The present invention pertains to redundant processor systems and more particularly to a functional lockstep arrangement for redundant processors in real-time processing applications.
Processor systems used for critical real-time processing applications have inherent problems in determining when a hardware failure has occurred and taking subsequent corrective action. One method of detecting such failures and maintaining consistent operation is to use redundant processors with synchronous processing. In such situations, the processors each perform the same exact instruction at the same time. This is called clock lockstep processing. Usually a third processor monitors the operation of the redundant processors by comparing the inputs and outputs of the processors. If a mismatch of the inputs or the outputs of the processors is detected, the third processor determines which of the two processors is operating properly and disconnects the other processor.
The redundant lockstep implementation has several drawbacks. First, increasing microprocessor throughput requires an increase in the processor's clock speed. With increasing clock speeds and processor complexity, clock lockstep is very difficult to achieve and maintain. For example, even when processors are in a known condition such as a reset, maintaining clock lockstep is very difficult. The setup and hold times for synchronous reset signals become narrower as clock speeds are increased. As a result, the circuitry needed to meet setup and hold time conditions becomes more complex and expensive.
Second, asynchronous inputs to a redundant processors will generally fail in the clock lockstep mode. Whenever asynchronous signals are sampled, there are times when the input signal will change during the sampling time. When this occurs, there is a probability that the input signals change may not be seen by one of the processors. Further, when the input signal causes a processor interrupt to occur, it would be possible for one processor to respond to the interrupt and start execution of an interrupt service routine while the second processor would not see the interrupt until one clock cycle later. Hence, the two processors will not remain in clock lockstep although there is not a hardware fault.
Third, internal processor states cannot always be guaranteed to be the same even though redundant processors are executing the same instruction. The internal processor states are especially hard to predict after the processors have undergone a reset or initialization process. Hence, it may be difficult or impossible to insure clock lockstep in such situations.
Accordingly, it is an object of the present invention to provide a functional lockstep processor arrangement.