1. Field of the Invention
This invention relates to an improved cross-channel data link of the type comprising an element of a fault tolerant computing system.
2. Discussion of the Prior Art
There are a significant, and growing, number of computer applications which demand a higher level of reliability and availability than can be practically achieved with conventional "single thread" systems, such systems being of the type wherein a single fault can cause a fatal error. An avionic computer control system of the so-called fly-by-wire type is illustrative. Here, the flight of the aircraft and the safety of its crew depend upon the continuous, error-free operation of the computer system.
Fault tolerant computing requires some form of redundancy of computing resources to enable fault isolation and continued operation in spite of isolated faults. The preferred method is known as N-modular redundancy with majority voting, where the modular element may be any computing resource, but is typically a complete general purpose computer, including its associated input/output circuitry. The remaining discussion will assume that the redundant element is in fact such a computer.
In this arrangement, a limited number of faults can be tolerated. Implementing this concept requires that all modules execute identical programs on identical computers in substantial synchrony. Since all computers operate on the identical input data in synchronism, it is thus possible to instantaneously compare the output data from each and vote to determine the correct result, even though one or more of the modules may be in error, i.e., only the majority need be correct. The preferred means for maintaining synchronization, comparing computational results and exchanging failure status information, is a cross-channel data link which permits the exchange of data on a periodic basis. A typical application may require an exchange of 5,000 to 10,000 bits each processing frame, i.e. every 10 to 20 milliseconds. Each computer analyzes the data received from all other computers and uses this data to either confirm that it is in synchronization or to re-establish synchronization if it has been lost. In addition, data is used to validate or evaluate the health of the system, or to vote against other components of the system.
The cross-channel data link is a critical element of the system. It should be designed to maximize reliability and to ensure that no single-point failure of the data link can prevent data exchange between any pair of computers, since without this exchange synchronization may be lost and the benefits of majority voting lost. It has been found desirable to employ fiber optic media to gain the benefit of improved electrical isolation, rejection of interfering signals, and the potential for higher channel capacity.
The prior art approach for a fiber optic, cross-channel data link for a triple-modularly redundant computing system is shown diagrammatically in FIG. 1. Each of computers 10, 12 and 14 executes identical programs in response to a common set of data inputs 16 and exchanges this data via a fiber optic cross-channel data link. The computer outputs on lines 18, 20, 22 are presented to majority output voting 24 which produces a correct output even when any one of computer outputs 18, 20 or 22 is incorrect. Similarly, the input voting 23 provides a majority of input signals such that all computations within the three computers proceed on identical input data.
Communication between the cross-channel data link and the computers is via bidirectional data buses 11, 13 and 15. The cross-channel data link is comprised of optical node controls 26, 28 and 30 plus optical fibers 32-42. Referring to optical node 26, each node is comprised of two optical transmitters of the light emitting diode type, such as 46 and 48, plus two optical receivers (photo detectors), such as 44 and 50. Alternatively, optical transmitters 46 and 48 may be replaced with a single optical transmitter and an optical splitter. Either arrangement provides a simultaneous bidirectional data path between any pair of computers. For example, the data path formed by transmitter 46 on node 26, optical fiber 36, and receiver 52 on node 28 allows data from computer 10 to be sent to computer 12.
Although this arrangement provides the requisite communication paths when all elements are operable, a failure of any one element in the data link can cause an operable computer to be declared faulty. It is well known in the art to reconfigure data channels to route data around a failed link.
Reconfiguration of a cross-channel data link, however, is undesirable due to the potential to exacerbate the effect of faults. For example, re-routing circuitry could provide an alternate path through elements 48, 34, 54, 56 and 42 in the event of a failure of the path formed by elements 46, 36 and 52. However, such circuitry adds the risk that a single failure of the re-routing circuitry could cause multiple data paths to fail. Such prior art arrangements further lack the ability to isolate a data link fault solely to the transmitter, fiber or receiver. Since these elements are typically in different line replaceable units, diagnostic tests are thus unable to determine which unit to replace to correct for certain faults. Such prior art arrangements are further incapable of performance level measurements which could identify impending failures for repair before an actual fault occurs. This is particularly problematic with optical fibers being subjected to high "g" accelerations during aircraft maneuvers. Fiber-optic links used with prior art cross-channel data links have required specialized equipment for measurement of link integrity by ground maintenance personnel. These measurements are inadequate when the system is installed in a moving vehicle such as a fighter aircraft. Latent failures or marginal thresholds may be exposed during a high "g" maneuver. Cracked fibers and/or misaligned connections can disable the system if the fiber shifts at all.
The present invention provides for a continuous detection capability which equals or exceeds the equipment utilized by ground maintenance personnel. As a result, the system is able to compensate for loss of power thresholds by adjusting the transmitter power output and is able to reconfigure in a deterministic fashion in that it "knows" where the exact failure is.
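The prior-art failure mode described above, as an added example that is not part of the patent text: a C model of the FIG. 1 arrangement in which each computer votes on its own output word and the two words received over the cross-channel data link, then records which channels it would declare faulty. The indices 0, 1, 2 for computers 10, 12 and 14, the `link_ok` matrix, the sample output words and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define N 3   /* channels: index 0, 1, 2 = computers 10, 12, 14 (assumed mapping) */

/* link_ok[src][dst] is 1 when the one-way path src -> dst delivers data (constructed model). */
typedef struct { int link_ok[N][N]; uint32_t out[N]; } frame_t;

/* Majority vote over the values a channel can see. Returns 1 and sets *result
   when more than half of the N channels are visible and agree, else 0. */
static int vote(const uint32_t *v, const int *valid, uint32_t *result) {
    for (int i = 0; i < N; i++) {
        int agree = 0;
        if (!valid[i]) continue;
        for (int j = 0; j < N; j++)
            if (valid[j] && v[j] == v[i]) agree++;
        if (agree * 2 > N) { *result = v[i]; return 1; }
    }
    return 0;
}

/* View from channel `self`: bit i of the return value is set when channel i is
   declared faulty, for missing data or for disagreeing with the majority. */
int declared_faulty(const frame_t *f, int self, uint32_t *voted) {
    uint32_t v[N]; int valid[N], mask = 0;
    for (int i = 0; i < N; i++) {
        valid[i] = (i == self) || f->link_ok[i][self];
        v[i] = f->out[i];
    }
    if (!vote(v, valid, voted)) return (1 << N) - 1;  /* no majority: nothing trusted */
    for (int i = 0; i < N; i++)
        if (!valid[i] || v[i] != *voted) mask |= 1 << i;
    return mask;
}

/* Build one constructed frame: optionally break one one-way link (-1 for none)
   and make one computer emit a wrong word (-1 for none); return self's fault mask. */
int view(int self, int broken_src, int broken_dst, int bad_cpu) {
    frame_t f; uint32_t voted;
    for (int i = 0; i < N; i++) {
        f.out[i] = (i == bad_cpu) ? 0xBAD0u : 0x1234u;
        for (int j = 0; j < N; j++) f.link_ok[i][j] = 1;
    }
    if (broken_src >= 0) f.link_ok[broken_src][broken_dst] = 0;
    return declared_faulty(&f, self, &voted);
}

int main(void) {
    printf("10->12 path broken: 12 sees mask %d, 14 sees mask %d\n",
           view(1, 0, 1, -1), view(2, 0, 1, -1));
    return 0;
}
```

From computer 12's view, a broken 10 → 12 path and a genuinely wrong computer 10 produce the same fault mask, while computer 14 still sees computer 10 as healthy. With that path broken, one further wrong output from computer 14 leaves computer 12 with no majority at all.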
Because the system of the present invention incorporates a built-in fault detection and isolation system, ground crews are not required to validate the system with additional hardware. The system confidence level exceeds that associated with prior art fiber-optic cross-channel data links due to the ability to verify integrity after the components are installed. It has been a requirement of the prior art systems that signals be injected into the fiber with the plural computers disconnected. Hence, when the connection is re-established, the contact itself is still in question. With the present invention, faults detected during a previous flight are made available to maintenance personnel in prognosticating repair actions.
Furthermore, because only three fibers are required to provide a fault tolerant system in accordance with the present invention, a higher reliability level is achieved, when compared to the prior art and, in addition, continued operation can be enhanced through fault detection and dynamic reconfiguration.