1. Field of Invention
The present invention relates to fault-tolerant systems employing multiple processor systems where the output data words of the processors are processed by a majority voter.
2. Description of the Related Art
Fault-tolerant operation of data processing systems is of paramount importance when such systems are employed for aircraft navigation and flight control. Commonly, aircraft applications require redundant systems whose outputs are cross-checked before being utilized by a flight management system which may include, among others, navigation subsystems and/or flight control subsystems. In those situations where a plurality of processors operate on the same input data, the intended output data of each of the processors should be identical, thereby verifying the integrity of the output data. If, of course, the output data of the independent processing systems are different, a scheme must be employed to determine as to which of the plurality of processors is in error so that the faulty processor may be disabled so that the flight management system may continue to functionally operate with the remaining processors by tolerating the fault but not use the faulty processor's output data.
Commonly, flight management systems generally employ a microprocessor for processing sensor input data by executing a fixed set of instructions requiring a fixed number of clock cycles of the system clock generator to execute these instructions. The total number of clock cycles to execute the fixed set of instructions is sometimes referred to as a "frame". In order to provide independent redundancy, generally associated with each microprocessor is an independent processor clock generator, commonly employing a high frequency oscillator.
In fault-tolerant multiple processor systems where the output data of each of the processor-oscillator pairs is presented to a synchronous majority voter, the majority voter is such that when a processor-oscillator pair provides data that is different than the other processors, the majority voter simply votes out or inhibits the use of the data output from the faulty processor-oscillator pair.
Employment of a synchronous majority voter with fault-tolerant multiple processor systems requires synchronous like serial data which is compared bit-for-bit by the majority voter. Generally, attainment of synchronous processor output serial data of the plurality of processors while maintaining processor independence is a difficult problem since the processors will start executing the same instructions at the same time, but may drift with respect to each other due to oscillator drift. In these circumstances, bit-for-bit voting of output serial data from the processors will vote out the processor-oscillator pair output serial data due to differing processor clock rates even though the output serial data is valid. This, of course places stringent requirements on the separate processor clock generators for each of the redundant processors so that each processor is outputting serial data at substantially the same time This is so, since if they are not, the majority voter may, perhaps, vote out all of the processors. However, even if the oscillators are closely matched, the oscillators may still drift relative to each other.
One solution for relaxing the stringent requirements of the oscillators and not reject good data is to operate the processors in lock step. However, few processors have this capability, and processors that do, are expensive. Further, processors which run in lock step require a common oscillator, rather than separate processor-oscillator pairs which makes the fault-tolerant system dependent upon the single common oscillator. Accordingly, a very high reliability common oscillator would be required since it is a single-point failure of all of the processors.