1. Field of the Invention
The invention relates to VMEbus systems. More particularly, it relates to a method for functionally partitioning multi-processor applications to increase fault tolerance of the VMEbus.
2. Prior Art
The use of digital computer systems has become very common in mission critical applications such as flight control. In such applications, it is essential not only to ensure correct semantics, but also to provide fault tolerance capabilities.
Advancements in technology have enabled the avionics industry to develop new design concepts which result in highly-integrated software-controlled digital avionics. The new approach, referred to as Integrated Modular Avionics (IMA), introduces methods which can achieve high levels of reusability and cost effectiveness compared to earlier implementations of avionics. See "Design Guide for Integrated Modular Avionics", ARINC report 651, Published by Aeronautical Radio Inc., Annapolis, Md., November 1991. The IMA approach encourages partitioning and using standardized building blocks in building environmental and functional components of avionics. Strong functional partitioning facilitates integration, validation and FAA certification. Following the IMA guidelines, the cost of both development and maintenance is expected to decrease because of mass production of the building blocks, lower levels of spares, and reduced certification costs.
The backplane bus is one of the most important components in Integrated Modular Avionics. While many backplane bus designs have been proposed, only a few are actually used. Selecting the backplane bus is affected by many design and engineering factors, such as performance, reliability, and fault tolerance. Although such issues are very important to ensure a certain level of safety of commercial jet aircraft and high availability of military aircraft, the cost of the bus and associated line replaceable modules (cards) is a major concern.
Most of the currently available dependable backplane bus systems, such as ARINC 659, are very expensive and are supplied by very few vendors. See "Backplane Data Bus", ARINC Specification 659, Published by Aeronautical Radio Inc., Annapolis, Md., December 1993. Thus, a need exists for an affordable bus system that provides the required levels of dependability and complies with the IMA design methodology. The VMEbus system is a prime candidate because it is both rigorously defined and widely supported. See "IEEE Standard for a Versatile Backplane Bus: VMEbus", std 1014-1987, Published by the Institute of Electrical and Electronic Engineers, New York, N.Y., March 1988. In addition, expanding selections of VMEbus boards and vendors guarantee competitive prices and continuous support. Moreover, the VMEbus offers an open architecture that facilitates the integration of multiple vendors' boards. This feature makes the VMEbus the ideal choice for integrated avionics.
The VMEbus allows multi-processing, expandability, and adaptability for many designs and processors. It handles data transfer rates in excess of 40 Mbytes/sec using parallel data transfer. However, the VMEbus does not include error detection or correction bits associated with the transmitted data. The VMEbus is asynchronous and non-multiplexed, and as such, no clocks are used to coordinate data transfer. Data is passed between modules using interlocked handshaking signals where cycle speed is set by the slowest module participating in the cycle. Using an asynchronous protocol in the VMEbus provides reasonable capabilities to integrate products from various vendors.
The VMEbus provides support for multiprocessing using shared memory. To avoid inconsistency while updating shared memory, read-modify-write bus cycles are used. The read-modify-write cycle allows updating shared memory and prevents race conditions. A master-slave architecture is used in the VMEbus. Modules (i.e., cards or boards) can be designed to act as master, slave or both. Before a master can transfer data it must first acquire the bus using a central arbiter. Although the VMEbus does provide reasonable compatibility to integrate products from various vendors, fast parallel data transfer, and wide support by many manufacturers, fault tolerance in VMEbus based systems is very limited.
The VMEbus relies on all connected modules (cards or boards) for detecting and reporting faults on a specific failure control line. Thus, VMEbus modules are expected to have on-board firmware diagnostics to detect faults. The time for data transfer is monitored by the VMEbus master (i.e., the sender). If the receiver does not acknowledge the message, the master times out the data transfer and re-transmits. However, the bus provides neither error detection nor correction for the transferred data. There is no redundancy in either the transmission lines or the transferred data on the bus. Generally, the built-in-test and transmission time-out provide limited fault coverage for permanent faults only. The shared memory model used by the VMEbus for multiprocessing makes the modules tightly coupled, and in the absence of message verification, faults can and do propagate from one module to the others. Thus, errors cannot be contained within the faulty module (card or board) and can jeopardize the behavior of the entire system.
Strong partitioning of modules is one of the most important IMA requirements which the VMEbus lacks. The multiprocessing in the VMEbus using a shared memory mechanism allows faults in one module to cause errors in other non-faulty modules by writing to their memories.
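The following C model is an added illustration, not part of the patent text, of the failure mode described above: an unverified shared-memory write propagates a fault silently, while a receiver that validates each message before copying it into its own state rejects it. The message layout, the CRC-16 choice and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: one module's state, reachable by peers as shared memory. */
typedef struct { int32_t altitude_ft; } module_state;
/* Hypothetical message format: sender id, payload, CRC computed by the sender. */
typedef struct { uint8_t sender; int32_t value; uint16_t crc; } message;

/* Bitwise CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF). */
static uint16_t crc16(const uint8_t *p, size_t n) {
    uint16_t c = 0xFFFF;
    while (n--) {
        c ^= (uint16_t)(*p++ << 8);
        for (int i = 0; i < 8; i++)
            c = (c & 0x8000) ? (uint16_t)((c << 1) ^ 0x1021) : (uint16_t)(c << 1);
    }
    return c;
}

/* CRC over sender and value only, packed so struct padding is excluded. */
static uint16_t msg_crc(const message *m) {
    uint8_t buf[1 + sizeof m->value];
    buf[0] = m->sender;
    memcpy(buf + 1, &m->value, sizeof m->value);
    return crc16(buf, sizeof buf);
}

message make_message(uint8_t sender, int32_t value) {
    message m = { sender, value, 0 };
    m.crc = msg_crc(&m);
    return m;
}

/* Unverified path: a peer writes straight into the victim's memory. */
void shared_write(module_state *victim, int32_t value) { victim->altitude_ft = value; }

/* Verified path: accept only an intact message from the expected sender.
   Returns 1 if the state was updated, 0 if the message was rejected. */
int verified_receive(module_state *self, const message *m, uint8_t expected_sender) {
    if (m->sender != expected_sender || m->crc != msg_crc(m)) return 0;
    self->altitude_ft = m->value;
    return 1;
}

int main(void) {
    module_state s = { 35000 };
    message m = make_message(2, 34000);
    m.value ^= 0x10;                      /* constructed single-bit corruption */
    printf("accepted=%d altitude=%d\n", verified_receive(&s, &m, 2), (int)s.altitude_ft);
    return 0;
}
```

Verification only contains a fault if the receiver's state is not also directly writable by its peers; a CRC on messages does nothing against a stray write like `shared_write`.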
It is clear from the foregoing that the VMEbus needs enhancements to strengthen its fault tolerance capabilities, specifically in containing faults and recovering from failure. Because low cost is an important feature of the VMEbus, enhancing the fault containment capabilities should avoid changing the design and the layout of the currently available cards. Changing the design of a VME card will not only require reengineering and revalidation, which increase the manufacturing cost, but will also limit the number of vendors who agree to do the modifications. Thus, the preservation of the current hardware design of the cards is highly desirable.