The invention relates to a process for maintaining the microsynchronous operation of duplicated information-processing units. Accordingly, the duplicated units operate with a common internal processing clock which is independent of the clock used to receive information to be processed or used to transmit information-processing results. Such units are additionally equipped in each case with a device for error monitoring of the information received and of the information-processing results to be transmitted.
The reason for the above-mentioned duplication of the information-processing units is the aim of ensuring a high level of protection against failure and error. If information which is received in accordance with one of the clock systems mentioned is transferred to the other clock system for the purpose of processing, then as it passes through the associated multivibrators the signal transfer may fluctuate by one clock period, so that the microsynchronization with respect to corresponding components in the two units is disrupted and hence the protection against failure and error which is aimed at can no longer be ensured. In addition, the information fed to the units on the transmission paths is affected in different ways along the way. Even if such transmission errors can be recognized by the above-mentioned devices for monitoring the error-free reception of the information to be processed, it is not sufficient to prevent the distorted information from being processed because, even then, the microsynchronous parallel operation of the units would be disrupted. The same applies to the presence of an error in the information-processing results to be transmitted.
The object of the invention, therefore, is to prevent the microsynchronization of the operation of such duplicated units from being disrupted as mentioned above.
In general terms, the present invention is a process for maintaining microsynchronous parallel operation of duplicated information-processing units. The internal processing clock of each unit is mutually synchronous but independent of the clock used to receive information to be processed or used to transmit the processing results. Each unit contains a device for error monitoring of the information received and of the information results to be transmitted. The information fed to the units is temporarily stored before being processed and the corresponding result information is temporarily stored before being passed on. If the information received or the information-processing results to be transmitted are error-free, the units each supply a synchronization signal, indicating the appropriate processing phase and derived from the internal system clock, to the partner unit, and the start of the relevant processing phase is synchronized with this signal. In the absence of a synchronization signal on the part of the partner unit, even if information is received correctly or if distorted information is received, information processing in the affected unit is prevented or, even if an undistorted information-processing result is obtained, dummy information is transmitted instead. The procedure of the invention not only ensures that the processing components of the units operate synchronously, but it also ensures that uniform relationships are maintained in the event of errors in respect of the information received and the information-processing results to be transmitted which affect only one of the units.
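The gating described above, as an added illustrative simulation that is not part of the patent text: it shows that an input or output error seen by only one unit leaves both units in the same state and makes both emit dummy information. The XOR check byte, the processing function and the names `Unit`, `cycle` and `DUMMY` are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Optional

DUMMY = b"\x00\x00"  # constructed stand-in for the "dummy information"

def checksum(payload: bytes) -> int:
    """Assumed error monitor: one XOR check byte appended to each frame."""
    c = 0
    for b in payload:
        c ^= b
    return c

def frame(payload: bytes) -> bytes:
    return payload + bytes([checksum(payload)])

def error_free(fr: bytes) -> bool:
    return len(fr) >= 2 and checksum(fr[:-1]) == fr[-1]

@dataclass
class Unit:
    state: int = 0         # internal processing state that must stay identical
    buffered: bytes = b""  # temporary store ahead of processing

    def receive(self, fr: bytes) -> bool:
        """Buffer the frame; the return value is the sync signal (error-free only)."""
        self.buffered = fr
        return error_free(fr)

    def process(self, own_sync: bool, partner_sync: bool) -> Optional[bytes]:
        """Start the processing phase only when both sync signals are present."""
        if not (own_sync and partner_sync):
            return None  # processing prevented, state untouched
        self.state = (self.state + sum(self.buffered[:-1])) % 256  # hypothetical work
        return frame(bytes([self.state]))

def transmit(result: Optional[bytes], own_sync: bool, partner_sync: bool) -> bytes:
    """Pass the buffered result on only if both output monitors signalled error-free."""
    return result if result is not None and own_sync and partner_sync else DUMMY

def cycle(a: Unit, b: Unit, rx_a: bytes, rx_b: bytes, corrupt_out_b: bool = False):
    sync_a, sync_b = a.receive(rx_a), b.receive(rx_b)  # exchange input sync signals
    res_a, res_b = a.process(sync_a, sync_b), b.process(sync_b, sync_a)
    if corrupt_out_b and res_b:
        res_b = bytes([res_b[0] ^ 0x01]) + res_b[1:]   # constructed output fault in B
    out_a = res_a is not None and error_free(res_a)    # output error monitors
    out_b = res_b is not None and error_free(res_b)
    return transmit(res_a, out_a, out_b), transmit(res_b, out_b, out_a)
```
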
Other refinements of the invention are defined in the subclaims.
Provided that processing components of the units are duplicated, for the purpose of detecting hardware errors during information processing, in a master-checker configuration, the information inputs of the components are operated in parallel. Outputs of the checker component are operated as information inputs which can be fed the output signals of the master component as input signals for carrying out a comparison. Before the units exchange synchronization signals, clock edge synchronization of the processing clocks is carried out in each case between the master and the checker component of the units by exchanging synchronization signals which are likewise derived from the internal system clock. This embodiment takes as its starting point the fact that the information-processing components inside the duplicated units are duplicated, for the purpose of recognizing hardware errors, in a master-checker configuration, and specifies how a two-stage process can be used in such a case to satisfy the requirements of microsynchronization.
In a further embodiment the synchronization signals exchanged are multiplex signals comprising individual synchronization signals for the individual internal input and output interface circuits.
At startup or restart of the processing units, the repetition cycles of the demultiplexed individual synchronization signals emitted by the processing components of the units are reset by a common reset signal derived from the internal system clock.
In a further embodiment, at startup or restart, the output interface circuits of the master and checker processing components are to be reset if there is no dedicated reset signal available for the clock system which controls these output interface circuits, and the reset signal is derived from the system clock instead. The reset signal of the checker processing component is therefore derived from the output signal of the master processing component.