Telecommunications systems, such as the Public Switched Telephone Network, are typically built as large scale centralized networks in which transmission facilities linking customers are interconnected though switching centers. A primary requirement of such complex systems is a high degree of reliability, which is usually accomplished by having redundant equipment, including redundant transmission paths, redundant nodes and redundant equipment at each node. The redundant equipment or components are often added to the system as spare or backup equipment.
Each of the interconnecting switching centers or nodes within a communications network is typically a rack or cabinet of electronic routing equipment. Within that cabinet there is usually at least one redundant local system controller capable of controlling the operation of the entire rack or subsystem and it's functioning within the network.
In such architectures, a significant design concern is how to determine when control of the routing rack should be switched from one local system controller to the spare or backup system controller.
Generally, when a system includes spare components, a redundancy switchover controller monitors the status of operating components. When the redundancy switchover controller determines that a component is failing, the controller inserts a backup or redundant component into the system to replace the failed unit by operating switches connected to the inputs and outputs of the failed component and the spare component. However, a problem arises if the component that is failing is the system controller itself or the component tasked with monitoring operational status. In such cases, the problem to be solved is how the failed component is going to detect the need for changeover and effect the switch over.
If a separate, active component is added to monitor and determine which of the two control cards should be in charge, system reliability is compromised by the possible failure of this non-redundant active monitoring and arbitration circuit.
Another approach to the problem is to delegate the decision making to the spare component, as discussed in U.S. Pat. No. 6,308,286. In such systems, each spare component (and possibly a plurality of them) monitors the system itself and determines when a component that it is standing by for fails. The spare component then inserts itself into the system. However, when the spare component is the system controller, this approach has major flaws. One fatal scenario occurs when a faulty off-line or spare component makes the incorrect determination that the functioning on-line controller has failed and inserts itself, a faulty controller, on-line. A clearly unstable state of continuous switching between the two controllers results.
There is a clear need for a simple method to determine which of two of redundant system controllers should be the one in control that does not compromise the overall systems reliability. Such a method should particularly avoid unstable system states.