1. Field of the Invention
The present invention relates to the automatic selection of at least one of a plurality of redundant common system modules provided to ensure reliable operation of the system, and more particularly, to a method and apparatus in which the diagnostic functions are distributed among a plurality of system components which monitor the operation of the at least one active redundant common system module and select another redundant common system module to become operative in the event a failure in the active redundant common system module is detected by a predetermined number of the system components.
2. Description of the Prior Art
Previously, there were many instances where a single common module might be responsible for controlling the inputs and outputs from a multiplicity of different nodes (i.e., from other types of modules and components) in an entire system. The reliability of this single common module was thus of critical importance in that its failure could result in an entire system failure. Therefore, it became appropriate to provide redundant common modules to prevent the failure of the entire system in the event that one of the common modules fails. When such redundant common modules were utilized, it became necessary to provide for the automatic selection of one of the redundant common modules to ensure that a properly functioning redundant common module was always in operation.
Typically, the automatic selection of one of the redundant common modules has been provided by the application of an independent diagnostic module. The diagnostic module constantly tests the one active redundant common module to ensure that it is functioning properly. In the event of the detection of a malfunction, the diagnostic module would then switch the operation to another presumed properly functioning redundant common module. The diagnostic module also periodically switches the operation from the one active redundant common module to another redundant common module, even if a failure is not detected in the active redundant common module, in order to ensure that the other redundant common modules are indeed functioning properly. This helps to prevent the occurrence of "silent" failures in the redundant common modules, which, in the absence of periodic switching, would go undetected until the active redundant common module failed and would thus result in further unreliability of the system.
However, the problem with the use of the diagnostic module is readily apparent: a new common element of critical importance has been introduced into the system. If the diagnostic module itself should fail, the entire system could also fail just as though there were no redundant common modules. In many cases the complexity and, therefore, the failure rate of the diagnostic module has been greater than the failure rate of the redundant common modules it is testing. Further, the additional cost of the independent diagnostic modules may also be prohibitive.
The present invention overcomes the aforesaid problems by providing a system in which the diagnostic functions are distributed among the several nodes in the system. The nodes in the system control the selection of the redundant common modules by generating votes which indicate their choice.
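The vote-based selection described above can be sketched as follows. This is an added illustration, not code or logic taken from the patent: the function names, the tie-break rule, the treatment of missing votes and the reading of "predetermined number" as a minimum vote count are all assumptions. It shows that one misbehaving node cannot force a switch and one silent node cannot block one, which is the property the single diagnostic module lacks.

```python
from collections import Counter

def select_module(active, votes, threshold):
    """Return the module to run after one voting round.

    votes maps node id -> chosen module id, or None when the node cast
    no vote (for example because the node itself is down).
    threshold is the predetermined number of nodes that must agree on a
    different module before the selection changes (assumed semantics).
    """
    tally = Counter(v for v in votes.values() if v is not None and v != active)
    if not tally:
        return active
    # Most votes wins; ties go to the lowest module id so that every
    # copy of this logic reaches the same decision (assumed rule).
    candidate, count = min(tally.items(), key=lambda kv: (-kv[1], kv[0]))
    return candidate if count >= threshold else active

def run_round(active, standby, checks, threshold):
    """checks maps node id -> True/False (the node's own test of the active
    module passed/failed) or None (the node produced no vote)."""
    votes = {node: None if ok is None else (active if ok else standby)
             for node, ok in checks.items()}
    return select_module(active, votes, threshold)

# Constructed scenarios: five nodes, two redundant modules, threshold 3.
HEALTHY = {"n1": True, "n2": True, "n3": True, "n4": True, "n5": True}
ONE_BAD_NODE = {"n1": True, "n2": True, "n3": False, "n4": True, "n5": True}
MODULE_A_FAILED = {"n1": False, "n2": False, "n3": None, "n4": False, "n5": False}

if __name__ == "__main__":
    for name, checks in [("healthy", HEALTHY), ("one bad node", ONE_BAD_NODE),
                         ("module A failed", MODULE_A_FAILED)]:
        print(name, "->", run_round("A", "B", checks, threshold=3))
```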