Backup control system (BUCS) by Murphy, Richard D. & Fischer, William C.
United States Patent [19]  [11] Patent Number: 4,890,284
Murphy et al.  [45] Date of Patent: Dec. 26, 1989
[54] BACKUP CONTROL SYSTEM (BUCS) 
[75] Inventors: Richard D. Murphy, Trumbull; William C. Fischer, Monroe, both of Conn.
[73] Assignee: United Technologies Corporation, 
Hartford, Conn. 
[21] Appl. No.: 159,483 
[22] Filed: Feb. 22, 1988
[51] Int. Cl.4 .............................................. G06F 11/20
[52] U.S. Cl. ..................................... 371/9.1; 244/194; 364/187
[58] Field of Search ......................... 371/9, 10, 16, 68; 364/184, 187, 431.11, 200 MS File, 900 MS File; 244/194
[56] References Cited
U.S. PATENT DOCUMENTS 
4,115,847 9/1978 Osder et al. ......................... 364/187 X
4,141,066 2/1979 Keiles .............................. 364/200 X
4,200,226 4/1980 Piras ............................... 371/9
4,231,089 10/1980 Lewine et al. ...................... 364/200
4,371,754 2/1983 De et al. ........................... 371/9 X
4,437,154 3/1984 Eisele et al. ....................... 364/187
4,532,594 7/1985 Hosaka et al. ....................... 364/431.11
4,542,479 9/1985 Kamimura et al. ..................... 364/900
4,590,549 5/1986 Burrage et al. ...................... 364/184 X
FOREIGN PATENT DOCUMENTS 
0096510 12/1983 European Pat. Off.
0211500 2/1987 European Pat. Off.
1560554 2/1980 United Kingdom
2104247 6/1985 United Kingdom
OTHER PUBLICATIONS 
NASA Position Paper, Back-up Flight Control For Flight Crucial Digital Fly-By-Wire Systems, Sep. 10, 1982.
Dual Dissimilar Microprocessors Give Fail-safe Aircraft Control, Control Engineering, Sep. 1982, p. 74.
Snyder, Modular Fault Tolerance Keeps Computer Systems Reliable, Electronic Design, vol. 29, No. 10, May 14, 1981, pp. 163-167.
"Fault Tolerance by Design Diversity: Concepts and Experiments", Algirdas Avizienis and John P. J. Kelly, Computer, Aug. 1984, pp. 67-80.
Primary Examiner-Charles E. Atkinson 
Attorney, Agent, or Firm-Francis J. Maguire, Jr. 
[57] ABSTRACT
A backup software program is installed in an isolated portion in the memory of at least one of redundant computers. The backup program performs basically the same functions as the prime program but is dissimilarly programmed to prevent a common software error. Switchover to the backup program occurs either automatically in response to monitors, or manually by the operator (i.e. pilot) when he detects an anomaly.
10 Claims, 2 Drawing Sheets 
[Abstract drawing: WATCH DOG TIMER 32A, OTHER PROTECTIVE CONDITIONS, relay 42A]
https://ntrs.nasa.gov/search.jsp?R=20080008805 2019-08-30T03:44:13+00:00Z
U.S. Patent  Dec. 26, 1989  Sheet 1 of 2  4,890,284  [drawing sheet]
U.S. Patent  Dec. 26, 1989  Sheet 2 of 2  4,890,284  [drawing sheet]
BACKUP CONTROL SYSTEM (BUCS) 
The invention described herein was made in the performance of work under NASA Contract No. NAS2-11771 and is subject to the provisions of Section 305 of the National Aeronautics and Space Act of 1958 (72 Stat. 435; 42 U.S.C. 2457).

CROSS REFERENCE TO RELATED APPLICATION

The invention described herein may employ some of the teachings disclosed and claimed in a commonly owned co-pending application filed on Oct. 24, 1986 by Tulpule et al, Ser. No. 922,617, entitled A RELIABLE, INDEPENDENT, BACKUP MODE TRANSFER MECHANISM FOR DIGITAL CONTROL COMPUTERS.

TECHNICAL FIELD
The invention relates to techniques for responding to 
software errors, especially in life critical systems such as 
aircraft control. 
BACKGROUND OF THE INVENTION
Continued proper operation of a digital system following a software fault is highly desirable in modern computer systems and becomes mandatory in a life critical digital system, such as those employed in aircraft primary flight control systems. A software error may manifest itself by the processor becoming mired within the program and not completing its tasks, or by the processor completing its tasks too rapidly by not executing all of its program. Redundant hardware and voting schemes provide hardware fault protection but do not provide safeguards against software faults when the redundant computers are programmed with identical software. Thus, each of the redundant channels can suffer the same software fault, at virtually the same instant. The present state of the art in software verification and validation does not provide any tool or technique which can guarantee the absence of software faults; on the contrary, experience has shown that software errors continue to exist even in exhaustively verified and validated software.

Backup systems have been provided by simple analog systems, additional digital systems which are dissimilarly programmed, or by mechanical means. Reversion to these backups generally occurs following disagreement between the redundant channels of the prime digital system. These backup systems require significant additional hardware with the attendant disadvantages of cost, weight, power demand and heat dissipation. The analog and mechanical backups are additionally constrained to be simple derivatives of the usually highly complex and nonlinear implementation of the prime digital system.
DISCLOSURE OF THE INVENTION

It is an object of the invention to provide a means of continuing the proper operation of a digital computer system in the presence of a software error with minimal additional hardware.

According to the invention, a backup software program is installed in an isolated portion in the memory of at least one of the redundant computers. The second program performs basically the same functions as the prime program but is dissimilarly programmed to avoid a common software error. Switchover to the second program occurs either automatically, or manually by the operator (i.e. pilot) when he detects an anomaly. Automatic switchover is initiated when at least n-1 (in a system having n levels of redundancy) computer monitors indicate a software fault condition. The computer monitors may be duty cycle timers which detect a computer cycling improperly (too long or too short), reasonableness testers, analog comparison models, or a combination of these types. Complexity and sophistication of the monitors will vary for particular applications but, in general, the monitors must be implemented in hardware to preclude their being rendered ineffective by the common software faults they are intended to discover. The assembler or compiler used to assemble/compile the backup mode program is also dissimilarly programmed to eliminate possible assembler/compiler faults as a source of common mode software faults.

Other objects, features, and advantages of the invention will become more apparent in light of the following description thereof.
BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a control system employing the invention;
FIG. 2 is a schematic of a monitor for the invention;
FIG. 3 is a block diagram detailing a portion of the invention.
BEST MODE FOR CARRYING OUT THE 
INVENTION 
In FIG. 1 is shown a computer based control system (10) having four computer channels A-D. Each channel has a processor section 12, associated input/output hardware 14, and memory 16. The memory 16 is divided into two portions. A portion 18 contains primary software which is accessed during normal system operation. A portion 20 contains dissimilar backup software, and is accessed only upon failure of the primary software. A monitor 22 is operable to determine failure of the primary software. The monitor 22 is, for example, a duty cycle timer, reasonableness tester, or analog comparison model.

The four channels A-D are redundant; that is, each contains copies of the primary and backup software in their respective memories 16. The computer system 10 implements a voting scheme in either hardware or software, such as is known, to output the most appropriate selected signal to a controlled device 24, such as the control surface actuators of an aircraft, in response to inputs 26, such as signals from a pilot or sensors. It should be understood that the invention is applicable to any number of channels, and that the backup software could be installed in only one channel.
FIG. 2 details a typical monitor 22 used in each channel of the computer system 10, for instance the channel A, which is representative of the monitors 22 in channels B, C, and D. An OR gate 30A (the "A" suffix indicates association with channel A) is responsive to signals from a watchdog timer 32A, a short duty cycle timer 34A, and a signal on a line 36A, indicative of other protective conditions; any of which will cause the OR gate 30A to provide a signal on a line 40A that will shut down the power to channel A. A relay 42A for the channel A trips in response to the signal on the line 40A to shut down the channel A. Similar OR gates 30B-30D and relays 42B-42D are provided for the other channels B-D. The switching logic for the monitors 22 should be implemented in hardware so that they are independent of software faults.

A switching section 44A includes two contact sets from each relay 42A-42D, arranged as shown so that any three channel failures will generate a signal on a line 49A to an AND circuit 50A. Another switching section 52A includes a third contact set from each relay 42A-42D arranged in parallel so that the failure of any one channel [starts] a timer, such as an integrator 56A driving a comparator 58A, so that until a predetermined interval of time Tref has elapsed, indicative of the time within which a common mode software failure would be experienced in [all] channels, an enable signal is provided to the AND [circuit 50A]. (The timer 56A may be reset for conditions such as rotor brake [...].) If it is judged that a [common] mode failure is a near-[simultaneous] event, then Tref can be set to infinity. This will permit the backup software to be engaged whenever n-1 out of n severs occur.

The AND circuit 50A is only responsive to the signals from the switching section 44A and the comparator 58A to provide a signal on a line 60 when the critical system is active (such as might be sensed by a rotor brake release signal in a helicopter embodiment) as indicated by a [signal] on a line 61 to [the AND circuit 50A].

A switching section 64A includes a contact set 66A-66D from each relay 42A-42D arranged in series so that a signal is output on a line 68A in response to a software failure in all four channels A-D.

An OR gate 70A is responsive to the output of the AND gate 50A and to the output of the switching section [64A] to provide a [signal] on a line 72A which will initiate the backup mode of operation based on either contingency. The signal on the line 72A is also provided in response to a manual override signal on a line 73 to the OR gate 70A.

The signal on the line 72A will proceed to the channel A as a nonmaskable hardware interrupt signal on a line 73A if an AND circuit 74A is armed by an arming signal on a line 76A to its input. The nonmaskable hardware interrupt request is issued to each channel A-D, whereupon the CPU 12 will complete whatever instruction it is currently executing before acknowledging the nonmaskable interrupt. The hardware transfer logic will respond to the nonmaskable interrupt by switching to the backup memory bank. The CPU will then begin "servicing the interrupt" at the prescribed memory location in the backup memory. The interrupt service routine in this case will actually be the backup software.

This switchover logic accomplishes a unified switchover of the processor at a known processor state and to a known location in the backup memory. It is necessary that the backup system reinitialize the system, for instance by reinitializing [...]. Suspect fault conditions could also be reset, since they could be faulty indications of the malfunctioning software. It is also desirable to synchronize the commands computed to actuator positions (in an aircraft) to minimize transients, and then blend over a period of time to the backup memory commands.

In a system such as an aircraft control system, the backup software can be a simplified control law. Generally, the simpler the control law is, the easier it is to verify and validate. The backup software can be installed in all of the computers, but it may be preferable to install it in only one, thereby avoiding voting schemes and other complications in the event of switchover to the backup software.

The backup system requires limited additional input/output interfaces, digital logic circuitry, and new software for each channel that it is installed in.

When the pilot arms the Backup Mode (76A), the FCS (Flight Control System) will continue to operate in the normal mode until any one or more of the following conditions occur:
1. The pilot initiates a backup transfer.
2. n-1 control system channels output "Sever" within the prescribed time interval Tref.
3. n control system channels output Sever.

The Backup mode transfer logic selects from the aforementioned condition list any active requesting condition signal to drive a nonmaskable interrupt request to the processor(s) in the channel. The reaction to the nonmaskable interrupt can be thought of as causing a jam transfer to the backup memory for instructions. The same transfer process will be separately occurring [in each channel]. [Referring to FIG.] 3, each channel will respond to the [nonmaskable interrupt] via a hardware interrupt 80 which will [cause] the following actions to occur:
1. The memory bank will be switched from the prime memory bank 82 to the backup memory bank 84;
2. The proper starting address of the backup software (residing in the backup memory bank) will be transferred into [the program counter] 86; and
3. The CPU 88 will execute its next instruction from the starting address of the backup program now stored in the program counter.
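The monitor of FIG. 2, the n-1/n/manual transfer conditions listed above, and the hardware-monitor requirement stated in the disclosure, modelled together as an added example in C that is not part of the patent: a window timer per channel (watchdog plus short duty cycle check), latched sever relays, the Tref enable started by the first sever, the n-1 and all-n contact paths, the manual override, the arming gate, and the jam transfer to the backup bank. The four-channel count, the 8 to 15 ms frame window, the backup start address 0x8000 and the `run_scenario` driver with its channel hang times are assumptions made for the model, not values from the patent.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Software model of the BUCS monitor and transfer logic (added example, not the patent's
 * circuit). Times are in ms; channel count, 8..15 ms frame window and backup start
 * address are hypothetical values chosen for the model. */
#define N_CHANNELS        4
#define MIN_PERIOD_MS     8          /* short duty cycle timer 34: a kick sooner than this trips */
#define MAX_PERIOD_MS     15         /* watchdog timer 32: no kick within this trips */
#define T_REF_INFINITE    UINT32_MAX /* Tref = infinity: n-1 severs suffice whenever they occur */
#define BACKUP_START_ADDR 0x8000u    /* hypothetical entry address in backup memory bank 84 */

typedef struct { uint32_t last_kick_ms; bool kicked; bool tripped; } window_timer_t;

/* The primary software kicks its monitor once per frame; hardware judges the spacing.
 * Too short means the program skipped work, too long means it is mired. Trips latch. */
static void wt_kick(window_timer_t *w, uint32_t now_ms)
{
    uint32_t dt = now_ms - w->last_kick_ms;
    if (w->kicked && (dt < MIN_PERIOD_MS || dt > MAX_PERIOD_MS))
        w->tripped = true;
    w->kicked = true;
    w->last_kick_ms = now_ms;
}

/* Clocked by hardware, so a hung program cannot keep the watchdog from firing. */
static void wt_poll(window_timer_t *w, uint32_t now_ms)
{
    if (w->kicked && now_ms - w->last_kick_ms > MAX_PERIOD_MS)
        w->tripped = true;
}

typedef struct {
    window_timer_t wt[N_CHANNELS];
    bool     severed[N_CHANNELS];   /* relay 42 tripped (latched) */
    bool     armed;                 /* line 76: pilot has armed backup mode */
    bool     active;                /* line 61: critical system active (rotor brake released) */
    bool     manual;                /* line 73: pilot-initiated transfer */
    uint32_t t_ref_ms;              /* Tref window measured from the first sever */
    bool     first_sever_seen;
    uint32_t first_sever_ms;        /* integrator 56 starts here */
    bool     in_backup;             /* bank select: prime (82) or backup (84) */
    uint32_t pc;                    /* program counter after the jam transfer */
} bucs_t;

/* One evaluation of the transfer logic. Returns true at the instant the nonmaskable
 * interrupt is issued and the CPU is jam-transferred to the backup bank. */
static bool bucs_step(bucs_t *b, uint32_t now_ms)
{
    int n_sev = 0;
    for (int i = 0; i < N_CHANNELS; i++) {
        wt_poll(&b->wt[i], now_ms);
        if (b->wt[i].tripped)                 /* OR gate 30 -> line 40: relay 42 trips and latches */
            b->severed[i] = true;
        n_sev += b->severed[i];
    }
    if (n_sev > 0 && !b->first_sever_seen) {  /* parallel contacts: first sever starts Tref */
        b->first_sever_seen = true;
        b->first_sever_ms = now_ms;
    }
    bool enable = b->first_sever_seen &&      /* comparator 58: still inside Tref */
                  (b->t_ref_ms == T_REF_INFINITE || now_ms - b->first_sever_ms <= b->t_ref_ms);
    bool n_minus_1 = n_sev >= N_CHANNELS - 1 && enable && b->active; /* section 44 + AND 50 */
    bool all_n     = n_sev == N_CHANNELS;                             /* series contacts 66 */
    bool request   = n_minus_1 || all_n || b->manual;                 /* OR gate 70 -> line 72 */
    if (!b->armed || !request || b->in_backup)                        /* AND 74 gated by arming */
        return false;
    /* NMI: CPU finishes its current instruction, hardware selects the backup bank and
     * jam-loads the backup start address into the program counter. */
    b->in_backup = true;
    b->pc = BACKUP_START_ADDR;
    return true;
}

/* Scenario driver: 1 ms hardware ticks, nominal 10 ms frame. A channel with a nonzero
 * fail_at_ms stops kicking from then on (hung primary program). Returns the millisecond
 * at which the transfer occurred, or 0 if it never did. */
uint32_t run_scenario(const uint32_t fail_at_ms[N_CHANNELS], uint32_t t_ref_ms,
                      bool armed, uint32_t manual_at_ms, uint32_t t_end_ms)
{
    bucs_t b = {0};
    b.armed = armed; b.active = true; b.t_ref_ms = t_ref_ms;
    for (uint32_t t = 1; t <= t_end_ms; t++) {
        for (int i = 0; i < N_CHANNELS; i++)
            if ((fail_at_ms[i] == 0 || t < fail_at_ms[i]) && t % 10 == 0)
                wt_kick(&b.wt[i], t);
        if (manual_at_ms != 0 && t >= manual_at_ms)
            b.manual = true;
        if (bucs_step(&b, t))
            return t;
    }
    return 0;
}

int main(void)
{
    const uint32_t tight[N_CHANNELS]  = {0, 50, 60, 60};   /* B, C, D hang within 10 ms */
    const uint32_t spread[N_CHANNELS] = {0, 50, 200, 200}; /* C, D hang 150 ms after B */
    printf("n-1 inside Tref=100:  %u ms\n", run_scenario(tight, 100, true, 0, 500));             /* 66 */
    printf("n-1 outside Tref=100: %u ms\n", run_scenario(spread, 100, true, 0, 500));            /* 0 */
    printf("n-1, Tref=infinity:   %u ms\n", run_scenario(spread, T_REF_INFINITE, true, 0, 500)); /* 206 */
    return 0;
}
```

Running it reproduces the three cases the text distinguishes: channels B, C and D hanging within 10 ms of each other trip their watchdogs at 56 and 66 ms and the n-1 path transfers at 66 ms; the same three failures spread over 150 ms never satisfy the Tref = 100 ms enable and no transfer occurs, whereas with Tref set to infinity the transfer follows the third sever at 206 ms. The all-n path and the manual override bypass the Tref enable, and nothing is requested until the pilot has armed the mode. The caveat the patent stresses still holds for anything built from this: in a real channel the timers, relays and gating must be hardware, because a monitor that runs in the software it watches can be silenced by the very fault it is meant to catch; this model only makes the gating logic checkable.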
We claim:
1. In a computer system (10) having a plurality of identical processors (12) and controlling a device (24), a method of providing control over the device comprising:
installing identical primary software in a portion (18) of memory (16) associated with each processor (12), said primary software directing the operation of the processors to control the device during normal operation;
installing backup software, dissimilar from the primary software, in an isolated portion (20) of memory (16) associated with at least one of the processors (12), said backup software capable of directing the operation of the processor(s) to control the device in the event of a sensed event;
sensing for a fault event occurring in the primary software affecting all processors;
sensing for a fault event occurring in the primary software affecting a majority of the processors (12);
sensing for an externally initiated event represented by a backup software transfer command signal;
providing a nonmaskable interrupt request in response to one of said sensed events;
completing whatever instruction is being executed in the primary software when the nonmaskable interrupt request is provided, and then acknowledging the nonmaskable interrupt request; and
disabling the primary software and executing the backup software in response to the nonmaskable interrupt request so as to maintain control over the device with the backup software associated with the at least one processor.
2. A method according to claim 1, comprising jam-transferring to the isolated portion of memory in response to the sensed fault.
3. A method according to claim 1 wherein the backup 
software is simpler than the primary software. 
4. In a computer system (10) having at least two identical processors (12) and controlling a device (24), a method of providing control over the device comprising:
installing identical primary software in a portion (18) of memory (16) associated with each processor (12), said primary software directing the operation of the processors to control the device during normal operation;
installing backup software, dissimilar from the primary software, in an isolated portion (20) of memory (16) associated with at least one of the processors (12), said backup software capable of directing the operation of the processor(s) to control the device in the event of a sensed fault in the primary software affecting all processors;
enabling a nonmaskable interrupt request circuit;
sensing the fault in the primary software affecting all processors;
providing a nonmaskable interrupt request in response to the sensed fault;
completing whatever instruction is being executed in the primary software when the nonmaskable interrupt request is provided and then acknowledging the nonmaskable interrupt request; and
disabling the primary software and executing the backup software in response to the nonmaskable interrupt request so as to maintain control over the device with the backup software associated with the at least one processor.
5. In a computer system (10) having a plurality of identical processors (12) and controlling a device (24), a method of providing control over the device comprising:
installing identical primary software in a portion (18) of memory (16) associated with each processor (12), said primary software directing the operation of the processors to control the device during normal operation;
installing backup software, dissimilar from the primary software, in an isolated portion (20) of memory (16) associated with at least one of the processors (12), said backup software capable of directing the operation of the processor(s) to control the device in the event of a sensed fault in the primary software affecting a majority of the processors;
sensing a first to occur fault in the primary software affecting any one or more of the processors;
providing a transfer enable signal for a selected period after sensing said fault in said one or more of the processors;
sensing said fault in the primary software affecting a majority of the processors and providing a transfer signal for so long as said fault persists;
providing a nonmaskable interrupt request in response to the sensed fault only if said transfer signal occurs concurrently with said enable signal;
completing whatever instruction is being executed in the primary software when the nonmaskable interrupt request is provided, and then acknowledging the nonmaskable interrupt request; and
disabling the primary software and executing the backup software in response to the nonmaskable interrupt request so as to maintain control over the device with the backup software associated with the at least one processor.
6. A method of providing control over a device (24) by means of a computer system (10) having a plurality of identical processors (12), comprising the steps of:
installing identical primary software in a portion (18) of memory (16) associated with each processor (12), said primary software in each channel's memory (18) for directing the operating of its associated processor to control the device;
installing backup software, dissimilar from said primary software, in a portion (20) of said memory (16) in at least one of the processors (12), said backup software protected by hardware (80) from access by said primary software, said backup software for directing the operation of the processor(s) to control the device (24) in the event of a sensed fault in said primary software affecting the processors;
sensing, by means of a window timer, a fault in said primary software affecting the processors (12) and providing a fault signal indicative thereof; and
disabling, in response to said fault signal, said primary software and activating said backup software so as to maintain control over the device (24) with said backup software.
7. A method of providing control over a device (24) by means of a computer system (10) having a plurality of identical processors (12), comprising the steps of:
installing identical primary software in a portion (18) of memory (16) associated with each processor (12), said primary software in each channel's memory (18) for directing the operating of its associated processor to control the device;
installing backup software, dissimilar from said primary software, in a portion (20) of said memory (16) in at least one of the processors (12), said backup software protected by hardware (80) from access by said primary software, said backup software for directing the operation of the processor(s) to control the device (24) in the event of a sensed fault in said primary software affecting the processors;
sensing, by means of hardware (22), for a fault event occurring in the primary software affecting a majority of the processors (12) and sensing for an externally initiated event represented by a backup software transfer command signal and providing said fault signal in response to one of said sensed events; and
disabling, in response to said fault signal, said primary software and activating said backup software so as to maintain control over the device (24) with said backup software.
8. A method of providing control over a device (24) by means of a computer system (10) having a plurality of identical processors (12), comprising the steps of:
installing identical primary software in a portion (18) of memory (16) associated with each processor (12), said primary software in each channel's memory (18) for directing the operating of its associated processor to control the device;
installing backup software, dissimilar from said primary software, in a portion (20) of said memory (16) in at least one of the processors (12), said backup software protected by hardware (80) from access by said primary software, said backup software for directing the operation of the processor(s) to control the device (24) in the event of a sensed fault in said primary software affecting the processors;
sensing, by means of hardware (22), a fault in said primary software affecting the processors (12) and providing a fault signal in the form of a nonmaskable interrupt signal in response to the sensing of said fault in said primary software affecting the processors and wherein said step of disabling comprises the step of jam transferring to said backup software in response to said nonmaskable interrupt signal; and
disabling, in response to said fault signal, said primary software and activating said backup software so as to maintain control over the device (24) with said backup software.
9. A method of providing control over a device (24) by means of a computer system (10) having a plurality of identical processors (12), comprising the steps of:
installing identical primary software in a portion (18) of memory (16) associated with each processor (12), said primary software in each channel's memory (18) for directing the operating of its associated processor to control the device;
installing backup software, dissimilar from said primary software, in a portion (20) of said memory (16) in at least one of the processors (12), said backup software protected by hardware (80) from access by said primary software, said backup software for directing the operation of the processor(s) to control the device (24) in the event of a sensed fault in said primary software affecting the processors;
sensing, by means of hardware (22), a first to occur fault in the primary software affecting any one or more of the processors (12) and providing a transfer enable signal for a selected period after sensing said first fault event and providing a transfer request in response to n-1 fault event if said n-1 fault event; and
disabling, in response to said fault signal, said primary software and activating said backup software so as to maintain control over the device (24) with said backup software.
10. A method of providing control over a device (24) by means of a computer system (10) having a plurality of identical processors (12), comprising the steps of:
installing identical primary software in a portion (18) of memory (16) associated with each processor (12), said primary software in each channel's memory (18) for directing the operating of its associated processor to control the device;
installing backup software, dissimilar from said primary software, in a portion (20) of said memory (16) in at least one of the processors (12), said backup software protected by hardware (80) from access by said primary software, said backup software for directing the operation of the processor(s) to control the device (24) in the event of a sensed fault in said primary software affecting the processors;
sensing, by means of hardware (22), a fault in said primary software affecting the processors (12) and providing a fault signal indicative thereof; and
disabling, in response to said fault signal, said primary software and activating said backup software so as to maintain control over the device (24) with said backup software;
wherein said backup software (20) in each channel are operated synchronously and said device (24) is controlled by means of synchronized command signals to control transients.
* * * * *
