1. Field of the Invention
The present invention relates to an information processor system for applications where high reliability is required, and particularly relates to a highly reliable information processor system provided with fault tolerant capability to tolerate temporary malfunctions in its microprocessors.
2. Description of the Prior Art
A highly reliable information processor system conventionally has a redundant triple-microprocessor configuration to avoid discontinuance of processing because of temporary malfunctions. Such a system is provided with three microprocessors, and any malfunctioning microprocessor among them can be easily identified by majority decision through monitoring of the outputs from the microprocessors. When a malfunction is detected, the malfunctioning microprocessor is isolated and the remaining two microprocessors continue processing.
The Functional Redundancy Monitor (FRM) method enables relatively easy implementation of such a triple-processor configuration. In an FRM system, two microprocessors in monitor mode take in the signal output to the outside from another microprocessor operating in execution mode, and check that signal against their own signals each time a bus cycle is activated.
According to the principle of triple majority decision, when a discrepancy is found at either of the monitor mode microprocessors, the microprocessor where the discrepancy occurs is malfunctioning. If discrepancies are found at both of the two monitor mode microprocessors, then the microprocessor in execution mode is malfunctioning.
Another well-known example of triple majority decision is a system where all the signals output from the three microprocessors are subjected to triple majority decision outside of the system and then the result is transferred to another unit (memory, for example). In this case, there is no concept of execution mode and all microprocessors output signals to the outside in the same way.
Triple majority decision can be expressed by the following formula:
Y = A*B + B*C + C*A
where A, B and C are the three signals and "*" means AND and "+" means OR. As understood from this formula, the value indicated by two or three of the three signals A, B and C is given to the output Y. Thus, it can be said that the output Y always has a proper value unless more than one error occurs at a time.
Thus, in a conventional highly reliable information processor system provided with FRM capability, the output signal is checked each time a bus cycle is activated. This method is certainly effective when the three microprocessors activate bus cycles simultaneously. However, such a system cannot detect, or can detect only with a delay, a malfunction that causes a discrepancy in timing among the bus cycles themselves.
For example, if a microprocessor in monitor mode does not activate a bus cycle, the conventional system cannot detect such a malfunction. If the microprocessor in execution mode activates a bus cycle earlier than the microprocessors in monitor mode, the malfunction may be detected only after termination of the bus cycle. In order to properly continue processing with a degraded double-processor system even after malfunction detection, the bus cycle during which the malfunction occurs needs to be activated again, which means that the malfunction must be detected while the bus cycle is still being activated.
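The following C model is an added example, not part of the original text. It implements the majority formula bit by bit and the FRM diagnosis rule described above, then shows the blind spot for a monitor that never activates its bus cycle. The names `bus_out`, `cycle` and `frm_check`, the sample bus words, and the rule that a monitor compares only while its own bus cycle is active are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Triple majority decision Y = A*B + B*C + C*A, applied to every bus line. */
static uint32_t vote3(uint32_t a, uint32_t b, uint32_t c) {
    return (a & b) | (b & c) | (c & a);
}

/* One processor's bus cycle as seen by the checker (constructed model). */
struct bus_out {
    int      active;  /* 1 if the processor activated a bus cycle */
    uint32_t value;   /* word it drove (executor) or computed (monitor) */
};

static struct bus_out cycle(int active, uint32_t value) {
    struct bus_out o = { active, value };
    return o;
}

enum frm_verdict { FRM_OK, FRM_MON1_FAULT, FRM_MON2_FAULT, FRM_EXEC_FAULT };

/* Per-bus-cycle FRM check. Assumption: a monitor compares only while it has
 * itself activated a bus cycle, so a monitor that stays idle reports nothing. */
static enum frm_verdict frm_check(struct bus_out exec, struct bus_out m1,
                                  struct bus_out m2) {
    int d1 = m1.active && m1.value != exec.value;
    int d2 = m2.active && m2.value != exec.value;
    if (d1 && d2) return FRM_EXEC_FAULT;  /* both monitors disagree */
    if (d1) return FRM_MON1_FAULT;        /* only monitor 1 disagrees */
    if (d2) return FRM_MON2_FAULT;        /* only monitor 2 disagrees */
    return FRM_OK;
}

int main(void) {
    uint32_t good = 0x00401000u, bad = good ^ 0x10u;  /* constructed values */
    printf("voter, one error:   %08x\n", (unsigned)vote3(good, bad, good));
    printf("voter, two errors:  %08x\n", (unsigned)vote3(bad, bad, good));
    printf("monitor 2 flipped:  %d\n",
           frm_check(cycle(1, good), cycle(1, good), cycle(1, bad)));
    printf("executor flipped:   %d\n",
           frm_check(cycle(1, bad), cycle(1, good), cycle(1, good)));
    /* Timing fault: monitor 1 never activates its bus cycle; nothing flags it. */
    printf("monitor 1 silent:   %d\n",
           frm_check(cycle(1, good), cycle(0, 0), cycle(1, good)));
    return 0;
}
```

The last case returns `FRM_OK` even though monitor 1 has malfunctioned, which is the undetected timing discrepancy the text describes.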
Temporary malfunctions in a highly integrated microprocessor are mostly caused by the reversing of a flip-flop inside the microprocessor. This reversing, however, is only temporary, and the reversed flip-flop is restored when new data is written to it. A system that stops its processing upon such a temporary error can be said to have low reliability.
Flip-flops inside a processor can be classified into those for data processing and those for control, and the majority of the flip-flops are used for data processing. However, reversing of a bit in a large-scale register for instruction storage may cause the instruction involving that bit to be interpreted as an instruction different from the original one. This surely changes the internal sequence and results in a discrepancy in bus cycle timings. The proportion of such malfunctions that shift bus cycles is not negligible.
On the other hand, the method using an external circuit for triple majority decision, where all output signals are subjected to majority decision, is certainly quite advantageous. It can detect all malfunctions, does not adversely affect other devices at all, and enables processing to be continued without any suspension. However, it requires all the output signals to pass through the triple majority decision circuit, which delays the transfer of address, data and other signals to another unit, resulting in lower performance. In addition, the triple majority decision circuit itself requires considerably large-scale hardware. Such lowering of performance and increase in component count are fatal drawbacks, for they run against the modern demand for higher performance, lower cost, smaller size and lower power consumption.