Error detection/correction and fault detection/recovery – Data processing system error or fault handling – Reliability and availability
Reexamination Certificate
2001-01-16
2004-02-17
Beausoliel, Robert (Department: 2184)
Error detection/correction and fault detection/recovery
Data processing system error or fault handling
Reliability and availability
C714S012000, C714S048000
Reexamination Certificate
active
06694449
ABSTRACT:
BACKGROUND OF THE INVENTION
Field of the Invention
The invention lies in the field of microelectronics. The invention relates to a processor device that contains a clock generation unit, a processor unit, a main memory, and a processor bus set up as a data and address bus for the processor unit and the main memory.
Processor devices of the aforementioned type are used for controlling various technical systems, such as call processing systems in a telephone network. Depending on the area of application, the processor device has additional, application-specific components that are controlled by the processor device and that possibly even control other, external components in turn.
In many applications, including in the aforementioned call processing systems, a particular level of error immunity is required for security-related reasons. To achieve the error immunity, the fundamental hardware parts within the processor system of the application controller are duplicated. Thus, the processor system contains two identical versions of a processor device, one of which carries out the tasks of the processor system as the active device while the other device is passive and operates in idle mode, or in parallel in a “tandem mode.” On the active side, error occurrence is monitored during operation. In the event of an error in the active device, the passive device automatically takes up operation, with the intent that the changeover takes place in as uncomplicated a fashion as possible and without the user noticing. The now passive device can then be serviced or replaced without the need for concern that operation, which is assured by the now active device, might be interrupted.
If, in particular cases, the requirements of system security are very high and duplication is no longer sufficient, the processor device may also be implemented a plurality of times within the processor system, one of the devices always being active while the others are passive. In such a case, the monitoring and the order of the reciprocal enabling of the processor devices may be cyclical, for example. The duplicated case can easily be generalized to the more general case of multiplication by a person skilled in the art and, for the sake of brevity, such generalization is always dealt with in parallel without any mention below when discussing duplicated systems, unless express reference is made to the contrary.
In prior art methods, the passive side is updated at the instant of changeover. In this context, the passive processor device first changes to the operating state when an error has occurred on the part of the active processor device, as far as possible adopts the status of the active processor device, e.g., the content of the main memory, and then continues operation. The process is naturally associated with a markedly perceptible interruption in operation, and, in many cases, individual areas of operation or even the whole of operation need to be terminated completely and restarted. In a switching office, for example, such steps mean a temporary or permanent interruption in a data link or message transmission.
International PCT publication WO 94/08292 describes a duplicated processor control unit including two identical, interconnected control units each having a processor unit, a RAM data memory, and peripheral circuits. Each processor unit is set up to establish whether or not it is active or in standby mode. The active processor unit performs the write cycles on the RAM synchronously in the two duplicated RAMs or in one of the two RAMs. The standby unit remains in standby until it is called on account of a fault in the active unit, in which it replaces the previously active unit. The two processor units are additionally connected through a synchronous communication channel produced using dedicated modules. The communication channel is used by the active processor unit when carrying out particular activities, e.g., monitoring processes and error diagnosis processes, which it carries out on the standby unit.
The activities of the two processor units disclosed in International PCT publication WO 94/08292 are, thus, essentially asymmetrical, with the communication channel being used to shift processes from the active unit to the standby unit, the peripheral components, including the main memory, essentially being accessed only by the active processor unit. Hence, in the absence of any comparison with a second processor unit running in parallel, for example, a malfunction in the active processor unit results in the main memory having incorrect information written to it or in faulty states in the peripherals, which states first need to be re-corrected after changeover to the previous standby unit.
Each of the two processor units in International PCT publication WO 94/08292 is additionally equipped with two microprocessors operating in microsynchronized mode. The microsynchronism of the two microprocessors is monitored by a comparator block that monitors the identity of the address, data, and control signals of the two processors at each instant; any discrepancy is interpreted as a fault in the relevant processor unit. An error in the microsynchronous operation of the microprocessor pair thus produces an interrupt signal or reset for the whole processor unit. Operation of the processor unit based on just one of the two microprocessors is not possible. Furthermore, duplication of the microprocessors within a processor unit produces a “tandem unit,” not, however, inherently independent processor devices with a respective dedicated main memory and processor bus comparable with a processor device in accordance with the subject matter of the present invention. In addition, the microsynchronism of the microprocessors that is disclosed in International PCT publication WO 94/08292 is established on an entirely different structural level as compared with the processor units.
German Published, Non-Prosecuted Patent Application DE 40 05 321 A1, discloses an error-tolerant computer system having two redundant computer units. The activities of the two computer units are also asymmetrical because, respectively, one computer unit is operational and writes to the main memories in both units, while the other is available as a backup switching unit. Microsynchronous parallel operation between the processors in the two computer units is expressly excluded in German Published, Non-Prosecuted Patent Application DE 40 05 321 A1.
The article by H. J. Lohmann in Elektron. Rechenanlagen 22 (1980), pp. 229-236, discloses a microcomputer system including two microcomputers of identical configuration for producing output signals to control railway signal equipment. The microcomputers each produce an output signal; the two output signals are supplied to the actuating circuits through converters. The microcomputer clock signals are produced separately for each of the two microcomputers in a respective control pulse generator. After each processing clock step, a monitoring pulse transmitted by the control pulse generators causes the output signals to be compared. The control pulse generators then trigger the next clock step only if the respective no-error message has been received correctly. The configuration imposes reliable correspondence verification after each processing step. If a disparity arises, the no-error messages are not sent and the control pulse generators do not trigger another clock step; consequently, the actuating circuits switch to a de-energized state.
As is clear from the above, the output signals in the system according to H. J. Lohmann are compared; a reciprocal check on an internal state of the processor devices is not possible. Another disadvantage to the system according to H. J. Lohmann is that the speed of the microcomputer system is markedly reduced because a complete check on the output signals is performed before each processing step. In addition, the microcomputer system is configured only for simultaneous operation of the two microprocessors—much like the microprocessor pair in a respective processor unit i
Ghameshlu Majid
Kainrath Wolfgang
Knecht Stephan
Beausoliel Robert
Greenberg Laurence A.
Mayback Gregory L.
Siemens Aktiengesellschaft
Stemer Werner H.
LandOfFree
Duplicable processor device does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Duplicable processor device, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Duplicable processor device will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-3308411