The present invention relates to fault tolerant systems and, more particularly, to a method for confirming validity of a control signal for energizing a back-up system in a fault tolerant environment.
Numerous electronic control systems utilize multiple redundant systems to assure fault tolerance in critical applications. One example of such a system is a redundant switching fabric for a communication line card installation. Typically, such systems have two switching fabrics, a primary and a back-up. All of the line cards are connected to the outside world through the switching fabric. In the event that the primary fabric has a failure, the system has to switch to the back-up fabric. In this example, the switching function resides on each line card and a remote controller provides a binary state signal to each card to let the card know when to switch to the back-up fabric.
One potential problem with such systems is that the control signal may become tied to one of the binary states and be unable to switch in response to the remote controller. For example, if a binary zero is used to maintain the line cards connected to the primary fabric and the control signal line becomes grounded, the line card will not receive a binary one signal generated by the controller when the binary one signal is used to command a change to the back-up fabric. Another potential problem is that the control signal could fail into the switch state and cause one or more of the components to switch in error. In particular, a subset of the components might see the switch indication. This is particularly undesirable since it could lead to a partitioning of the system and result in a system failure. This type of failure is not amenable to the test mode described below. There are solutions to this problem as well, such as running dual redundant signals and then running tests on both of them, but such additional redundancy introduces more complexity. One solution to the problem of a control signal tied to one state is to periodically run a test mode in which a test signal is sent to each line card and a check is then made to determine if the line card responded to the test signal. While this approach may be suitable in simple systems having only a few devices that need to switch, verifying that each line card in a typical communication system has switched presents a complex problem. Accordingly, it would be desirable to provide a method for continually verifying proper operation of devices in response to control signals in a fault tolerant environment.
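The two failure modes above can be modeled in a short simulation. This is an added example, not part of the original text. It shows why a periodic test mode catches a grounded control line but not one that has failed into the switch state. The class and function names are hypothetical, and the test is assumed to check only that each card responds to the asserted test level.

```python
from enum import Enum

PRIMARY, BACKUP = 0, 1  # binary zero keeps a card on the primary fabric


class Fault(Enum):
    NONE = "none"
    STUCK_LOW = "stuck_low"    # control line grounded: card always reads 0
    STUCK_HIGH = "stuck_high"  # line failed into the switch state: always reads 1


class LineCard:
    def __init__(self, name, fault=Fault.NONE):
        self.name, self.fault = name, fault

    def sense(self, driven):
        """Level the card actually sees for a level driven by the controller."""
        if self.fault is Fault.STUCK_LOW:
            return PRIMARY
        if self.fault is Fault.STUCK_HIGH:
            return BACKUP
        return driven


def fabric_map(cards, driven):
    """Fabric each card selects for the level the controller drives."""
    return {c.name: c.sense(driven) for c in cards}


def run_test_mode(cards):
    """Drive the test (switch) level and list the cards that did not respond."""
    return [c.name for c in cards if c.sense(BACKUP) != BACKUP]


def partitioned(cards, driven):
    """True when cards disagree on the fabric, i.e. the system is split."""
    return len(set(fabric_map(cards, driven).values())) > 1


# Constructed sample installation: one healthy card and one of each fault.
CARDS = [LineCard("lc0"),
         LineCard("lc1", Fault.STUCK_LOW),
         LineCard("lc2", Fault.STUCK_HIGH)]

if __name__ == "__main__":
    print("cards failing the test mode:", run_test_mode(CARDS))
    print("fabric per card in normal operation:", fabric_map(CARDS, PRIMARY))
    print("system partitioned:", partitioned(CARDS, PRIMARY))
```

The stuck-high card passes the test because it always reads the asserted level, yet it sits on the back-up fabric while the controller is driving the primary level.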