Independent backup mode transfer and mechanism for digital control computers by Tulpule, Bhalchandra R. & Oscarson, Edward M.
United States Patent [19]
US005128943A
Tulpule et al.
[11] Patent Number: 5,128,943
[45] Date of Patent: Jul. 7, 1992
[54] INDEPENDENT BACKUP MODE TRANSFER AND MECHANISM FOR DIGITAL CONTROL COMPUTERS
[75] Inventors: Bhalchandra R. Tulpule, Vernon; Edward M. Oscarson, Bristol, both of Conn.
[73] Assignee: United Technologies Corporation, Hartford, Conn.
[21] Appl. No.: 346,247
[22] Filed: Apr. 5, 1989
Related U.S. Application Data
[63] Continuation of Ser. No. 922,617, Oct. 24, 1986, abandoned.
[51] Int. Cl.5: G06F 11/20
[52] U.S. Cl.: 371/9.1; 395/575; 364/DIG. 2; 364/944.2; 364/944; 364/945
[58] Field of Search: 364/200 MS File, 900 MS File; 371/9.1, 10
Primary Examiner-Gareth D. Shaw
Assistant Examiner-Kakali Chaki
[57] ABSTRACT
An interrupt is provided to a signal processor having a 
non-maskable interrupt input, in response to the detec- 
tion of a request for transfer to backup software. The 
signal processor provides a transfer signal to a transfer 
mechanism only after completion of the present ma- 
chine cycle. Transfer to the backup software is initiated 
by the transfer mechanism only upon reception of the 
transfer signal. 
5 Claims, 5 Drawing Sheets 
https://ntrs.nasa.gov/search.jsp?R=20080004325 2019-08-30T02:19:05+00:00Z
[Drawing sheets 1 to 5 of U.S. Patent 5,128,943, July 7, 1992. The drawings did not survive extraction; the recoverable labels are listed here.]
[FIG. 2: failure detector/indicator.]
[FIG. 3: timing diagrams (a) to (d): machine cycles in primary mode, the NMI ACK machine cycle, machine cycles in BUCS mode, and the PRIMARY/BUCS transition.]
[Sheet 3: Transfer Mechanism and Signal Processor, with the signals Unsever Arm, Armed, BUCS Lamp, Power Status, Mode Status and POR.]
[FIG. 6: flow chart with the steps: Channel powered? Commence channel activity in primary operating mode. BUCS transfer request by pilot? Majority of channels severed? BUCS transfer request by CPU? Majority of powered channels in BUCS? Transfer to BUCS and commence channel activity in BUCS operating mode. Transfer to primary mode and commence channel activity in primary mode.]
INDEPENDENT BACKUP MODE TRANSFER AND MECHANISM FOR DIGITAL CONTROL COMPUTERS
STATEMENT OF GOVERNMENT RIGHTS
The invention described herein was made in the performance of work under NASA Contract No. NAS2-11771 and is subject to the provisions of Section 305 of the National Aeronautics and Space Act of 1958 (72 Stat. 435; 42 U.S.C. 2457).
This is a continuation of application Ser. No. 06/922,617 filed on Oct. 24, 1986 now abandoned.
CROSS REFERENCE TO RELATED APPLICATION
The invention described herein may employ some of the teachings disclosed and claimed in a commonly owned co-pending application filed on Mar. 22, 1985 by Murphy et al, Ser. No. 715,132, entitled “Backup Control System (BUCS)”.
1. Technical Field
This invention relates to transfer methods and mechanisms for digital control computers and, more particularly, to methods and mechanisms for transferring between a primary program memory and a backup program memory.
2. Background Art
In recent years, the increasing capabilities of digital microprocessors have led to the realization of redundant high performance digital control computer systems, e.g., for avionic applications. These powerful and reliable systems can perform complex computation and control functions, as well as detect, isolate and reconfigure the system elements with a high degree of reliability in the presence of hardware failures. However, the increasing complexity of the software resident in the systems, has led to the demand for software reliability and fault tolerance. In particular, there has been a strong demand for protection from the so-called generic software failure or error. Redundant digital systems utilizing identical software in all channels are particularly vulnerable to this type of error. This arises if all channels perform the same erroneous activity which cannot be predicted and which can lead to system failure. Therefore, there is a basic need for techniques that can protect the digital control system from generic software failures.
The protection mechanism against generic software failures may take on many forms. For example, analog electronic computers may be used as backups for the primary digital system. An alternate solution involves the use of “in situ” alternate software which is switched on in case of a detected generic software failure. In this case, the alternate software package is responsible for preventing loss of control of the system. This approach is quite cost effective, as the alternate software shares the same channel hardware, except for the program memory.
The alternate software, resident in a backup memory, can be engaged or disengaged by means of a transfer mechanism. Clearly, the reliability of the overall system in the presence of generic common mode software faults is dependent on the reliability and fault tolerance of the transfer mechanism. Therefore, the problem of protection from generic software failures is closely associated with the need for a reliable, independent, fault tolerant backup mode transfer mechanism for digital control computer systems.
DISCLOSURE OF THE INVENTION
An object of the present invention is to provide a transfer mechanism for transferring from primary program memory to an alternate or backup program memory which is independent of the channel’s software. In other words, the transfer must occur via a hardware mechanism free of any software control.
Another object of the present invention is to provide a transfer method and mechanism for transferring all channels to and from the backup mode with near simultaneity. It will be understood that this cannot be done by a central transfer controller because of the possibility of a common mode hardware failure.
Another object of the present invention is to provide a transfer mechanism and method that provides clean, transient free transfers, i.e., the process of transfer between the primary and backup program memories must not create transients or leave incompleted routines or apparent failures behind which can lead to loss of the system after the transfer.
Another object of the present invention is to provide a transfer mechanism and method for a redundant system in which unambiguous performance is provided in the presence of a power loss to a subset of channels.
Another object of the present invention is to provide a transfer mechanism method responsive to the detected occurrences of the so-called generic software fault and/or the occurrence of direct user transfer requests.
According to the present invention, the transfer method and mechanism, when activated, sends a non-maskable interrupt to all of the channel processor(s) when a majority of channels detect (by means of a sever request, a user request or any other mechanism) a generic software failure; each of the processors then sends an acknowledge signal in response to the non-maskable interrupt after concluding the machine cycle in which it is engaged at the time it receives the interrupt; the acknowledge signal, which is purely a hardware driven signal, is then used to transfer the signal processor’s program memory from a primary program memory to a backup program memory.
The method and mechanism of the present invention utilizes the technique of providing a shadow or backup memory for the primary program memory. The program contained in the shadow backup memory will be different from the program in the primary memory in order to provide for protection against a generic software failure in the primary software. A key element of this approach is the use of a non-maskable interrupt which cannot be disabled by software. The transfer is clean and transient free. Once the system is transferred into backup mode it will remain in backup mode unless the operator, e.g., the pilot, disarms the backup system for a transient-free return to primary mode.
These and other objects, features and advantages of the present invention will become more apparent in light of the detailed description of a best mode embodiment thereof, as illustrated in the accompanying drawing.
BRIEF DESCRIPTION OF THE DRAWING
FIG. 1 is an illustration of a redundant digital computer control system in which the present invention is embodied in each channel;
FIG. 2 is a functional illustration of the inventive concept of the present invention;
FIGS. 3(a)-3(d) are timing diagrams presented as an aid for understanding the implementation of the transfer mechanism illustrated in FIG. 2;
FIG. 4 is an illustration of a hardware implementation of the BUCS Transfer Mechanism, according to the present invention, particularly showing the various input and output signals which may be associated with such a Transfer Mechanism;
FIG. 5 is a simplified block diagram illustration of a hardware implementation of the Transfer Mechanism of FIG. 4; and
FIG. 6 is a simplified flow chart illustration of the logical steps which may be accomplished in a signal processor implementation of the Transfer Mechanism of FIG. 4.
BEST MODE FOR CARRYING OUT THE INVENTION
FIG. 1 is an illustration of a redundant channel digital computer control system 10 having several redundant channels employed for system reliability.
Each channel is generally shown as having three main components, i.e., input/output (I/O) 12, an Interface 14, and a signal processor 16, e.g., a microprocessor. Each signal processor 16 in each channel will normally interface with a primary memory space 18 over data, control and address lines 20, 22. According to the method and mechanism of the present invention, a Backup Control System (BUCS) transfer mechanism may be functionally interposed between address and data lines 20 and data and address lines 22 in order to permit the substitution of a backup memory 24 in place of the primary memory 18 in the presence of several conditions including a generic software fault in the primary program memory. In the backup mode, address and data lines 26a and data and address lines 22 are used in lieu of the address and data lines 20, 22. A BUCS Transfer Mechanism 26 is functionally shown within each channel in FIG. 1 as the means whereby the transfer is effected.
A Non-Maskable Interrupt Generator 28 is shown in each channel for providing and receiving various signals over a signal line 30 between the BUCS Transfer Mechanism 26 and the Signal Processor 16.
Referring now to FIG. 2, a channel interrupt controller 28 is shown responsive to several priority interrupt signals on lines 32 for providing the various interrupts to the signal processor 16. These will include a Non-Maskable interrupt request signal on a line 34 generated in response to the presence of a signal on a line 35 from a generic software failure detector/indicator 35a. The detector/indicator 35a may be part of the BUCS Transfer Mechanism 26. The signal on the line 35 will be sent either if a generic software failure is detected or if requested, as indicated by a request signal on a line 35b. A number of channel failure (sever) signals are provided on lines 35, each indicative of the status of its respective channel. The signal on line 34 will be sent to the processor 16 upon detection of, for example, a generic software failure, among other conditions.
The signal processor 16 will have a machine cycle which can typically be dynamically varied, e.g., from one clock period to ten clock periods. A series of such machine cycles are shown in FIG. 3(a). In the case illustrated, an NMI request signal is transmitted to the signal processor, as illustrated in FIG. 3(b) by a waveform 36. If an immediate acknowledge is returned by the signal processor 16 to the interrupt controller 28 then the signal processor might be interrupted in the middle of the performance of some vital task such as addressing memory as shown in general by a machine cycle 38 in FIG. 3(a). It is essential for the proper operation of the BUCS Transfer Mechanism 26 of the present invention for the acknowledge signal to be sent only during a period of time in which the Signal Processor 16 is not disturbed in its normal read/write activity. Thus, FIG. 3(c) shows an acknowledge signal waveform 40 corresponding to an acknowledge signal on a line 42 in FIG. 2 as occurring only during a special period of time 41 during which the signal processor is guaranteed to have completed the previous machine cycle 38, so as to avoid interfering with the signal processor's normal read/write activity. FIG. 3(d) shows that the transfer to backup memory is also effected during the NMI ACK machine cycle 41 such that the next succeeding machine cycle 41a accesses the backup memory. A transition 41b indicates a transfer boundary between the signal processor accessing primary as opposed to backup memory.
Referring back to FIG. 2, the actual transfer is initiated by the signal on the line 42. The acknowledge signal would normally be input to a State latch 42a which in turn provides a transfer signal on a line 42b to a link 44, which changes its position to that shown by phantom lines 46 in response thereto.
It will be observed that the BUCS Transfer Mechanism 26 is only shown functionally in FIG. 2 to aid in understanding the invention. The mechanism is illustrated as a simple single pole double throw switch, which may be break before make, make before break, or any variation thereof. The function, of course, is to respond to the signal on line 42 without software intervention to provide a switchover of the signal processor's address/data lines 22 from connection to the primary memory along line 20 to connection to the backup memory along lines 26a. This is effected by changing the position of the "link" 44 from the position shown in FIG. 2 to a second position 46 shown by phantom lines within the mechanism 26, as mentioned above. Of course, this purely functional description is not an accurate description of the actual means by which this would be effected in reality. In a real circuit, the function of the mechanism 26 shown in FIG. 2 would be accomplished simply by the signal Processor 16 chip selecting a different memory at the proper time, as taught herein. Thus, it will be understood that FIG. 2 is presented primarily as an aid for understanding the function of the BUCS transfer mechanism.
Referring now to FIG. 4 a BUCS Transfer Mechanism 26 is shown in a way which better illustrates the signals input thereto and output therefrom and how the BUCS Transfer Mechanism interfaces with the signal processor.
A BUCS Arm signal on a line 48 is provided from, for example, a pilot actuated switch indicating that the pilot wishes the BUCS Transfer Mechanism 26 to be enabled. In the absence of this signal being activated, a transfer between primary and backup memories will never occur.
A BUCS Engage signal on a line 50 is also provided, for example, from the pilot to the various channels to perform a transfer regardless of detection of a generic software fault. This signal is provided to the backup transfer mechanism for manual actuation whenever the pilot desires a transfer or perceives the presence of a generic software failure.
The BUCS Transfer Mechanism 26 will also be re- 
sponsive, in a quad channel system, to a group of four 
redundant channel power status signals 52 each indica- 
tive of the power status of one of the four redundant 
channels in the quad system. The Transfer Mechanism 
is designed to always commence channel activity in the 
primary operating mode upon restoration of power. 
One of the four signal lines 52 will originate with and be 
identical to one of four POR status signal lines 70 to be 
described below. One of the status signals on line 70 is 
merely routed back into the BUCS Transfer Mechanism 
via one of the signal lines 52. A break 520 in the signal 
line 52 is shown from its origination on signal output 
line 70 in order to indicate that the routing back of the 
POR status signal to the input may be rather circuitous 
and may involve routing outside of the channel and also 
may involve signal conditioning not shown. 
The BUCS Transfer Mechanism 26 is also responsive
to a group of four sever status signals on a line 54 each 
indicative of the sever status of one of the four channels 
in the quad system, including its own channel. If it is 
determined that a majority of channels are presently 
severed then a transfer to the BUCS mode will be made, 
if the channel were operating in the primary mode at 
the time. 
The BUCS Transfer Mechanism 26 is also responsive 
to a group of four signals on a line 56 each indicative of 
the mode status of one of the channels in the quad sys- 
tem. If it is determined that a majority of powered chan- 
nels, as determined by reference to the signals on line 
52, are presently in the BUCS mode a channel will be 
transferred to the BUCS mode if it is presently still in 
the primary memory mode. It will be observed that one 
of the mode status signals originates at an output of the 
BUCS Transfer Mechanism, at a signal line 72, in a 
manner similar to that already described in connection 
with one of the signal lines 52. The same comments 
apply here. 
It will also be observed that the plurality of input 
signals input on input line 54 do not have one of that
plurality of signals originating at the output, as with one 
of the signals in each of the cases corresponding to input 
signal lines 52 and 56. However, it will be understood 
that the BUCS Transfer Mechanism 26 could also in- 
clude the necessary circuitry for originating these sig- 
nals. However, in the embodiment shown in FIG. 4, 
they have been located elsewhere (not shown). Thus, it 
will be understood that although the circuitry for origi- 
nating the signals on lines 70 and 72 have been included 
in the BUCS Transfer Mechanism 26 of FIG. 4, they 
could just as easily be provided elsewhere and not 
shown in the same manner that the source of signals 54 
has not been shown in FIG. 4. These entities are freely 
transferable in and out of the BUCS Transfer Mecha- 
nism and are not an essential part of the present inven- 
tion. 
The BUCS Transfer Mechanism 26 is also responsive 
to a power-on-reset (POR) signal on a line 58 for indi- 
cating that the channel has just been powered up and 
that the channel should commence activity in the pri- 
mary operating mode. Hence, the BUCS Transfer 
Mechanism 26 will ensure that the Primary Memory 18 
will be utilized immediately after receiving a POR sig- 
nal. 
The signal processor 16 provides a CPU commanded 
transfer signal on a line 62 to the transfer mechanism. 
The function of the signal on line 62 is to provide a CPU 
initiated transfer for testing, as well as to provide an 
alternate transfer vehicle controlled by software. A 
sever detect enable signal on a line 64 is also provided 
for the purpose of disabling transfer to BUCS after 
system POR, i.e., to allow initial system operating in
primary mode. A signal on a line 65 allows for a second
attempt to unsever.
A Non-Maskable Interrupt request signal on a line 66 
is provided to the signal processor from the BUCS 
Transfer Mechanism. The function of this signal is simi- 
lar to that of the signal on line 34 of FIG. 2 except that 
it is provided, in FIG. 4, from the BUCS Transfer 
Mechanism itself rather than from an interrupt control- 
ler 28, as in FIG. 2. Functionally, there is no difference. 
The signal processor 16 sends an acknowledge on a line 
68 at the proper moment so as not to interfere with its 
read/write operations with memory. 
A group of four POR status signals on a line 70 are 
provided, one to  each of the channels, including one to 
itself (see signal line 56), for the purpose of indicating 
the POR status of this particular channel to each of the 
other channels. 
A group of four channel mode status signals on a line 
72 each indicative of the mode status of the particular 
channel associated with the particular BUCS Transfer 
Mechanism from which they emerge are also provided 
to all the channels in the system (one of these signals 
appears on line 56). 
A BUCS Engage lamp signal is provided on a line 74 
for energizing an indicator lamp indicative of whether 
the backup memory is being utilized at a particular 
point in time or not.
A BUCS Armed lamp signal on a line 76 is provided 
for energizing a lamp indicative of whether the pilot has 
armed BUCS. 
An Unsever Arm latch signal on a line 78 is provided 
to rearm an unsever mechanism (not shown) for the 
purpose of restoring a severed channel's ability to un- 
sever its outputs and commence operation in a new 
mode. A mode status signal is provided on a line 79 to 
the signal processor. This signal determines which of 
two chip select signals is active. Depending on which 
chip select signal is active, one or the other of the pri- 
mary memory 18 or the backup memory 24 will be 
selected. Thus, the signal on line 79 may be thought of 
as the ultimate output signal of the BUCS Transfer 
Mechanism 26. 
FIG. 5 is an illustration of one embodiment of the
internals of a BUCS Transfer Mechanism. It will be 
noted that the embodiment shown in FIG. 5 is a hard- 
ware embodiment. However, it will be understood by 
those skilled in the art, that an embodiment using a 
signal processor and a program memory designed, for 
example, in accordance with the flow chart of FIG. 6, 
could substitute as well. However, it will be understood
that such a program must be independent of both the
primary and secondary modes. Hence, the software
can't share processing functions or memory functions
with either the primary or secondary. For this reason,
BUCS is usually more reliable and cost effective as a 
hardware embodiment. Therefore, FIG. 6 will primar- 
ily be useful as an aid to understanding and for illustrat- 
ing one set of logical steps which might be carried out 
in implementing the present invention. 
In FIG. 5, most of the input signals and output signals shown in FIG. 4 are illustrated. A BUCS Arm signal on line 48 is provided to a Backup Arm Conditioning Circuit 80 which conditions the signal to a level compatible with the input of an OR gate 84 which is responsive to the conditional Backup Arm signal on line 82 and to the POR signal on line 58. In the presence of either of these two asynchronous signals, the OR gate provides a signal on a line 86 to the RS input of a D flip-flop with asynchronous priority over the synchronous inputs. The flip-flop Q output will be high in the presence of a high input signal on a line 90 (preceded by a clock signal on a line 92) but will be overridden to produce a low at the Q output in the presence of a high signal on the line 86. This is to prevent a non-maskable interrupt in the absence of the BUCS mechanism being armed or in the presence of POR. A Channel Sever Detector Majority Voter 94 is responsive to a clock signal on a line 95 and to the plurality of channel sever status signals 54 and provides an output signal on a line 96 to an AND gate 98 in the presence of three or more, i.e., majority of the four signals 54 for a quad channel system indicating a sever condition. The AND gate 98 is also responsive to a Sever Detect Enable signal on the line 64 from the processor 16 of FIG. 4. Both the signal on the line 96 and the signal on the line 64 must be present before the AND gate 98 will provide an output on a line 100 to an OR gate 102.
The plurality of signals indicated by the line 56 of FIG. 4 are provided to a majority voter 104 which provides an output signal on a line 106 to the OR gate 102 if three or more of the channel mode status signals indicate that three or more, i.e., majority of channels in quad channel system are in the BUCS mode. In that case, it would be required for the channel in question to also be in the BUCS mode and the signal on line 106 is provided to the OR gate 102 for that purpose, as will be described in more detail below.
The BUCS Engage signal on the line 50 is provided in response to the pilot actuating a switch 108 in the cockpit. A Pilot Request signal conditioner 110 is responsive to the Engage Signal on line 50 and provides a conditioned output signal on a line 112 which is conditioned to be compatible with the OR gate 102, e.g., a signal scaling from a high voltage of 12 VDC to a TTL compatible voltage of 5 VDC.
The OR gate 102 is also responsive to the CPU generated Transfer Command signal on line 62. This signal permits a path for letting the channel join the system or unilaterally making the transfer in case of a generic software failure, as described above.
The D flip-flop 88 provides the Non-Maskable Interrupt signal on the line 66 to the processor 16 of FIG. 4 in the presence of either a majority of the channels in sever, a majority of the channels in BUCS, a pilot request, or a CPU transfer command. Of course, the backup system must be armed before any of these conditions will actually result in a transfer to backup memory, as controlled at the RS input.
Once the Non-Maskable Interrupt signal on the line 66 has been sent to the signal processor, the processor will respond with an NMI Acknowledge signal on the line 68 which is provided, along with the NMI signal itself, to an AND gate 114 which will provide an output signal on a line 116 to another D flip-flop 118 only if both the NMI and NMI Acknowledge signals are both present. This ensures that the processor has finished with its present activity before the backup memory is selected.
The D flip-flop 118 will provide an output signal on a line 120 to a Signal Buffer Module 122 which is also responsive to a number of signals including the backup arm signal on line 82, the POR signal on line 58, the pilot request signal on line 112, and the second unsever attempt signal on line 65.
The Signal Buffer Module 122 provides the unsever arm latch signal on line 78, the BUCS armed lamp signal on line 76, the BUCS engage lamp signal on line 74, the channel mode status signals on line 72, the POR status signals on line 70 and, most importantly, the chip select switch signal on line 79.
Although the BUCS Transfer Mechanism of FIG. 4 has been shown in a particular hardware embodiment in FIG. 5, it will be realized that many other hardware embodiments similar to that shown in FIG. 5 are very easily implemented. Such implementations would include various gate and discrete component implementations. It will also be possible to implement the Transfer Mechanism 26 by means of a separate signal processor using a set of instructions similar to those shown in FIG. 6 as long as it is not shared by either the primary or backup software programs resident in memory spaces.
Thus, the BUCS Transfer Mechanism 26 of FIG. 4 will, for the purposes of FIG. 6, actually be a signal processor including all of the necessary internal components for such a processor including a CPU, a ROM for holding the program steps illustrated in FIG. 6 in permanent memory, a RAM, a data bus, a control bus, an address bus, and all of the other necessary components of a signal processor.
The flow chart illustrated in FIG. 6 begins with an enter step 130 after which a step 132 is next executed in which a determination is made as to whether or not the particular channel in which the Transfer Mechanism is located is powered or not. If not, step 132 is continually executed and re-executed until a determination is made that the channel being controlled for transfer is powered. Once this determination is made, a step 134 is next executed in which channel activity is commenced in the primary operating mode. In other words, the primary memory 18 is utilized rather than the backup memory 24.
A step 136 is next executed in which a determination is made as to whether or not BUCS is armed or not. If not, step 136 is continually re-executed until a determination is made that BUCS is in fact armed. Once this determination is made, a step 138 is next executed in which a determination is made as to whether a BUCS transfer request has been made by the pilot, i.e., whether the signal on line 50 of FIG. 5 is present or not. If not, a step 140 is next executed in which a determination is made as to whether or not a majority of the channels are severed or not, i.e., as to whether a majority of the signals on lines 54 are severed or not. If not, a step 142 is next executed in which a determination is made as to whether or not the CPU has made a BUCS transfer request, i.e., whether the signal on line 62 of FIGS. 4 and 5 is present or not. If not, a step 144 is next executed in which a determination is made as to whether or not a majority of the presently powered channels are in BUCS or not. If not, a step 146 is next executed in which a determination is made as to whether or not BUCS is still armed. If so, the steps 138, 140, 142, and 144 are re-executed over and over again until a determination is made by one of the steps 138, 140, 142, 144 that a transfer to BUCS is appropriate as indicated by next executing a step 148 or BUCS is no longer armed, in which case a step 150 is next executed to determine
whether or not the channel is using the primary mem- 
ory 18 or the backup memory 24. 
If a determination is made by one of the steps 138-144 
that a transfer to BUCS is appropriate, then step 148 is 
executed to determine whether the channel is already in 
BUCS or not. If not, a step 152 is executed in which a 
transfer to BUCS is effected and channel activity is 
commenced in that mode. If the channel were already 
in BUCS then step 152 would be unnecessary and a step 
154 is directly executed in which a determination is 
made as to whether or not power has been lost or not in 
the particular channel. If so, the next step executed 
would be step 132 in which the program waits until the 
channel is powered up again and activity is recom- 
menced in the primary mode. If channel power was not 
lost, then step 146 would next be executed in which a 
determination is made as to whether or not BUCS is still 
armed. 
If BUCS is not still armed, then a determination is 
made in step 150 as to whether or not the channel is still 
in BUCS. If so, a step 156 is next executed in which a 
transfer to the primary mode is made and channel activ- 
ity is commenced in that mode. If it were determined in 
step 150 that the channel is no longer in BUCS then a 
transfer would be made directly to step 136 instead of 
executing step 156. In any event, step 136 is next executed
after either step 150 or step 156 to determine
whether BUCS is armed or not.
The program continues in the above described man- 
ner indefinitely and transfers may be made in and out of 
BUCS as indicated. 
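The flow described above (steps 132 through 156), written as a single-pass decision function in C. This is an added example, not code from the patent; the four-channel count, the type and function names, and the choice to check channel power on every pass are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#define NUM_CHANNELS 4 /* assumed channel count, constructed for this example */

typedef enum { MODE_UNPOWERED, MODE_PRIMARY, MODE_BUCS } chan_mode;

typedef struct {
    bool powered;                    /* this channel's power (steps 132, 154) */
    bool armed;                      /* BUCS arm signal (steps 136, 146) */
    bool pilot_request;              /* line 50 (step 138) */
    bool cpu_request;                /* line 62 (step 142) */
    bool severed[NUM_CHANNELS];      /* sever status, lines 54 (step 140) */
    bool chan_powered[NUM_CHANNELS]; /* which channels have power (step 144) */
    bool chan_in_bucs[NUM_CHANNELS]; /* which channels run from backup memory */
} chan_inputs;

/* Strict majority: more than half of total; an empty set never votes. */
static bool majority(size_t count, size_t total) {
    return total > 0 && 2 * count > total;
}

/* Steps 138-144: any one of the four conditions justifies a transfer. */
static bool transfer_wanted(const chan_inputs *in) {
    size_t severed = 0, powered = 0, in_bucs = 0;
    for (size_t i = 0; i < NUM_CHANNELS; i++) {
        if (in->severed[i]) severed++;
        if (in->chan_powered[i]) { powered++; if (in->chan_in_bucs[i]) in_bucs++; }
    }
    return in->pilot_request || in->cpu_request
        || majority(severed, NUM_CHANNELS) /* step 140: of all channels */
        || majority(in_bucs, powered);     /* step 144: of powered channels */
}

/* One pass through the flow; returns the memory the channel runs from next. */
chan_mode bucs_step(chan_mode mode, const chan_inputs *in) {
    if (!in->powered) return MODE_UNPOWERED;         /* wait at step 132 */
    if (mode == MODE_UNPOWERED) return MODE_PRIMARY; /* step 134 */
    if (!in->armed) return MODE_PRIMARY;             /* steps 150 and 156 */
    if (transfer_wanted(in)) return MODE_BUCS;       /* steps 148 and 152 */
    return mode;                                     /* stays put while armed */
}

int main(void) {
    chan_inputs in = { .powered = true, .armed = true, .severed = { true, true, true } };
    chan_mode m = bucs_step(MODE_UNPOWERED, &in); /* power-up ignores the vote */
    printf("after power-up: %d, next pass: %d\n", m, bucs_step(m, &in));
    return 0;
}
```

Note the two different denominators: the sever vote counts against all channels, while the in-BUCS vote counts only against channels that are currently powered.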
Although the invention has been shown and de- 
scribed with respect to a best mode embodiment 
thereof, it should be understood by those skilled in the 
art that the foregoing and various other changes, omis- 
sions, and additions in the form and detail thereof may 
be made therein without departing from the spirit and 
scope of the invention. 
We claim:
1. A signal processing method for use in each one of
a plurality of separately powered channels of a redundant
channel system, each channel having primary program
memory with resident software for providing a
plurality of control function program instructions and
for providing system start up function program instructions
for the related channel, and dissimilar backup
program memory with resident software, different from
the resident software in said primary program memory,
for providing program instructions for said plurality of
control functions for the related channel, comprising
the steps of:
obtaining program instructions from said primary
program memory to start up operation of the related
channel;
processing signals under control of the resident software
of a selected one of said memories,
monitoring channel power for an interruption and
subsequent reapplication thereof; and
upon detecting reapplication of power after said interruption,
using the primary program memory as a
preselected startup memory regardless of the memory
used prior to said interruption.
2. Signal processing apparatus (26) for use in each one
of a plurality of separately powered channels of a redundant
channel system, each channel having primary
program memory and dissimilar backup program memory
for use in the presence of an indication of a primary
program failure common to a majority of the channels,
comprising:
means (58) for providing a channel power-on-reset
(POR) signal indicative of either an initial application
of channel power or of an interruption followed
by a reapplication of channel power;
sever voting means (94), responsive to sever status
signals (54) from each channel, for providing an
interrupt signal (96) in the presence of a majority of
the channels indicating a sever status, thereby indicating
a program failure common to said majority
of channels; and
means (88), responsive to said interrupt signal (96) from
said sever voting means (94) and to said POR signal
(58), for normally providing in response to said interrupt
signal (96), in the absence of said POR signal (58),
a nonmaskable interrupt signal (66) to cause such
channel to switch from said primary program
memory to said backup program memory, and for
not providing said nonmaskable interrupt signal
(66) in response to said interrupt signal (96) in the
presence of said POR signal (58);
whereby signal processing always commences using
the primary program memory as a preselected
startup program memory regardless of the memory
used prior thereto.
3. The apparatus of claim 2, further comprising:
backup voting means (104), responsive to mode status
signals (56) from each channel, for providing another
interrupt signal (106) in the presence of a
majority of the channels indicating the backup
program memory is in use; wherein,
said means (88) for providing said nonmaskable interrupt
signal is also responsive to said other interrupt
signal (106) from said backup voting means (104)
for normally providing in response to said other
interrupt signal (106), in the absence of said POR
signal (58), said nonmaskable interrupt signal (66),
and for not providing said nonmaskable interrupt
signal (66) in response to said other interrupt signal
(106) in the presence of said POR signal.
4. A signal processing method for use in each one of
a plurality of separately powered channels of a redundant
channel system, each channel having primary program
memory with resident software for providing a
plurality of control function program instructions and
for providing system startup function program instructions
for the related channel, and dissimilar backup
program memory with resident software, different from
the resident software in said primary program memory,
for providing program instructions for said plurality of
control functions for the related channel, comprising
the steps of:
obtaining program instructions from said primary
program memory to start up operation of the related
channel;
processing signals under control of the resident software
of said primary program memory;
selectively providing an arm signal indicative by its
presence that transferring from use of primary
program memory to use of backup program memory
is to be permitted and indicative by its absence
that such transferring is not to be permitted;
testing, in response to the presence of said arm signal,
for the presence of fault signals indicative of incorrect
operation in one or more of the channels;
providing an interrupt signal, in the presence of a
majority of the channels providing fault signals
indicative of incorrect operation;
permitting the signal processor to complete its present
operation in response to said interrupt signal
and then suspending further signal processing steps
until commencing to obtain program instructions
from the backup program memory;
providing a suspend acknowledge signal in the presence
of the signal processor suspending the execution
of further steps;
ceasing to obtain program instructions for the signal
processor from the primary program memory in
response to said suspend acknowledge signal;
commencing, after said ceasing, to obtain program
instructions for the signal processor from the
backup program memory;
checking for the continuing presence of said arm
signal and transferring the signal processor to primary
program memory upon detecting the absence
of said arm signal regardless, until said arm signal is
redetected, of the subsequent presence of fault
signals in a majority of channels indicative of incorrect
primary program execution therein;
monitoring channel power for an interruption and
subsequent reapplication thereof; and
upon detecting reapplication of power after said interruption,
using the primary program memory as a
preselected startup memory regardless of the memory
used prior to said interruption.
5. The method of claim 4, further comprising the step
of:
preventing the obtaining of further instructions from
the primary program memory after commencing to
obtain instructions from the backup program memory
except after said arm signal is detected as having
been removed or after a power interruption.
