The present invention concerns a device for operating two functionally parallel computers.
Processors of this kind are used in digital computers. Computers of this kind are either fixed-programmed automatic control systems or programmable computers, mainframe computers, and PCs.
The main components of such computers are the input and output means, the memory, the processor, and the clock generator.
The input and output means and the memory are customarily designated as peripherals. Processors may be divided into a processing processor and an input-output processor. In the conventional PCs of today, the processing and the input-output processors are combined into the "processor." Nevertheless, the present invention pertains to individual processors such as processing processors and input-output processors of mainframe computers and the conventional "processors" of PCs and home computers of today. When processors are referred to alone below, the above variants are included. The control of peripherals takes place through the processor via bus lines. The processing clock pulses of the processor are provided by the clock signal generator. This is a continuous time signal series, the processor carrying out a predetermined computational process with each clock signal. The frequency of the clock signals is therefore a direct measure of the computational speed of the processor. The computational speed of the processor is therefore to be matched with respect to the frequency of the clock signal generator such that one computational operation is completed before the next clock pulse comes.
Processors are very highly integrated semiconductor circuits which naturally are subject, even under the most precise manufacturing conditions, to a certain degree of manufacturing tolerance. The processing reliability of the processors, however, is not thereby impaired. Within the specified manufacturing tolerance, the functioning reliability of the processor is always present, as long as disturbances do not impair processing reliability.
The danger does indeed exist that the function of a processor can be impaired through external disturbances. These disturbances are coupled into the computer through electrical or magnetic fields from the outside and cause the induction of voltages in conductive parts and conductive connections of highly integrated processors.
The induced voltages occur stochastically and are independent of clock. They elicit interference currents. These interference currents are superimposed on the currents within the processor and in the process induce unpredictable malfunctions.
These induced voltages can therefore result in information which comes from the processor unit to the memory modules being corrupted.
This corruption leads to undesired results in the output data of the computer. If the data transferred represent program steps, often a malfunction will occur due to accidentally interrupted programs or programs which are continued at some other, erroneous place. The effects are again undesired actions of the processor.
There are already efforts to increase the operating reliability of processor-controlled devices. In the arrangement according to DE-OS 26 12 100 (German Published Patent Application 26 12 100), two complete computers are connected in parallel and the output signals of the two computers are compared to each other in a seal-in circuit. After the comparison clock pulse comes the next active processing clock pulse.
The seal-in circuit forms a functional module in which the applied individual, synonymous output signals of the two processors are sequentially compared with each other. This takes place via a query sequence which does not pass over to the next signal until the prior signal has been checked. Since there are always numerous synonymous signals at the bus conductors to check, the sequential query of the individual synonymous signals is associated with considerable expenditure of time. Only after running through the entire query sequence is the next valid clock pulse then transmitted to the processors if all synonymous output signals are in agreement.
The progress of computation for the two processors in DE-OS 26 12 100 is thus dependent on the passthrough time needed to check the output signals of the preceding work pulse for agreement.
Other customary solutions, in particular those for applications with very high reliability requirements in the fields of aviation and space travel, consider the entire computer, comprised of processor, memory, and inputs and outputs, as a closed unit. It is then assumed that this unit can generate undesired results at the outputs. For this reason, the entire computer is made redundant, for example in a threefold or fivefold design, and the outputs are connected through suitable coordinating elements such that the possibly false results of one of the computers are reconciled with the results of the other computers.
This multiple design of the computer components, however, always creates high costs. Except for special individual applications, however, these costs are not justified. Nevertheless, for applications with higher reliability requirements, an increased disturbance reliability and improved processing reliability is desired.
In industrial control technology, there are such applications with a high degree of reliability requirement, for example, for machine controls and in drive technology. In these applications, malfunctions of a controlling computer can cause great material damage. The redundant design of the computer, however, often is out of the question for reasons of cost. Therefore safety-relevant functions such as end disconnects are often installed in separate hardware, for example via external sensors, switches, and actuators, to which the controlling computer does not have access. In this way, important disconnection operations can be carried out even with the loss of the controlling computer. This parallel-installed technology, however, also often causes high costs which must be incurred in addition to the costs for the actually desired control function of the computer. Furthermore, the external accessory systems restrict the functionality and flexibility which are the very reason the computer is utilized.
In addition, a so-conceived disconnect does not intervene in the process until a malfunction of the machine which is to be controlled occurs and can no longer be reversed.
Therefore the external accessory devices are also given the task of stopping the ongoing process in a timely manner such that despite the error in the controlling computer which has occurred, material damage is prevented.
Therefore the functional relationships between the process parameters and any malfunctions of the computer must be analyzed in advance so that they can be recognized in time by emergency stop controls controlled in this manner.
The complexity of systems of this kind therefore presupposes a full measure of external accessory equipment in order to be able to detect all probable eventualities in a timely manner in order to be able to execute the necessary emergency stop.
The object of the invention is to further develop the known device such that a processor circuit with increased operation reliability is realized while maintaining the safety requirements and at the same time having increased possibilities for application in industry.
The invention provides the advantage that without loss of computer performance and with low costs, the operating reliability of the computer is disproportionately increased.
The disproportionate increase is based on the fact that the probability of simultaneous loss of two processors is less by an order of magnitude than the probability of the loss of a single processor.
Since the invention can be used with processors of any kind, thus also with input/output processors, processing processors, and mathematical co-processors, there is the additional advantage that in a targeted manner, it is possible to provide only certain types of processors in a computer with the increased operating reliability.
What types of processors are affected in an individual instance can be determined based on design criteria. The process according to the present invention in any case is independent of the type of the particular affected processor.
This advantage is realized in that two processors of the same construction, operated parallel to each other in a single computer, are connected to a functional module clocked simultaneously with the processors, whereby the operating control of the two processors takes place through comparison of the synonymous output signals simultaneously with their occurrence and whereby the output signals are combined into a single output signal for the peripheral equipment.
Accordingly it is significant for the invention that the two processors are operated parallel to each other. The operating speed is specified by a single clock pulse generator for the entire system. The clock pulse signals of the clock pulse generator are conditioned parallel such that the signals CPU clock, anti-jitter, and time-out are generated in a time-delayed manner.
Each processor receives its command for executing a given computational step from the signal CPU clock. An output signal results from the computational step within a predetermined time. The output signal is transmitted to the functional module through the bus line assigned to each processor. There a check is made to determine whether the two synonymous output signals lie within the specified manufacturing-related tolerance fields which occur in processors which otherwise are of the same construction.
It is accordingly of essential significance for the invention that the checking of the synonymous output signals take place simultaneously with their occurrence. The invention makes it possible to check the signal synchronously during that time in which the like output signals are output at the same signal level over the bus lines. In the case of the presence of two like and synonymous signals, that control signal is generated which should be used for driving the peripherals.
For this purpose, anti-jitter and time-out signals are generated which are time-delayed to the CPU clock signal. The time delay is necessary in order to take into account signal travel time from the processor to the functional module and at the same time to take into account component-tolerance-based time delay between the output signals of the two processors.
The "anti-jitter" signal is generated from the signal of the clock pulse generator. Since each clock pulse has a signal with a rising and a falling edge, a short pulse can be generated from the rising edge or from the falling edge, the running time of which is only a fraction of the time interval between two successive clock pulses. The short pulses produce a sequence of pulses which are designated here as the "anti-jitter" signal.
Each pulse of the anti-jitter signal is used to query the synonymous output signals of the processors for identity. Accordingly, each pulse of the anti-jitter signal will trigger the check of equality if the two processors have identical output signals taking into account the component-tolerance-based time delay.
At a point in time at which the synonymous signals of the two processors, after running through all of the component-tolerance-based differences, must finally be equal, equality is tested with the pulse of the time-out signal. If at this inquiry, independent of the actual signal level being 0 or 1, it is determined that the signals which are expected to be synonymous are unlike, a "procedure error" display signal is triggered.
Therefore with a device of this kind, the component-tolerance-based time delay of processors can only be evaluated according to two criteria. The first criterion checks whether the time delay is still acceptable. This would make the output signals capable of being evaluated. The second criterion checks whether the time delay is no longer acceptable. The time-out signal would then become active and a corresponding procedure error is displayed.
It is therefore of special significance that, with the present invention, monitoring takes place through the functional module during the processing pulses of the two processors, it being possible during the monitoring for the two processors to be operated at full working speed. This is made possible in that the monitoring of the output signals takes place as long as the synonymous signals of the two processors have matching signals.
If the synonymous signals of the two processors are applied to the inputs of an EXOR gate, the signal "0" is present at the output of the EXOR gate as long as a matching signal level is applied at the two inputs.
The desired output signal of the signal linkage can be generated with an OR or with an AND gate. Then the output signal would be present for as long as the time differential between the arrival of the first output signal of the leading processor and the end of the output signal of the trailing processor. In a specialized further development, the anti-jitter signal is clocked with such a large time delay that the same signal levels of the output signals of the processors in each case must occur within two successive clock pulses of the anti-jitter signal, to the extent both processors are functioning properly. In this process, unlike levels of output signals are immediately obvious to the extent they lie outside of the component tolerances of the processors. Therefore errors in the functional procedure in one of the two processors become immediately obvious, because within the clock pulse of the anti-jitter signal, like signal levels are expected from synonymous signals. As a result, the checking of the output signals can occur in a first stage (=anti-jitter) in that the output signals of the processors are decoupled from each other electrically and are linked to a test signal which is scanned by the edge signal (=anti-jitter) at its specified time-delayed clock pulses. In so doing, the particular scanned test signal is held stable until the next scanning point by an output memory, and the signal which is held stable is evaluated as output signal for the peripherals.
The electrical decoupling can take place across an OR gate or across an AND gate.
With the use of an OR gate, the average current consumption of the bus signal line is less than with the use of an AND gate.
Nevertheless, AND gates may also readily be used for the invention.
In a second stage (=time-out), the output signals of the two processors are simultaneously queried for equality at points in time, at which the same signal levels of the output signals must be present with consideration for the known component tolerances. Since the output signals are present in each case in pairs, the procedure error signal can be outputted in the event of signal level deviation of even a single pair of output signals.
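The two-stage check described above can be modelled in software as follows. This is an added example, not part of the original specification: the tick offsets of the anti-jitter and time-out pulses, the 8-line bus width and all names are assumptions chosen for illustration, and the sample cycles are constructed.

```python
# Added illustration: tick offsets, bus width and names are assumptions.
from dataclasses import dataclass

BUS_MASK = 0xFF  # assumed: 8 paired bus lines


@dataclass
class Cycle:
    value_a: int  # word processor A drives after this CPU clock pulse
    value_b: int  # word processor B drives (the synonymous signals)
    delay_a: int  # ticks until A's outputs reach the functional module
    delay_b: int  # ticks for B; differs from A by component tolerance


def level(prev, new, delay, t):
    """Bus level t ticks after the CPU clock: old word until the delay has passed."""
    return new if t >= delay else prev


def functional_module(cycles, anti_jitter_t=4, timeout_t=5, link="or"):
    """Return one (latched_output, mismatch_mask) pair per CPU clock pulse."""
    prev_a = prev_b = 0
    results = []
    for c in cycles:
        # Stage 1 (anti-jitter): link the decoupled outputs through an OR or
        # AND gate, scan the result and hold it in the output memory.
        a = level(prev_a, c.value_a, c.delay_a, anti_jitter_t)
        b = level(prev_b, c.value_b, c.delay_b, anti_jitter_t)
        latched = ((a | b) if link == "or" else (a & b)) & BUS_MASK
        # Stage 2 (time-out): EXOR every signal pair at once; any set bit
        # marks an unlike pair and raises the procedure error.
        a = level(prev_a, c.value_a, c.delay_a, timeout_t)
        b = level(prev_b, c.value_b, c.delay_b, timeout_t)
        results.append((latched, (a ^ b) & BUS_MASK))
        prev_a, prev_b = c.value_a, c.value_b
    return results


# Constructed input: a clean pulse, a corrupted bit, an out-of-tolerance delay.
SAMPLE = [
    Cycle(0x3C, 0x3C, 1, 3),  # skew within tolerance: outputs agree
    Cycle(0x5A, 0x5B, 2, 2),  # one bus line differs (e.g. induced voltage)
    Cycle(0x0F, 0x0F, 1, 7),  # B settles after the time-out pulse
]

if __name__ == "__main__":
    for n, (out, diff) in enumerate(functional_module(SAMPLE)):
        print(f"pulse {n}: output={out:#04x} error={diff != 0} lines={diff:#010b}")
```

The mismatch mask identifies which signal pairs disagreed at the time-out pulse; a non-zero mask corresponds to the procedure error signal.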