GB2172722A - Backup control system (bucs) - Google Patents
Backup control system (bucs) Download PDFInfo
- Publication number
- GB2172722A GB2172722A GB08606033A GB8606033A GB2172722A GB 2172722 A GB2172722 A GB 2172722A GB 08606033 A GB08606033 A GB 08606033A GB 8606033 A GB8606033 A GB 8606033A GB 2172722 A GB2172722 A GB 2172722A
- Authority
- GB
- United Kingdom
- Prior art keywords
- software
- backup
- fault
- memory
- primary
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/14—Error detection or correction of the data by redundancy in operation
- G06F11/1479—Generic software techniques for error detection or fault masking
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B9/00—Safety arrangements
- G05B9/02—Safety arrangements electric
- G05B9/03—Safety arrangements electric with multiple-channel loop, i.e. redundant control systems
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/16—Error detection or correction of the data by redundancy in hardware
- G06F11/1666—Error detection or correction of the data by redundancy in hardware where the redundant component is memory or memory area
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/16—Error detection or correction of the data by redundancy in hardware
- G06F11/18—Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Quality & Reliability (AREA)
- General Engineering & Computer Science (AREA)
- Automation & Control Theory (AREA)
- Safety Devices In Control Systems (AREA)
- Hardware Redundancy (AREA)
Description
1 GB2172722A 1
SPECIFICATION
Backup control system (BUCS) Technical Field The invention relates to techniques for responding to software errors, especially in life critical systems such as aircraft control.
Background of the Invention
Continued proper operation of a digital sys- tem following a software fault is highly desir able in modern computer systems and be comes mandatory in a life critical digital sys tem, such as those employed in aircraft pri mary fliqht control systems. A software error may manifest itself by the processor becom ing mired within the program and not complet ing its tasks, or by the processor completing its tasks too rapidly by not executing all of its program. Redundant hardware and voting schemes provide hardware fault protection but do not provide safeguards against software faults when the redundant computers are pro grammed with identical software. Thus, each of the redundant channels can suffer the same software fault, at virtually the same instant.
The present state of the art in software verifi cation and validation does not provide any tool or technique which can guarantee the ab- 95 sence of software faults; on the contrary, ex perience has shown that software errors con tinue to exist even in exhaustively verified and validated software.
Backup systems have been provided by sim- ple analog systems, additional digital systems which are dissimilarly programmed, or by me chanical means. Reversion to these backups generally occurs following disagreement be tween the redundant channels of the prime digital system. These backup systems require significant additional hardware with the atten dant disadvantages of cost, weight, power de mand and heat dissipation. The analog and mechanical backups are additionally con strained to be simple derivatives of t ' he usually highly complex and nonlinear implementation of the prime digital system.
Disclosure of the Invention
It is an object of the invention to provide a means of continuing the proper operation of a digital computer system in the presence of a software error with minimal additional hard ware.
According to the invention, a backup soft ware program is installed in an isolated por tion in the memory of at least one of the redundant computers. The second program performs basically the same functions as the prime program but is dissimilarly programmed to avoid a common software error. Switcho ver to the second program occurs either auto matically, or manually by the operator (i.e. pi lot) when he detects an anomaly. Automatic 130 switchover is initiated when at least n-1 (in a system having n levels of redundancy) computer monitors indicate a software fault condition. The computer monitors may be duty cy- cle timers which detect a computer cycling improperly (too long or too short), reasonableness testers, analog comparision models, or a combination of these types. Complexity and sophistication of the monitors will vary for particular applications but, in general, the monitors must be implemented in hardware to preclude their being rendered ineffective by the common software faults they are intended to discover. The assembler or compiler used to assemble/compile the backup mode program is also dissimilarly programmed to eliminate possible assembler/compiler faults as a source of common mode software faults.
Other objects, features, and advantages of the invention will become more apparent in light of the following description thereof.
Brief Description of the Drawings
Fig. 1 is a block diagram of a control sys- tem employing the invention; Fig. 2 is a schematic of a monitor for the invention; and Fig. 3 is a block diagram detailing a portion of the invention.
Best Mode for Carrying Out the Invention
In Fig. 1 is shown a computer based control system (10) having four computer channels AD. Each channel has a processor section 12, associated input/output hardware 14, and memory 16. The memory 16 is divided into two portions. A portion 18 contains primary software which is accessed during normal system operation. A portion 20 contains dis- similar backup software, and is accessed only upon failure of the primary software. A monitor 22, is operable to determine failure of the primary software. The monitor 22 is, for example, a duty cycle timer, resonableness tester, or analog comparison model.
The four channels A-D are redundant; that is, each contains copies of the primary and backup software in their respective memories 16. The computer system 10 implements a voting scheme in either hardware or software, such as is known, to output the most appropriate selected signal to a controlled device 24, such as the control surface actuators of an aircraft, in response to inputs 26, such as signals from a pilot or sensors. It should be understood that the invention is applicable to any number of channels, and that the backup software could be installed in only one channel.
Fig. 2 details a typical -monitor 22 used in each channel of the computer system 10, for instance the channel A, which is representative of the monitors 22 in channels B, C, and D. An OR gate 30A (the "A" suffix indicates association with channel A) is responsive to 2 GB2172722A 2 signals from a watchdog timer 32A, a short duty cycle timer 34A, and a signal on a line 36A, indicative of other protective conditions; any of which will cause the OR gate 30A to provide a signal on a line 40A that will shut down the power to channel A. A relay 42A for the channel A trips in response to the signal on the line 40A to shut down the channel A. Similar OR gates 3013-301) and relays 4213-42D are provided for the other channels B-D. The switching logic for the monitors 22 should be implemented in.hardware so that they are independent of software faults.
A switching section 44A includes two con- tact sets 46A-46D, 48A-48D from each relay 42A-42D, arranged as shown so that any three channel failures will generate a signal on a line 48A to an AND circuit 50A.
Another switching section 52A includes a third contact set 54A-54D from each relay 42A42D arranged in parallel so that the failure of any one channel starts a timer, such as an integrator 56A driving a comparator 58A, so that until a predetermined interval of time (T,,,) has elapsed, indicative of the time within which a common mode software failure would be experienced in all channels, a signal is provided to the AND circuit 50A. (The timer 56A may be reset for conditions such as rotor brake---ON---.) If it is judged that a common mode failure is not a near simultaneous event, then T,,, can be set to infinity. This will permit the backup software to be engaged whenever n-1 out of n severs occur.
The AND circuit 50A is only responsive to the signals from the switching section 44A and the comparator 58A to provide a signal on a line 60 when the flight critical system is active (such as might be sensed by a rotor brake release signal in a helicopter embodiment) as indicated by a signal on a line 61 (common to all channels A-D).
A switching section 64A includes a contact set 66A-66D from each relay 42A42D ar- ranged in series so that a signal is output on a line 68A in response to a software failure in all four channels A-D.
An OR gate 70A is responsive to the output of the AND gate 50A and to the output of the switching section 64A to provide a signal on a line 72A which will initiate the backup mode of operation based on either contingency. The signal on the line 72A is also provided in response to a manual over- ride signal on a line 73 to the OR gate 70A.
The signal on the line 72A will proceed to the channel A as a nonmaskable hardware in terrupt signal on a line 73A if an AND circuit 74A is armed by an arming signal on a line 76A to its input. The nonmaskable hardware 125 interrupt request is issued to each channel A D, whereupon the CPU 12 will complete what ever instruction it is currently executing before acknowledging the nonmaskabie interrupt. The hardware transfer logic will respond to the nonmaskable interrupt by switching to the backup memory bank. The CPU will then begin "servicing the interrupt" at the prescribed memory location in the backup memory. The interrupt service routine in this case will actually be the backup software. This switchover logic accomplishes a unified switchover of the processor at a known processor state and to a known location in the backup memory. It is necessary that the backup system reinitialize the system, for instance by reinitializing. Suspect fault conditions could also be reset, since they could be faulty indications of the malfunctionary software. It is also desirable to synchronize the commands computed to actuator positions (in an aircraft) to minimize transients, and then blend over a period of time to the backup memory commands.
In a system such as a, n aircraft control sys- tem, the backup software can be a simplified control law. Generally, the simpler the control law is, the easier it is to verify and validate. The backup software can be installed in all of the computers, but it may be preferable to install it in only one, thereby avoiding voting schemes and other complications in the event of switchover to the backup software.
The backup system requires limited additional input/output interfaces, digital logic cir- cuitry, and new software for each channel that it is installed in.
When the pilot arms the Backup Mode (76A), the FCS (Flight Control System) will continue to operate in the normal mode until any one or more of the following conditions occur: 1. The pilot initiates a backup transfer. 2. n-1 control system channels output sever after the prescribed time interval T,,,. 105 3. n control system channels output sever. The Backup mode transfer logic selects from the aforementioned condition list any active requesting condition, signal to drive a nonmaskable interrupt request to the processor(s) in the channel. The reaction to the nonmaskable interrupt can be thought of as causing a jam transfer to the backup memory for instructions. The same transfer process will be separately occurring in the other channels.
With reference to Fig. 3, each channel will respond to the NNI via a hardware interrupt 80 which will cause the following sequential actions to occur:
1. The memory bank will be switched from the prime memory bank 82 to the backup memory bank 84; 2. The proper starting address of the backup software (residing in the backup memory bank) will be transferred into program counter 86; and 3. The CPU 88 will execute its next instruction from the starting address of the backup program now stored in the program counter.
Claims (5)
- 3 GB2172722A 3 1. A method of providing backup control for a software-based control system in the event of a software fault, comprising:installing primary software in memory; installing dissimilarly designed backup software in an isolated portion of memory; executing the primary software in a normal mode of operation; sensing a fault in the primary software; executing the backup software in response to the sensed fault.
- 2. A method according to claim 1, comprising; providing a nonmaskable interrupt request in response to the sensed fault; completing whatever instruction is being executed in the primary software when the nonmaskable interrupt request is provided, and then acknowledging the nonmaskable interrupt request; and executing the backup software in response to the nonmaskable interrupt request.
- 3. A method according to claim 1, comprising jam-transferring to the isolated portion of memory in response to the sensed fault.
- 4. A method according to claim 1 wherein the backup software is simplier than the primary software.
- 5. A method according to claim 1, for a redundant computer system having n-channels, comprising:installing identical copies of primary software in each channel of memory; installing dissimilar backup software in an isolated portion of at least one channel's memory; executing the primary software in a normal mode of operation; sensing a fault in the primary software; and executing the backup software in response to the sensed fault.Printed in the United Kingdom for Her Majesty's Stationery Office, Did 8818935, 1986, 4235. Published at The Patent Office, 25 Southampton Buildings, London, WC2A 1 AY, from which copies may be obtained.
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US71513285A | 1985-03-22 | 1985-03-22 |
Publications (3)
| Publication Number | Publication Date |
|---|---|
| GB8606033D0 GB8606033D0 (en) | 1986-04-16 |
| GB2172722A true GB2172722A (en) | 1986-09-24 |
| GB2172722B GB2172722B (en) | 1989-06-28 |
Family
ID=24872788
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| GB8606033A Expired GB2172722B (en) | 1985-03-22 | 1986-03-12 | Backup control system (bucs) |
Country Status (5)
| Country | Link |
|---|---|
| JP (1) | JPS61221903A (en) |
| DE (1) | DE3609267A1 (en) |
| FR (1) | FR2579339B1 (en) |
| GB (1) | GB2172722B (en) |
| IT (1) | IT1188453B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP0265366A3 (en) * | 1986-10-24 | 1990-05-16 | United Technologies Corporation | An independent backup mode transfer method and mechanism for digital control computers |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| GB1560554A (en) * | 1976-03-10 | 1980-02-06 | Smith Industries Ltd | Control systems |
| GB2104247A (en) * | 1981-07-13 | 1983-03-02 | Nissan Motor | Automatic control of i c engines in vehicles |
| EP0096510A2 (en) * | 1982-06-03 | 1983-12-21 | LUCAS INDUSTRIES public limited company | Control system primarily responsive to signals from digital computers |
Family Cites Families (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JPS5255347A (en) * | 1975-10-30 | 1977-05-06 | Nippon Denso Co Ltd | Fail-safe system of control computer |
| US4404647A (en) * | 1978-03-16 | 1983-09-13 | International Business Machines Corp. | Dynamic array error recovery |
| DE3133304A1 (en) * | 1981-08-22 | 1983-03-03 | Robert Bosch Gmbh, 7000 Stuttgart | Method for increasing the reliability of semiconductor memories in motor vehicles |
| JPS598004A (en) * | 1982-07-07 | 1984-01-17 | Hitachi Ltd | Fail-safe circuit |
| JPS6091401A (en) * | 1983-10-24 | 1985-05-22 | Mazda Motor Corp | Car controller |
| US4787041A (en) * | 1985-08-01 | 1988-11-22 | Honeywell | Data control system for digital automatic flight control system channel with plural dissimilar data processing |
-
1986
- 1986-03-12 GB GB8606033A patent/GB2172722B/en not_active Expired
- 1986-03-18 IT IT19782/86A patent/IT1188453B/en active
- 1986-03-19 DE DE19863609267 patent/DE3609267A1/en not_active Ceased
- 1986-03-20 JP JP61063839A patent/JPS61221903A/en active Pending
- 1986-03-21 FR FR868604061A patent/FR2579339B1/en not_active Expired - Lifetime
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| GB1560554A (en) * | 1976-03-10 | 1980-02-06 | Smith Industries Ltd | Control systems |
| GB2104247A (en) * | 1981-07-13 | 1983-03-02 | Nissan Motor | Automatic control of i c engines in vehicles |
| EP0096510A2 (en) * | 1982-06-03 | 1983-12-21 | LUCAS INDUSTRIES public limited company | Control system primarily responsive to signals from digital computers |
Non-Patent Citations (1)
| Title |
|---|
| COMPUTER VOL 17 NO.8 AUGUST 1984 PP 67-80 * |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP0265366A3 (en) * | 1986-10-24 | 1990-05-16 | United Technologies Corporation | An independent backup mode transfer method and mechanism for digital control computers |
Also Published As
| Publication number | Publication date |
|---|---|
| IT8619782A0 (en) | 1986-03-18 |
| JPS61221903A (en) | 1986-10-02 |
| GB2172722B (en) | 1989-06-28 |
| IT1188453B (en) | 1988-01-14 |
| IT8619782A1 (en) | 1987-09-18 |
| GB8606033D0 (en) | 1986-04-16 |
| FR2579339A1 (en) | 1986-09-26 |
| DE3609267A1 (en) | 1986-10-09 |
| FR2579339B1 (en) | 1992-09-18 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US4890284A (en) | Backup control system (BUCS) | |
| Sklaroff | Redundancy management technique for space shuttle computers | |
| AU711419B2 (en) | Fault resilient/fault tolerant computing | |
| RU2237276C1 (en) | System for controlling drives in a plane | |
| US4270168A (en) | Selective disablement in fail-operational, fail-safe multi-computer control system | |
| JP2552651B2 (en) | Reconfigurable dual processor system | |
| US20060200278A1 (en) | Generic software fault mitigation | |
| EP1703401B1 (en) | Information processing apparatus and control method therefor | |
| JP3255693B2 (en) | Automotive multi-computer system | |
| CA2336045C (en) | Controller or engine controller, engine and method for adjusting a control or drive system or an engine | |
| EP2325751B1 (en) | Architecture using integrated backup control and protection hardware | |
| JPS61128339A (en) | Automatic fleight controller | |
| US4345191A (en) | Two/one (2/1) fail operational electrohydraulic servoactuator | |
| WO1984000071A1 (en) | Autopilot flight director system | |
| KR20020063237A (en) | Systems and methods for fail safe process execution, monitering and output conterol for critical system | |
| US5818892A (en) | System and method for controlling control rods of a nuclear power plant | |
| CN106054852A (en) | Architecture for scalable fault tolerance in integrated fail-silent and fail-operational systems | |
| JPH07334382A (en) | Multi controller system | |
| US5128943A (en) | Independent backup mode transfer and mechanism for digital control computers | |
| GB2172722A (en) | Backup control system (bucs) | |
| KR101371891B1 (en) | Calculation module and operation method for nuclear plant safety system | |
| EP0265366B1 (en) | An independent backup mode transfer method and mechanism for digital control computers | |
| JP2001306348A (en) | Redundant information processing system | |
| JP3370387B2 (en) | Abnormality countermeasure method in a multi-CPU vehicle control computer system | |
| Murphy et al. | Backup control system (BUCS) |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PCNP | Patent ceased through non-payment of renewal fee |
Effective date: 19960312 |