[특허]Dual/triple redundant computer system

Dual/triple redundant computer system 원문보기

IPC분류정보
국가/구분	United States(US) Patent 등록
국제특허분류(IPC7판)	G06F-011/00
출원번호	US-0899667 (2004-07-27)
발명자 / 주소	Freydel,Lev R. Ida,Nathan
출원인 / 주소	Freydel,Lev R. Ida,Nathan
대리인 / 주소	Renner Kenner Greive Bobak Taylor &
인용정보	피인용 횟수 : 24 인용 특허 : 11

초록 ▼

A dual/triple redundant computer system having in one of the preferred embodiments triple redundant I/O modules and dual redundant central processor modules (CPM) that operate in parallel executing the same application program. Each input module includes three input circuits operating in parallel. The first CPM receives input data from first and third input circuits and transmits input data of the first input circuit to the second CPM. The second CPM receives input data from second and third input circuits and transmits input data of the second input circuit to the first CPM. Each CPM then performs a two-out-of-two vote among input data produced by first, second, and third input circuits and utilizes an outvoted data as input to the application program to provide output data by execution of the application program. Each output module includes three microcontrollers operating in parallel. First and second microcontroller receives output data respectively from first and second CPM, while a third microcontroller receives at the same time output data from both first and second CPM. First microcontroller transmits output data to a first and a second output circuit. Second microcontroller transmits output data to second and third output circuit. The third microcontroller performs a selected logic operation among output data produced by first and second CPM and then transmits a result of this operation to third and first output circuits. Each output circuit generates a logical product of output data received from two associated microcontrollers. Outputs of first, second, and third output circuit are connected to each other for providing a two-out-of-three voting among output data produced by first, second, and third microcontroller, and for allowing the system to generate a system output as a result of a two-out-of-two voting of output data generated by first and second central processor modules.

대표청구항 ▼

What is claimed is: 1. A dual/triple redundant computer system comprising: a) a first and a second central processor modules operating in parallel, each central processor module has means for executing an application program; b) at least one input module included a first, a second, and a third input circuits operating in parallel; c) at least one output module including a first, a second, and a third microcontrollers operating in parallel; d) the first central processor module connected to the first input circuit and to the third input circuit for receiving input data from said input circuits; e) the second central processor module connected to the second input circuit and to the third input circuit for receiving input data from said input circuits; f) said first and second central processor module connected to each to other said first central processor module to transmit input data received from said first input circuit to said second central processor module and allowing said second central processor module to transmit input data received from said second input circuit to said first central processor module; g) means in each central processor module for performing a two-out-of-three voting among input data produced by said first, second, and third input circuits, for using a result of said two-out-of-three voting as input to said application program to provide output data by execution of said application program; h) said first central processor module further connected to said first microcontroller and to said third microcontroller for delivering said output data to each of said microcontrollers; i) the second central processor module further connected to said second microcontroller and to said third microcontroller for delivering said output data to each of said microcontrollers; j) means in said first and said second microcontroller for delivering said output data produced respectively by said first and said second central processor module on an output of the associated microcontroller; k) means in said third microcontroller for implementing a selected logic operation with said output data produced by said first and second central processor modules, and for transferring a result of said selected logic operation on an output of said microcontroller; l) said third microcontroller further has means for storing a set of said selected logic operations and for allowing said application program to select a certain logic operation from said set of selected logic operations; m) said output module further including a first, a second, and a third output circuit, each of said output circuits is connected to the associated microcontroller and to the neighbor microcontroller for receiving output data produced by said microcontrollers, for performing a logical product of said output data, and for transferring said logical product on an output of said output circuit; n) said first output circuit is connected to said first and third microcontrollers for receiving the output data produced by said microcontrollers and for performing the logical product of said output data, thereby allowing said first output circuit to generate its output as the logical product of the output data produced by said first central processor module and the result of said selected logical operation; o) said second output circuit is connected to said second and first microcontroller for receiving output data produced by said microcontrollers and for performing the logical product of said output data, thereby allowing said second output circuit to generate its output as the logical product of the output data produced by said second and first central processor modules; p) said third output circuit is connected to said third and second microcontrollers for receiving the output data produced by said microcontrollers and for performing the logical product of said output data, thereby allowing said third output circuit to generate its output as the logical product of the result of said selected logical operation and the output data produced by said second central processor module; q) the outputs of said first, second, and third output circuit are connected to each other to provide a two-out-of-three voting among output data produced by the first, second, and third microcontrollers, thereby allowing the system to generate a system output as a result of a two-out-of-two voting of output data generated by first and second central processor modules; r) means in the first and the second microcontroller for detecting the occurrence of a fault within the associated central processor module, and for activating an alarm signal in the event that said central processor module fails; s) means in the third microcontroller for detecting the occurrence of a fault within the first and the second central processor module and for receiving output data only from one of said central processor modules that has not failed, and for activating an alarm signal in the event that both first and second central processor module concurrently fail; t) means in the output module for generating the system output as the result of said two-out-of-two voting among data produced by said first and second central processor modules if said alarm signal in each of said microcontrollers is not activated, for generating the system output by only using output data received from one of said central processor modules if said alarm signal associated with a faulty central processor module is activated and for disabling said output if each alarm signal is activated, thereby allowing the output module to revert from said two-out-of-two voting to a one-out-of-one voting in the event that the first or the second central processor module fails, and forcing the system output to be in the predetermined safe output condition in case that both first and second central processor modules concurrently fail; u) means in the output module for detecting the occurrence of a fault within each microcontroller and for respectively activating said first, second, and third alarm signal in the event that first, or the second, or the third microcontroller fails; v) means in each output circuit for generating its output as a logical product of output data received from the associated and the neighbor microcontroller if no one of said alarm signals is not activated, for generating said output by only using output data received from the associated microcontroller if at least one out of two alarm signals associated with neighbor microcontrollers is activated, for disabling said output if the associated microcontroller fails and the associated alarm signal is activated, thereby allowing said output module to revert from said two-out-of-three voting among output data produced by said first, second, and third microcontroller to a two-out-of-two voting in the event that one microcontroller fails, to a one-out-of-one voting in the event that that two microcontroller concurrently fail, and to the predetermined safe output condition in the event that each microcontroller fail; w) means in each microcontroller for reading status of the associated output circuit and disabling the output of said output circuit if a fault of said output circuit is discovered; x) means in each central processor module for reading status of the associated input circuits and disabling input data of said input circuit if a fault of said input circuit is discovered; and y) means in each central processor modules for synchronizing its operation with the operation of neighbor central processor modules and for providing scan-based mode of system operation to perform said application program execution on a cyclical basis. 2. The hybrid multiple redundant computer system of claim 1 wherein: a) the third microcontroller has means for calculating the result of the selected logic operation as a logical sum of the output data produced by the first and the second central processor modules; b) said third microcontroller further has means for comparing each scan output data received from the first and the second central processor module, for freezing the output of said third microcontroller if a disagreement between said output data is discovered and for producing a logical "0" value on said output to perform a shutdown if said disagreement is repeated more times that is defined by a predetermined limitation established in the application program; c) means in the first and the second microcontroller for detecting the occurrence of a fault within the associated central processor module, and for activating an alarm signal in the event that said central processor module fails; d) means in the third microcontroller for detecting the occurrence of a fault within the first and the second central processor module and for receiving output data only from one of said central processor modules that has not failed, and for activating an alarm signal in the event that both first and second central processor module concurrently fail; e) means in the output module for generating the system output as the result of said two-out-of-two voting among data produced by said first and second central processor modules if said alarm signal in each of said microcontrollers is not activated, for generating the system output by only using output data received from one of said central processor modules that has not failed if said alarm signal associated with a faulty central processor module is activated and for disabling said output if each alarm signal is activated, thereby allowing the output module to revert from said two-out-of-two voting to a one-out-of-one voting in the event that the first or the second central processor module fails, and forcing the system output to be in the predetermined safe output condition in case that both first and second central processor modules concurrently fail; f) said output module further including a first, a second, and a third watchdog controller each of which connected to the associated microcontroller for detecting the occurrence of a fault within said microcontroller and for activating an alarm signal in the event that the associated microcontroller fails; g) each said output circuit is further connected to the associated watchdog controller and connected to neighbor watchdog controllers for receiving said alarm signal from any of said watchdog controllers; h) means in each output circuit for generating its output as a logical product of output data received from the associated and the neighbor microcontroller if said alarm signal in each of said watchdog controllers is not activated, for generating said output by only using output data received from the associated microcontroller if at least one out of two alarm signals produced by the neighbor watchdog controllers is activated, and for disabling said output if the alarm signal produced by the associated watchdog controller is activated, thereby allowing the associated output module to revert from two-out-of-three voting among output data produced by said first, second, and third microcontroller to the two-out-of-two voting in the event that that one microcontroller fails, to the one-out-of-one voting in the event that two microcontroller concurrently fail, and to the predetermined safe output condition in the event that each microcontroller fail; i) said means in the first output circuit for generating its output as a logical product of output data received from the first microcontroller and said logical sum if said alarm signal in each of said watchdog controllers is not activated, generating said output by only using output data received from the first microcontroller if at least one out of two alarm signals produced by second and third watchdog controllers is activated, and for disabling said output if the alarm signal produced by the first watchdog controller is activated; j) said means in the second output circuit for generating its output as a logical product of output data received from second and first microcontrollers if said alarm signal in each of said watchdog controllers is not activated, generating said output by only using output data received from the second microcontroller if at least one out of two alarm signals produced by first and third watchdog controllers is activated, and for disabling said output if the alarm signal produced by the second watchdog controller is activated; and k) said means in the third output circuit for generating its output as a logical product of said logical sum and output data received from the second microcontroller if said alarm signal in each of said watchdog controllers is not activated, generating said output by only using said logical sum if at least one out of two alarm signals produced by first and second watchdog controllers is activated, and for disabling said output if the alarm signal produced by the third watchdog controller is activated. 3. The hybrid multiple redundant computer system of claim 1 wherein: a) said first and second central processor modules respectively connected to said first and second input circuit for receiving input data from said input circuits; b) the system further comprises an input/output processor connected to said third input circuit for receiving input data from said input circuit; c) said first and second central processor module connected each to other and connected to the input/output processor for allowing each central processor module to transmit the associated input data to the neighbor central processor module and to said input/output processor, thereby allowing each central processor module to perform the two-out-of-three voting among input data produced by said first, second, and third input circuits and to use a result of said two-out-of-three voting as input to a application program for providing said output data by execution of said application program; d) said first central processor module further connected to said first microcontroller for delivering said output data produced by said first central processor module to said first microcontroller, said first microcontroller has means for transferring said output data on an output of said first microcontroller; e) said second central processor module further connected to said second microcontroller for delivering output data produced by said second central processor module to said second microcontroller, said second microcontroller has means for transferring said output data on an output of said second microcontroller; f) said first and second central processor module further connected to said input/output processor for delivering said output data produced by said first and second central processor module to said input/output processor; g) said input/output processor has means for implementing the selected logic operation with said output data received from said first and second central processor modules and for delivering a result of said selected logic operation to said third microcontroller, said third microcontroller has means for transferring the result of said selected logic operation on an output of said third microcontroller; h) said input/output processor further has means for storing a set of the selected logic operations and for allowing said application program to select a certain logic operation from said set of selected logic operations; i) said output module further including a first, a second, and a third output circuit, each of said output circuits is connected to the associated microcontroller and to the neighbor microcontroller for receiving output data produced by said microcontrollers, for performing a logical product of said output data, and for transferring said logical product on an output of said output circuit; j) said first output circuit is connected to said first and third microcontrollers for receiving the output data produced by said microcontrollers and for performing the logical product of said output data, thereby allowing said first output circuit to generate its output as the logical product of the output produced by said first central processor module and the result of said selected logic operation; k) said second output circuit is connected to said second and first microcontrollers for receiving the output data produced by said microcontrollers and for performing the logical product of said output data, thereby allowing said second output circuit to generate its output as the logical product of the output data produced by said first and second central processor modules; l) said third output circuit is connected to said third and second microcontrollers for receiving the output data produced by said microcontrollers and for performing the logical product of said output data, thereby allowing said third output circuit to generate its output as the logical product of the result of said selected logic operation and the output data produced by said second central processor module; m) the outputs of said first, second, and third output circuit are connected to each other to provide a two-out-of-three voting among output data produced by the first, second, and third microcontrollers, thereby allowing the system to generate a system output as a result of a two-out-of-two voting of output data generated by first and second central processor modules; n) means in said first and second microcontroller for detecting the occurrence of a fault within the associated central processor module, and for activating the alarm signal in the event that said central processor module fails; o) means in the third microcontroller for detecting the occurrence of a fault within said input/output processor and for activating an alarm signal in the event that said input/output processor fails; p) means in the said input/output processor for detecting the occurrence of a fault within said first and second central processor module and for receiving output data only from one of said central processor modules that has not failed, said input/output processor further has means for commanding said third microcontroller to activate the alarm signal in the event that both first and second central processor module fail concurrently; q) means in the output module for generating the system output as the result of said two-out-of-two voting among data produced by said first and second central processor modules if said alarm signal in each of said microcontrollers is not activated, for generating the system output by only using output data received from one of said central processor modules that has not failed if said alarm signal associated with a faulty central processor module is activated and for disabling said output if each alarm signal is activated, thereby allowing the output module to revert from said two-out-of-two voting to a one-out-of-one voting in the event that the first or the second central processor module fails, and forcing the system output to be in the predetermined safe output condition in case that both first and second central processor modules concurrently fail; and r) means in each central processor module and in the input/output processor for reading status of the associated input circuit and disabling input data of said input circuit if a fault of said input circuit is discovered. 4. The dual/triple redundant computer system of claim 3 wherein: a) the input/output processor has means for calculating a logical sum of the output data produced by the first and the second central processor modules and for delivering said logical sum to said third microcontroller, said third microcontroller has means for transferring said logical sum on an output of said microcontroller; b) said input/output processor further has means for comparing each scan of output data received from the first and the second central processor module, for commanding said third microcontroller to freeze the output of said third microcontroller if a disagreement between said output data is discovered and for producing a logical "0" value on said output to perform a shutdown if said disagreement is repeated more times that is defined by a predetermined limitation established in the application program; means in said first and second microcontroller for detecting the occurrence of a fault within the associated central processor module, and for activating the alarm signal in the event that said central processor module fails; c) means in the third microcontroller for detecting the occurrence of a fault within said input/output processor and for activating an alarm signal in the event that said input/output processor fails; d) means in the said input/output processor for detecting the occurrence of a fault within said first and second central processor module and for receiving output data only from one of said central processor modules that has not failed, said input/output processor further has means for commanding said third microcontroller to activate the alarm signal in the event that both first and second central processor modules fail concurrently; e) means in the output module for generating the system output as the result of said two-out-of-two voting among data produced by said first and second central processor modules if said alarm signal in each of said microcontrollers is not activated, for generating the system output by only using output data received from one of said central processor modules that has not failed if said alarm signal associated with a faulty central processor module is activated and for disabling said output if each alarm signal is activated, thereby allowing the output module to revert from said two-out-of-two voting to a one-out-of-one voting in the event that the first or the second central processor module fails, and forcing the system output to be in the predetermined safe output condition in case that both first and second central processor modules concurrently fail; f) means in each central processor module and in the input/output processor for reading status of the associated input circuit and disabling input data of said input circuit if a fault of said input circuit is discovered; g) said output module further including a first, a second, and a third watchdog controller each of which connected to the associated microcontroller for detecting the occurrence of a fault within said microcontroller and for activating an alarm signal in the event that the associated microcontroller fails; h) each said output circuit is connected to the associated watchdog controller and connected to neighbor watchdog controllers for receiving said alarm signal from any of said watchdog controllers; i) means in each output circuit for generating its output as a logical product of output data received from the associated and the neighbor microcontroller if said alarm signal in each of said watchdog controllers is not activated, for generating said output by only using output data received from the associated microcontroller if at least one out of two alarm signals produced by the neighbor watchdog controllers is activated, and for disabling said output if the alarm signal produced by the associated watchdog controller is activated, thereby allowing the associated output module to revert from two-out-of-three voting among output data produced by said first, second, and third microcontroller to the two-out-of-two voting in the event that that one microcontroller fails, to the one-out-of-one voting in the event that two microcontroller concurrently fail, and to the predetermined safe output condition in the event that each microcontroller fail; j) said means in the first output circuit for generating its output as a logical product of output data received from the first microcontroller and said logical sum if said alarm signal in each of said watchdog controllers is not activated, generating said output by only using output data received from the first microcontroller if at least one out of two alarm signals produced by second and third watchdog controllers is activated, and for disabling said output if the alarm signal produced by the first watchdog controller is activated; k) said means in the second output circuit for generating its output as a logical product of output data received from second and first microcontrollers if said alarm signal in each of said watchdog controllers is not activated, generating said output by only using output data received from the second microcontroller if at least one out of two alarm signals produced by first and third watchdog controllers is activated, and for disabling said output if the alarm signal produced by the second watchdog controller is activated; and l) said means in the third output circuit for generating its output as a logical product of said logical sum and output data received from the second microcontroller if said alarm signal in each of said watchdog controllers is not activated, generating said output by only using said logical sum if at least one out of two alarm signals produced by first and second watchdog controllers is activated, and for disabling said output if the alarm signal produced by the third watchdog controller is activated. 5. A dual/triple redundant computer system comprising: a) a first and a second central processor modules operating in parallel, each central processor module has means for executing the same application program; b) at least one input/output subsystem for sending input data and receiving output data and to/from each central processor module; c) said input/output subsystem is composed of; at least one input module included a first, a second, and a third input circuits operating in parallel, at least one output module including a first, a second, and a third microcontrollers operating in parallel; d) the input/output subsystem further comprising a first, a second, and a third input/output processor operating in parallel for collecting input data, voting input data, for sending outvoted input data to said first and second central processor modules, and for receiving output data from said first and second central processor modules; e) a first and a second input/output network; f) a first and a second communication links; g) said first, second, and third input/output processor connected respectively to said first, second, and third input circuits for receiving said input data from said input circuits; h) said first and second input/output processor further connected to each other via said first communication links for allowing each input/output processor to transmit the associated input data to the neighbor input/output processor, for allowing each input/output processor to perform the two-out-of-three voting among input data produced by said first, second, and third input circuits; i) said first and second central processor modules respectively connected to said first and second input/output processor over said first and second input/output network for receiving a result of said two-out-of-three voting of said input data, for using said result as input to an application program, for providing output data by execution of said application program, and for delivering said output data to the associated input/output processor; f) said first and second input/output processor respectively connected to said first and second central processor module over said first and second input/output network for receiving said output data from the associated central processor module and for transferring the associated output data to said third input/output processor; g) means in said third input/output processor for implementing a selected logic operation with the output data produced by said first and second central processor modules; h) said first input/output processor further connected to said first microcontroller for delivering said output data produced by said first central processor module to said first microcontroller, said first microcontroller has means for transferring said output data on an output of said first microcontroller; i) said second input/output processor further connected to said second microcontroller for delivering output data produced by said second central processor module to said second microcontroller, said second microcontroller has means for transferring said output data on an output of said second microcontroller; j) said third input/output processor further connected to said third microcontroller for delivering a result of said selected logic operation to said third microcontroller, said third microcontroller has means for transferring the result of said selected logic operation on an output of said third microcontroller; k) means in said third input/output processor for storing a set of said selected logic operations and for allowing said application program to select a certain logic operation from said set of selected logic operations; l) said output module further including a first, a second, and a third output circuit, each of said output circuits is connected to the associated microcontroller and to the neighbor microcontroller for receiving output data produced by said microcontrollers, for performing a logical product of said output data, and for transferring said logical product on an output of said output circuit; m) said first output circuit is connected to said first and third microcontrollers for receiving the output data produced by said microcontrollers and for performing the logical product of said output data, thereby allowing said first output circuit to generate its output as the logical product of the output data produced by said first central processor module and the result of said selected logical operation; n) said second output circuit is connected to said second and first microcontroller for receiving output data produced by said microcontrollers and for performing the logical product of said output data, thereby allowing said second output circuit to generate its output as the logical product of the output data produced by said second and first central processor modules; o) said third output circuit is connected to said third and second microcontrollers for receiving the output data produced by said microcontrollers and for performing the logical product of said output data, thereby allowing said third output circuit to generate its output as the logical product of the result of said selected logical operation and the output data produced by said second central processor module; p) the outputs of said first, second, and third output circuit are connected to each other for providing a two-out-of-three voting among output data produced by the first, second, and third microcontrollers for allowing the system to generate a system output as a result of two-out-of-three voting among output data produced by said first, second, and third input/output processors, thereby allowing the system to generate a system output as a result of a two-out-of-two voting of output data generated by said first and second central processor modules; q) means in said first, second, and third microcontroller for detecting the occurrence of a fault within the associated input/output processor and for activating an alarm signal in the event that said input/output processor fails; r) means in the third input/output processor for detecting the occurrence of a fault within said first and second input/output processor and for receiving output data only from one of said input/output processors that has not failed, said third input/output processor further has means for commanding said third microcontroller to activate said alarm signal in the event that said first and second input/output processor fail concurrently; s) means in said first and second input/output processor for respectively detecting the occurrence of a fault within said first and second central processor module, for commanding the associated first and second microcontroller to activate the associated alarm signal in the event that said first or second central processor module fails; t) means in each output module for generating the system output as the result of a two-out-of-two voting among data produced by first and second central processor modules if said alarm signal in each of said microcontrollers is not activated, for generating the system output by only using output data received from one of said central processor modules if said alarm signal associated with a faulty central processor module is activated and for disabling said output if each alarm signal is activated, thereby allowing said output module to revert from said two-out-of-two voting to a one-out-of-one voting in the event that the first or the second central processor module fails, and forcing the system output to be in the predetermined safe output condition in case that both first and second central processor modules concurrently fail; u) means in each output module for detecting the occurrence of a fault within each microcontroller and for respectively activating an associated alarm signal in the event that first, or the second, or the third, microcontroller fails; v) means in each output module for generating its output as a logical product of output data received from the associated and the neighbor microcontroller if each of said alarm signals is not activated, for generating said output by only using output data received from the associated microcontroller if at least one out of two alarm signals associated with neighbor microcontrollers is activated, for disabling said output if the associated microcontroller fails and the associated alarm signal is activated, thereby allowing said output module to revert from said two-out-of-three voting among output data produced by the first, second, and third microcontrollers to a two-out-of-two voting in the event that one microcontroller fails, to a one-out-of-one voting the event that that two microcontroller concurrently fail, and to the predetermined safe output condition in the event that each microcontroller fail; w) means in each microcontroller for reading status of the associated output circuit and disabling the output of said output circuit if a fault of said output circuit is discovered; x) means in each input/output processor for reading status of the associated input circuit and disabling input data of said input circuit if a fault of said input circuit is discovered; y) means in each input/output processor for synchronizing its operation with the operation of neighbor input/output processors and for transmitting its status to neighbor input/output processors via said first communication links; and z) means in each central processor modules for synchronizing its operation with the operation of neighbor central processor modules via said second communication links and means for providing scan-based mode of system operation to perform said application program execution on a cyclical basis. 6. The dual/triple redundant computer system of claim 5, wherein: a) the third input/output processor has means for calculating a logical sum of output data received from said first and second input/output processors, said third input/output processor further connected to the third microcontroller for delivering said logical sum to said third microcontroller, the third microcontroller has means for transferring said logical sum on an output of said microcontroller; b) said third input/output processor further has means for comparing each scan of output data received from the first and the second input/output processors, for commanding said third microcontroller to freeze the output of said third microcontroller if a disagreement between said output data is discovered and for producing a logical "0" value on said output to perform a shutdown if said disagreement is repeated more times that is defined by a predetermined limitation established in the application program; c) means in said first, second, and third microcontroller for detecting the occurrence of a fault within the associated input/output processor, and for activating an alarm signal in the event that said input/output processor fails; d) means in said third input/output processor for detecting the occurrence of a fault within said first and second input/output processor and for receiving output data only from one of said input/output processor that has not failed, said third input/output processor further has means for commanding said third microcontroller to activate the alarm signal in the event that both first and second input/output processors fail concurrently; e) means in each output module for generating the system output as the result of the two-out-of-three voting among data produced by said first, second, and third input/output processors if said alarm signal in each of said microcontrollers is not activated, for reverting from said two-out-of-three voting to the two-out-of-two voting in the event that one of said input/output processor fails, to a one-out-of-one voting in the event that two input/output processors concurrently fail, and forcing the system output to be in the predetermined safe output condition in case that first, second, and third input/output processors concurrently fail, f) means in each output module for generating the system output as the result of the two-out-of-two voting among data produced by said first and second central processor module if said alarm signal in each of said microcontrollers is not activated, for reverting from said two-out-of-two voting to a one-out-of-one voting in the event that said first or second central processor module fails, and forcing the system output to be in the predetermined safe output condition in case that both first and second central processor modules concurrently fail; g) means in each input/output processor for reading status of the associated input circuit and disabling input data of said input circuit if a fault of said input circuit is discovered; h) said output module further including a first, a second, and a third watchdog controller each of which connected to the associated microcontroller for detecting the occurrence of a fault within said microcontroller and for activating an alarm signal in the event that the associated microcontroller fails; i) each said output circuit is connected to the associated watchdog controller and connected to neighbor watchdog controllers for receiving said alarm signal from any of said watchdog controllers; j) means in each output circuit for generating its output as a logical product of output data received from the associated and the neighbor microcontroller if said alarm signal in each of said watchdog controllers is not activated, for generating said output by only using output data received from the associated microcontroller if at least one out of two alarm signals produced by the neighbor watchdog controllers is activated, and for disabling said output if the alarm signal produced by the associated watchdog controller is activated, thereby allowing the associated output module to revert from two-out-of-three voting among output data produced by said first, second, and third microcontroller to the two-out-of-two voting in the event that that one microcontroller fails, to the one-out-of-one voting in the event that two microcontroller concurrently fail, and to the predetermined safe output condition in the event that each microcontroller fail; k) said means in the first output circuit for generating its output as a logical product of output data received from the first microcontroller and said logical sum if said alarm signal in each of said watchdog controllers is not activated, generating said output by only using output data received from the first microcontroller if at least one out of two alarm signals produced by second and third watchdog controllers is activated, and for disabling said output if the alarm signal produced by the first watchdog controller is activated; l) said means in the second output circuit for generating its output as a logical product of output data received from second and first microcontrollers if said alarm signal in each of said watchdog controllers is not activated, generating said output by only using output data received from the second microcontroller if at least one out of two alarm signals produced by first and third watchdog controllers is activated, and for disabling said output if the alarm signal produced by the second watchdog controller is activated; and m) said means in the third output circuit for generating its output as a logical product of said logical sum and output data received from the second microcontroller if said alarm signal in each of said watchdog controllers is not activated, generating said output by only using said logical sum if at least one out of two alarm signals produced by first and second watchdog controllers is activated, and for disabling said output if the alarm signal produced by the third watchdog controller is activated. 7. The dual/triple redundant computer system of claim 6, wherein: a) the first central processor module is further connected to the third input/output processor for reading input data and sending output data from/to said third input/output processor in the event that the first input/output processor fails; b) the second central processor module further connected to the third input/output processor for reading input data and sending output data from/to said third input/output processor in the event that the second input/output processor fails; c) said third input/output processor has means for transferring output data received from said first central processor module to said second input/output processor in the event that the first input/output processor fails and means for transferring output data received from said second central processor module to said first input/output processor in the event that the second input/output processor fails; d) said third input/output processor has means for calculating the logical sum of output data received from said first and second central processor modules in the event that said first and second input/output processors concurrently fail and for delivering said logical sum to the third microcontroller, said third microcontroller has means for transferring said logical sum on an output of said microcontroller; and e) said first and second central processor module further has means for monitoring on each scan a status of first and second input/output processor respectively and for synchronously reading input data and sending output data from/to said third input/output processor in the event that the associated input/output processor fails, thereby allowing the system to implement the two-out-of-two voting among output data produced by said first and second central processor modules although said first or said second input/output processor fails or in the event that both said input/output processors concurrently fail. 8. The dual/triple redundant computer system of claim 5, wherein: a) said first and second central processor modules operate in hot standby sparing mode providing the first central processor module to be in the online state, while the second central processor modules is in the off-line state and vice versa; b) said first and second central processor modules operate in hot standby sparing mode providing each central processor module to be in the online state, while the neighbor central processor modules is in the off-line state; c) each central processor module being in on-line state runs the application program and communicates with the associated input/output processor for reading said input data and sending said output data from/to said input/output processor over the associated input/output network; d) said first central processor module being in on-line state runs the application program and communicates with the first input/output processor for reading the associated input data and sending the associated output data from/to said first input/output processor over said first input/output network; e) said second central processor module being in on-line state runs the application program and communicate with the second input/output processor for reading the associated input data and sending the associated output data from/to said second input/output processor over said second input/output network; f) said first, second, and third input/output processor connected respectively to said first, second, and third input circuits for receiving said input data from said input circuits; g) said first and second input/output processor further connected each to other via said first communication links for allowing each input/output processor to transmit the associated input data to the neighbor input/output processor, for allowing each input/output processor to perform the two-out-of-three voting among input data produced by said first, second, and third input circuits; h) means in said first and second input/output processor for transmitting a result of said two-out-of-three voting to the associated central processor module over the associated input/output network if the associated central processor module is in on-line state, thereby allowing said central processor module to utilize the result of said two-out-of-three voting as input to a application program to provide said output data by execution of said application program; i) each central processor module being in on-line state runs the application program and communicates with the associated input/output processor for reading said input data and sending said output data from/to said input/output processor over the associated input/output network; j) said first central processor module being in on-line state runs the application program and communicates with the first input/output processor for reading the associated input data and sending the associated output data from/to said first input/output processor over said first input/output network; k) said second central processor module being in on-line state runs the application program and communicate with the second input/output processor for reading the associated input data and sending the associated output data from/to said second input/output processor over said second input/output network; l) means in said first input/output processor for sending the output data received from said first central processor module to said second and third input/output processor at the same time over said first communication links for providing the same output data on outputs of said first, second, and third input/output processors, thereby allowing the associated output module to implement the two-out-of-three voting among output data produced by said input/output processors; m) means in said second input/output processor for sending the output data received from said second central processor module to said first and third input/output processors at the same time over said first communication links for providing the same output data on outputs of said first, second, and third input/output processors, thereby allowing the associated output module to implement said two-out-of-three voting among output data produced by said input/output processors; n) said first and second central processor module further includes a first fault detector circuit and a second fault detector circuit respectively, said fault detector circuits are connected to each other over said second communication links; o) said first central processor module being in the on-line state has means for updating said second central processor module each scan via said first fault detector circuit; p) said second central processor module being in the on-line state has means for updating said first central processor module each scan via said second fault detector circuit; q) said first fault detector circuit has means for monitoring a condition of said first central processor module when said first central processor module is in on-line state, for driving said first central processor module to off-line state and switching said second central processor module to on-line state in the event that said first central processor module fails, thereby allowing the system remain operational in the presence of fault in said first central processor module; r) said second fault detector circuit has means for monitoring a condition of said second central processor module when said first central processor module is in on-line state, for driving said second central processor module to off-line state and switching said first central processor module to on-line state in the event that said second central processor module fails, thereby allowing the system remain operational in the presence of fault in said second central processor module; s) said first central processor module further has means for reading a status of said first input/output processor and for commanding said first fault detector circuit to drive said first central processor module to the off-line state and switching said second central processor module to the on-line state in the event that said first input/output processor fails; t) said second central processor module further has means for reading a status of said second input/output processor and for commanding said second fault detector circuit to drive said second central processor module to the off-line state and switching said first central processor module to the on-line state in the event that said second input/output processor fails; u) means in each input/output processor for transferring output data produced by each central processor module that is in on-line state to the associated microcontroller, said microcontroller has means for transferring said output data on an output of said microcontroller; v) means in said first, second, and third microcontroller for detecting the occurrence of a fault within the associated input/output processor, and for activating an alarm signal in the event that said input/output processor fails; w) means in said third input/output processor for detecting the occurrence of a fault within said first and second input/output processor and for receiving output data only from one of said input/output processor that has not failed, said third input/output processor further has means for commanding said third microcontroller to activate the alarm signal in the event that both first and second input/output processors fail concurrently; x) means in each output module for generating the system output as the result of the two-out-of-three voting among data produced by said first, second, and third input/output processors if said alarm signal in each of said microcontrollers is not activated, for reverting from said two-out-of-three voting to the two-out-of-two voting in the event that one of said input/output processor fails, to a one-out-of-one voting in the event that two input/output processors concurrently fail, and forcing the system output to be in the predetermined safe output condition in case that first, second, and third input/output processors concurrently fail; and y) means in each output module for generating its output as a logical product of output data received from the associated and the neighbor microcontroller if said alarm signal in each of said watchdog controllers is not activated, for generating said output by only using output data received from the associated microcontroller if at least one out of two alarm signals produced by the neighbor watchdog controllers is activated, and for disabling said output if the alarm signal produced by the associated watchdog controller is activated, thereby allowing said output module to revert from two-out-of-three voting among output data produced by said first, second, and third microcontroller to the two-out-of-two voting in the event that that one microcontroller fails, to the one-out-of-one voting in the event that two microcontroller concurrently fail, and to the predetermined safe output condition in the event that each microcontroller fail. 9. The dual/triple redundant computer system of claim 8, wherein: a) the first central processor module further connected to the third input/output processor, said first central processor module being in on-line state has means for reading input data and sending output data from/to said third input/output processor in the event that the first input/output processor fails; b) the second central processor module further connected to the third input/output processor, said second central processor module being in on-line state has means for reading input data and sending output data from/to said third input/output processor in the event that the second input/output processor fails; c) said third input/output processor has means for transferring output data received from said first central processor module to said second input/output processor in the event that the first input/output processor fails and means for transferring output data received from said second central processor module to said first input/output processor in the event that the second input/output processor fails; d) said first or said second central processor module being in the on-line state further has means for monitoring each scan a status of first and second input/output processor respectively and for reading input data and sending output data from/to said third input/output processor in the event that the associated input/output processor fails, thereby allowing the system remain operational in the event that said first or/and second input/output processors fail; e) said first central processor module being in the on-line state further has means for periodically monitoring a status of said third input/output processor and for switching said on-line state to said second central processor module in the event that said first and third input/output processors concurrently fail, thereby allowing the system remain operational in the presence of faults in said first and third input/output processors; and f) said second central processor module being in the on-line state further has means for periodically monitoring a status of said third input/output processor and for switching said on-line state to said first central processor module in the event that said second and third input/output processors concurrently fail, thereby allowing the system remain operational in the presence of faults in said second and third input/output processors. 10. The dual/triple redundant computer system of claim 9 wherein: a) each central processor module further includes a first I/O interface and a second I/O interface for allowing each central processor module to communicate with each input/output subsystem either over said first input/output network or over said second input/output network, thereby allowing the system to remain operational in the event that one of said input/output networks fails; b) the first interface in the first central processor module connected with the first interface in the second central processor module and connected to said first input/output processor over said first input/output network for allowing each central processor module being on-line to communicate with said first input/output processor; and c) the second interface in the second central processor module connected with the second interface in the first central processor module and connected to said second input/output processor over said second input/output network for allowing each central processor module being on-line to communicate with said second input/output processor. 11. The dual/triple redundant computer system of claim 2, wherein: a) each of said central processor modules further has means for periodically producing a single-bit output data per point as a result of the implementation of said application program and for transferring said single-bit data to both of the associated microcontrollers; b) each output circuit including a logic circuit connected to the associated microcontroller and to the neighbor microcontroller for receiving said single-bit output data from said microcontrollers and for transferring said single-bit output data respectively to a first and a second output of said logic circuit; c) each output circuit further comprising a voting network connected to outputs of said logic circuit for producing a logic product of said outputs on the output of said voting network, thereby producing a single-bit output of the voting network per point as a logical product of said single-bit output data received by said logic circuit from associated and neighbor microcontrollers; d) said single-bit outputs of said neighbor voting networks are connected together for generating system output per point as a logical sum of said logical products to perform the two-out-of-three voting among output data produced by the first, second, and third microcontrollers, thereby providing the system output per point as a result of a two-out-of-two voting of said single-bit output data generated by said first and second central processor modules; e) means in each microcontroller for disabling outputs of the associated voting network in the event that said voting network or the associated logic circuit fails; f) each logic circuit is further connected to the associated watchdog controller and connected to neighbor watchdog controllers for receiving said alarm signal from any of said watchdog controllers; g) each logic circuit has means for transferring said single-bit output data to the associated voting network if said alarm signal in each watchdog controller is not activated, for disabling all single-bit outputs of the associated voting network if alarm signal of the associated watchdog controller is activated, and for generating the single-bit output of the associated voting network by using the single-bit data received from only one associated microcontroller if at least one out of two alarm signals in the neighbor watchdog controllers is activated; h) the first logic circuit has means for transferring said single-bit data received from the first and third microcontroller to the associated voting network if said alarm signal in each watchdog controller is not activated, means for disabling the outputs of the associated output voting network if alarm signal in the first watchdog controller is activated, and means for generating the single-bit output of the said voting network by using the single-bit data received from the first microcontroller if at least one out of two alarm signals in the neighbor watchdog controllers is activated; i) the second logic circuit has means for transferring said single-bit data received from the second and first microcontroller to the associated voting network if said alarm signal in each watchdog controller is not activated, means for disabling the outputs of the associated output voting network if alarm signal received from the second watchdog controller is activated, and means for generating the single-bit output of the said voting network by using the single-bit data received from the second microcontroller if at least one out of two alarm signals received from the neighbor watchdog controllers is activated; and j) the third logic circuit has means for transferring said single-bit data received from the third and second microcontroller to the associated voting network if said alarm signal in each watchdog controller is not activated, means for disabling the outputs of the associated output voting network if alarm signal received from the third watchdog controller is activated, and means for generating the single-bit output of the said voting network by using the single-bit data received from the third microcontroller if at least one out of two alarm signals received by the neighbor watchdog controllers is activated.

이 특허에 인용된 특허 (11)

Vandling ; III Gilbert C. (Endicott NY), Asynchronous TMR processing system.
상세보기
Hashemi Seyed H. (Mission Viejo CA), Fault tolerant digital computer system having two processors which periodically alternate as master and slave.
상세보기
Abonamah, Abdullah A.; Freydel, Lev, Hybrid multiple redundant computer system.
상세보기
Freydel, Lev, Hybrid triple redundant computer system.
상세보기
Williams Emrys J., I/O handling for a multiprocessor computer system.
상세보기
David C. Rasmussen ; John G. Gabler ; Ronald L. Popp, Method and apparatus for processing control using a multiple redundant processor control system.
상세보기
Rasmussen, David C.; Gabler, John C.; Popp, Ronald L., Method and apparatus for processing control using a multiple redundant processor control system related applications.
상세보기
Flood Mark A. ; Bittorf Bradley J. ; Cook William B. ; Graham D. Alan ; Law Robert D. ; Mohnke David E. ; Sepsi Robert R. ; Toma Jack F., Programmable controller backup system.
상세보기
Mark A. Flood, Redundant, multitasking industrial controllers with synchronized data tables.
상세보기
Esposito Daniel (Naperville IL) Reneker Douglas A. (Naperville IL), System and method for on-line state restoration of one or more processors in an N module redundant voting processor syst.
상세보기
Cook, William; Flood, Mark, System and method for periodic task resumption following redundant control system switchover.
상세보기

이 특허를 인용한 특허 (24)

Matsui, Gen; Tanaka, Teruaki; Yamamoto, Tsuyoshi, Actuator control apparatus.
상세보기
Clark, Lawrence T.; Patterson, Dan W.; Yao, Xiaoyin, Circuits and methods for detection of soft errors in cache memories.
상세보기
Clark, Lawrence T.; Patterson, Dan W.; Yao, Xiaoyin; Pettit, David; Shringarpure, Rahul, Circuits and methods for dual redundant register files with error detection and correction mechanisms.
상세보기
Clark, Lawrence T.; Patterson, Dan W., Circuits and methods for processors with multiple redundancy techniques for mitigating radiation errors.
상세보기
Shimizu, Hirokazu; Machida, Kenichi, Control system of electric actuator and control method thereof.
상세보기
Hakura, Ziyad S.; Lindholm, John Erik; Kilgariff, Emmett M.; Ohannessian, Robert; Whitman, Scott R.; Bowman, James C.; Brown, Patrick R.; Cunniff, Ross A., Cull before vertex attribute fetch and vertex lighting.
상세보기
Hakura, Ziyad S.; Lindholm, John Erik; Kilgariff, Emmett M.; Ohannessian, Robert; Whitman, Scott R.; Bowman, James C.; Brown, Patrick R.; Cunniff, Ross A., Cull before vertex attribute fetch and vertex lighting.
상세보기
Cornes, Martin Peter John; Perkins, Gary, Direct connect algorithm.
상세보기
Hall, Brendan; Driscoll, Kevin R.; Paulitsch, Michael, Efficient triple modular redundancy on a braided ring.
상세보기
Perez, Rafael; Weiss, James Michael; Francino, Peter Nicholas, Fault tolerant systems and method of using the same.
상세보기
Perez, Rafael; Weiss, James Michael; Francino, Peter Nicholas, Fault tolerant systems and method of using the same.
상세보기
Lindholm, John Erik; Hakura, Ziyad S., Generating clip state for a batch of vertices.
상세보기
Lindholm, John Erik; Hakura, Ziyad S., Generating clip state for a batch of vertices.
상세보기
Karaffa, John Michael; Chong, Justin, Method for download of sequential function charts to a triple module redundant control system.
상세보기
Howell,Mark N.; Mishra,Pradyumna K., Method for synchronization of a controller.
상세보기
Griessbach,Robert, Method for transmitting messages between bus users.
상세보기
Alley, Daniel Milton, Methods and systems for current output mode configuration of universal input-output modules.
상세보기
Downey, Jonathan B.; Michini, Bernard J., Modular flight management system incorporating an autopilot.
상세보기
Freydel, Lev, Multiple redundant computer system combining fault diagnostics and majority voting with dissimilar redundancy technology.
상세보기
Ide, Nobuhiro, Processing apparatus.
상세보기
Clark, Lawrence T.; Nielsen, Kyle E., Radiation hardened by design digital input/output circuits and related methods.
상세보기
Wolfe,Jeffrey M.; Copenhaver,Jason L.; Ramos,Jeremy, Redundant processing architecture for single fault tolerance.
상세보기
Nickolls, John R.; Nyland, Lars; Mills, Peter C.; Sugerman, Jeremy; Foley, Timothy; Fahs, Brian; Garland, Michael; Luebke, David P., Systems and methods for voting among parallel threads.
상세보기
Nickolls, John R.; Nyland, Lars; Mills, Peter C.; Sugerman, Jeremy; Foley, Timothy; Fahs, Brian; Garland, Michael; Luebke, David P., Systems and methods for voting among parallel threads.
상세보기

IPC	Description
A	생활필수품
A62	인명구조; 소방(사다리 E06C)
A62B	인명구조용의 기구, 장치 또는 방법(특히 의료용에 사용되는 밸브 A61M 39/00; 특히 물에서 쓰이는 인명구조 장치 또는 방법 B63C 9/00; 잠수장비 B63C 11/00; 특히 항공기에 쓰는 것, 예. 낙하산, 투출좌석 B64D; 특히 광산에서 쓰이는 구조장치 E21F 11/00)
A62B-1/08	.. 윈치 또는 풀리에 제동기구가 있는 것

내보내기 구분	파일저장 인쇄 메일전송
구성항목	기본정보 상세정보 관리번호, 국가코드, 자료구분, 상태, 출원번호, 출원일자, 공개번호, 공개일자, 등록번호, 등록일자, 발명명칭(한글), 발명명칭(영문), 출원인(한글), 출원인(영문), 출원인코드, 대표IPC 관리번호, 국가코드, 자료구분, 상태, 출원번호, 출원일자, 공개번호, 공개일자, 공고번호, 공고일자, 등록번호, 등록일자, 발명명칭(한글), 발명명칭(영문), 출원인(한글), 출원인(영문), 출원인코드, 대표출원인, 출원인국적, 출원인주소, 발명자, 발명자E, 발명자코드, 발명자주소, 발명자 우편번호, 발명자국적, 대표IPC, IPC코드, 요약, 미국특허분류, 대리인주소, 대리인코드, 대리인(한글), 대리인(영문), 국제공개일자, 국제공개번호, 국제출원일자, 국제출원번호, 우선권, 우선권주장일, 우선권국가, 우선권출원번호, 원출원일자, 원출원번호, 지정국, Citing Patents, Cited Patents
저장형식	Text(ASCII format) Excel format PIAS분석(.xls)
메일정보	받는사람 (필수) @ 보내는사람 (선택) @ 제목 내용 KISTI 검색결과 이메일 서비스
안내	총 건의 자료가 검색되었습니다. 다운받으실 자료의 인덱스를 입력하세요. (1-10,000) 검색결과의 순서대로 최대 10,000건 까지 다운로드가 가능합니다. 데이타가 많을 경우 속도가 느려질 수 있습니다.(최대 2~3분 소요) 다운로드 파일은 UTF-8 형태로 저장됩니다. 파일의 내용이 제대로 보이지 않을실 때는 웹브라우저 상단의 보기 -> 인코딩 -> 자동선택 여부를 확인하십시오. ~ Text(ASCII format) Excel format

연합인증

Dual/triple redundant computer system 원문보기

초록 ▼

대표청구항 ▼

연구과제 타임라인

이 특허에 인용된 특허 (11)

이 특허를 인용한 특허 (24)

관련 콘텐츠

특허 원문 보기

IPC 상위 출원인

AI-Helper ※ AI-Helper는 오픈소스 모델을 사용합니다.

선택된 텍스트

연합인증

Dual/triple redundant computer system 원문보기

초록 ▼

대표청구항 ▼

연구과제 타임라인

전체(0) 논문(0) 특허(0) 보고서(0)

전체(0) 논문(0) 특허(0) 보고서(0)

이 특허에 인용된 특허 (11)

이 특허를 인용한 특허 (24)

관련 콘텐츠

특허 원문 보기

IPC 상위 출원인

AI-Helper ※ AI-Helper는 오픈소스 모델을 사용합니다.

선택된 텍스트