Section 1 Introduction PM861/PM864/TP830 Processor Unit – Redundancy
3BSE 027 941 R301 37
Fault Tolerance Principle
The principle of fault tolerance in the redundant processor units is based on
continuous updating of the backup unit to the same status as the primary unit. This
enables the backup unit to assume control without affecting surrounding systems in
a bumpless manner.
This principle involves dynamic division of the program execution into execution
units and the creation of rollback points at which the processor unit’s status is
completely defined.
In this context, the processor unit’s total status is defined as the processor unit’s
internal status, that is, the contents of the processor registers, plus the contents of the
data memory.
The backup unit’s status is updated each time the primary unit passes a rollback
point, enabling the backup unit to resume program execution from the last rollback
point passed, should the primary unit fail due to error.
In order to minimize the amount of information involved in the update, the backup
unit is updated only with the changes taking place since the latest rollback point.
Between rollback points, these changes that writes in the data memory, are stored in
a log buffer in the backup unit. At a rollback point, the processor’s total register
contents are also written into the data memory, so that this information is also
logged. Once the rollback point is established, the logged write operations are
transferred to the backup unit’s data memory.
If the primary unit fails because of an error, the backup unit resumes execution from
the last rollback point, which means the last execution unit is partially re-executed
by the backup unit. In order to re-execute a portion of the execution unit without
affecting the peripheral units (communication units on the CEX-Bus), the peripheral
units’ references are also logged between rollback points. During re-execution, the
results of the peripheral units’ references, which have already been executed, are
used, rather than re-executing them. The results of read operations are retrieved
from the log, and write operations pass without execution, since they have already
been executed. The peripheral units’ statuses, then, are not affected by the re-
execution in any way, except for the time delay which occurs.
To Next Page
Loading...
