It is well known to provide electronic systems with redundant elements so as to insure continuing operation should one or more of the elements fail. With electronic systems which are controlled by a programmable element such as a computer, this system may include two or more computers plus suitable control circuitry for monitoring failures and controlling the computer outputs in response to a failure.
Typical electronic systems that require the added security of redundant computers are (1) on-line data processing systems as are used, for example, in banking, travel reservations and time sharing systems; (2) real time electronic control systems as are used in chemical plants, utility power systems, and in air and spacecraft; and (3) telecommunications systems such as telephone exchanges, packet switching systems, satellite relay stations and the like. With many other system applications, redundancy may not be necessary but it may be desirable in instances where it is costly when the electronic system is idle.
There are basically two types of operation for redundant computers: (1) systems in which all the computers are run synchronously and process the same input information so that all the computers have exactly the same memory states and status at any given moment of time; and (2) systems in which one computer is operated in an active mode and one or more other computers are maintained in a "hot standby" mode in readiness to take over the tasks of the active computer if this computer should fail.
The German Auslegeschrift No. 2 005 310 discloses a circuit arrangement for monitoring two, redundant elements VE1 and VE2 of a telecommunications exchange which are operated synchronously and in parallel so that the signals appearing in both their inputs and their outputs are (or should be) equal. With this known arrangement, the output signals of the two exchange elements are monitored by a comparator V which produces an output signal if the signals at any two corresponding outputs of the exchange elements are unequal. The output signal of the comparator V is supplied to a reset gate RT that passes a reset signal e0 to the two exchange elements VE1 and VE2 causing these elements to repeat the operating steps which led to the failure. Further testing devices P1 and P2 monitor the outputs of the exchange elements VE1 and VE2 and produce an output alarm signal if the expected output signals of the exchange elements fail to appear. This alarm signal serves to switch off the respective exchange element via a control switch S1 or S2, and inhibits the operation of the gate RT so that the output signal from the comparator V will not be supplied as a reset signal e0. The presence of the alarm signal is also indicated by an indicator lamp, SI1 or SI2.
Whereas a redundant electronic system of this type operates with the desired degree of security, the use of two identical exchange elements operating in synchronism has two disadvantages:
(1) Although simple hard-wired systems may be easily synchronized, it becomes more difficult to synchronize systems as these systems become more complex. With software controlled systems, in particular, there is a randomness in the amount of time that the system takes to execute a specific task. As a result, the systems will seldom operate exactly in synchronism and, consequently, will not have the identical memory states at any given moment in time. Consequently, if one redundant computer should fail, the other cannot immediately take over.
(2) Another disadvantage is that, while only one unit is actually required to execute the application tasks, the additional, redundant unit or units are totally occupied by the synchronous operation and are not permitted to perform any other, less critical tasks.
These disadvantages are overcome by an electronic system in which one computer is operated in an active mode to perform all critical tasks whereas the other, redundant computer or computers are operated in a standby mode and are allowed to carry out less critical tasks such as routine "housekeeping". The German Pat. No. 2,056,535 discloses such a system in which a telecommunication (telephone) exchange is centrally controlled by either a main computer BR or a standby (reserve) computer RR. The main computer normally serves to carry out, by itself, all the required processing for operation of the exchange with the aid of certain fixed data stored in its memory. The other computer RR is operated in a standby mode and takes over for the active computer BR when this active computer becomes inoperable for any reason. During normal operation, the standby computer RR is allowed to carry out routine tasks,such as error detection, which are not critical to the service provided by the exchange.
The aforementioned patent is concerned with the manner in which fixed data, such as telephone numbers and the like, are changed in the memories of both the active and standby computers. It is assumed that these two computers operate with fixed, rather than variable data so that the computer memories do not require continual updating during operation of the exchange.