This invention relates to a method for controlling the bootstrap loading of the operating system in a fault tolerant system. One type of fault tolerant computer system comprises two distinct computing zones that operate in lockstep synchronism as a single system during normal operation. During such lockstep operation, both zones ideally perform the same operations, read identical data and provide identical outputs. Each zone is also capable of independent operation. Independent operation of a zone normally occurs when one zone is removed from service for repair or is otherwise unable to operate.
While that zone is down, the other zone continues to run a user's application under control of the operating system. It is critical that upon its return to service, the repaired zone not be permitted to bootstrap load a separate copy of the operating system. If the repaired zone were permitted to load a separate copy of the operating system, data corruption problems would occur. Running two independent copies of the operating system would cause the respective zones to read and write data not appropriate to the current operation of the fault tolerant system. This result runs counter to the basic requirement that the two computing zones operate in lockstep synchronism.
It is therefore important to provide a method for ensuring that the two computing zones of a fault tolerant system operate from a single copy of the operating system.
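The following is an added illustration, not the method of this invention: a toy model of the two-zone system in which a zone returning from repair first checks whether its partner is already running the operating system and, if so, joins that copy in lockstep instead of bootstrap-loading its own. The zone state machine, the boot gate rule and the OS image numbering are assumptions made for the example; running the repair cycle with and without the gate shows how the ungated case ends with two independent operating system copies, the condition the text identifies as the source of data corruption.

```python
"""Toy model of boot control for a two-zone lockstep system.

Added illustration, not the patent's method: the zone state machine and the
gate rule below are assumptions chosen to show why a returning zone must join
the running operating system rather than bootstrap-load a second copy.
"""
import itertools
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class ZoneState(Enum):
    DOWN = "down"              # removed from service for repair
    RUNNING_OS = "running_os"  # running a copy of the OS independently
    LOCKSTEP = "lockstep"      # running in synchronism with the partner zone


@dataclass
class Zone:
    name: str
    system: "LockstepSystem"
    state: ZoneState = ZoneState.DOWN
    os_copy: Optional[int] = None      # which OS image this zone executes
    partner: Optional["Zone"] = None
    log: list = field(default_factory=list)

    def partner_running(self) -> bool:
        return self.partner is not None and self.partner.state is not ZoneState.DOWN

    def remove_from_service(self) -> None:
        """Take this zone down; a partner in lockstep carries on alone."""
        self.state, self.os_copy = ZoneState.DOWN, None
        if self.partner.state is ZoneState.LOCKSTEP:
            self.partner.state = ZoneState.RUNNING_OS

    def return_to_service(self, gate_boot: bool = True) -> ZoneState:
        """Bring the zone back. With gate_boot, it never bootstrap-loads a
        second OS copy while the partner already runs one (assumed rule)."""
        if gate_boot and self.partner_running():
            self.os_copy = self.partner.os_copy        # share the live image
            self.state = self.partner.state = ZoneState.LOCKSTEP
            self.log.append(f"{self.name}: joined OS#{self.os_copy} in lockstep")
        else:
            self.os_copy = self.system.new_image()     # bootstrap-load a fresh copy
            self.state = ZoneState.RUNNING_OS
            self.log.append(f"{self.name}: bootstrap-loaded OS#{self.os_copy}")
        return self.state


class LockstepSystem:
    """Two zones wired as partners, plus a counter for loaded OS images."""

    def __init__(self) -> None:
        self._images = itertools.count(1)
        self.a, self.b = Zone("zone-A", self), Zone("zone-B", self)
        self.a.partner, self.b.partner = self.b, self.a

    def new_image(self) -> int:
        return next(self._images)

    def distinct_os_copies(self) -> int:
        """More than one live OS copy is the data-corruption hazard."""
        return len({z.os_copy for z in (self.a, self.b) if z.os_copy is not None})


def repair_cycle(gate_boot: bool) -> dict:
    """Bring up both zones, take zone-A out for repair, then return it."""
    sys_ = LockstepSystem()
    sys_.a.return_to_service()            # first zone up: nothing to join, so it boots
    sys_.b.return_to_service()            # second zone joins the first in lockstep
    sys_.a.remove_from_service()          # zone-A down; zone-B runs alone
    sys_.a.return_to_service(gate_boot)   # the return-to-service case in the text
    return {
        "distinct_os_copies": sys_.distinct_os_copies(),
        "states": (sys_.a.state.value, sys_.b.state.value),
        "log": sys_.a.log + sys_.b.log,
    }


if __name__ == "__main__":
    for gate in (True, False):
        print(f"gate_boot={gate}: {repair_cycle(gate)}")
```

With the gate, the repaired zone ends in lockstep on the single image its partner kept running; without it, the system finishes with two zones each running its own copy, which is exactly the divergence the text warns against.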