing arrangements
US3710324A (en) 1970-04-01 1973-01-09 Digital Equipment Corp Data processing system
US3688274A (en) 1970-12-23 1972-08-29 Ibm Command retry control by peripheral devices
US3736566A (en) 1971-08-18 1973-05-29 Ibm Central processing unit with hardware controlled checkpoint and retry facilities
US3820079A (en) 1971-11-01 1974-06-25 Hewlett Packard Co Bus oriented,modular,multiprocessing computer
US3783250A (en) 1972-02-25 1974-01-01 Nasa Adaptive voting computer system
GB1422952A (en) 1972-06-03 1976-01-28 Plessey Co Ltd Data processing system fault diagnostic arrangements
US3840861A (en) 1972-10-30 1974-10-08 Amdahl Corp Data processing system having an instruction pipeline for concurrently processing a plurality of instructions
US3805039A (en) 1972-11-30 1974-04-16 Raytheon Co High reliability system employing subelement redundancy
US3795901A (en) 1972-12-29 1974-03-05 Ibm Data processing memory system with bidirectional data bus
IT1014277B (en) 1974-06-03 1977-04-20 Cselt Centro Studi Lab Telecom CONTROL SYSTEM OF PROCESS COMPUTERS OPERATING IN PARALLEL
US4369494A (en) 1974-12-09 1983-01-18 Compagnie Honeywell Bull Apparatus and method for providing synchronization between processes and events occurring at different times in a data processing system
US3991407A (en) 1975-04-09 1976-11-09 E. I. Du Pont De Nemours And Company Computer redundancy interface
US4015246A (en) 1975-04-14 1977-03-29 The Charles Stark Draper Laboratory, Inc. Synchronous fault tolerant multi-processor system
IT1036311B (en) 1975-06-17 1979-10-30 Cselt Centro Studi Lab Telecom DUPLICATE SYSTEM FOR SUPERVISION AND CONTROL OF DUPLICATED TELECOMMUNICATION SYSTEMS
US3997896A (en) 1975-06-30 1976-12-14 Honeywell Information Systems, Inc. Data processing system providing split bus cycle operation
US4032893A (en) 1976-01-23 1977-06-28 Sperry Rand Corporation Reconfigurable data bus
US4228496A (en) 1976-09-07 1980-10-14 Tandem Computers Incorporated Multiprocessor system
US4099234A (en) 1976-11-15 1978-07-04 Honeywell Information Systems Inc. Input/output processing system utilizing locked processors
US4358823A (en) 1977-03-25 1982-11-09 Trw, Inc. Double redundant processor
IT1111606B (en) 1978-03-03 1986-01-13 Cselt Centro Studi Lab Telecom MULTI-CONFIGURABLE MODULAR PROCESSING SYSTEM INTEGRATED WITH A PRE-PROCESSING SYSTEM
US4176258A (en) 1978-05-01 1979-11-27 Intel Corporation Method and circuit for checking integrated circuit chips
US4275440A (en) 1978-10-02 1981-06-23 International Business Machines Corporation I/O Interrupt sequencing for real time and burst mode devices
US4263649A (en) 1979-01-05 1981-04-21 Mohawk Data Sciences Corp. Computer system with two busses
US4245344A (en) 1979-04-02 1981-01-13 Rockwell International Corporation Processing system with dual buses
US4309754A (en) 1979-07-30 1982-01-05 International Business Machines Corp. Data interface mechanism for interfacing bit-parallel data buses of different bit width
US4326250A (en) 1979-10-10 1982-04-20 Magnuson Computer Systems, Inc. Data processing apparatus with serial and parallel priority
FR2470996B1 (en) 1979-11-30 1986-01-31 Quinquis Jean Paul IMPROVEMENTS IN MULTIPROCESSOR ELECTRONIC SYSTEMS FOR PROCESSING DIGITAL AND LOGICAL DATA
US4323966A (en) 1980-02-05 1982-04-06 The Bendix Corporation Operations controller for a fault-tolerant multiple computer system
EP0044765B1 (en) 1980-07-08 1985-06-05 Thomson-Csf Telephone Method and apparatus for arbitrating between a plurality of sub-systems
US4375683A (en) 1980-11-12 1983-03-01 August Systems Fault tolerant computational system and voter circuit
EP0057756B1 (en) 1981-02-11 1985-02-20 Siemens Aktiengesellschaft Data exchange unit in multi-microcomputer systems operating in parallel
EP0077328A4 (en) 1981-04-27 1985-06-26 Textron Inc Multi-master processor bus.
US4486826A (en) 1981-10-01 1984-12-04 Stratus Computer, Inc. Computer peripheral control apparatus
US4866604A (en) 1981-10-01 1989-09-12 Stratus Computer, Inc. Digital data processing apparatus with pipelined memory cycles
ATE25779T1 (en) 1981-10-01 1987-03-15 Stratus Computer Inc DIGITAL DATA PROCESSING SYSTEM WITH RELIABILITY BUS PROTOCOL.
US4597084A (en) 1981-10-01 1986-06-24 Stratus Computer, Inc. Computer memory apparatus
US4926315A (en) 1981-10-01 1990-05-15 Stratus Computer, Inc. Digital data processor with fault tolerant peripheral bus communications
US4449182A (en) 1981-10-05 1984-05-15 Digital Equipment Corporation Interface between a pair of processors, such as host and peripheral-controlling processors in data processing systems
US4467436A (en) 1981-10-26 1984-08-21 United States Robots, Inc. Robot arm controller with common bus memory
IT1151351B (en) 1982-01-19 1986-12-17 Italtel Spa CIRCUIT PROVISION SUITABLE TO CARRY OUT THE EXCHANGE OF DATA BETWEEN A COUPLE OF OPERATING PROCESSORS ACCORDING TO THE MASTER-SLAVE PRINCIPLE
DE3317642A1 (en) 1982-05-21 1983-11-24 International Computers Ltd., London DATA PROCESSING DEVICE
US4648031A (en) 1982-06-21 1987-03-03 International Business Machines Corporation Method and apparatus for restarting a computing system
US4503535A (en) 1982-06-30 1985-03-05 Intel Corporation Apparatus for recovery from failures in a multiprocessing system
US4608631A (en) 1982-09-03 1986-08-26 Sequoia Systems, Inc. Modular computer system
US4484273A (en) 1982-09-03 1984-11-20 Sequoia Systems, Inc. Modular computer system
JPS5985153A (en) 1982-11-08 1984-05-17 Hitachi Ltd Redundancy controller
US4590554A (en) 1982-11-23 1986-05-20 Parallel Computers Systems, Inc. Backup fault tolerant computer system
US4543628A (en) 1983-01-28 1985-09-24 Digital Equipment Corporation Bus for data processing system with fault cycle operation
US4644498A (en) 1983-04-04 1987-02-17 General Electric Company Fault-tolerant real time clock
US4872106A (en) 1983-04-06 1989-10-03 New Forney Corp. Industrial process control system with back-up data processors to take over from failed primary data processors
US4562575A (en) 1983-07-07 1985-12-31 Motorola, Inc. Method and apparatus for the selection of redundant system modules
US4610013A (en) 1983-11-08 1986-09-02 Avco Corporation Remote multiplexer terminal with redundant central processor units
US4654846A (en) 1983-12-20 1987-03-31 Rca Corporation Spacecraft autonomous redundancy control
US4633394A (en) 1984-04-24 1986-12-30 International Business Machines Corp. Distributed arbitration for multiple processors
US4589066A (en) 1984-05-31 1986-05-13 General Electric Company Fault tolerant, frame synchronization for multiple processor systems
US4669056A (en) 1984-07-31 1987-05-26 International Business Machines Corporation Data processing system with a plurality of processors accessing a common bus to interleaved storage
DE3432165A1 (en) 1984-08-31 1986-03-06 Messerschmitt-Bölkow-Blohm GmbH, 8012 Ottobrunn DEVICE FOR AUTOMATIC RECONFIGURATION OF AN INTACT DEVICE COMBINATION
EP0179936B1 (en) 1984-10-31 1990-01-03 Ibm Deutschland Gmbh Method and apparatus for global bus control
US4622667A (en) 1984-11-27 1986-11-11 Sperry Corporation Digital fail operational automatic flight control system utilizing redundant dissimilar data processing
US4703420A (en) 1985-02-28 1987-10-27 International Business Machines Corporation System for arbitrating use of I/O bus by co-processor and higher priority I/O units in which co-processor automatically request bus access in anticipation of need
US4805091A (en) 1985-06-04 1989-02-14 Thinking Machines Corporation Method and apparatus for interconnecting processors in a hyper-dimensional array
US4686677A (en) 1985-08-02 1987-08-11 Unisys Corporation Apparatus and method for detecting time-related faults
US4994960A (en) 1986-01-16 1991-02-19 Jupiter Technology, Inc. Interrupt system for transmitting interrupt request signal and interrupt vector based upon output of synchronized counters representing selected priority value
US4736377A (en) 1986-02-11 1988-04-05 Bradley Telcom Corp. Method for determining reliability of high speed digital transmission by use of a synchronized low speed side channel
US4799140A (en) 1986-03-06 1989-01-17 Orbital Sciences Corporation Ii Majority vote sequencer
US4809169A (en) 1986-04-23 1989-02-28 Advanced Micro Devices, Inc. Parallel, multiple coprocessor computer architecture having plural execution modes
US4827409A (en) 1986-07-24 1989-05-02 Digital Equipment Corporation High speed interconnect unit for digital data processing system
US4816990A (en) 1986-11-05 1989-03-28 Stratus Computer, Inc. Method and apparatus for fault-tolerant computer system having expandable processor section
US5020024A (en) 1987-01-16 1991-05-28 Stratus Computer, Inc. Method and apparatus for detecting selected absence of digital logic synchronism
SE457391B (en) 1987-04-16 1988-12-19 Ericsson Telefon Ab L M PROGRAM MEMORY MANAGED REAL TIME SYSTEM INCLUDING THREE MAINLY IDENTICAL PROCESSORS
US4905181A (en) 1987-04-20 1990-02-27 Wang Laboratories, Inc. Interactive system with state manager subsystem
AU1671688A (en) 1987-06-03 1988-12-08 Honeywell Bull Inc. Peripheral controller and adapter interface
EP0306244B1 (en) 1987-09-04 1995-06-21 Digital Equipment Corporation Fault tolerant computer system with fault isolation
CA1320276C (en) 1987-09-04 1993-07-13 William F. Bruckert Dual rail processors with error checking on i/o reads
EP0306211A3 (en) 1987-09-04 1990-09-26 Digital Equipment Corporation Synchronized twin computer system
US4914580A (en) 1987-10-26 1990-04-03 American Telephone And Telegraph Company Communication system having interrupts with dynamically adjusted priority levels
CA2003338A1 (en) 1987-11-09 1990-06-09 Richard W. Cutts, Jr. Synchronization of fault-tolerant computer system having multiple processors
AU616213B2 (en) 1987-11-09 1991-10-24 Tandem Computers Incorporated Method and apparatus for synchronizing a plurality of processors
US5179663A (en) 1988-02-19 1993-01-12 Hitachi, Ltd. Data transfer controller
US4907232A (en) 1988-04-28 1990-03-06 The Charles Stark Draper Laboratory, Inc. Fault-tolerant parallel processing system
US4985830A (en) 1988-09-27 1991-01-15 Universities Research Association, Inc. Interprocessor bus switching system for simultaneous communication in plural bus parallel processing system
US4965717A (en) 1988-12-09 1990-10-23 Tandem Computers Incorporated Multiple processor system having shared memory with private-write capability
AU625293B2 (en) 1988-12-09 1992-07-09 Tandem Computers Incorporated Synchronization of fault-tolerant computer system having multiple processors
US5251303A (en) 1989-01-13 1993-10-05 International Business Machines Corporation System for DMA block data transfer based on linked control blocks
US5089958A (en) 1989-01-23 1992-02-18 Vortex Systems, Inc. Fault tolerant computer backup system
JPH0693688B2 (en) 1989-03-31 1994-11-16 松下電器産業株式会社 Electronic device with communication function
US5117486A (en) 1989-04-21 1992-05-26 International Business Machines Corp. Buffer for packetizing block of data with different sizes and rates received from first processor before transferring to second processor
US5155809A (en) 1989-05-17 1992-10-13 International Business Machines Corp. Uncoupling a central processing unit from its associated hardware for interaction with data handling apparatus alien to the operating system controlling said unit and hardware
US5243704A (en) 1989-05-19 1993-09-07 Stratus Computer Optimized interconnect networks
US5136704A (en) 1989-06-28 1992-08-04 Motorola, Inc. Redundant microprocessor control system using locks and keys
JPH03137757A (en) 1989-10-24 1991-06-12 Mitsubishi Electric Corp Priority control system
US5193162A (en) 1989-11-06 1993-03-09 Unisys Corporation Cache memory with data compaction for use in the audit trail of a data processing system having record locking capabilities
US5119480A (en) 1989-11-13 1992-06-02 International Business Machines Corporation Bus master interface circuit with transparent preemption of a data transfer operation
JPH03180936A (en) 1989-12-08 1991-08-06 Matsushita Electric Ind Co Ltd Testing circuit for internal bus
US5295258A (en) 1989-12-22 1994-03-15 Tandem Computers Incorporated Fault-tolerant computer system with online recovery and reintegration of redundant components
DE69029084D1 (en) 1990-02-27 1996-12-12 Ibm Message routing device by several computers that are coupled by means of a shared intelligent memory
EP0455922B1 (en) 1990-05-11 1996-09-11 International Business Machines Corporation Method and apparatus for deriving mirrored unit state when re-initializing a system
DE69019822T2 (en) 1990-06-27 1995-12-14 Ibm Method and device for checking the content and address of a memory device.
US5231640A (en) 1990-07-20 1993-07-27 Unisys Corporation Fault tolerant processor/memory architecture
US5255372A (en) 1990-08-31 1993-10-19 International Business Machines Corporation Apparatus for efficiently interconnecing channels of a multiprocessor system multiplexed via channel adapters
US5220668A (en) 1990-09-21 1993-06-15 Stratus Computer, Inc. Digital data processor with maintenance and diagnostic system
US5157663A (en) 1990-09-24 1992-10-20 Novell, Inc. Fault tolerant computer system
US5136498A (en) 1990-09-26 1992-08-04 Honeywell Inc. Method for enacting failover of a 1:1 redundant pair of slave processors
US5263034A (en) 1990-10-09 1993-11-16 Bull Information Systems Inc. Error detection in the basic processing unit of a VLSI central processor
JP3516344B2 (en) 1990-10-22 2004-04-05 株式会社日立製作所 Multiple data processing method for distributed processing system
US5247522A (en) 1990-11-27 1993-09-21 Digital Equipment Corporation Fault tolerant bus
US5226152A (en) * 1990-12-07 1993-07-06 Motorola, Inc. Functional lockstep arrangement for redundant processors
US5392302A (en) 1991-03-13 1995-02-21 Quantum Corp. Address error detection technique for increasing the reliability of a storage subsystem
CA2068048A1 (en) 1991-05-06 1992-11-07 Douglas D. Cheung Fault tolerant processing section with dynamically reconfigurable voting
EP0513519A1 (en) 1991-05-15 1992-11-19 International Business Machines Corporation Memory system for multiprocessor systems
US5271023A (en) 1991-06-03 1993-12-14 Motorola, Inc. Uninterruptable fault tolerant data processor
US5193180A (en) 1991-06-21 1993-03-09 Pure Software Inc. System for modifying relocatable object code files to monitor accesses to dynamically allocated memory
US5317697A (en) 1991-07-31 1994-05-31 Synernetics Inc. Method and apparatus for live insertion and removal of electronic sub-assemblies
US5379381A (en) 1991-08-12 1995-01-03 Stratus Computer, Inc. System using separate transfer circuits for performing different transfer operations respectively and scanning I/O devices status upon absence of both operations
US5270699A (en) 1991-08-13 1993-12-14 Rockwell International Corporation Fault tolerant signaling
US5283870A (en) 1991-10-04 1994-02-01 Bull Hn Information Systems Inc. Method and apparatus for avoiding processor deadly embrace in a multiprocessor system
US5313627A (en) 1992-01-02 1994-05-17 International Business Machines Corp. Parity error detection and recovery
US5465340A (en) 1992-01-30 1995-11-07 Digital Equipment Corporation Direct memory access controller handling exceptions during transferring multiple bytes in parallel
US5361267A (en) 1992-04-24 1994-11-01 Digital Equipment Corporation Scheme for error handling in a computer system
GB2268817B (en) 1992-07-17 1996-05-01 Integrated Micro Products Ltd A fault-tolerant computer system
US5404361A (en) 1992-07-27 1995-04-04 Storage Technology Corporation Method and apparatus for ensuring data integrity in a dynamically mapped data storage subsystem
US5748873A (en) * 1992-09-17 1998-05-05 Hitachi,Ltd. Fault recovering system provided in highly reliable computer system having duplicated processors
JP2833387B2 (en) 1992-11-30 1998-12-09 日本電気株式会社 Switch bus monitor circuit
US5428766A (en) 1992-12-01 1995-06-27 Digital Equipment Corporation Error detection scheme in a multiprocessor environment
US5675579A (en) 1992-12-17 1997-10-07 Tandem Computers Incorporated Method for verifying responses to messages using a barrier message
JPH0773059A (en) 1993-03-02 1995-03-17 Tandem Comput Inc Fault-tolerant computer system
US5581750A (en) 1993-03-15 1996-12-03 International Business Machines Corporation System and method for improving data recovery performance
GB2276737A (en) 1993-03-30 1994-10-05 Ibm Fault-tolerant transaction-oriented data processing
US5812748A (en) 1993-06-23 1998-09-22 Vinca Corporation Method for improving recovery performance from hardware and software errors in a fault-tolerant computer system
JP3237736B2 (en) 1993-09-07 2001-12-10 ヒュンダイ エレクトロニクス アメリカ Matrix structure of data storage device
JPH0793273A (en) 1993-09-20 1995-04-07 Fujitsu Ltd Multi-cpu system provided with fault monitor mechanism
DE4497149T1 (en) 1993-09-24 1996-10-17 Oracle Corp Method and device for replicating data
DE69435165D1 (en) 1993-12-01 2008-12-18 Marathon Techn Corp Error-safe / fault-tolerant computer operating method
JPH07175700A (en) 1993-12-20 1995-07-14 Fujitsu Ltd Database management system
GB2290891B (en) 1994-06-29 1999-02-17 Mitsubishi Electric Corp Multiprocessor system
US5701457A (en) 1994-09-08 1997-12-23 Hitachi, Ltd. Method of designated time interval reservation access process of online updating and backing up of large database versions without reserving exclusive control
US5630056A (en) 1994-09-20 1997-05-13 Stratus Computer, Inc. Digital data processing methods and apparatus for fault detection and fault tolerance
US5838899A (en) 1994-09-20 1998-11-17 Stratus Computer Digital data processing methods and apparatus for fault isolation
US5828903A (en) 1994-09-30 1998-10-27 Intel Corporation System for performing DMA transfer with a pipeline control switching such that the first storage area contains location of a buffer for subsequent transfer
US5574865A (en) 1994-12-01 1996-11-12 Unisys Corporation System for data transfer protection during module connection/disconnection onto live bus
US5586253A (en) 1994-12-15 1996-12-17 Stratus Computer Method and apparatus for validating I/O addresses in a fault-tolerant computer system
US5555372A (en) 1994-12-21 1996-09-10 Stratus Computer, Inc. Fault-tolerant computer system employing an improved error-broadcast mechanism
US5613162A (en) 1995-01-04 1997-03-18 Ast Research, Inc. Method and apparatus for performing efficient direct memory access data transfers
FR2730074B1 (en) 1995-01-27 1997-04-04 Sextant Avionique FAULT-TOLERANT COMPUTER ARCHITECTURE
US5671443A (en) 1995-02-21 1997-09-23 International Business Machines Corporation Direct memory access acceleration device for use in a data processing system
US5701409A (en) 1995-02-22 1997-12-23 Adaptec, Inc. Error generation circuit for testing a digital bus
EP0732659B1 (en) 1995-03-17 2001-08-08 LSI Logic Corporation Controlling (n+i) I/O channels with (n) data managers in a homogeneous software programming environment
US5696905A (en) 1995-03-20 1997-12-09 International Business Machines Corporation System and method for providing merchant information and establishing links to merchants while presenting a movie
JP3611894B2 (en) 1995-03-30 2005-01-19 富士通株式会社 System controller with dual configuration
US5682513A (en) 1995-03-31 1997-10-28 International Business Machines Corporation Cache queue entry linking for DASD record updates
US5621885A (en) 1995-06-07 1997-04-15 Tandem Computers, Incorporated System and method for providing a fault tolerant computer program runtime support environment
US5694541A (en) 1995-10-20 1997-12-02 Stratus Computer, Inc. System console terminal for fault tolerant computer system
US5790775A (en) 1995-10-23 1998-08-04 Digital Equipment Corporation Host transparent storage controller failover/failback of SCSI targets and associated units
KR100244836B1 (en) 1995-11-02 2000-02-15 포만 제프리 엘 Error recovery by isolation of peripheral components in a data processing system
US5758065A (en) 1995-11-30 1998-05-26 Ncr Corporation System and method of establishing error precedence in a computer system
US5802265A (en) 1995-12-01 1998-09-01 Stratus Computer, Inc. Transparent fault tolerant computer system
US5774680A (en) 1995-12-11 1998-06-30 Compaq Computer Corporation Interfacing direct memory access devices to a non-ISA bus
US5721918A (en) 1996-02-06 1998-02-24 Telefonaktiebolaget Lm Ericsson Method and system for fast recovery of a primary store database using selective recovery by data type
US6141769A (en) 1996-05-16 2000-10-31 Resilience Corporation Triple modular redundant computer system and associated method
US6073196A (en) 1996-06-05 2000-06-06 Compaq Computer Corporation Using communication cycles for connecting and disconnecting devices in a computer system
US6047343A (en) 1996-06-05 2000-04-04 Compaq Computer Corporation Method and apparatus for detecting insertion and removal of a memory module using standard connectors
US6032271A (en) 1996-06-05 2000-02-29 Compaq Computer Corporation Method and apparatus for identifying faulty devices in a computer system
US5915082A (en) * 1996-06-07 1999-06-22 Lockheed Martin Corporation Error detection and fault isolation for lockstep processor systems
US5809256A (en) 1996-06-11 1998-09-15 Data General Corporation Soft power switching for hot installation and removal of circuit boards in a computer system
US6000043A (en) 1996-06-28 1999-12-07 Intel Corporation Method and apparatus for management of peripheral devices coupled to a bus
DE19626184C2 (en) * 1996-06-29 1998-07-30 Alexander Ernst Erdwin Lahmann Device for operating a system with two processors which are functionally connected in parallel in a computer
US5701410A (en) 1996-09-09 1997-12-23 Ford Motor Company Method and system for detecting fault conditions on multiplexed networks
JP3181515B2 (en) 1996-09-11 2001-07-03 株式会社沖データ Data transfer method and data transfer device using the method
US5862145A (en) 1996-09-12 1999-01-19 Advanced Micro Devices, Inc. Method and system for identifying an error condition due to a faulty cable connection in an ethernet network
US5781910A (en) 1996-09-13 1998-07-14 Stratus Computer, Inc. Preforming concurrent transactions in a replicated database environment
US5790397A (en) 1996-09-17 1998-08-04 Marathon Technologies Corporation Fault resilient/fault tolerant computing
US5787485A (en) 1996-09-17 1998-07-28 Marathon Technologies Corporation Producing a mirrored copy using reference labels
US5881251A (en) 1996-10-10 1999-03-09 Bay Networks, Inc. Hot swap control circuit
EP0837397B1 (en) 1996-10-18 2006-04-05 Matsushita Electric Industrial Co., Ltd. Data transfer apparatus and data transfer system for arbitrating a plurality of I/O ports in DMA
US5982672A (en) 1996-10-18 1999-11-09 Samsung Electronics Co., Ltd. Simultaneous data transfer through read and write buffers of a DMA controller
US5956476A (en) 1996-10-31 1999-09-21 Hewlett Packard Company Circuitry and method for detecting signal patterns on a bus using dynamically changing expected patterns
US5953538A (en) 1996-11-12 1999-09-14 Digital Equipment Corporation Method and apparatus providing DMA transfers between devices coupled to different host bus bridges
US6021456A (en) 1996-11-12 2000-02-01 Herdeg; Glenn Arthur Method for communicating interrupt data structure in a multi-processor computer system
US6148377A (en) 1996-11-22 2000-11-14 Mangosoft Corporation Shared memory computer networks
US5978866A (en) 1997-03-10 1999-11-02 Integrated Technology Express, Inc. Distributed pre-fetch buffer for multiple DMA channel device
US6067550A (en) 1997-03-10 2000-05-23 Microsoft Corporation Database computer system with application recovery and dependency handling write cache
US5933838A (en) 1997-03-10 1999-08-03 Microsoft Corporation Database computer system with application recovery and recovery log sequence numbers to optimize recovery
US5903717A (en) 1997-04-02 1999-05-11 General Dynamics Information Systems, Inc. Fault tolerant computer system
US5964855A (en) 1997-04-07 1999-10-12 International Business Machines Corporation Method and system for enabling nondisruptive live insertion and removal of feature cards in a computer system
US5892928A (en) 1997-05-13 1999-04-06 Micron Electronics, Inc. Method for the hot add of a network adapter on a system including a dynamically loaded adapter driver
US5896523A (en) 1997-06-04 1999-04-20 Marathon Technologies Corporation Loosely-coupled, synchronized execution
US5875308A (en) 1997-06-18 1999-02-23 International Business Machines Corporation Peripheral component interconnect (PCI) architecture having hot-plugging capability for a data-processing system
US6009535A (en) 1997-06-30 1999-12-28 Emc Corporation SCSI adaptor failover for a disk drive system
US5983371A (en) 1997-07-11 1999-11-09 Marathon Technologies Corporation Active failure detection
US5944800A (en) 1997-09-12 1999-08-31 Infineon Technologies Corporation Direct memory access unit having a definable plurality of transfer channels
US6026458A (en) 1997-10-14 2000-02-15 International Business Machines Corporation System with pluggable adapter card and hot-swap interface controller
US6125417A (en) 1997-11-14 2000-09-26 International Business Machines Corporation Hot plug of adapters using optical switches
US6055584A (en) 1997-11-20 2000-04-25 International Business Machines Corporation Processor local bus posted DMA FlyBy burst transfers
US6085200A (en) 1997-12-23 2000-07-04 Unisys Corporation System and method for arranging database restoration data for efficient data recovery in transaction processing systems
US6065017A (en) 1997-12-31 2000-05-16 Novell, Inc. Apparatus and method for identifying and recovering from database errors
US6119128A (en) 1998-03-30 2000-09-12 International Business Machines Corporation Recovering different types of objects with one pass of the log
US6115829A (en) 1998-04-30 2000-09-05 International Business Machines Corporation Computer system with transparent processor sparing
US5996035A (en) 1998-05-22 1999-11-30 International Business Machines Corporation Hot-plug voltage and power management control using detected connection status
US5991900A (en) 1998-06-15 1999-11-23 Sun Microsystems, Inc. Bus controller
US6141718A (en) * 1998-06-15 2000-10-31 Sun Microsystems, Inc. Processor bridge with dissimilar data registers which is operable to disregard data differences for dissimilar data direct memory accesses
US6199171B1 (en) * 1998-06-26 2001-03-06 International Business Machines Corporation Time-lag duplexing techniques
US6062480A (en) 1998-07-20 2000-05-16 Vlsi Technologies, Inc. Hot docking system and methods for detecting and managing hot docking of bus cards
US6357024B1 (en) * 1998-08-12 2002-03-12 Advanced Micro Devices, Inc. Electronic system and method for implementing functional redundancy checking by comparing signatures having relatively small numbers of signals
US6393582B1 (en) * 1998-12-10 2002-05-21 Compaq Computer Corporation Error self-checking and recovery using lock-step processor pair architecture
US6604177B1 (en) * 2000-09-29 2003-08-05 Hewlett-Packard Development Company, L.P. Communication of dissimilar data between lock-stepped processors

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4633467A (en) * 1984-07-26 1986-12-30 At&T Bell Laboratories Computer system fault recovery based on historical analysis
EP0742507A1 (en) * 1995-05-12 1996-11-13 The Boeing Company Method and apparatus for synchronizing flight management computers
WO1999066406A1 (en) * 1998-06-15 1999-12-23 Sun Microsystems, Inc. Processor bridge with posted write buffer

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1672501A2 (en) * 2004-12-20 2006-06-21 NEC Corporation Fault tolerant duplex computer system and its control method
EP1672501A3 (en) * 2004-12-20 2012-06-20 NEC Corporation Fault tolerant duplex computer system and its control method
EP3252606A1 (en) * 2016-05-31 2017-12-06 IG Knowhow Limited Methods for synchronisation of independent data handling system
WO2019001796A1 (en) * 2017-06-28 2019-01-03 Volkswagen Aktiengesellschaft Method, apparatus and computer-readable storage medium having instructions for cancelling a redundancy of two or more redundant modules
CN110799949A (en) * 2017-06-28 2020-02-14 大众汽车有限公司 Method, apparatus, and computer-readable storage medium having instructions for eliminating redundancy of two or more redundant modules
US11188428B2 (en) 2017-06-28 2021-11-30 Volkswagen Aktiengesellschaft Method, apparatus, and computer-readable storage medium having instructions for cancelling a redundancy of two or more redundant modules
WO2021104904A1 (en) * 2019-11-29 2021-06-03 Volkswagen Aktiengesellschaft Module-prioritization method, module-prioritization module, motor vehicle

Also Published As

Publication number Publication date
WO2001080009A3 (en) 2002-03-21
US6820213B1 (en) 2004-11-16
AU2001255351A1 (en) 2001-10-30

Similar Documents

Publication Publication Date Title
US6820213B1 (en) Fault-tolerant computer system with voter delay buffer
US7065672B2 (en) Apparatus and methods for fault-tolerant computing using a switching fabric
US6523140B1 (en) Computer system error recovery and fault isolation
US7085959B2 (en) Method and apparatus for recovery from loss of lock step
US6496940B1 (en) Multiple processor system with standby sparing
US7539897B2 (en) Fault tolerant system and controller, access control method, and control program used in the fault tolerant system
US9052887B2 (en) Fault tolerance of data processing steps operating in either a parallel operation mode or a non-synchronous redundant operation mode
US5944838A (en) Method for fast queue restart after redundant I/O path failover
US6971043B2 (en) Apparatus and method for accessing a mass storage device in a fault-tolerant server
US8667372B2 (en) Memory controller and method of controlling memory
US7500139B2 (en) Securing time for identifying cause of asynchronism in fault-tolerant computer
EP0514075A2 (en) Fault tolerant processing section with dynamically reconfigurable voting
EP1376356A1 (en) Error reporting network in multiprocessor computer
US6389554B1 (en) Concurrent write duplex device
US5905875A (en) Multiprocessor system connected by a duplicated system bus having a bus status notification line
JPH05100879A (en) Device and method for maintaining integrity of control information
US8522075B2 (en) Storage system having storage devices for storing data and control devices for controlling the storage devices
JP4644720B2 (en) Control method, information processing apparatus, and storage system
EP3882774A1 (en) Data processing device and data processing method
WO2003001395A2 (en) Fault tolerant processing
US7802041B2 (en) Information processing apparatus including transfer device for transferring requests
CN110928217A (en) CPU (Central processing Unit) triple-redundancy voting circuit applied to aviation electric heating control system
Proerzza et al. A low-cost fail-safe circuit for fault-tolerant control systems
US20060150011A1 (en) Duplex fault tolerant system and method using DMA
EP3594780B1 (en) Intelligent load shedding for multi-channel processing systems

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
AK Designated states

Kind code of ref document: A3

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A3

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP