The invention lies in the field of microelectronics. The invention relates to a processor device that contains a clock generation unit, a processor unit, a main memory, and a processor bus set up as a data and address bus for the processor unit and the main memory.
Processor devices of the aforementioned type are used for controlling various technical systems, such as call processing systems in a telephone network. Depending on the area of application, the processor device has additional, application-specific components that are controlled by the processor device and that possibly even control other, external components in turn.
In many applications, including in the aforementioned call processing systems, a particular level of error immunity is required for security-related reasons. To achieve the error immunity, the fundamental hardware parts within the processor system of the application controller are duplicated. Thus, the processor system contains two identical versions of a processor device, one of which carries out the tasks of the processor system as the active device while the other device is passive and operates in idle mode, or in parallel in a "tandem mode." On the active side, error occurrence is monitored during operation. In the event of an error in the active device, the passive device automatically takes up operation, with the intent that the changeover takes place in as uncomplicated a fashion as possible and without the user noticing. The now passive device can then be serviced or replaced without the need for concern that operation, which is assured by the now active device, might be interrupted.
If, in particular cases, the requirements of system security are very high and duplication is no longer sufficient, the processor device may also be implemented a plurality of times within the processor system, one of the devices always being active while the others are passive. In such a case, the monitoring and the order of the reciprocal enabling of the processor devices may be cyclical, for example. The duplicated case can easily be generalized to the more general case of multiplication by a person skilled in the art and, for the sake of brevity, such generalization is always dealt with in parallel without any mention below when discussing duplicated systems, unless express reference is made to the contrary.
In prior art methods, the passive side is updated at the instant of changeover. In this context, the passive processor device first changes to the operating state when an error has occurred on the part of the active processor device, as far as possible adopts the status of the active processor device, e.g., the content of the main memory, and then continues operation. The process is naturally associated with a markedly perceptible interruption in operation, and, in many cases, individual areas of operation or even the whole of operation need to be terminated completely and restarted. In a switching office, for example, such steps mean a temporary or permanent interruption in a data link or message transmission.
International PCT publication WO 94/08292 describes a duplicated processor control unit including two identical, interconnected control units each having a processor unit, a RAM data memory, and peripheral circuits. Each processor unit is set up to establish whether or not it is active or in standby mode. The active processor unit performs the write cycles on the RAM synchronously in the two duplicated RAMs or in one of the two RAMs. The standby unit remains in standby until it is called on account of a fault in the active unit, in which it replaces the previously active unit. The two processor units are additionally connected through a synchronous communication channel produced using dedicated modules. The communication channel is used by the active processor unit when carrying out particular activities, e.g., monitoring processes and error diagnosis processes, which it carries out on the standby unit.
The activities of the two processor units disclosed in International PCT publication WO 94/08292 are, thus, essentially asymmetrical, with the communication channel being used to shift processes from the active unit to the standby unit, the peripheral components, including the main memory, essentially being accessed only by the active processor unit. Hence, in the absence of any comparison with a second processor unit running in parallel, for example, a malfunction in the active processor unit results in the main memory having incorrect information written to it or in faulty states in the peripherals, which states first need to be re-corrected after changeover to the previous standby unit.
Each of the two processor units in International PCT publication WO 94/08292 is additionally equipped with two microprocessors operating in microsynchronized mode. The microsynchronism of the two microprocessors is monitored by a comparator block that monitors the identity of the address, data, and control signals of the two processors at each instant; any discrepancy is interpreted as a fault in the relevant processor unit. An error in the microsynchronous operation of the microprocessor pair thus produces an interrupt signal or reset for the whole processor unit. Operation of the processor unit based on just one of the two microprocessors is not possible. Furthermore, duplication of the microprocessors within a processor unit produces a "tandem unit," not, however, inherently independent processor devices with a respective dedicated main memory and processor bus comparable with a processor device in accordance with the subject matter of the present invention. In addition, the microsynchronism of the microprocessors that is disclosed in International PCT publication WO 94/08292 is established on an entirely different structural level as compared with the processor units.
German Published, Non-Prosecuted Patent Application DE 40 05 321 A1, discloses an error-tolerant computer system having two redundant computer units. The activities of the two computer units are also asymmetrical because, respectively, one computer unit is operational and writes to the main memories in both units, while the other is available as a backup switching unit. Microsynchronous parallel operation between the processors in the two computer units is expressly excluded in German Published, Non-Prosecuted Patent Application DE 40 05 321 A1.
The article by H. J. Lohmann in Elektron. Rechenanlagen 22 (1980), pp. 229-236, discloses a microcomputer system including two microcomputers of identical configuration for producing output signals to control railway signal equipment. The microcomputers each produce an output signal; the two output signals are supplied to the actuating circuits through converters. The microcomputer clock signals are produced separately for each of the two microcomputers in a respective control pulse generator. After each processing clock step, a monitoring pulse transmitted by the control pulse generators causes the output signals to be compared. The control pulse generators then trigger the next clock step only if the respective no-error message has been received correctly. The configuration imposes reliable correspondence verification after each processing step. If a disparity arises, the no-error messages are not sent and the control pulse generators do not trigger another clock step; consequently, the actuating circuits switch to a de-energized state.
As is clear from the above, the output signals in the system according to H. J. Lohmann are compared; a reciprocal check on an internal state of the processor devices is not possible. Another disadvantage to the system according to H. J. Lohmann is that the speed of the microcomputer system is markedly reduced because a complete check on the output signals is performed before each processing step. In addition, the microcomputer system is configured only for simultaneous operation of the two microprocessors, much like the microprocessor pair in a respective processor unit in International PCT publication WO 94/08292, because individual operation of one microcomputer, not to mention the presence of just one microcomputer (while the other is being serviced, for example), is not provided. Instead, the entire system is always in operation or not in operation.
The microcomputer system according to H. J. Lohmann can be used by the person skilled in the art as an advantageous illustrative embodiment of a processor unit in International PCT publication WO 94/08292 having two microsynchronized microprocessors. In addition, the implementation of microsynchronism within the processor units would make it appear unnecessary to introduce microsynchronism between the two processor units.
It is accordingly an object of the invention to provide a duplicable processor device that overcomes the hereinafore-mentioned disadvantages of the heretofore-known devices of this general type and that can be operated in a microsynchronous operating mode in which the processors in the devices perform the same operations on the same clock edge and are checked against one another in the process, and that can have one processor device permit full operation independently as well. In particular, the aim is for error monitoring and error handling to be able to take place almost entirely without interruption to the application-specific control.
With the foregoing and other objects in view, there is provided, in accordance with the invention, a processor device, including a clock generation unit, a processor unit connected to the clock generation unit, a main memory, a processor bus configured as a data and address bus for the processor unit and the main memory, a crossover bus to be connected to at least one further processor device, and a bus control device having an interface for the crossover bus, the bus control device having an operating mode sharing microsynchronism with the at least one further processor device connected through the crossover bus during operation of the processor device, the bus control device configured, when data is interchanged through the processor bus, to process a personal signature for interchanged data, to interchange the personal signature with the at least one further bus control device of at least one further processor device through the crossover bus, to compare a received signature with the personal signature, and to output an error signal triggering error handling in the processor device when the personal signature and the received signature do not correspond.
The objective of the invention is achieved, based on a processor device having a bus control device therein and an interface for a crossover bus to at least one further processor device. The processor device is set up so that, during operation of the processor device in an operating mode that shares microsynchronism with the at least one processor device connected through the crossover bus, when data is interchanged through the processor bus, e.g., upon data access by the processor unit, the processor:
calculates or receives a signature for the interchanged data;
interchanges the signature with the at least one further bus control device through the crossover bus;
compares the signature received with the personal signature; and
in the event of the signatures not corresponding, outputs an error signal that triggers error handling, e.g., error diagnosis, in the processor device.
The solution of the invention makes it possible to reliably monitor the processor functions during operation and to quickly initiate error handling in the event of a discrepancy, without the need for concern about a fault in the application operation. The signature interchange permits parallel execution in two or more devices within the context of microsynchronism and makes it possible to detect any asynchronism arising in the event of an error after a latency time of a few system clock cycles. The detection enables interruptions to operation in the event of an error, and also during servicing, to be reduced to a minimum or even to be prevented completely.
In contrast to the system according to H. J. Lohmann, in accordance with the invention, data present on a processor bus is checked using signatures that are formed for it, which is equivalent to checking an internal state of the processor devices and hence to a more powerful verification. In the processor devices according to the invention, the signatures are interchanged when the processors are operating correctly.
In one preferred embodiment of the invention, to support the establishment of microsynchronous operation, the clock generation unit can be synchronized, within a prescribed maximum synchronization tolerance, with a clock generation unit in a second processor device connected through the crossover bus, and the processor unit can be started, based on the synchronized clock signal from the clock generation unit, by a start signal in synchronism with a processor unit in the second processor device within a prescribed maximum clock offset. Insofar as reference is made to a second processor device in this regard, such reference is not to be understood as being a restriction to just two devices in the processor system; instead, it means a specifically selected processor device, e.g., the one starting first or an already active processor device.
To carry out the signature verification, the bus control device beneficially contains a comparison module through whose inputs the signatures are supplied and which is set up for bitwise comparison of the signatures.
To compensate for transit times through the crossover bus, it is expedient if the personal signatures are supplied to the comparison stage through a silo memory with a time delay.
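The signature interchange, silo delay and bitwise comparison described above can be modelled cycle by cycle. The following is an added behavioural sketch, not part of the original disclosure; the CRC-32 signature, the three-cycle transit time and all names are assumptions, since the text does not specify them.

```python
import zlib
from collections import deque

TRANSIT_CYCLES = 3   # assumed crossover-bus transit time, in clock cycles

def signature(addr, data, write):
    """Assumed signature: CRC-32 over one bus transaction (addr, data, R/W)."""
    raw = addr.to_bytes(4, "big") + data.to_bytes(4, "big") + bytes([write])
    return zlib.crc32(raw)

class BusControl:
    """Hypothetical model of one bus control device."""
    def __init__(self):
        self.silo = deque()      # own signatures, held until the peer's arrive
        self.rx = deque()        # crossover bus input: (arrival_cycle, signature)
        self.error_cycle = None  # cycle at which the error signal was raised

    def bus_access(self, cycle, txn, peer):
        sig = signature(*txn)
        self.silo.append(sig)                           # delayed personal copy
        peer.rx.append((cycle + TRANSIT_CYCLES, sig))   # sent over the crossover bus

    def compare(self, cycle):
        while self.rx and self.rx[0][0] <= cycle:
            received = self.rx.popleft()[1]
            own = self.silo.popleft()
            if own ^ received and self.error_cycle is None:   # bitwise comparison
                self.error_cycle = cycle

def run_lockstep(txns, fault_cycle=None):
    """Run two devices in lockstep; return the cycle at which each raised an error."""
    a, b = BusControl(), BusControl()
    for cycle in range(len(txns) + TRANSIT_CYCLES):   # extra cycles drain the bus
        if cycle < len(txns):
            addr, data, write = txns[cycle]
            a.bus_access(cycle, (addr, data, write), b)
            if cycle == fault_cycle:
                data ^= 0x4   # constructed fault: one data bit differs on device B
            b.bus_access(cycle, (addr, data, write), a)
        a.compare(cycle)
        b.compare(cycle)
    return a.error_cycle, b.error_cycle

# Constructed bus traffic: ten alternating read/write transactions.
TXNS = [(0x1000 + 4 * i, 0xC0DE0000 + i, i % 2) for i in range(10)]
```

In this model a divergence on either processor bus is reported by both devices exactly TRANSIT_CYCLES after it occurs, which corresponds to the detection latency of a few system clock cycles mentioned above.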
In a further preferred embodiment, the bus control device contains a cross reading device that is set up to reciprocally read out components of the processor device and/or of a second processor device, connected by the crossover bus, through the crossover bus and to enable the data that has been read at an instant that is synchronized with the cross reading device in the second processor device. The configuration permits components that are synchronized through the crossover bus to access nonsynchronized ("asynchronous") components.
In such a context, the cross reading device is beneficially set up so that, during read access to a component that can be accessed by the processor device, the cross reading device transmits the data received from the component through the crossover bus.
Equally, it is beneficial in such a context if the cross reading device is set up so that, instead of read access to a component which can be accessed by the second processor unit, the cross reading device receives the appropriate data from the second processor device through the crossover bus.
To manage access to "asynchronous" components, it is useful if the cross reading device controls access to the components of the processor device and of the second processor device based on the addressing of the address range associated with the relevant components,
a first address range being associated with access by both processor devices to the relevant component of the processor device;
a second address range being associated with access by both processor devices to the relevant component of the second processor device; and
a third address range being associated with access by the processor devices to their own respective component.
In a further preferred embodiment, the bus control device contains a cross refresh master device that is set up to read out the content of the main memory by direct access operations and to transmit it together with the respective associated memory address through the crossover bus. The configuration permits coordinated copying of the relevant memory contents.
In such a context, it is expedient, in order to keep areas that are already copied per se up to date as well, if the master device is set up so that, during write access operations by the processor unit to the main memory within the address range of the memory contents already transmitted, it transmits a respective copy of the relevant memory data and memory addresses through the crossover bus.
Beneficially, the data interchanged through the crossover bus contains additional information relating to the data read or written during direct access, e.g., characteristic data indicating the beginning or end of a data block, or an address identifier for distinguishing between addresses and data.
It is also advantageous, particularly in order to compensate for different data transmission rates in the processor device and on the crossover bus, if the master device contains a silo memory as a buffer memory for the data and addresses that are to be transmitted through the crossover bus.
In order to prevent the silo memory from overflowing, the master device expediently contains a signal output that is activated at a prescribed filling level of the silo memory and that is connected to an input of the processor unit that slows down or temporarily halts write access operations by the processor unit to the main memory.
For coordinated copying of the memory contents, it is also useful if the bus control device has a cross refresh slave device that is set up to write memory contents received together with the respective associated memory address to the main memory at the appropriate address point through the crossover bus.
To compensate for different data transmission rates, it is advantageous if the cross refresh slave device contains a silo memory as buffer memory for the data and addresses transmitted through the crossover bus.
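The cross refresh described above, with the master copying the main memory while forwarding processor writes into the range already transmitted, buffering in a silo, and halting the processor at a prescribed filling level, can be modelled as follows. This is an added behavioural sketch, not part of the original disclosure; the silo depth, halt level, link rate, the pausing of the copy at the halt level, and all names are assumptions.

```python
from collections import deque

SILO_DEPTH = 4    # assumed silo capacity in (address, data) words
HALT_LEVEL = 3    # assumed filling level that activates the halt output
LINK_PERIOD = 2   # assumed: the crossover bus moves one word every 2 cycles

class CrossRefreshMaster:
    """Hypothetical model of the cross refresh master device."""
    def __init__(self, memory, forward_writes=True):
        self.mem = memory
        self.copied_up_to = 0     # addresses below this were already transmitted
        self.silo = deque()       # buffer towards the crossover bus
        self.forward_writes = forward_writes

    def halt(self):               # signal output wired to the processor unit
        return len(self.silo) >= HALT_LEVEL

    def cpu_write(self, addr, value):
        self.mem[addr] = value
        if self.forward_writes and addr < self.copied_up_to:
            self.silo.append((addr, value))   # keep the copied range up to date

    def dma_step(self):           # direct access; assumed to pause at halt level
        if self.copied_up_to < len(self.mem) and not self.halt():
            self.silo.append((self.copied_up_to, self.mem[self.copied_up_to]))
            self.copied_up_to += 1

    def finished(self):
        return self.copied_up_to == len(self.mem) and not self.silo

def live_copy(initial, writes, forward_writes=True):
    """Copy memory while the processor keeps writing; return both memories and peak fill."""
    master = CrossRefreshMaster(list(initial), forward_writes)
    slave_mem = [None] * len(initial)
    pending, peak, cycle = deque(writes), 0, 0
    while pending or not master.finished():
        if pending and not master.halt():      # processor write, unless halted
            master.cpu_write(*pending.popleft())
        master.dma_step()
        peak = max(peak, len(master.silo))
        if cycle % LINK_PERIOD == 0 and master.silo:
            addr, value = master.silo.popleft()
            slave_mem[addr] = value            # cross refresh slave writes it back
        cycle += 1
    return master.mem, slave_mem, peak

# Constructed sample data: initial memory image and processor writes during the copy.
INITIAL = [0x10 + i for i in range(8)]
WRITES = [(6, 0xA6), (0, 0xA0), (1, 0xA1), (7, 0xA7), (0, 0xB0), (2, 0xA2)]
```

Calling live_copy with forward_writes=False shows the failure the forwarding prevents: address 0 is overwritten after it was transmitted, so the slave memory keeps the stale value.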
The objectives set above are likewise achieved by a processor system including at least two processor devices of the type illustrated, in which, according to the invention,
the processor devices are connected to one another through the crossover bus,
the processor units in the processor devices can be started, based on a common clock signal, so as to be synchronized with one another by a common start signal within a prescribed maximum clock offset; and
the bus control devices in the processor devices are set up so that, with each subsequent data access operation by the processor units through the respective associated processor bus, they interchange signatures concerning the data access operation through the crossover bus, evaluate them in terms of their correspondence, and output an error signal if there is no correspondence.
The advantages of such a solution have already been illustrated in connection with the processor device according to the invention.
Beneficially, the processor system is set up to perform, based on an error signal, error handling, e.g., error diagnosis, at least in that processor device which triggered the error signal, and, during the error handling, to continue operation of the processor system on the at least one remaining processor device. The configuration achieves "frictionless" continuation of the operation of the processor system even in the event of an error occurring in one of the processor devices.
Other features that are considered as characteristic for the invention are set forth in the appended claims.
Although the invention is illustrated and described herein as embodied in a duplicable processor device, it is, nevertheless, not intended to be limited to the details shown because various modifications and structural changes may be made therein without departing from the spirit of the invention and within the scope and range of equivalents of the claims.
The construction and method of operation of the invention, however, together with additional objects and advantages thereof, will be best understood from the following description of specific embodiments when read in connection with the accompanying drawings.