CA1180453A - Digital data processor with fault tolerant bus protocol - Google Patents

Abstract

FAULT-TOLERANT COMPUTER SYSTEM

ABSTRACT
A fault-tolerant computer system provides information transfers between the units of a computing module, including a processor unit and a memory unit and one or more peripheral control units, on a bus structure common to all the units. Information-handling parts of the system, both in the bus structure and in each unit, can have a duplicate partner. Error detectors check the operation of the bus structure and of each system unit to provide information transfers only on fault-free bus conductors and between fault-free units. The computer system can operate in this manner essentially without interruption in the event of faults by using only fault-free conductors and functional units.

Arbitration circuits of unusual speed and simplicity provide units of the computing module with access to the common bus structure according to the priority of each unit.

The units of a module check incoming and outgoing signals for errors, signal other module units of a detected error, and disable the unit from sending potentially erroneous information onto the bus structure.

Description

Bl~CKGROUND Ol' TilE INVENTION
_. ______ This inv~ntior~ relates to di~ital computincJ
appclratus and methocls that p.rov1.de essentially contirluous operation in the evellt o~ numerous aul.t ~0 --3~
] conditions. The invention thus provides a cornputer system that is unusually reliable. The computer systein also i5 highly flexible in terrns of systeln confiyuration and i5 easy to use in terms of sparing the user from concern in the event of numerous fault condition6. The system further provides ease of use in terms of proyramming sim~lifications and in the provisi~n of relatively low-cost hardware to handle numerous operations.

Faults are inevitable in digital computer systems due, at least in part, to the complexity of the circuits and of th~ associated electromechanical devices, and to progra~ning complexity~ There accordingly has long been a need to maintain the inte~rity of the data being processed in a computer in the event of a faul~, while maintaining essentially continuous operation, at least from the standpoint of the userO To meet thi~ need, the art has d~veloped a variety of error-correcting codes and apparatus for operation wi~h such codes. The art has also developed various configurations of equipment redundanciesO One example of this art i~ set forth in UOSO Patent No.
4,228,496 for "multiprocessor system"v That patent provides pairs of redundant processing modules, ~ach of which llas at least a processing unit and a memoxy unit, and which operates with peripheral control units. A
fault anywhere in one processing module can disable the entire module and require the module paired with it to continue operation alone~ A fault anywhere in the 1 latter module can disabl.e it also, so that two aults can disable the en~ire module pair.

This and other prior pract.ices have met with limited success. Efforts to simplify computer hardware have often led to unduly complex software, i~e. machine programmingO Efforts to simplify software, on the oth~r hand, have led to excessive equipment redundancy7 with attendant high cost and complexity~

It is accordingly a general object of this invention to provide a digi~al computer system which operates with improved tolerance to faults and hence with im~roved reliability.

Another object of the invention is to provide digital computer apparatus and me~hods for detecting faults and for efecting remedial action, and for continuing operation, with assured data integrity and essentially without disturbance to the user~

It is also an object of the invention to provide fault-tolerant digital computer apparatus and methods having both relatively uncomplicated software and a relatively efficient level of hardware duplication.

A urther object of the invention ~s to provide fault-tolerant digi~al computer apparatus and methods which have a relatively high degree of i3 1 decentralization of error de~ection and which o~erate with r latively simple corrective action in the event of an error-producing fault.

A further objec~ of the invention is to provide fault-tolerant di~ital computer apparatus and metllods of the above character which employ different error detection methods and structures for diff~rent system components for obtaining cost econom.ies and hardware simplifications.

A rnore specific object of the invention is to provide a fault-tolerant computer system having a processor module with redundant elements in the bus structure and in the processing, the memory and ~he peripheral control units so arranged that the module can continue valid opexation essentially uninterrupted even in case of aults in multiple elements of the module.

Other general and specific objects of the invention will in part be obvious and will in part appear hereinafter.

SUMMARY OF T~E _NVENTION
A computer system according to the invention has a processor module with a processing unit, a random access memory unit, and peripheral control units, and has a single buæ structure which provides all information transfers between the several units of the moduleO The computer system can employ only a single 1 such processor module or can be a multiprocessor system with multiple modules linked together. The bus struc~ure wi~hin each processor module includes duplicate ~artner buses~ and each functional unit can have a duplicate partner unit. Each unit, other than control units which operate with asynchrorlous peripheral devices, normally operates in lock-step synchronism with its partner unit. For example, the two partner melnory units of a processor module normally both drive the two partner buses, and are both driven by the bus structure, in full synchronism.

Further in accord with the invention, the computer system provides fault detection at the level of each ~unctional unit within a processor moduleO To attain this feature, error detectors rnonitor hardware operations within each unit and check information transfers between the units. The detection of an error causes the processor module to isolate the bus or unit which caused the error frorn transferring information to other units, and the module continues operation. The continued opera~ion employs the partner of the faulty bus or unit. Where the error detection preceeds an inforrnation transfer, the continued operation can execute the ~ransfer at the same time it would have occurred in the absence of ~he fault. Where he error detection coincides with an information transfer, the continued operation ~an repeat the transfer.

The computer system can effect the foregoing fault detection and remedial action extremely rapidly, 1 i.e~ within a fraction of an operating cycle. A
preferred ernbodiment, for example, corrects a ~ues~ionable .inforFnation transfer within two clock intervals after detec~ing a fault-manifest.ing error.
The computer system of this embodiment hence has at most only a single information transfer that is of questionable validity and which requir2s repeating to ensure total data validityq Although a processor module according to the invention can have significant hardware redundancy to provide fault-tolerant operation, a module that has no duplicate units is nevertheless fully operational~ This feature enables a user to acquire a computer system according to the invention at the low initial cost for a non-redundant configuration and yet attain the full coml~uting capacity The user can add duplicate units to the system, to increase the fault-tolerant reliability, as best suited for that user and as economies allow.
This is in contrast to many prior computers, which are not e~pandable in this manner. A computer system according to the invention and havlng no duplicate units nevertheless provides significant error detection and identification, which can ~ave the user from the results of n~lerous aults. The a~tainment of this fea~ure also enables a computer system which has duplicat~ units to remain operational during removal, repair and replacement of various units.

In general, a processor module according to the inven~.ion can include a back-up partner for each 1 unit of the module. Hence, a module can have two central processiny units, two main (random access) memory units, two disc control units, two cornmunication control units, and two link control units for linking the processor rnodule to another module to form a multiprocessor sys~em~ The module further can have a tape control unit, for operation with a magnetic tape memory, but which generally is not duplicated.

This redundancy enables the module to continue operating in the event of a fault in any unit. In general, all units of a processor module operate continuously, and with selected synchronism, in the absence of any detected fault, Upon detec~ion of an error-manifesting fault in any unit, that unit is isolated and placed off-line so that it cannot transfer information to other units of th~ module, The partner of the off-line unit continues operating and thereby enables the entire module to continue operating, normally with essentially no interruption. A user is seldorl aware of such a fault detection and transition to off-line status, except for the display or other presentation of a maintenance request to service the off-line unit~

In addition to the foregoing partnered duplication of functional units within a processor module to provide fault-tolerant operation, each unit within a processor module generally has a duplicate of hardware which is involved in a data transfer. The pur-1 pose of this duplication, within a functional unit, .is to test, independently of the other uni.ts, fo.r faults within each unit. Other structure within each unit of a module, including the error d~tection s-~ructure, is in general not duplicated.

The co~non bus structure which serves all units of a processor module preferably employs a combination of the foregoing two levels of duplication and has three sets of conductors that form an A bus, a B
bus that duplica es the A bus, and an X bus. The A and B buses each carry an identical set of cycle-definition, addr2ss, data, parity and other signals that can be compared to warn of erroneous information transfer between units. The conductors of the X bus, which are not duplicated, in general carry module-wide and other operating signals such as timing, error conditions, and electrical powerO

A processor module accord.ing to the invention detects and locates a fault by a combination of techniques with.in each functional unit including comparing the operation of duplicated sections of the unit, the use of parit~ and further error checklng and correcting codes, and by monitoring operating parameters such as supply voltagesO Each central processing unit in the illustrated computer system, as one specific example, has two redundant processing sections which operate in lock-~tep synchronism~ An error detector compares the opcrations of ~he redundant sections and, 1 if the comparison is invalid, isolates the processirlg unit from transferring information to the bus structure.
This isolates other functional units of the processor module from any faulty information which may stem from the processing unit in questlon~ Each processing unit also has a stage for providing virtual memory operation and which is not duplicated. Rather, the processing unit employs parity techniques to detect a fault in this stage~

The random access memory unit of the illustrated co}nputer sys-tein is arranged with two non-redundant memory sections, each of which is arranged for the storaye of different bytes of a memory word.
The unit detects a fault both in each memory section and in the composite of the two sections, with an errox-correcting code. Again, the error detector disables the memory unit from transferring potentially erroneous inforlnation onto the bus structure and hence to other uni~s.

The memory unit is also assigned the tasX in the illustra~ed processor module of checking the duplicated bus conductors, i.eO the A bus and the B bus.
~or this purpose, the unit has parity checkers that test the address signals and that test the data signals on the bus struc~ure. In addition, a comparator compares all signals on the A bus with all signals on the B bus.
Upon determining in this manner that either bus is faulty, the memory unit signals other units of the 1 module, by way of ~he X bus, ~o obey only the non-faul~y bus.

Peripheral control units for a processor module according to the invention employ a bus interface section for connection with the common bus structure, duplicate con~rol sections termed "drive" and "check", and a peripheral interface section that communicates between the con~rol s~ctions and the peripheral input/output devices which the uni~ serves. There typically are a disc control unit for operation with disc meMories, a tape con~rol unit or operation with tape transports, a cormnunication control unit for o~eration, through con~unication panels, with communication devices including terminals, printers and modems, and a link control unit for interconnecting one processor module with another in a multipro~essor systemO In each instance the bus interfac~ section feeds input signals to the drive and check control sections from the A bus and/or the B bus, applies output signals from the drive channel to both the A bus and the B bus, tests for logical errors in certain input signals from the bus structure, and tests the identity of signals output frorn the drive and check channels. The drive control section in each peripheral control unit provides control, address, status, and data manipulating func~ions appropriate for ~he I/O device which the unit serves. The checX control section of the unit is essentially identical for the purpose of checking the drive control section. The peripheral interface section ii3 l of each control unit includes a combination of parity ancl comparator devices for testing signals which ~)ass between the control unit and the peripheral devices for erxors.

A peripheral control unit which operates with a synchronous I/0 device, such a~ a communication control unit, operates in lock-step synchronism with its partner unit. However, the partnered disc control units, for example, operate with different non~synchronized disc memories and accordingly operate Witll limited synchronism. For example, the partner disc control units perform wri~e operations concurrently but not in precise synchronism inasmuch as the disc memories operate asynchronously of one anothex~ A link control unit and its partner also typically operate with this limited degree of synchronism, The power supply unit for the foregoing illustra~ed processor module employs two bulk power supplies, each of which provides operating power to only one unit in each pair of partner units. Thus, one bulk supply feeds one duplicated portion of the bus structure, one of two partner central processing units, one of two partner memory units, and one unit in each pair of peripheral control units. The bulk supplies also provide electrical power for non-duplicated units of the processor module. Each unit of the module has a powex supply stage which receives operating power from one bulk supply and in turn develops the operating 1 voltages which ~hat unit requires. This power stage in addition monitors ~he supply voltages. Upon detecting a failing 6uppIy voltage, the power stage produces a signal that clamps to ground potential all output lines rom that unit to the bus structure. Thi~ action pxecludes a power failure at any unit from causing the transmission o~ faulty information to the bus structure, A further feature of the invention is that some units of ~he processor module execute each information transfer with an operating cycle that includes an error-detecting timing phase prior to the actual information ~ransfer. A unit which provides this operation, an example of which is a control unit for a peripheral device, thus tests for a fault condition prior to effecting an information transfer. The unit inhibits the information transfer in the event a fault is detected. The modulel however, can continue operation--without interruption or delay--and effect the information transfer from the non-inhibited partner unit.

Other units of the processor module, generally including at least the central processing unit and the memory unit, for which operating time is of more importance, execute each information transfer concurrently with the error detection pertinent to that transfer~ In the event a fault is detected, the unit immediately produces a signal which alerts other processing units to disregard the immediately preceding ~14-1 inform~tion transfer. The processor module can repeat the information transfer rom the partrler of the unit which reported a fault condition. This mannex of operation produces optimum operating speed in that each information transfer is execu-ted without delay for th~
purpose of error detection~ A delay only arises in the relatively ew instances where a fault is detected.

The inven~ion in one embodiment embraces digital data processor apparatus having at least a central processing unit, a random-access memory unit, a control unit for a Inass storage device, and a control unit for a communication device, and further featuring a bus structure having redundant first and second buses and a third buso The buses are connected with all the units for operating the units and for pro~iding information transf~rs between them, Fault det~ction means check each information transfer between any unit and any one or more of ~he first bus and the second bus, The fault detection means detect fault conditions in a unit ~nd in each of the first and second buses. The embodiment further features logic means responsive to the fault detection means and responding to the absence of any detected fault condition for providing information transfers on both the first bus and the second bus and responding to the detection of a fault in one of the first and s~cond buses to condition all the units to respond only to information-transferring signals on the o~her of the first and second busesO

1 A further feature Eor practice with such an embodiment has a separate fault detection means in each unit for detecting faults in that unit, each separate fault de-tection means responc~iny to the detection oE a fault condi-tion in that unit -to apply at leas-t one Eault-reporting signal to the third bus for transfer to other units.

A processor module of the fo.regoing character can also employ, pursuant to a feature of the invention, supply means for providing electrical operating power for the processor, memory and control units, and power logic means responsive to the level of operating power for preventing those units from applying information l~j transfer signals to the buses in the event the operating power is below a selected supply condition.

1 The central processing unit and the fault detection means of a processor module can include/ accord-ing to a feature o the invention, first and second processing sections, each of which is arranyed for receiving signals from the third bus and from ei-ther of the first and second buses, or providing identical processing in response to the received signals, and for producing output signals for application to the bus structure. There also is provided comparator means for comparing corresponding outpu-t signals from the first and second processing sections. The compara-tor means detects fault conditions in the processing unit in response to that signal comparison. The comparator means can also compare corresponding signals which the first and second processing sections receive from the bus structure, and detect a fault condition in response to that comparison of received signals.

5~

1 The memory unit and the fault detection means of a processor module can include, as a feature of the inven~ion, irst and second random access memory ~ections, each of which is arranged for storing portions of memory words and which together store cornplete memory wOrd5. Means are provided or writing in~o each memory section a memory word portion received from any of the first and second buses, and means are provided for reading a complete memory word from both memory sections and for applying the memory word selectively to the first and second buses. There is also provided means for checXing memory-word parity and for detecting a fault condition in response to invalid memory-word parity.

At least one control unit and the fau t detection means of a processor module according to the invention can employ, pursuant to yet another feature, first and second de~ice controlling sections, each of which is arranged to receive signals from at least any of the first and second buses; and each of which is arranged for providing identical operations in response ~o the received signals and for producing output signals in response to those operations. At least the first such device is arranged to apply output signals to both the first bus and the second bus and to apply output signals to a device connected therewith. This embodiment furthex employs comparator means for comparing corresponding output signals from the first and second controlling ~ections. The comparator means 1 detec-ts fault conclitions in the one contro]. unit in respollse to such a signal. compa.rison~

The invention ln ano-the.r embodiment embraces digital dat:a processo.r apparatus having fi:rst ancl second redundant cen-tral p.rocessing units, first and second redundant random access memory units, at least a first control unit for a peripheral device, and at least first and second buses, each of which is connec-ted for transEerring inEormation between the aforesaid units.
Fault detection means are provided for checking each information transfer between units. The fault detection means detects fault conditions in any unit and in any bus. Logic means response to the fault detection means are also provided. The logic means respond to the absence of any detected fault condition for providing information transfers on both the buses and identically with both the central processing units and identically with both the memory units, and respond to the detection of a fault in one processing uni-t -to inhibit that unit from drivlng information-transferring signals onto either bus. The logic means further respond to -the de-tection of a fault in one memory unit to inhibit that unit from driving information-transferring signals onto either bus, and respond to the detection of a fault in one bus -to condition all the uni-ts to respond only to in~ormation-transferring signals on -the other bus.

1 It is also a feature that the loyic means provide in:Eormation transfers which occur on bo-th the buses with lockstep synchronism between the buses.

--~o--1 Central processing apparatus according to the invention provides programmable processing of digital information including the transfer of diyital information with memory apparatus and with peripheral apparatus by way of any of irst and sccond duplicative buses, and features first and second programmable digital data processing means that are at least substantially alike. Each processing means is arranged for receiving, and for producing, information-transferring signals, and for applying produced signals to at least one bus. Multiplex }neans connected with the processing means apply the information-transferring signals from either of the first and second buses to both processing means. Further, means are provided for comparing produced signals from the firs~ processing means wi~h those from the second processing means and for producing a fault-reporting signal in response there~o~

The central processing apparatus also features timing control means for operating each processing means to process successive operations from different information-transferring sequences.

Random-access computer memory apparatus according to the invention reads and writes digital information transferred to and from other computer apparatus by way of a bus structure having at least first and second duplicative buses, and further features irst and second random access memory means, each of 1 which is arranged for storing portions of memory words and which together are arranged for ~toring com~lete memory words. Multiplexor means apply word portions received from any one of the first and second buses to bo~h memory means. Ou~put means apply each memory word portion read from the memory means to both the :Eirst and second buses, and code checking means are in circuit with the output means for responding to invalid read-word error checking code to produce a ault-reporting signal~

It is al50 a feature of the invention to provide in such memory apparatus first code-introducing means for providing a selected code in each word ~ortion applied to each of the memory means, and second code-introducing means for ~roviding a selected further code in each two-portion word applied to the wo memory means. The second code-introducing means, in a preferred embodiment t includes means for providing the further code such that ~he code checking means can detect and correc~ any single bit error in a memory word.

These and other features of the invention enable a computer system to operate without ~ransferring potentially faulty information from one functional unit to another, except in selected instances where the system attends to the transmission of po~entially faulty information within a few clock phases at most of the fault and hence well within a single operating cycleO

S~

1 The invention a~tains these and other feature~
as set forth h~reinafter with apparatus and methods that detect error-manies~ing faults at the functional level o a central processing unit, a memory unit, or individual peripheral control units. As deemed preferable fol reliability, the fault detection is implemented in each such unit at a point close to the connec~ion of the unit to other units and/or devices.
Further, the detection of error manifesting faults can readily be distributed timewise 50 that every timing phase causes an error~checking operation.

The invention accordingly comprises the several steps and the rela~ion of one or more of such ste~s with respect to each of the others, and the apparatus embodying features of construction, combinations of elements and arrangements of parts adapted to effect ~uch s~eps, all as exemplified in the following detailed disclosure, and the scope of the invention is indicated in the claims.

BRIEF DESCRIPTION OF DR~WINGS
For a fuller understanding of th~ nature and objects of the inventivn, reference should be made to the ollowing detailed description and the accompanying drawings, in which:

FIGURE 1 is a block schematic representation of a computer system according to the invention, 1 FIGURE 2 shows a set of timing diagrams illustrating operat.ion of ~he bus structure of the computer system of FIGURE l;

FIGURE 3 is a schematic representation of arbitration circuits for use in the system of FIGU~E 1, FIGURE 4 is a functional block representation of central processing units for the system of FIGURE l;

FIGURES 5A and 5B form a block schematic dia~ram of one central processing unit according to the inven$ion;

FIGURE 6 shows timing diagrams illustrating operation of the central processing unit of FIGURES 5A
and 5B;

FIGVRES 7 and 8 are diagrams illustrating operating sequences of the central processing unit of FIGURES 5A and 5B;

FIGURE 9 is a block schematic diagram of a memory unit according to the invention;

FIGURE 10 is a block schematic diagram of memory unit control logic according to the invention;

FIGURE 11 is a functional block representation of a standard interface section o a control unit according to the invention, -24~
lFIGURES 12A and 12B fortn a block schematic diagram of an interface section according to FIGURE ll;

FIGURE 1~ is a block diagram of control circui~ry for the interface section of FIGURES 12A and 12B;

FIGURE 14 is a block schematic diagram of control sections and a furt}ler interface section for a co~nunica~iorl con~rol unit according to the inven*ion;

FIGURE 15 is a block schPmatic diagram of a 10 control circuit for a pair of communication control units according to the invention;

FIGURE 16 shows section of a ~ape control unit according to the invention, FIGURE 17 is a block schematic diagram of a power supply arrangement according to the invention;

FIGURE 18 is a block schematic diagram of a power supply stage according to the invention;

FIGURE 19 shows timing diagrams illustrating the operation of the circuit of FIGURE 18; and 20FIGURE 20 shows a clamp circuit for use in practicing the inventionO

.
The _rocessor Module A processor module 10 accordiny to the invention has, as FIGURE l shows, a central processing unit (CPU) l~, a main memory unit 16, and control units for peripheral input/output devices and including a disc control unit 20, a communication control unit 24 and a tape con~rol uni~ ~, A single common bus structure 30 interconnects the units to provide all information transfers and other signal co~munications between themO
The bus structure 30 also provides operating power to the units of the module from a main supply 36 and provides system timing signals from a main clock 38.

A module lO as shown can be connected with a disc memory 52, a cor~nunication panel 50 for hooking up communication devices, and with a tape transport 54 to forrl1 a complete, single~processor com~uter system.
However, the illustrated module lO further has a link contxol unit 32 for connection to other l:ike processor modules by way of a linking bus structure 40. In this manner the module lO forms part of a mult'iprocessor computer system.

The bus structure 30 includes two identical buses 42 and 44, termed an A bus and a B bus, and has an X bus 46~ In general, ~he signals on the A bus and on the B bus ex~cute information ~ransfers between units of the module lO. Accordingly, these buses carry function, address, and da-ta signal6. The X hus in general carries -~6-1 signals that serve more than one other unit in the modulç and including main power~ timing, status and fault~responsive signalx4 With further reference to FI~URE 1, each functional unit of the module 10 in accordance with the invention can have a back up redundant partner unit.
Accordingly, the illustrated module has a second central processing uni~ 14, a second memory unit 18, a second ~` disc control unit 22, a second communication control 3~
unit 26, and ~ second link control unit ~ The system does not have a second tape control uni~ although such can be provided. It often is not cost effective in a computer system to provide full redundancy with a second tape control unit. Moreover, the absence from tlle FIGURE l system of a second tape control unit illus~rates that a com~uter system according to the invention can provide different degrees of tolerance to aults. Thus, not only can a second tape control unit be provided where a user's needs make this desirable, 2Q but conversely the system in FIGVRE 1 can be implemented with any one or more of the illustrated second units omitted.

Each unit 12 through 28, 32 and 34 is connected to all three buses of the bus structure 300 This enables each unit to transfer si~nals on either or both the A bu3 and the B bus, as well as on the X bus a Module Operation The basic operation of the system 10 is that, ~8a~ 3 1 in the absence of a fault, the partner central processing units 12 and 14 operate in lock ste~
syncllronism with one another. ~us, both units drive the A bus and the B bus identically, and both are driven identically by the two buses. The same is true for the partner memory units 16 and 18 and again for the partner communication control units 24 and 26. Further, both communication control units 24 and 26 jointly drive and are driven by a communication bus 48 that connects to one or more communication panels 50 which are connected to conventional communication dPvices such as keyboards, cathode ray tube terminals, printers and modems.

The disc control units 20 and 22, on the other hand do not operate in full synchronism with one another because the disc rnemories 52, ~2 with which they function operate asynchronously o~ one another. During fault-free operation, each disc control unit 20 and 22 writes data received from one bus 42, 44 in one memory 52 connacted with it. HencP two disc memories, each conne~ted to a different disc control unit, contain identical data. During a read operation, the system reads the stored data from one of these two memories 52 depending on which control unit 20, 22 is available and can effect the read operation in ~he least time, which typically means with the shortest access time~ The ~wo link controllers 32 and 34, moreover, typically are operated independently of one another.

The units 12 through 28 and 3~ and 34 of the processor module of FIGURE 1 check for fault conditions 1 during each information transfer. In the event a fault is detected, the unit in question is immedi~tely disabled ~rom driviny information onto the bus structure 30. This protects the computer system from the transfer of potentially faulty information between any units, The partner of the faulted unit, however, continues operating. The system can thus detect a fault condition and continue operating without any interruption being apparent to the user, The processor module 10 provides this fault-tolerant operation by means of the system structure, i~e. hardware, rather than with an operating system or other software program.

The peripheral control units, 20, 22, 24, 26,

2~, 32, 34 in the illustrated computer system transfer information to other units with an operating sequence that checks for a fault prior to driving the information onto the bus structure 30~ Ir. the e~ent of a fault, the fault unit is inhibited from executing the information drive step, and remains off line, Operation continues, however, with the partner unit alone driving the information onto the bus structure.

It is more timewise efficient, however, for information transferR from the central processing units and from the memory units to proceed without any delay for fault checking~ Accordingly, the illustrated central processing units 12 and 14 and illustra~ed memory units 16 and 18 operate with a sequencQ in which information is driven onto the bus structure without 1 delay for fault checking. The fault check instead is performed concurxently. In the event of an error~pxoducing fault, during the next clock phase the unit in question drives onto the `bus structure a signal instructing all units o the module to disregard the item of inforMation which was placed on the bus struct~re during the preceding clock phase. The module then repeats the information driving clock phase using only the good partner unit, i.e. the one free of detected faultsO ~he repeat operation aborts the subsequent transfer cycle which would otharwise have driven data onto the bus structure during this subsequent clock phase; that subsequent cycle must be repeated in its entirety.

The processor module 10 of FIGURE 1 thus operates in a manner in which a data transfer from any peripheral control units is delayed for one clock phase to provide for a fault-checking step, whereas transfers from the CPU or memory proceed without such delay and are cancelled in the event of a fault detectionO In either of the foregoing instanc~s, after completion of an information transfer during which a fault condition was detected, the potentially faulty unit remains isolated frorn driving information onto the A bus or the B bus, and the partner of the faulty unit continues operating.

ization _ FIGURE 1 also shows that the central i3 1 processing unit 12, identical to the partner unit 14, has two processor sections 12a and 12b, a MAP 12c connec~ed with the ~wo processing sections to provide virtual memory operation, a control section 12d and transceiverq 12e that transfer signals between the processing unit and the buses 42, ~4 and 46l The two proces~or sections 12a and 12b are provided for purposes of fault detection within the unit 12~ They operate essentially identically and in total synchronism with one another. A comparator 12f compares signals output frorn the two processing sections and produces a fault signal if corresponding signals from the two sections differ. In response to the fault signal, the control section, among other operations, produces an error signal that the X bus 46 transmits to all units of the module lOo The control section then isolates that unit from driving further signals onto the bus structure 30.

The error signal ~hich the failing unit sends to other units is, in the illustrated module, a pair o~
signals termed an A Bu~ Error signal and a B Bus Error signal~ Any illustrated unit in the module lO produces this pair of signals on the X bus when it detects certain error-producing faults. Any failing unit also produces an interrupt signal that causes the central process:Lng unit of ~he module to interrogate the different units to locate the faulty one.

The central processing unit 12 receives power from one of two iden~ical bulk supplies 36a and 36b in

-3:L~
1 the main power supply 36. The partner CPU 14 xeceives main power from the other bulk supply. Hence a ~ailure of one bulk supply disables only one of the two partner CPUs 12 and 14, and does not irnpair the other. The control section 12d in the unit 12 has a power stage that produces supply voltages for the CPU 12O ~he power stage monitors the bus supply voltage from the main system ~upply 36, and monitors the further voltages it produces, to producP power fault signals. As noted, the hardware of the CPU 12 responds to any fault condition which is developed within the unit to, among other operations, disable the drivers o~ the transceivers 12e frorn sending potentially erroneous information from the unit 12 to the bus structurP.

With further reference to FIGURE 1~ the main memory unit 16, ide~tical to the partner mernory unit 18, has a random access memory (~AM) that is divided into two RAM sections 16a and 16b. A transceiver 16c is connected with the A bus 42 and t!he X bus 46 and an identical transceiver 16d is connected with the B bus 44 and the X bus 46. A format section 16e of multiplex, ECC and compare circuitry in the memory unit couples either the ~ bus or the B bus with the RAM sections 16a and 16b for ~ach memory write operation~ A read operation, however, drives data read from ~he RAM
sections onto both buses 42 and 44.

An error checking and correcting (ECC) portion of the mernory unit section 16e provides an error i3 ~-32-1 checking code on every word written into the RAM
sec~ions 16a and 16D and checks the code during each memory read operation. Depending on the syndrome of the error detected in the ECC portion of the section ~6e, the memory unit raises a fault signal that is sent to all units of the module lOo More particularly, the faulty memory unit asser~s both Bus Error signalsO
Depending on status set in that memory unit, it either corrects the data and re transmits it on the A and B
buses, or goes off-line. The partner memory unit, if present, responds to the Bus Error signals and re-transmits the correct data.

In addition to testing for faults within the unit, the memory unit 16 provides fault de~ection for the A and ~ buses of the module 10. For this purpose, the compare portion of the format section 16e compares all signals which the memory unit 16 receives from the A
bus 42 With those the unit receives from the B bus 44.
WhPn ~he module 10, and particularly the buses 42 and 44, are operating without fault, the A bus and the B bus carry identical and synchroniz~d signals. If the signals differ, the compare portion of the ~ection 16e can note the fault. The format section 16e also tests the code of received signals and produces an error signal iden~ifying any bus which has a coding error.
The X bus 46 communicates this Bus Error signal to all units of the module 10 to instruct that each disregard the ~ignals on that bus~

1 The disc control unit 20, identical to the partner disc control unit 22, has a bus interface section 20a, two identlcal disc control sect.ions 20b and 20CI and a disc i~terface section 20d. The bus interace section 20a, which in the illustrated system is essentially standard for all control units, couples input signals from either the A bus 42 or the B bus 44, Wit}l a multiplexer, to the disc control sections 20b and 20c~ It also applies output signals to the A bus and the B bus. However, prior to applying output signals to the buses, the bus interface section 20~ compares output signals from the two control sections 20b and 20c and, in the event of an invalid comparison, disables output drivers in the interface section to prevent potentially erroneous signals from being applied to the bus structure 30O The disc control unit 20 receives operating power from one main bulk supply 36a and the partner unit 22 receives operating power from the other bulk supply 36b~

Each il:Lustrated disc control section 20b and 20c has a programmed microprocessor which provides read and write operations and associated control operations for operating the disc rnemories 52. Two sections are provided to facilitate checking operations within the unit 20. The disc interface section 20d applies control and write data signals from the unit to the disc memories, and applies status and read data signals from the disc memories to the control ~ections~ The disc interface section 20d tests various signals for 3~

1 error-producing faul~s with parity and comparison techniques.

With continued reference to FIGURE 1~ the conununicatiorl control unlt 24, like the identical partner 26, has a bus interface section 24a identical in large part at least to the interface section 20a of the di~c unit 20. The communication unit 24 also has two communication sections 24b and 24c and a communication interface section 24d~ There is also a lock step circuit 24e that brings the unit 24 into exact synchronism with the partner unit 26. The bus interface section 24a functions essentially like the bus interface section 20a of the disc control unit. In the illustrated module, the communication control section 24b serves as a drive section to provide control, address, data and status functions for the communication panels 50, and the other section serves as a check section to duplicate the~e operations for error checking ~urposes, The communication interface section 24b provides error checking functions similar to those described with regard to the disc interface section 2~d of the ~isc control unit 20.

Similarly, the link control unit 32, which is identical to the partner unit 34, has z bus interface 8 ection 32a connected with two redundan~ link control sections 32b and 32c and has a link interface ection 32d connec~ed be~ween the ~wo control section sections and the conductor se~ 40a of the link 40, The partner unit 34 connec~s with the other conductor set 40b~

~8~

1 The single tape control unit 28 is constructed basically like the other control units with a bus interface section 28a connected with all three buses 42, 44 and 46 of the bus structure 30, with two tape control sections 28b and 28c, and with a tape interface section 28d that connects with a tape transport 54.

Bus Structure Or~ tion The bus structure 30 which interconnects all units of the FIGURE 1 processor module connects to the units by way of a backplane which has an array of connectors, to which the units connect, mounted on a panel ~o which the bus conductors are wired. The backplane is thus wired with duplicated conductors of the A bus 42 and the B bus 44 and with non-duplicated conductors of the X bus 46r The illustrated module of FIGURE 1 operates in one of thr~e bus or backplane modes; namely, obey both the A bus and the B bus, obey the A bus, or obey the B
bus. In all three modes, the A bus and the B bus are driven with identical signals in lock-step synchronization, but units actuated to receive data ignore the other bus in the Obey A mode and in the Obey B mode, In all modes, parity is continually generated, and checked, and any unit may signal that either bu~ is potentially faulty by producin~ ~ Bus A Error signal and/or a Bus B Error signal, depending on which bus appears to have a faultO All unit~ in the system respond to such a sin~le Bus Error signal and switch to 1 obey only the other bus. The central processing unit can instruct all -the units simultaneously -to switch operating modes by broadcasting a mode instruction.

The module clock 38, E~I~URE 1, which applies main clock signals to all un:its by way of the X bus 46, provides main timing for the transfer of inEormation from one uni-t ~o another. To facilitate the production of properly phased timing sequences in di-Fferent units of the module, the main clock 38 produces~ as FIGUR~ 2 shows with waveforms 56a and 56~, bo-th clock and sync timing signals. The illustrated module operates with a sixteen megahertz clock signal and an eight megahertz sync signal and is capable of initiating a new transfer cycle on every 125 nanosecond phase of the sync signal.

Each data transfer cycle has at leas-t four such timing phases and the illustrated system is capable of pipelining four cycles on the backplane bus structure.
~0 That is, the system is capable of concurrently performing different phases of plural cycles, e.g. the last phase of one cycle, the third phase of a second cycle, the second phase of still another cycl~, and the first phase of a fourth cycle. The phases are termed, in the sequence in which they occur in a cycle, arbitration phase, definition phase, response phase, and data transfer phase. A cycle can be extended in the case of an error to include fifth and sixth, post-data, phases. These timing phases of an operating cycle are discussed further after a description of the signals that can occur on the bus structure during each phase.

1 The illustrated processor module of FIGURE 1 can produce the following signals on the bus structure 30 in connectlon with each timing phase designated~
Signals which are noted as duplicated are produced on both the A bus and the B bus; othex signals are produced only on the X bus.

Axbitration Phase Signals (Duplicated) Bus Cycle request - ~ny unit which is ready tc initiate a bus cycle can assert this signal~ The unit which succeeds in gaining bus access in the arbitration phase starts a cycle during the next phase. The central processing unit has lowest priQri~y for arbitration and frees the next timing phase following assertion of this signal to whatever peripheral control unit that secures access in the arbi~ration phase.

Arbitration Network - This set of signals interconnects arbitration circuits in the different units of the system for determining the unit with the highest priority which i9 requesting service, i~e~, which is producing a Bus Cycle request. The selected unit is termed the bus master for that cycle~

Definition Phase Signals (Duplicated~
Cycle Definition - The unit designated bus master in the arbitration phase asserts this set of signals to define the cycle, e.gO, read, write, I/O, interrupt acknowledge.

-3~-1 Address ~ The bus master unit asserts the physical address signals identifying the mernory or I/0 location for the cycle.

Address Parity - the bus master unit also produces a signal to ~rovide even parity of the address and cycle definition signals.

Fast Busy - An addressed slave unit can assert this op~ional signal to which the central processing unit responds. This signal is followed by a Busy signal during the following Response phase.

Response Phase Signals Busy - Any unit in a system can assert this signal. It aborts whatever cycle is in the response phase.

Wait - This signal is asserted to extend a cycle and has the effec~ of repeating the response phase of that cycle and of aborting the following cycle. It i8 usually asserted by the unit which the bus master unit addressed, i~e. a slave unit which is no~ ready to effect a data transfer.

Data Transfer Phase Signals (Duplicated) Data - The data signals, typically sixteen in number, are asserted by ~he Bus Master unit during a write cycle or by a slave unit during a read c~cle.

-39~
1 Upper Data Valid (UDV) - This signal is asserted if the upper byte of ~he data word is valid.

I.ower Data Valid (LDV) - This signal is asserted if the lower byte of the data word is valid.

Data Parity - This signal provi~es even parity for the data, UDV and LDV lines of the bus structure, Fast ECC Error - A slave unit asserts this signal during a read operation, with the data, to siynal the Bus Master of a correctable m~mory error. It is followed by both BU5 Error signals in a pos~-data phase.
Slow master units such as a disr control unit may ignore this signal and merely respond ~o the ensuing Bus Error signals.

Miscellaneous Duplicated Signals Bus PI Request - A unit requiring service asserts one of these signals at the appropria-te level of interrupt priority.

Miscellaneous ~on Duplicated Signals 8us A Error - A unit which detects an error on the A bus asserts this signal during the next timing phase~

Bus B Error - A unit which detects an error on the B bus asserts this signal during the next timing phase/

~40-1 Bus Clock and Bus Synchroniæation ~ The sys-teln clock 38 produces these master timing signals~

Maintenance Request - A unit requiring a low priority ma:intenance service asser~s this signal. It is usually accompanied by turning on an indicator light on that unit.

Slot Number - These signals are not applied to the bus structure but, in effect, are produced at the backplane connectors to identify the number and the arbitration priority assigned each unit of the processor module.

Partner Communica~ion - These signals are bused only between partner unitsO

Bulk Power - These are the electrical power lines (including returns) which the bus structure carries froln the bulk power supplies 36a and 36b to different units of the module lO.

Cycle Phases During an arbitration phase, any unit of the processor module lO of FIGURE 1 and which is capable of being a bus master and which is ready to initiate a bus cycle, arbitrates for use of the bus structure. The unit does this by asserting the Bus Cycle Request signal and by simultaneously checking, by way of an arbitration network described below~ for units of higher priority ~L8~3 ~41~
l which also are asserting a Bus Cycle Rec1uest. In the illustrated system of FIGURE 1, the arbitration network operates with the unit slot number, and prioriky is assigned according to slot positions. The unit~ or pair of partnered units, which succeeds in gaining access to the bus structure during the arbitration phase is termed the bus master and s~arts a transfer cycle during the next clock phaser The central processing unit 12, 14 in the illu trated system has ~he lowest priority and does not connect to the arbitration lines of the bus structure.
The CPU accordingly does not start a cycle following an arbitration phase, i.e~, a timing phase in which a Bus Cycle Request has been asserted~ It instead releases the bus structure to the bus master, i.e~ to the successful peripheral unit. Further, in the illustrated system, each memory unit 16, 18 is never a master and does not arbitrate.

During the definition phase of a cycle, the unit which is determined to be the bus m`aster for the cycle defines the type of cycle by producing a set of cycle definition or function signals. The bus master also asserts the address signals and places on the address parity line even parity for the address and function signals. All units of the processor module, regardless of their internal operating state, always receive the signals on the bus conductors which carry the function and address signals, although peripheral 1 control units ean operate without receiving parity 6ignals. The cycle being defined is aborted i the Bus Wait signal is asserted at this tirne.

During the response phase, any addressed unit o the system which i5 busy may assert the ~usy signal to abort the cycle. A memory unit, for examplet can assert a Bus husy signal if addressed when busy or during a refresh cycle. A Bus Error signal asser~ed during the response phase will abort ~he cycle, as the error may have been with the address given during the definition phase of the cycleO

Further, a slow unit can asser~ the Bus Wait signal to extend the respon~e phase for one or more extra timing intervals. The Bus Wait aborts any cycle which is in ~he definition phase.

Data is ~ran~ferred on both the A bus and the B bus during the da~a transfer phase for hoth read and wri~e cycles~ This enable~ the system to pipeline a mixture of read cycles and write cycles on ~he bus structure without recour~e to re-arbitration for use of the data lines and without having to tag data as to the ~ource unit or the destination unitO

Full word transfers are accompanied by assertion of both UDV and LDV (l~pper and lower data valid) signals. Half word or byte transfers are defined as transfers accompanied by assertion of only one of 1 these valid signals. Wxite tr~nsfers can be aborted early in the cycle by the bus ~naster by merely asserting neither valid signal. Slave units, which are being read, must assert the valid ~ignals with the data. The ~alid signals are included in computing bus data parity.

Errors detected during the data transfer phase will cause the uni~ which detects the error to assert one or both of the Bus Error signals in the next timing phase, which is a first post-da~a phase~ In the illustra~ed module of FIGURE 1, the peripheral control units wait to see if an error occurs before using data.
The central processing unit and the main memory unit of the system however, use data as soon as it i6 received and in the event of an error, in effect, bacX up and wait for correct data. The assertion of a Bus Error signal during a post-data phase causes the transfer phase to be repeated during the next, sixth, phase of the transfer cycleO This aborts the cycle, if any, that would o~herwise have transmi~ted data on the bus structure during this second post-data, iaeO sixth, phase.

The normal backplane mode of operation of the illustrated system is when all units are in the Obey Both mode, in which both the A bus and the B bus appear to be free of error. In response to an error on the A
bus, for example, all units synchronously switch to the Obey B modei The illus~rated processor rnodule 10 returns to the Obey Both rnode of operation by means of 1 supervisor software running in the central processing unit.

In both the Obey B and the Obey A modes of operat.ion, both the A bus and the B bus are driven by the system units and all units still perform full error checking. I'he only difference from operation in the Obey Both mode is that the units merely log further errors on the one bus tha~ i5 not being obeyed, without requiring data to be repeated and without aborting any cycles. A Bus Error signal however on thP obeyed bus i5 handled as above and causes all units to switch to obey the other bus~

As stated, the FIGURE 1 power supply 36 provides electrical operating power to all units of the system from the two bulk supplies 36a and 36b. In the illustrated system, one bulX supply provides operating power only to all even slot posi~ions and the other provides power only to all odd slot positions. Thus in a fully redundant system according to the invention, a failure o~ one bulk supply 36a, 36b only ~tops operation of half the system; the other half remains operative.

Pi elined Phases P
FIGURE ~ illustrates the foregoing operation with four pipelined multiple-phase transfer cycles on the bus structure for the FIGURE 1 module 10. Waveforms 56a and 56b show the master clock and master synchroniza~ion signals which the FIGURE 1 clock 38 1 applies to -the X bus 46, for twenty one successive timing phases numbered (1) to (21) as labeled a-t the top oE the drawing. The arbitration slgnals on the bus structure, represented with waveforms 58a, change at -the star-t of each timing phase to initiate, in each o the twenty-one l:llustrated phases, arbitra-tion Eox a new cycle as noted with -the cycle-numbering legend #1, ~r2~
#3...#21. FIGUKE 2 also represents the cycle definition signals with waveform 58b. The cycle definition signals for each cycle occur one clock phase later than the arbitration signals for that cycle, as noted with the cycle numbers on the waveform 58b. The drawing further represents the Busy, Wait, Data, A Bus Error~ and B Bus Error signals. The bottom row of thP drawing indica-tes the backplane mode in which the system is operating and shows transitions between different modes. FIGURE 2 thus illustrates that diEferent operations of one cycle do not overlap timewise, and occur in different timing phases.
With further reference to FIGURE 2, during timing phase nun~er (1), the module 10 produces the cycle arbitration signals for cycle #1. The system is operating in the Obey Both mode as designated. The Bus Master unit determined during the cycle arbitration of phase (1) defines the cycle to be performed during timing phase (2), as designated with the legend #1 on the cycle definition signal waveform 58b. Also in timing phase (2), the arbitration for a second cycle, cycle #2, is performed.
During timing phase (3) there is no response signal on the bus structure for cycle #1, which 1 indicates that this cycle is ready to proceed with a data transfer as occurs during ti~ning phase (4) and as designated with the #l legend on the data waveform 5~e.
Also duriny timing phase (3), the cycle definition for cycle #2 is performed and arbitration for a further cycle #3 is performed.

In timing phase (4~, the data for cycle #l is transerred, and the definition for cycle #~ is performed. Also, a Bus A Error is asserted during this timing phase as designated with waveform 58f~ The error signal aborts cycle #2 and switches all units in the module to the Obey B mode.

The Bus A Error signal of $iming phase (4~
indicates that in the prior timing phase (3) at least one unit of the system detected an error regarding signals fro~n the A bus 420 The error occurred when no data was on the bus structure, as indicated by the absence of data in waveform 58e during timing phase (3), and there hence is no need to repeat a data transfer.

During timing phase (5), with the system operating in the Obey B mode, a fifth cycle is arbitrated, ~he function for cycle #4 is defined and no response signal is present on the bus ~tructure for cycle ~3~ Accordingly that cycle proceeds to transfer data during ~im~ phase (6), as FIGURE ~ designates.
Also in time phase (6), a Bus Wait is asserted, as appears in wave~orm 58d; this is in connection with 1 cycle #4. The effec~ is to extend that cycle for another timing phase and to abort cycle #5.

A new cycle #7 is arbitrated in timing phase (7) and the d~finition operation proceeds for cycle #6, In time phase ~a), the data or cycle #4 is applied to the bus structure or transfer, Also in time phase (~), a Busy signal is asserted. This signal is part of the respons~ for cycle #6 and aborts that cycle.

The arbitration and definition operations in time phase (9) follow the same pattern but another Bus A
Error is asserted. The system already is operating in the Obey B mode and accordinyly the response to this signal is simply ~o log the error.

The Bus Wait signal asserted in time phase (10) and continuing to time phase (11) extends cycle ~8 for two further time phases, so that the data for that cycle is transferred during time phase (13), as designated9 The Bus Wait signal asserted during these phases also aborts cycles #~ and #10, as shown. Any Busy signal asserted during phase tlO), (11) or (12) in view of the extention of cycle #8 by the Wait signal, would abort cycle #8. Note that the data transfer for cycle #7 occurs in time phase ~10) independent of ~he signals on ~he Wait and the Busy conductors during this time phase.

-4~
1 Furthe.r Bus A Error signals occurring during time phases (11), (12~ and ~14) again have no effec~ on the system other tha~ to be logged, because the sys~em is already operating in the Obey B mode.

The Wait signal asserted during time phase (14) aborts cycle #13. ~lso, it extends cycle #12, which however is aborted by the Busy signal asserted during time phase (14)~ This, however, is not a common se~uence.

Data for cycle #11 is transferred in the norrnal sequence during time phase (14). Further, the data transfer for cycle ~14 occurs in time phase (17)L

In time phase (19), immediately following the cycle #15 data transfer of time pha~e (18), a Bus B
E~ror is assertedO This error si~nal aborts cycle #17t which is in the respon~e phase, and initiates a repeat of the data transfer for cycle #150 The repeat transfer occurs during cycle #20. Further, this error signal switches the module to the Obey A mode.

Control logic in each unit of the FIGURE 1 processor module 10 provides the operations in that unit for executing the foregoing bus protocol which FIGURE 2 illustrates~ The protocol which control logic in each peripheral control unit thus provides includes conditioning the unit, when first ~urned on, to receive signals on both the A bus 42 and the B bus 44 and to 1 process the two sets of signals as if they are idell~ical. Each illustrated central processor unit and memory unit, which process signals received from a single one o~ the duplicated buses, initially receives signals on the ~ bus 42, but operates as if the signals on the B bus 44 are identical, Further, the control logic in all units initially conditions the unit to transmit signals identically on both the A and the B
buses, in lock-s~ep synchronismO

The control logic in each illustrated peripheral control unit re~ponds to the A bus error signal ~nd to the B bus error, transmitted on the X bus 46, to condition the unit for the following operation.
A Bus Error signal for the A (or B) bus causes the unit, and hence all units in a processor rnodule, to stop receiving on both buses and to receive only on the other bus, i,e. the B (or A) bus, commencing with the first timing interval following the one in which the Bus Error signal first appeaxs on the X busO The units continue however to transmit signals on both the A and the B
buses.

After a peripheral control unit has respond~d to an A(or B) Bus Error signal by switching to receiving on only the B (or A) bus, the control logic therein does not again swi~ch in response to further Bus Error signals for the A (or B) bus; it essentially ignores the further error signals~ However, th~ control logic re~pond~ to a B (or A) Bus Error signal by switching the -50~
1 unit to receive on the A (or B) bus, and i~ then ignores further B ~or A) Bus Error signals.

In the illustrated module, aulty information is transmitted on the A and/or B buses generally only by the central processing uni~ and by the memory unit.
This i6 because the illu~trated peripheral control units check for faul~6 prior to transmittiny information on the A and B buses. If a fault is detected, the control unit in question does not transrnit information, and only the partner unit does.

Further, each uni~ applies address and data signals on the A and B buses with parity which that unit generates. The memory unit serves, in the illustrated embodiment, to check bus parity and to drive the appropriate bus error line or the X bu~ 46 during the timing interval immediately following the interval in which i~ detected the bus pari~y error. The memory unit also sets a diagnos~ic flag and requests a diagnostic interrupt.

A11 unit~ of a module which arbitrate fox access to the bus ~tructure, as discussed further in the next section, include logic ~hat checks for false operation of the bus arbitration logic and that drives the appropriate bus error line -- in the event of such a fault -- on the interval following the detection of the fault~ This is described further with reerence to FIGURE 12Bo The unit also Rets a diagnostic flag and requests a diagnos~ic interrupt.

1 The bus protocol which control logic in each unit provides further conditions that unit to provide the following opera~ion in response to a Bus Error signal for the bus ~hich the unit is presently conditioned to receive. (Th~se operations do not occur for a Bus Errox signal for a bus which is not being received; as noted the unit essentially ignores such an error signal.3 A unit which was transmitting cycle definition signals during he interval immediately preceding the one in which the Bus Error signal appears on the X bus re-initiates that cycle, including arbitration for the bus, if that cycle continues to be needed~ This is because the Error signal cau6es any unit receiving the cycle definition signals to abort that cycle.

A uni~ which was transmitting data signals during th timing interval im~ediately preceding the one in which ~he Bus Error signal appears on the bus repeats the da~a transmission ~wo intervals after it was previously sent, i.e. on the interval following the one in which ~he Error Signal appears on the bus.

A unit receiving definition signals for a cycle and which i~ identified (addressed) by such signals responds to the Bus Error duri~g the next interval by aborting that cycle.

A unit which was receiving data signals during the interval immediately preceding the one in which the - s ~ -1 ~us ~rror signal appears on the bus iynores that data and receives a re-txansmission of that data two intervals after the ignored one. An alternative is for the unit to .receive and latch the data from both buses and uses only ~he data from the good bus, When a unit simultaneously receives Bus Error signals or both the A and the B buses, which indicates a memory ~CC error, the unit responds exactly as it does to a Bus Error signal for a single bus being received, as discussed above, except that it do~s not make any change in the bus(es) to which it is responding. Thus an ECC error aborts any cycle that was placing cycle definition signals on the bus in the preceding interval, and it causes any data transfer in that pr ceding interval to be repeated in the next interval following the ECC error.

As FIGURE 2 illustrates, a Wait signal aborts any cycle placing definition signals on the bus in the same interval when the Wait signal occurs, and it delays, until the ~econd interval after the Wait terrninates, the data transfer for a cycle that placed definition signals on the bus in the interval preceding initiation of the Waitl The occurrence of a Busy æignal aborts a cycle that was placing definition signals on the bus in the preceding interval.

Control logic for implementing the foreyoing bus protocol and related opera~ions in the sever~l units 1 of a processor module for practice of this invention can be provided using conventional skills, and is not described further, other than as noted.

Arbitratio_ Network With reerence to FIGURE 3, the illustrated processor module lO of FIGURE 1 has two arbitration networks, a network 252 connected with the set of arbitration conductors 254 of the A bus 42 and another network (not shown) connec~ed with the arbitration conductors of the B bus 44O The two networks are identicalO Each arbit.ration network includes an arbitration circuit in each unit that competes to initiate a cycle on the bus structure~ Thus each such unit has two arbitration circuits, one of which conn~cts to the A bus 42 and the other to the B bus 44. Each arbitration network, which thus includes conductors of one bus 42 or 44 and arbitration circuits, provides an automatic hardware de~ermination of which unit, or pair of partner units, that requests access to the bus structure has priority to initiate an operating cycle.
That is, ~he arbitration network receives a Cycle Request signal from a unit when the operation of that unit requires a data transfer with another unit of the system, and the arbitratioll network determines, in each tilning phase, which requesting unit has highest priorityO

Each unit that arbitrates for access to the bus structure is assigned a rela~ive priority according 1 to the slot number at which that unit connects -to the bus struc~ure. In the illustrated ~ystem slot number zero has the lowest priorityt and partner units are assigned successive slot numbers, an even number and the next odd number~

FIGURE 3 illustrates the arbitration network 252 of the A bus with the connection of a set of four arbitratiorl conductors 254a, 254b, 254c and 254d of *hat bus to sixteen electrical receptacles 256a, 256b,...256p on the system backplane. Each receptacle 256 is assigned a slot number, the illustrated receptacles being numbered accordingly from zero to fifteen. E~ch receptacle 256 is illustrated simply as a vertical column of connections to the four arbitration conductors 254 and to a cycle request conductor 258. Thi9 network thus has four arbitration conductors and can handle up to ~2)4 or sixteen units, each connected to a separate receptacle 256. A network with five arbitration conductors, for example, can handle up to thirty-two access~requesting units.

The cycle request conductor 258 extends continuously along the A bus 42 to all the receptacles, as FIGURE 3 shows~ The arbitration conductors ~54 on the other hand are segmented according to binary logic such that only one, the conductor 254d which is assigned the binary value (2)3 extends continuously to all sixteen connectors. This conductor carries a signal designated Inhibi~ (8) (Inh 8)~ The remaining i3 -55~
1 conductors 254c, ~54b, and 254a are designated a5 carrying respectively an Inhibit (4) siynal, an Inhiblt (2) sigrlal and an Inhibit (1) signal. The arbitration conductor 254c is segmented so that each segment connects to eight successive priority-ordered receptacles 256. Thus, this conductor 254c has a first segment which connec~s together the receptacles assigned to slo~ numbers tO~ through (7~ and has a second ~egment which connects ~ogether ~he recep~acles in slot numbers (8) ~hrough (15). Similarly, the Inhibit (2) conductor 254b is segmented to connect together Pvery four successive priority-ordered receptacle~, and the conductor 254a is segmented to connect together only every two successive ordered receptacles. In each instance there is no connection along a given arbitration conductor between the different segments thereof or between different ones of those conductors.

A bus terminator ~60 on the backplane connects the INH 8 arbitration conductor 254d and the cycle request conductor 258 to a positive supply voltage through separate pull-up resistors 262, 262. Further pull-up resistors 262 are connected ~o from each segment of the arbitration conductors 254a, 254b and 254c to the pull-up supply voltage. These connections thus tend to rnaintain each conductor 254 seyment and conductor 258 at a selected positive voltage, i.eO, in a pull~up condition. A grounded or other low voltage external signal is required to pul] the voltage of any given conductor or conductor segment down from that normal positive condition.

45~

~56~
1 FIGURE 3 urther shows an arbitration circuit 2649 for one typical unit in a processor module according to the inven~ion, The illustrated arbitrati.on circuit is for the unit connected to the bus receptacle 2569 at slot number (6). An identical circuit 264 can be conrlected to each other receptacle 256a, 256b...etc., up to the number of arbitrating units in the module, Central processing units and memory units do not connect to the arbitration network, but the illustrated processing units respond to slot numbers ~ero and one.
Hence for the processor 10 of FIGURE 1~ by ~ay of illustrative example, the link units 32 and 34 have the next lowest arbitration priority and the circuits 264 therein are connected to receptacles 256c and 256d. No unit is connected to receptacle 256e and the tape unit 28 is connected _o receptacle 256f. The circuits 264 in the cc~unication units 24 and 26 and in the disc units 20 and 22 are connected to receptacles 256g/h/i and j, respectively.

The illustrated arbitration circuit 264g includes a ~eparate pull-up resistor 262 conn~cted to th pull-up ~upply voltage from the connection~ therein to segments of conductors 254c, 254b, and 254a~ The circuit 264g further has a flipflop 266 that is switched to the se~ state in response to a Request signal produced within the unitO The set output from the flip-flop 266 is applied ~o one input of each of four NAND gates 268a~ ~68b~ 268c and 268d and to both inputs of a further N~ND ~ate 2690 The illustrated arbitration i3 ~57-1 circuit also has a set of our selective connections 270a, 270b, 270c and 270d, each of which applies ~ither a ground level or an assertive positive voltage to one NAND gates 268a, 268b, ~68c and 268d, r~spectively. The set of connections 270 is associated with one specific backplane slot and is set according to that slot number and hence to ~pecify the arbitration priority of ~he unit plugged in or otherwise connected to that slot.
Accordingly, the connections of the illustrated circuit 264g for slot number t6) are set as illus~rated ~o apply the binary equivalent of this lot number, i~e., 0110, to the four NAND ga~es. One preferred arrangement to produce the multiple digit parallel signal identifying each slot number is to provide a binary-coded set of connections 270 on the backplane ~t each connection to it.

The output signals from the NAND gates 268 are connected to the arhitration conductors and to OR gates 272, the outputs of which are applied to an AND gate 274. More particularly, the output from the NAND
circuit 268a associated with the bin~ry value (2), and connected with the connection 270a, is connected to the Inhibit (1) bus conductor 254a and to an input of OR
gate 272a~ Similarly, the outputs from the next three higher binary-valued NAND gates 268b, 268c and 268d are connected respectively to the Inhibit (2), Inhibit (4), and Inhibit (8) bus conductors, and to onP input of the OR gates 27~b, 272c ~nd 272d respectively, as shown, The output from the request NAND gate 269 is connected to the cycle reque~t conductor 258.

1 The arbitration circuit 264g of FIGURE 3 produces an asser~ive output signal, termed Grant A, from the output AND ga~e 274 when it receives a Request signal at the flip-flop 266 in a time phase when no arbitration circuit connected to higher priority backplane connectors 256 receives a like request signal, More particularly, when the unit in which the illus.rated arbitra~ion circuit 264g is connected applies a request signal to the ~lip-.flop 266, the resultant assertive signal from the set output terminal actuates ~he four NAND gates 268a, 268b, 268c and 268d to apply to the arbitration conductors 254a, 254b, 254c and 254d a set of signals corresponding to the backpanel slot number as produced by the connection 2700 The flip flop 266 also actuates the NAND gate 269 to apply an assertive signal to the Cycle Request conductor 258 That is, when the output of the flip-flop 266 is at a high assert.ive value, it applies a high input signal to the NAND gate 268a, which also receives a low input signal from the slot-number connection 270a. The gate 268a accordingly producei a high level output signal wh;ich does not pull down the normal plus V level of the Inhibit (1) conduc~or 254aO Each NAND ~ate 268b and 268c, on the other hand, receives both a high level input signal from the flip-flop 266 and from the connection 270b, 270c to which it is connected and accordingly applies a low level signal to the Inhibit (2) and Inhibi.t (4) conductors, respectively. The NAND
gate 268d produces a high level output to the Inhibit (8) conductor, which remains at the normal pull-up 5g-1 value. The cycle request conductor 258 is pulled down from that level by a low level output from the NAND gate 269.

Each OR gate 272 receives as .input signals one digit of the slot-number signal and the potential on the corresponding arbitration conduc~or at that slot. By virtue of the connections of the NAND gate 268 outp~ts to the segmen~ed arbitration conductors 254, a request signal applied to a higher priority arbitration circuit 264 alters the signals which the OR gates 272 in circuit 264g otherwise receive from within that circuit 264g. A
request signal applied to a lower priority arbitration circuit 264, on the other hand, does not alter the states of the signals applied to the OR gates 272 in the arbitration circuit 264g.

In particular, in the absence of any other arbitration circuits receiving an assertive request signal, the OR gate 272a in the arbitration circuit 264g receives a high level signal rom the NAND gate 268a and receives a low level signal from the connection 270a; it accordingly produces a high level output signal. The sarne input signals are applied to the OR gate 272d and it al50 produces a high level output signalt The 0~
gate 272b on the o~her hand receives a low level signal roln the NAND gate 268b and receives a high level signal from the connection 270b. Hence the OR gate 272b receives two different valued input signals and produces a high level output signalr The input conditione to the ~l3~3 1 OR gate 272c al80 difer in this same manner. Thus, under this operating condi~io~, all four OR gates 272 produce identical, hig}l level, output signals. In res~onse, the AND gate 274 produce6 an assertive Grant A
output signal on line 278. This signal causes the associated unit o the processor module to initiate a cycle of operations, as discussed above with reference to FIGURE 2.

In ~he event that an arbitration circuit 264 in a lower priority unit is also activated by a request signal, the input signals to the OR gates 272 of the illustrated arbi~ration circuit 264g are unchanged from the example just described. However, in the event a higher priority unit produces a request signal, the inputs to the OR gates of the illustrated arbitration circuit 264g are di~fer~nt, and the output AND gate 274 do~s not pxoduce an assertive signal. For example, when the system unit connected to the next higher priority receptacle 276h produces a request ~ignal, the arbitration circuit therein applies a low level signal not only to the Inhibit (4) and Inhibit (2) conductors, but also to the Inhibit (1) conductor. The resultant low level signal on the latter conductor is applied to the OR gate 272 in the circuit 26~g connected to the number ~6) slot. That OR gate accordingly produces a low level output signal, thereby inhibiting the AND gate 274 at slot (6) from producing an assertive output signal.

1 Note that the oregoing operation employs NAND
ga~es 268 that produce a high level output signal with a relatively high impedance. A NAND gate with an open-collector circuit, for example, provid0s thi.s operation, which facilitates pulling the voltage on an arbitration conductor segment to a low level.

The arbitration circuit 264g in FIGU~E 3 further has an OR gate 280 connected between the switch 270a and input to the OR gate 272a. The other input to the OR gate 280 is an assertive level that comes from a hardware status flag that is set to allow an even-odd pair of backpLane slots, to which are connected two units operating as partners, to arbitrate as a single unit. The OR gate 280 thus is optional and is used only where a unit of the system 10 may operate in lock-step synchronism with a partner unit.

It will now be understood that each unit of a processing module which competes, via th~ arbi~ration network, to define a bus cycle has two arbitration circuits 264~ One is connected to the A bus as FIGURE 3 shows~ and the other is connected in ~he identical manner to the B bus, and the latter arbitration circuit produces a Grant B signal when it pr~vails in an arbitration phase~ The response within a unit to assertive Grant signals is discussed below with reference to FIGURE 120 Central Processiny Vnit FIGURE 4 shows that the illustrated central 1 processing un.it 12 of FIGURE 1 has, in each processing section 12a and 12b, a dual processor 60 and 62, respectively. Control lines 6B, data lines 70 and address lines 72 connect from the dual processor 60 to a multiplexor 61 that connects transceivers 12e that connect to the buses 42 and 44~ Similarly, control lines 74, data lines 76 and address lines 78 connect froln the other dual processor 62 ~o the tran~ceivers 12e by way of a multiplexor 63. Each multiplexor in the illustrated unit 12 selectively applies input signals received rom either the A bus or the B bus to the dual processors 60 and 62. Output signals from the processor 60 are, in the described embodiment, applied only to the A bus, and ~hose rom the processor 62 are applied only to the B bus. A local control stage 64, 66 is associated with each dual processor 60, 62, respectively. Each processing section also has a parity generator 92, 94 for providing selected parity on the data and address signals which that processi.ng section sends out on the buses 42 and 44.

The comparatox 12f checks for error-producing faults by comparing address signals which the two processing sections 12a and 12b receive on the address lines 72 and 78. The comparator also checks the output signals from the two processing sections to the bus structure, iOe. compare the signals on the control, data and address lines from the dual processor 60 with the signals on the corresponding lines from the processor 62.

-63~
1 The two processing sections 12a and 12b ~se a single virtual memory ~AP 80 to convert virtual memory addresses on the address lines 72 and 78 to phyqical memory addre~ses. The MAP 80 also connects to both sets of data lines 70 and 76. Parity check circuit~ 82 and 84 ensure the validity of the MAP 80, which is no~
duplicated within the unit 12~

Any mismatch of corresponding signals applied to the comparator 12f causes a comparison error signal, lQ which is applied to a common, non-duplicated control stage 86. In response, the control stage sends out error signals on the X bus 46. It also disables the drivers in the transceivers 12e to take the processing unit 12 of~ line so that it cannot send further signals to other units of the FIGURE 1 system. The control stage 86 also moni~ors the two parity error ~ignals from the parity check circuits 82 and 84. The control stage 86 is part of the CPU control section 12d (FIGURE 1), which also includes clamp circuits 88 and 90. The clamp circuits respond to a power failure at the unit 12 to clamp to ground, at the transceiver 12e drivers, all ou~put lines from the processing unit 12 to the bus structure 30~

FIGU~ES 5A and 5B, which show ~he illustrated central processing unit 12 .in further detail, shows that the dual processor 60 of FIGURE 4 has two programmable mioroprocessors~ an executive microprocessor 100 and a user microprocessor 102. The dual processor 60 also has i3 1 a multiplexor 104, a data selector 106, decoders 108 and 110 and 112, drivers 114 and 116 o an internal data bus 117, latches 118 and 120 and 122, and collt.rol gates 134 The local control stage 64 of FIGURE 4 includes a proyrar~mable read-only memory (PROM) 124, a random access men~ory (RAM) 12~, a timer 128, an interrupt control stage 130, and a local status and control s~age 132. The common control stage 86 shown in FIGURE 4 includes sta~us and control circuits 133, control and timing circuits 135, and a power stage 140 ~hat receives bulk power from the X bus 46.

FIGURE 5A further shows that the transcelvers 12e of FIGURES 1 and 4 employ, to transfer signals between the A bus 42 and ~he processing section 12a, a receiver 136 for A bus interrupt signals, transceiYer 138 for A bus data signals, a transceiver 142 for A bus function (cycle definition) signals, and transceivers 144 and 146 for A bus address signals. An identical set o an interrupt receiver 137, a data transceiver 139, a function transceiver 141, and address transceivers 143 and 145 connects between the two multiplexors 61 and ~3 and the B bus 44. The processor 12 further has a transceiver 148 (FIGURE 5B) connected with the X bus 46.

The proces~ing section 12b of FIGURE 1 is constructed identically to the processing section 12a and is connected with the MAP 12c, with the comparator 12f, the power stage 140, txansceivers 12e, add with the stages 136 a~d 13~ Df the control section ~ in the same l manner as FIGURES S~ and 5B show for the processing section l~aO The multiplexor 61 applies to the cV
processing section 12~ signals received from one bus 42 or 44, and the multiplexor 63 applies signals received Oll the same bus to the processing section 12bA

The central processing unit 12 thus has two essentially identical subsystems, the processing sections 12a and l2b, which operate in lock-step with one another. The comparator l~f compares operations of ,he two section~ at the end of each clock phase. The entire unit 12 operates in lock-step with an identical partner unit 14, such that when either unit 12 or 14 detects an error, control circuits within that unit automatically take the unit off-line from the bus structure. Processing continues essentially uninterrupted by the partner unit~ The failing unit generates a low priority interrupt to inform the partner unit khat an error has been detectedO The operative unit 12, 14 can interrogate each unit in th~ module to determine the source or nature of the error~ In some instances, such as a random transient error, the operative central processing unit can bring the failed unit back into lock step operation.

Each central processing unit 12, 14 has a section or portion that is not duplicated and which provides control, timing and error checking functions~
The non~duplicatPd logic is designed so that in most cases a f~ilure therein does not cause an ~rror in the data being processed~

1 The illustrated centrAl processing unit of FIGURES 4 and S employs in each microprocessor 100 and 102 of FIGURE 5B a commercially available type 6~000 microprocessor. The illustrated embodiment employs two 5uch microprocessors, one to execute user-defined code and one to execute the operating system. Xither micro~rocessor can operate in the user rnode or in the executive mode. The executive processor 100 is arranged for operation such that it does not encounter pa~e faults, but rather is always executing code currently in physical memory, i~e. within the processing unit or in the memory unit 16, 189 That is, i~ does not address unavailable data. It also handles all interrupt requests in the processor module. The user micro~rocessor 102, on the other hand, is arranged to handle user code and to es~sentially halt operating whenever it encounters a page fault~ The action of resolving a user page fault causes an interrupt to the executive microprocessor lOOo The user microprocessor 102 resumes operating as soon as the executive microprocessor 100 provides the necessary memory rearrangement to resolve the page faultO The two microprocessor 100 and 102 normally operate at maximum speed, with memory accesses pipelined through the MAP
l~c and onto the bus structure 30.

Output signals from each microprocessor 100, 102 include a multi~digit parallel address on lines lOOa, 102a, respectively, and a function code on lines lOOb, 102b~ The function codP identifies, for example, 1 whethex the address on lines lOOa, 102a is for a read operation or a write operation and furt}ler identifies whether that memory access operation .is to involve an instruction, da~a, an interrupt vector or other information~ The lines lOOa, lOOb, 102a, 102b are applied to the multiplexor 104.

The select control line input to the multiplexor 104 from the control yates 134 selects the executive microprocessor 100 upon initial power up of the processox and otherwise selects the one microprocessor 100, 102 which is appropriate for the particular operation to be performed.

At the start of each operating cycle, in each proc~ssing section 12a and 12b, a Select signal from the control gates 134 actuates the multiplexor 104 to select one of the two microprocessors 100, 102. Each microprocessor appli~s two inputs to the multiple~or 104, namely a function code and a memorv address; the forrner is illustrated as four bits long and the latter of twenty-four bit length. The twelve most significant bits of the address from the selected microprocessor are applied from the multiplexor 104 on lines 147 to a further multiplexor 149 that feeds the ~ir~ual memory MAP 800 The multiplexor 149 selects from the twelve input address bits those that represent a virtual page number and hence address one page location in the MAP
12c~ The multiplexor 149 ef~ects this solution in res~onse to a Local Cycle signal~ The least significant -68~
l twelve bits o~ the selected address from the multiplexor 104 represent the byte address in the addressed page and are appli~d on lines 140 through the driver of transceiver l44 (FIGURE 5A) to address conductors of the A bus 42.

The most significant twelve bits of address on the multiplexor output lines 1~4a are also sent to the decoder 108 for decoding the following conditions:
local address, page fault I, and interrupt ~cknowledge, Interrupt acknowledge is a particular function coming rom a microprocessor 100, 102. The local address is a selected section of the virtual memory space and is valid only when the selec~ed microprocessor 100 or 102 is operating in the executive mode. The decoder 108 produces a Page ~ault I signal when a user addresses a location outside the allocated memory space, Any Page Fault causes an interrupt to the executive micro~rocessor lO0. Page faults in the executive micro~rocessor do not normally occur and if they do, the processing section produces a Bus Error ~ignal, In response to any Page Fault signal, the control gates 134 in conjunction with the control and timing logic 135 abort a memory access that is in process by asserting the Busy signal on the next clock phase, as indicated by one output from the control gates 134.

With continued reference to the illustrated central processing unit of FIGURE 5, a local cycle is ini~iated by the selected microprocessor by producing

5~

1 address signals identiying the desired location i~ the local address space. The decoder 10~ responds to any such local address to produce a signal identifying the local address condition. In response, the control gates 134 produce a Local Cycle signal, which actuates the local status and control stage 132 to execute the local cycle. The address drivers in transceiver 144 (FIGURE
5A) are disabled. The driver 114 ~FIGURE 5B~ is enabled to connect the local data bus 152 to th~ interval data bus 117, and the local driver 11~ is enabled. Also, the multiplexor 149 is set for the local cycle.

The PROM 124 operates in a local cycle of this nature to handle power-up diagnostics and initialization of the processor module 10 o FIGURE 1. Further addresses which cause local cycles are used for I/O
control of the central processing unit 12 i~self. In this address space are such information items as the used bits and the written bits for the MAP, initialization of the timer 128, qtart-up control of the user microprocessor 102, and the handling of various page faults and other types of interrupts with the interrupt control stage 130. Th0 local cycle can also be used to read and, conversely, to write such information as the status of the processor, the serial and revision numbers and maintenance history of the processor, and timing and data information.

The interrupt control 130 receives interrupts which are produced under program control and receives 1 all ~nterrupts which the hardware of the processor produc~s including page faults, time-out signal~s, and maintenance interrupts. The interrupt control 130 also receives fault si~nals which originate outside the processor and are communicated to it by way of the bus structure 30 and the receiver 136. The interrupt contrcl 130 processes these interrupt conditions in conjunction with the executive microprocessor 100.

With further reference to FIGURE 5B, the illustrated MAP 12c employs a high speed random access memory of 4096 words t each of sixteen bit length~ In response to the combined twenty-four bit address from the multiplexors 104 in both processlng sections 12a and 12b, the virtual me~lory MAP 80 reads out a sixteen bit word consisting of a twelve bit physical page number, on lines 151 and 153, and a four bit code, on lines 155, showing which accesses are legal to that page. This four bit code also identifies which paqes address I/0 space within the central procefising unit 12~ In response to the code on lines 1S5 and signals from the multiplexor 104, the decoder 110 identifies two condiiions, namely, Page Fault II and I/0 address.

The decoder 108 thus produces a Page Fault I
signal in response to address signals from the selected microprocessor 100, 102. The decoder 110 on the other hand, produces a Page Fault II signal in response in part to function signals which the MAP 12c develops in response ~o address signals from the selected microprocessor~

1More particularly, in the illustrated CPU 12 of FIGURES 5A and 5B, one of two portions of the MAP 12c reæponds to the twelve-bit address from the multiplexor 104 in the processing sect.ion 12a to produce the four-bit function code on lines lS5 which ~eed to the decoder llO in the processing section 12~ and to the corresponding decoder in the proc0ssing section 12bo This section of the map also produces, on lines 151, four bits of a twelve-bit pag~ number. The remaining 10eight bits of the tw~lve-bit page number are produced, on lines 153, by the other section of the M~P in res~onse to the twelve address bits it receives from the processor section 12b. The combined twelve bits on th~
MAP output lines 151 and 153 are applied, as FIGURE 5A
shows, to a driver in the addre~s transceiver 146 for the A bus address lines and are also applied to a corresponding driver of the B bus in the other ~rocessing section 12b.

Thus, the processing ~ection 12a drives the physical page address from the MAP 80, and the byte address from the selector 104, to the address lines of the A bus 42 through drivers in transceivers 144 and 146, The signals which th~ processing section applies to these drivers in addition are applied ~o an output comparator 150 in ~he comparator 12f~ The output compaxator 150 compares these signals with th~ identical signals generated in the processing section 12b~ Any failure in this comparison causes the processor 12 to go off-line.

i3 ~72-1 The ~P l?c also can be acc~s~ed wlth sixteen-bi~ words in the local address space so that i-t can be addressed by the operating system. Thi.s is done by way of the internal data bus 117.

The internal data bus 117, illustratively with sixteen bit parallel capaci~y, re~eives data from either microprocessor 100, 102, by way of the data selector 106. The internal bus appli~s the selected data through a latch 120 ~o the dxiver of transceiver 138 for driving onto the data lines of the A b~s 42. The output of the latch 120 i5 also applied to the output comparator 150 for comparison with the corresponding output data from the processor section 12b~ The latch 120 provides tem~orary storage of output data so that in the event any error is reported on the buses, the operating sequence in which the error was reported can be duplicated and the data retransmitted on the A bus 42, from the latch 120, even though the microprocessors 100 and 102 may have sequenced to a subsequent operating stepO

With continued reference to FIGURES 5A and 5B, the transceiver 138 applies data received from the A bus 42 to the la*ch 118 by way of the multiplexor 61. The processor section 12a receives data from the B bus 44 and applies it ~o the section 12a at the latch 122.
Each latch 118 and 122 transfers received data to the internal data bus 117 of the proc ssor section 12a in response to a Select A signal and a Select B signal, i3 1 xespe~tivelyO The control logic 134 produce~ one such Select signal at a time. The bidirectional data selector 106 applies the received data from the bus 117 to either rnicroprocessor lQ0 and 102. The internal data bus 117 can also drive signal~ through bidirectional drivers 114 and 116 to a local data bus 152 and to a further data bus 154. The data bus 154 is common to ~oth processor sections 12a and 12b as FIGURE 5B shows, and connects to the statu~ and control circuit 136.

With continued reference to FIGURES 1 and 5A
and 5B, ~ach central processing unit 12 and 1.4 performs error checking at the same time it drives the A bus 42 and the B bus 44. This concurrent operation is in contrast to units in the processor module 10 which implement an error check prior to driving the bus structure. The processing unit operates in this manner because timing therein is sufficiently important that any delay in operation is undersirable for system throughput, An error noted by the checking logic during the time th~ processing unit is driving the bus structure causes the unit to drive both an A Bus Error ~ignal and a B Bus Error signal, by way of the driver 48, onto the X bus 46 during the next phase of the system clock. During the same time phase, the failing central processing unit drives a level One maintenance interrupt, onto ~he X bus 46, which the partner central processing unit receives~ At the end of that time phase, the failing unit goes off line, becoming incapable of driYing further signals onto the bus 1 structure, except in response to interrogation from the partner central processing unit. Thi5 aUtOlnatiC
off-line operation ensures khat any read or write cycle, whether to the memory unit 16, 18 o FIGURE 1 or to a peripheral device through a control unit and duriny which an error was detected in either the address or the data on the A bus or B bus, is aborted. Further, any da~a transfer during that same operating cycle is repeated using only the partner central processing unit.

Essentially the only portions in the central processing unit 12 which are not duplicated, aside from the MAP 80 which includes parity ehecking, are the comparator 12f, the power stage 140, the status and control stage 133, and the control and timing stage 135. A fault in these circui~s is not likely to cause a system failure or invalid data within the system. Further, the system is provided with software that tests ~hese CPU elements~

As also shown in FIG~RES 5A and 5B, other units of the FIGURE 1 module can access the partnered CPUs 12, 14. In the processing section 12a, ~or example, the decoder 112, which is connected by way of the multiplexor 61 and 63 with the A bus address transceiver 144 and 146 or the B bus address transceiver 143 and 145, respectively, responds to incoming address signals which identify the processor 1~ to produce a Proces~or Select signal which is applied to ~he control gates 134~ The processor 12 can be signaled in this way -1 to perform a read cycle and apply statu~ infor~ation to the bus struc~ure 30. Conversely, when selected in this manner, the processor 12 can be controlled to perorlll a write cycle to e~fect a control change.

CPU Fault Detection With further reference to FIG~RES 5A and 5B, the comparator 12f has an inpu~ cornparator 156 that compares the input data which the processing section 12a receives from the A bus 42 wi~h the input data which the processing section 12b receives on the B ~us 44. The output co}np~rator 150 compares the function, address and data signals (including parity) which the processing section 12a applies to transceivers 142l 144 and 146, and 138, respectively, with corresponding signals which the processing section 12b produces, The illustrated processor also compares selected timing and control signals from the control gates 134 of section 12a with corresponding signals fxom section 12b. This comparison of internal control ~ignals checks internal operations of the CPU and facilitates prompt detection of faults and is useful in diagnostic and maintenance of the processor unit.

At any time that one or more corresponding input signals o the comparator 12f differ, the comparator produces a Compare Error signal which is applied to the control stage 133. The error can be the result of a data in error, a data-out error, a unction error, or an address error. It can also be either a ~8~i3 ~76-1 cycle errox or a control error due to differing ~imirlg or cont.rol signals.

The detection of an error by the parity chPcking circuits B2 and 84 connected with the virtual memory MAP 80 produces a parity error signal which also is applied to the control stage 133.

The control stage 133 responds to the Compare Invalid signal of comparator 12f, and to a Parity Invalid signal from the parity check circuits 82 and 84, to produce, on the next clock phase, a Processor Error s,gnal on line 158. One exc~ption to this operation occurs if the Compare Invalid signal is due to an invalid comparison in the input comparator 156 of input data signals, as can occur during a read operation. In that event, control stage 133 produces the Processor Error signal only if no Bus Error signals are produced with the next timing phase. A Bus Error signal indicates a fault condltion in the bus structure 30 and hence identifies that the invalid comparison of input data was the result of a fault in the A bus or B bus portion of the bus structure 30 and not in either processing section 12a or 12k. The Bus Error signal is one of many signals which the processor status and control s~age 133 produces. The stage 133 produces the Bus Error signal in response to an invalid comparison of the Processor S~lect signal it receives from the decoder 112 of the processing section 12a and with the corre6ponding signal from the processing section 12b.

1 FIGURE 6 shows timing waveforms which illustrate these fault detection operations of each illustrated processing unit 12, 140 The drawing 6hows three successive t:iming phases, designated phase N, phase (N~l), and phase (N~ The waveform 162 shows the occurrence during phase N of a fault which produces a Compare Invalid signal or a Parity Invalid signal~
The faul~ signal of waveform 162 actuates the control stage 133 to produce a Processor Error signalt as shown with waveform 166, during the next ~iming phase, i.e, phase (N+l). One funotion of Processor Error signal 166 i5 to disable logic circuits and thereby essentially halt all operation in the processing unit 12.

The processor status and control stage 133 next asserts both an A Bus F.rror signal and a B Bus Error signal, each with waveform 168, during phase (~1). The s~age 133 also produces these signals in the event of a detected difference be~ween the Processor ~ Select signals in the two processing sections 12a and 23~. ~he illustrated processing section 12a also produc~s a level one interrupt signal, waveform 174, during phase ~N~

At the start of the phase 1~2), the stage 133, still in response to the fault signal of waveorm 162, terminates the assertive bus master ~tatus, as shown with waveform 176. This action is accornpanied by termination of the Bus Error signals of waveform 168.
Th~ A Bus error signal and the B Bus error signal are 1 applied to the X bus 46 to signal all units in the FIGURE 1 module 10 to ignore information placed on the bus during the immediately prior phase, e.g~, to iynore the CPU bus transfer shown with waveform 164~ The level one Interrupt signal 174 is also applied to the X bus 46 and signals the partner processing un.it 14 that some unit in the module has detected a fault-producing error7 When the processiny ~ection 12a switches out of the Master state with waveform 176, it disables all the bus drivers in the transceivers 136, 138, 142, 144, 146 and 148, as well as in the transceivers 12e connected with the processing section 12b.

With further r~ference to FIGURES 5 and 6, in the event the fault signal 162 occurs during the data transfer of a memory read operation as shown with data waveform 164J the control stage 133 produces both Bus Error signals. The memory unit 16, 18 in FIGVRE 1 xesponds to the concurrent A and B Bus Error signals to repeat the data ~ransf~r of waveform 16~. FIGURE 6 shows the repeated data transfer with a broken-line waveform 164a.

Similarly, if the fault ignal 162 occurs during a write operation, the partner processor 14 repeats the CPU-bus transfer of waveform 164 during phase (N~2) as indicated also with the waveform 164aO

Thus, a proc0ssing unit 12, 14 can only drive the bus structure when in ~he Master state, as required 4~3 1 to produce the Bus Enable signal ~hat is applied to the drivers. The Pro~essor Error signal promptly, i.e. at the end of the next timing phase, turns off the master status. In the even~ ~he processing unit 12 produces a Processor Error signal as illustrated in FIGURE 6, the partner unit 14 continues operating essentially without interruption. When the Processor Error signal 166 occurs during a write operation, the partner processing unit 14 xepeats the data ~ransfer, ~s shown with waveforln 164a. When the Processor Error arises during a read operation, ~he partner unit reads in the repeated data which the memory applies to the bus structure in a subsequent timing phase. Further, the ~artner processing unit 14 responds to the level One interrupt o~ waveforrn 174, which i5 a low level interruptt to initiate a diagnostic routine. In the event the cause of the Processor Error appears to be a transient phenomenon, i.e., the diagnostic routine does not identiy or locate any faulty or erroneous condition, the processing unit 12 can be restored to operation without maintenance. In a preerred embodiment the occurrence of the transient failure is recorded, and if repeated the processing unit is not returned to service without further diagnosisO

With continued reference to FIGURE ~B, when the processing unit 12 is initialized, it negates an internal Error Check signal, and thereby preven~s a Parity Invalid signal or a Compare In~alid signal from producing a Proce~sor ~old Signal. Instead, the CPU

~3 o -1 executes a test rou~ine, typically stored in the PROM
124, which exercises all conditions that can produce a Processor Error signal. As each potentially faulty condition i5 created, the processing section tests to see whether the corresponding fault reporting signal is indeed produced. The absence o the Error Check signal thus inhibits the processing unit from attaining Master state, with the result that faults produced during this logic exercising routine do not stop the processing unit and are not reported to the bus structure 30O The test routine in the PROM 124 asserts the Error Check signal and enables the processor to assume the Master State only upon successful completion of this checking routine.

Each processing unit 12, 14 of FIGURES SA and 5B includes logic circuits, typically in the processor status and control stage 136, to bring the two partner units into lock~step sync~roniæation. The illustrated CPUs 12 and 14 attain lock-step synchronization with the transition to Master status. Each illustrated unit 12 and 14 must be in the Master state in order for it to drive signals onto the bus structure. The initializing sequence stored in each PROM 124 typically includes instructions for bringing the partnered units into synchronization and to ensure that neither processing unit is in the Master state initially, i~e, upon being turned on. The proc~ssing units 12t 14 are not in synchronization initially in the initializing sequence and one unit attains the Master state during a 1 multi-phase cycle prior to the other. The one unit obtaining Master status controls the further initializing operation of the other unit to bring it into the Master Rtate at a selected time during the next multi-phase initiali~ing cycle.

CPU Operatin~ Seguence FIGURES 7 and 8 diagram operating sequences of the central processing unit 12 in FIGURE 5 for a data transfer cycle in the processor module lO in accordance with the format of backplane bus signals of FIGURE 2.
Both diagrarns illustrate cycles when no other unit of the computer system is requesting access to the bus structure. FIGUR~ 7 shows a write cycle and FIGURE 8 a read cycle. A write cycle as illustrated in FIGURE 7 commences when the control and timing stage 135 of FI~URE 5 is set in response to a main clock signal (FIGURE 2, waveform 56a) to the Phase One condition, as designated with action box 180. In this definition phase of the cycle, the selected microprocessor lOO, lQ2 20 of FIG~RE 5 produces function and address signals for the write opera~ion. The function signals are applied rom the driver 140 to the bus structure, as designated with action box 182. Simultaneously, the cornparator 150 compares the function signals which each processing section 12a and 12b applies to the bus structure, as designated with decision box 184. A valid comparison results in the cycle continuing, action box 186. Also during Phase One, as indica~ed with decision box 188, a page fault can occur as determined for example by the J~3 1 decoder 110 of FIGURE 5B or in connection with another operating cycle which commenced prior to the cycle illustrated in FIGURE 7. The absence of a page fault in Phase One allows the illu~trated cycle to continue, action box 186.

As shown with decision box 1~0, the assertion of a Bus Wait signal by a previously commenced op~r~ting cycle aborts the illustrated cycle, p r action box 19~.
In the absence of a Bus Wait, the write cycle advances upon the next clock signal to the respon~e phase, Phase Two, as designated with action box 194. An invalid comparison, as determined with decision box 184 in the prior phase results, during the response phase, in the production of signals by the processor stages 134 and 136 and designated Processor E~ror, A Bus error and B
Bus error, and further causes the cycle to abort as designated with action box 1960 Similarly, the decoding of a Page Fault during the preceding phase Onel as determined with decision box 188, causes the system during the Phase Two to produce a Page Fault signal and a Bus Busy signal and to abort the write cycle, action box 196.

~ lso during the illustrated phase two, the selected microprocessor 100, 102 applies the write data through the data selector 106 and to the latch 120, a~
designated with action box l~B.

The assertion by any unit in the system of a Bus Error signal during Phase Two, a~ designated with 1 decision box 200, aborts the cycle, as shown with actior box 196. The cycle also aborts at this phase in the event a unit raises the Bus Busy signal, decision box 202~ Further, in the event a unit raises a Bus Wait signal, as designated wi~h decision box 204, the processor control and timing stage 135 remains in Phase Two for another timing phaseO

When the cycle is not aborted or delayed in Phase Two, the operation proceeds to Phase Three, the data ~ransfer phase, as designated with action box 206.
In this phase, the data in the latch 120 is applied through the driver of transceiver 138 to the bus structure, as designated with action box 208~ The proce~sing unit 12 compares the outgoing data as designated with decision box 210 and the cycle continues, action box 212, in the absence of a detected fault. Also during this phase an invalid comparison determined during the preceding Phase Onel decision box 184, causes the Master status to be cleared, as designated with action box 214~

FIGURE 7 shows that the write operation unconditionally proceeds from Phase Three to Phase Four, as designated with action ~ox 216. During this phase the result of an in~alid comparison in the preceding phase, decision box 210, causes the processing unit to produce the Proce~sor Error ~ignal, the A Bus Error signal and the B Bus Error signal, action box 218.
These signals cause the partner processing unit to 1 repeat the data transfer, as designated with action box 224, in the next Phase Five. The assertion of a Bus Error signal during Phase Four, as can occur by the partner Ullit or any other uni~ connected with the bus structure, and as designated with decision box 220, causes the cycle to advance to a further Phase Five, designated wi~h action box 222. In the absence of the bus error, the cycle ends without entering Phase Five.
Upon entering Phase Five, however, the processing unit which caused the error clears the ~aster status, action box 226. Also, the processor 12, 14 which is free of a fault again applies to the bus structure the data stored in its latch 120, as designated with action box 224. At this juncture the illustrated write cycle is complete and ends.

A read cycle for the processing unit 12, 1~
shown in FIGURE 8, coJ~mences in the same manner as the write cycle of FIGURE 7 and has the same operations during Phase One, the definition phase, as illustrated.
The proceæsing unit proceeds to Phase Two, the response phase, and executes the same operations as in the write cycle of FIGURE 7 with the exception that the transfer of data to a latch, designated in FIGURE 7 with action box 198, does not occur in a read cycle.

With further reference to FIGURE 8, durin~
Phase Three, the data ~hase, the processing unit 12, 1 receives read data from the bus structure by way of driver 138 ~nd a latch 118 or 122 tFIGURE 5) and 1 ~ransfers it to a microprocessor 100, 102 in each processing section, as designated with action box 230.
The comparator 156 tests whether the incom.ing data i~5 identical from each of the two busses 42 and 44, decision box 232. A valid comparison enables the cycle to continue, action box 234; an invalid comparison inhibits ~he processor clock, ~s designated with action box 236. Also during the data transfer phase, the occurrence of a Fast ECC Error signal, as produced from a memory unit as discu~sed below and as designated in FIGURE 8 with decision box 238, likewise inhibits the processor clock, action box 236~

The processing unit inerements to timing Phase Four, action box 240, and, in the event the processor clock i5 inhibited, sets a register t.o the hold status, action box 242. Otherwise, the cycle ends, except in the event a Bus Error signal is asserted during Phase Four~ as det~rmined with decision box 244, in which case the read cycle proceeds ~o an optional Phase Fivej designa~ed with action box 246~ During this phase the processing unit repeats the transfer of data from th~
bus structure to a microprocessor, as designated with action box 2480 Also, the processor hold condition is cleared, as designated w.ith action box 250.

Memory Unit FIGURE 9 ~hows the main memory unit 16 of the FIGURE 1 processor module 10. The partner memory unit 18 is identi.cal and operates in lock-step synchronism -~6-1 with unit 160 The memory sections 16a a~d 16b (FIGURE
l) of the illustrated memory unit employ identical random access memories (R~M~) ~90 and 292, respectively.
Each is illus~ratively a four-way interleaved dynamic RAM array capable of writing repeatedly to the same leaf once every five timing phases (FIGURE 2~ and of reading repeatedly from the same leaf once evexy three ~iming phases. The RAM 290 stores the upper byte of a data word and the ~AM 292 stores the lower byte of a data word. Each RAM applies a byte of read data through an interleave multiplexor 294, 296, respectively, and the combined ou~put bytes of a read word are applied to an output multiplexor 298. The output from this multiplexor is applied to the A bus 42 by way of an A
bus transceiver 300 and is applied to the B bus 44 through a B bus transceiver 302. The multiplexors 294, 296 and 29~ are part of the memory unit format section 16e, FIGURE l, which includes address and control ~ircuits 16f shown in the lower par~ of FIGVRE 9.

Each transceiver 300, 302 can apply different bytes of write data received from the associated bus to each of two wr.ite mul~iplexors 304, 306 to write the upper byte of a data word in the RAM 290 by way of a data channel which has a further multiplexor 308, a write register 310 and a write buffer 312, and to write the lower byte of the same data word in the ~AM 292 by way of a like data channel that has a further multiplexor 314, a write register 316 and a write buffer 318~ The two write mul~iplexors 304, 306, in the 1 illustrated embodiment select data from a single transceiver 300, 302, and hence from eithe.r the A bus or the B bus.

Aq ~urther shown .in FIGURE 9, read data frorn the RAMs 290, 292 is applied to an error checking and correcting tECC) stage 320~ The ECC stage applies the upper byte of a read word both to the channel multiplexor 308 and to an old data register 322. It applies the lower byte of a read word to the channel multiplexor 314 and to a second old data register 324.
The two old data registers are connected to apply the data byte stored in each to the multiplexor 298 for application as a complete two-byte word to both the A
bus and the B bus by way of the transceivers 300, 302.

A pari~y checking circuit 328 is connected to check the parity of the writ~ data output from the transceiver 300, and a like parity check circuit 330 is connected wi~h the write data ou~put from the transceiver 302~ A parity generator 332 is connected to add a parity bit to the upper data byte which the multiplexor 304 received from ~he transceiver 300 and a like parity genera~or 334 is connected to add a parity bit to the lower data byte which the multiplexor 306 receives from that transceiver~ Similarly, parity generators 336 and 338 are ~onnected with the write date lines feeding from the transoeiver 302 ~o the multiplexors 30~ and 306, respectively.

-8~-1 In addition, a check bi~ gen~rator 340 is connected to insert further check bits to the write data bytes applied to ~he write bufers 312 and 318. There is also a pari~y generator 342 connected to in~roduce a parity bit to each read data word output rom the mul~iplexor 298 ~o the transceivers 300, 302.

The format section 16e of the illustrated memory unit further includes a comparator 326 connected to compare the data words outpu~ from the transceivers 300, 302 to the byte multiplexors 304, 306~ An invalid comparison raises a faul~ status, which can be processed as desired. A clamp circuit 344, preferably identical in design and operation to the clamp circuits 88 and 90 in each central processing unit ~hown in FIGURE 4, is connected to selectively ground the read data line~
which feed to the tran~ceivers 300, 302.

It will thus be ~een that the illustrated memory unit is in effect arranged with two identical read/write portion~, each of which processes a ~yte of a given data word. Each such portion include~ one transceiver 300, 302, one buæ select multiplexor 304, 306, one channel multiplexor 308, 314; and one write register~ write ~uffer, and RAMo With fur~her reference to FIGURE 9, the address and control circuits 16f of the memory unit are sirnilarly arranged in t~o portions, each of which operates with one RAM 2~0, 292. Receivers 346 and 348 ~8~3 1 connect with the address and function conductor~ of the A bus 42 and of the B bus 44, respectlvely, ~nd are connected with channel multiplexors 350, 352 to select the signals from one receiver and correspondingly from one bus. An address and control stage 354 receives the signals from the multiplexor 350 and applies them to an addr~ss and con~rol buffer 356 tha~ operates the RAM
290. Similarly, an address and control stage 358 receives signals from the multiplexor 352 for produciny signals which are applied by way o~ an address and control buffer 360 to operate the other RAM ~92. The stages 354 and 358 produce, respectively, a Select D
signal and a Select C signal which control the channel multiplexor 308 and 314. Each multiplexor is set to select input signals either from the bus structure or from the ECC stage 320, depending on the source of each byte being written in a memory section, A comparator 362 is conn~cted to compare the address and control signals output from ~he two receivers 346 and 348, i~e., on th~ ~wo huses 42 and 44.
In respons~ to an invalid compar.ison, this comparator, like the data comparator 326, produces a fault signal.

Parity check circuits 364 and 366 are connected with the output lines from the receivers 346 and 348, respec~i.velyO The data parity check circuit 328 and the addre~s parity check circuit 362 test the parity of signals on the A bus 42 for all data transfer operations of the processor module 10~ The parity checX

--so--1 circuits 320 and 366 provide the same unction with reyard to signals on the B bus 44. Note that address parity is separate from data parity inasmuch as address signals, including function or cycle definition, and data signals occur at different phases o a cycleO In each phase each set of bus conductors has its own parity, which is tested.

The illustrated memory unit 16 also has a status and control stage 368 which is not duplicated.
The stage receives the parity error signals, the comparator fault signals, and ECC syndrome signals from the ECC stage 320. The stage 368 connects to numerous other element~ in the memory unit, with connections which are in large part omitted for clarity of illustration~ A bus error stage 370 is connected with the stage 368 and, by way a transceiver, with conductors of the X bus 46 as described below with reference to FIGURE 10.

With this arrangement shown in FIGURE 9, the memory unit 16 can operate without a partner unit 18 (FIGURE 1) and still detect and correct for a ~ingle failure in an integrated circuit chip of the RAMs 290, 292~ Moreover, the unit 16 with a partner unit 18 is able to detect a high percenta~e of single component failures and to continue functioning by disabling the failing memory uni~ 16, 18. Further, it is the memory unit 16, 18 of the FI~URE 1 ~ystem that checks for errors on the bus structure 30 and signals other unit~

4~3 1 of the system in the event that such an error is detected~ This arrangement is deemed preferable, but other units can also be arranyed to provide this operation, either in lieu of or in addition tc ~he bus error-checking in the memory unit. The parity check circuits 328, 330, 3~4, and 366 and the comparators 326 and 362 test or bus faults. As will also become apparent from the following further description, the memory unit 16 can function as an I/O device which o~her units of the processor module 10 can addr~ss, for example to diagnose a detected fault in the operation of a memory unit 16, 18~

FIGURE 10 shows the bus error sta~e 370 of FIGURE 9 which responds to pari~y error signals and ~he ECC syndrome signal of the illustra ed memo:ry unit ~.
~- An OR gate 372 receives the Data Parity Error signal for the A bus, which the parity ~heck circuit 328 produces on its outpu~ line 328a, and ~eceives th2 Address Parity Error signal for the A bus output from the parity check circui~ 364 on line 364a~ Similarly, ~he Data Parity Error si~nal for the B bus, produced on line 330a, and the Address Parity Error signal for the B bus, produced on line 3G6a, are applied to a further OR gate 374.
Either error signal for the A bus and input to the OR
gate 372 actuates a transceiver 376 to produce an A Bus Error signal. This signal is applied to the X bus 46 for communication to all units in the module 10~
Similarly, an error signal for the B ~us and input to the OR gate 374 actuates a further transceiver 378 to 1 produce a B Bus Error signal that is appl.ied ~o the X
bus 46. FIGURE 2 illustrates operation of ~he illustrated processor module 10 when ei~her Bus Error siynal i6 assertedO

Each transceiver 376 and 378 i5 also connected with a multiplex control logic stage 380 that produces the OBEY A and OBEY B select F,ignals for the multiplexors 304 and 306. The transceiver 376 applies the A Bus Error signal r~ceived from the bus struc~ure even when driven by the memory unit 16, to the logic sta~e 380 and the transceiver 378 liXewise applies the B
Bus Error 6ignal. The lo~ic stage 380 normally produces both OBEY signals. When i.t produces a single OBEY
signal, and receives a Bus Error signal for the bus not being obeyed, it maintains the same single 3BEY signal.
However, when it produc~es a single OBEY signal and receives a Bus Error signal ~or the bus that is being obeyed, it produces only the other OBEY signal.

The operation of the FIGURE 9 parity generators 332, 334, 336 and 338, check bit generator 340, and ECC stage 320 i8 now described in reference to an example with a sixteen-bit memory word consisting of two eight-bit bytes. Each data word which the memory unit 16 receives from the bus structure has a sixteen-bit length plus one parity bit, introduced for ex~nple by the parity generator 92 in a CPU section described above in FIGURE 5~ The parity check circuits 328 and 320 test thi~ parity of data applied to the ~93 1 ~nemory unit 16, and only eiyht data bits of each input word are appl.ied to each bus multiplexor 304 and 306.
The pa.rity generators 332, 334, 336 and 338 pro~uce byte parity for ~he data word received frorn the A bus and for the word received .from the B bus~ Each multiplexor 304 and 30~ accordingl~ receives two nine-bit inputs, and applies a selected one to the output thereof, for a total byte length through Qach bus multiplexor, channel mul~iplexor and write register of nine bits.

The check bit generator 340 adds to each nine-bit byte two further parity bits to bring each byte length to eleven bits, all of which are written in each RAM 290, 292. Thus, the illustrated me~nory 16 stores a twenty-two bit memory word for each sixteen-bit data word, The code with which these error checXing and correcting bits are appended to each sixteen bits of data are set forth in the following Table I, in which the data word bits are numbered (15~ through (00), and the memory check bits introduced by the parity generators and by the check bit generator are numbered (5C) ~o (OC)~ The effectiveness of ~his ECC code stems in significant part from the fact that the present memory unit employs two byte-processing portions, two byte-storing RAMs, and controls each ~AM with one of two identical address and control circuit por~ions~ One RAM
290, 292 stores the data bits designated 15 to 08 and the check bits 4C, 3C and 2C o~ the following codeO The other R~M stores the data bits of 07 to 00 and the check bits 5C, lC and OCO It is preferred that each data byte -~4 1 of a mel~lory word include the parity bit generated from the other byte.

TABLE I

14 13 12 11 10 09 08 07 06 05 04 03 02 01 ~

X ~ X X X X ~ X ~C

X X X X X X X X lC
X X X X X X X XOC

According to the showing in Table I, check bit 5C is generated to provide even parity for data bits 08 ; through 15, inclusive. Check bit 4C is similar, but with regard ~o data bits 00 through 07, inclusive.
Check bit ~ on the other hand is generated to provide odd parity for data bits 00, 03, OS, 06, 08, 11, 13 and 14. Each remaining check bit also i9 generated to provide odd parity for the data bits designated for i~.

When the memory unit 16 is used without a partner unit 18, this six-bit error correcting code of Table 1 makes possible the correction of single RAM
failures. Further, when the memory uni~ 16 op~rates with a partner unit 18, the partnered units are capable of detecting errors in each uni~ and of isolating either unit from driving further signals onto the bus while the ~95-l other unit continues normal operation. The six-bit error code of Table I enables the source of a sing].e bit error to be located. The status and control ~tage 368 includes failure registers for storing the address of an ~rror for subsequent accessing, and for storlng the syrldrolne .

The reliability which the code of Table l provides for a memory unit having eatures as described can be explained as follows. The twenty-two-bit memory word, ~hich the memory unit 16 stores in the two RAMs 290 and 29~ has (222) possible states. Of these, only ~2l6) are valid, i.e., will produce a zero syndrome in the ECC s~age 3200 The ratio of valid m~mory worcl states to invalid ones thus is (2l6) divided by t222) or (1/64)o A sample of random memory words hence will produce a ratio of (63) memory words with non-zero syndromes from the ECC stage 320 for every (64) memory words. Consequently, in the event of a failure in ei~her portion of the address and control circuits 16f, i.e., in one address and control stage 354, 358 or in one buffer 356, 360, which causes half of the memory word to be addressed or enabled incorrectly, th~
resulting memory word -- half of which has been addressed and enabled correctly and half of which has been addres~ed and enabled incorrectly -- can be considered to have a random stateO Sixty-three out of sixty-our times, the present memory unit will detect ~6 l such a failur~ during a ~ad operation by way of a non-~ero syndrome from the ECC unit 320, The resulting non~zero syndrome will cause the unit 16, 18 in which it occurs to be switched to an off~ e status, but leave the partner unit operating normallyO A memory unit in off~line s~atus, as imylemen~ed in the control stage 368, receive~ and processes diagnostic interrogation sig~als but does not drive signals onto the bus structure except in re6ponse to such intQrrogation.

Aside *rom a failure in ~he address and control section 16f of the memory unit, failure of component.s in the format section 16e are detected by parity. The parity ~enerators 332, 334, 336 and 338 generate byte parity directly at the output o the transceivers 300, 30~. The memory unit 16 propagates this byte parity through the section 16f and uses it to generate the two check bits which the check bit generator 340 introduces to the memory wordO The ECC
stage 320 ~hereupon detects a failure in the write data path of the memory unit 16 during a read operation by generating a non-zero syndrome. The ECC stage also detects error-produciny faults in any element of the data read path, iOe., the data path from a ~AM to the multiplexor 298, up to the inputs to the bus-driving transceivers 300, 3020 The illustrated me~ory ~nit detects faults in the non-duplicated portions, e.g.j in the ECC stage 320, the status and contr41 sta~ 368 or the parity S~

1 generators, by means of maintenance software. However, an error in this portion of the memory unit is not by itself likely to produce ~rroneous data on either the A
bus or B bus.

With further reference to FIGURES 9 and 10, the syndrome signal from the ECC stage 320 is applied to the status and control ~tage 368. A non-zero syndrome signal ac~uates a driver 384 (FIGURE 10) to produce a Fast ECC Error ignal and apply it to the X bus 46~ A
non-zero syndrome signal also produces both the A Bus Error signal and the B Bus Error signal, from the transceivers 376 and 378, by enabling an AND gate 382 to respond to a selected clocX signal, The memory unit 16, as noted above, carriea out the foregoing fault detection operations concurrently with memory read and write operations. In the event a fault is detected during a time phase when the ~emory unit is driving read data onto the bus, the non-zero syndrome signal from the ECC 6tage 320 causes the driver 384 o~ FIGURE 10 to produce the Fast ECC
signal during the sarne time pha~e. This signal informs the CPU 12, 14 that a memory ECC error is occurring in the curren~ time phase. The transceivers 376 and 378 drive the A Bus Error a~d the B Bus Error signal~, or either o~ them as appropriate, during the next time phase. In the second time phase after the error is detected, the memory uni can drive correct data onto the bus structureO The correct data comes from the old 1 data reyisters 322 and 324, which store co.rrected data produced in the ECC stage 320. That is, each old data register 322 and 324 can store corrected read data which it receives from the ECC stage 320, Al~ernatively, in a module having two memory units, the correct data comes from the old-data regis~ers 322 and 324 of the nonfailing partner unit.

Wi~h further reference to FIGURE 9, each address and control stage 354 and 358 can produce a Channel Busy signal and a further signal designated Channel Driving Bus. An A~D ga~e 386 (FIGURE 10) in the memory status and control stage 368 i5 actuated by the two Busy signals ~o drive a transceiver 388 to produce a Fast Busy signal and the Busy signal discussed above with reference to FIGURE 2n A urther A~D gate 390, FIGURE 9, produces an Out Enable signal that enables the data transceivers ~00 and 302 only when both Driving Bus siynals are present. With this arrangement, when the two channels of the address and control circuit 168 do not concurrently produce the Driving Bus signals, the ~emory unit is disabled from transferring data to the bus structure, as desired to prevent potentially faulty data from being transmitted to other units of the computer systemq The clamp ~tage 344 in a memory unit prevents potentially faulty data from being applied to the transceivers 300, 302 in the event of a power supply failure~

A memory unit having th~ foregoing features of FIGURES 9 and 10 can execu~e numerous memory cycles~ In 1 a memory .read cycle, the data read rom melllOry i5 applied to the bus structure 30 by way of the transceivers 300, 302 in the same time phase as it i5 applied to the ECC stage 320. In the event this stage produces a non-zero syndrome, the memory unit produces the Fast ECC signal during the same time phase and transmits it to the central processing unit 12, 14 (FIGURE 1~ by way of the X buæ 46. I'he ECC stage produces the corrected data word and stores it in the old data registers 322, 324 for feeding to the bus structure by way of the multiplexor 298 and the transceivers 300, 302 during a subsequent timing phase.

In addition to executing a conven~ional write operation of a full data word, the memory unit can perform a write operation with only a single data byte rom the bus structure. For this operation, the addr~ss control portion of the memory unit does not receive both the Upper Data Valid and the Lower Data Valid ~ignals, as occurs when a full data word is to be written, but receives only one of these control signals. In response to receiving only a single Data Valid signal, the memory unit first reads from the R~Ms 290, 292 the word stored at the location being addressed, and uses one byte of that word in conjunction with the new data byte received from the bus structure to assemble ~ complete data wordO
The new byte receives one parity bit from one parity generator 332, 334, 336 or 338~ ~he old byte already has one phrity bito The newly assembled eighteen-bit word rec~ives four additional check bits from ~he check -100~
1 bit genera-tor 340 befo.re being written into memory. The memory unit thus stores a full twenty-two bit word, which includes the new data byte in addition to the old data byte with a full compleme~t of parity and check bits.

Another memory cycle which the memory unit 16, 18 can execute is to read a complete word from the RAMs 290, 292 and drive it onto the bus structure by way of the transceivers 300, 302 and to receive the same data fro~n the bus structure and again write it at the ~ame address, with a recomputing of all ECC bits. Thi5 memory operation is useful, for example, to duplicate the contents of one rnemory unit in a partner unit. That is, to bring one memory unit up to date with a partner memory unit, a system can read from the latter memory unit and place the resultant data on the bus structure, and write that da~a from the bus structure into the former memory unit at the same location. Any data read rom the former memory unit is not driven onto the bus structure, by inhibiting the Output Enable signal of the transceivers 300, 302 in that memory unit. The illustrated memory unit is thus capable of writing from an on-line memory unit to an off-line memory unit in one multi-pha~e memory cycle~

~E~
The communication cont.rol unit 24, typical of the partner unit 26, and like other control units 20, 22, 28, 32 and 34 of the FIGURE 1 processor module 10, ~q~3 1. has a bus interface section 24a that connects to the bus structure 30, has two parallel control ~tages 24b and 24c that provide logic and data transfer operations for the col~nunication devices connected with the CQ~nUnicatioll panels 50, and has a communication interface section 24d that connects to ~he communication panels. FIGURE 11 is a simplified schematic representation of elements of the communication control unit 24 and particularly sf the bus interface section 24a. Two channel-selecting multiplexors 400 and 402 are connected to receive input signals, each through a separate set of receivers, from the A bus 42 and from the B bus 44. The mul~iplexors form a cross-over circuit for applying signals from either bus to each control section 24b, 24cv Thus bo h control sections 24b, 24c can receive input signals from the A bus 42 or from the B bus 44, or one control section can receive signals from one bus while the other control section receives signals from the other bus.

The multiplexors 400, 402 pro~ide this operation in response to a selection controlling signal wh.ich each multiplexor receives and termed an Obey A
signal and an Obey B signal. In the module 10 of FIGU~E
1 in which all elements are functioning properly, both Obey signals are present and accordingly the multiplexor 400 applies to the control section 24b signals received from the A bus and mul~iplexor 402 applies signals from the B bus to the control section 24c~

1 The multiplexor ~00, by way of example, responds to an assertive Obey A select signal to apply to the output terminals the signals which it receives from the A bus 42. An assertive Obey A select input switches the multiplexor to apply the signal it receives ro~n the bus 44 to it~ output terminalsO The multiplexor 402 opera~es identically and responds to the Obey B signal to apply to its output terminal signals received from the ~ bus, whereas the Obey B select input ~roduces the A bus signal at the multiplexor output.
The CPU ~ultiplexors of FIGURES 4 and 5A oeprate in this manner in response to each designated select signal, as do the multiplexors in the memory unit, FIGURE 9.
However, in the preferred embodiment, each CPU 12 and 14 and each memory unit 16 and 18 processes input signals received 'rom either the A bus or the B bus but not from both buses, whereas each peripheral control unit 20, 22, 24, 26, 28, 32, and 34 responds to the Obey A and Obey B
signals to process input signals re~eived from both the A bus and the B bus.

The control section 24b drives an output device, which for the co~unication control unit is one or more communication panels 50 (FIGURE 1), and drives signals fro~n the control unit to the bus structure 30.
The other con~rol sec ion 24c produces signals for checking these operations. Accordingly, drivers 404 apply bus output signals from the drive control section 24b to both the A bus and the ~ bus, A comparator 406 compares these output siynals with corresponding output -lV3-1 signals froln the check control section 24c~ In response to an invalid comparison, the cornparator switches a so called broken flip~flop 408 to disable the drivers 404. When thus disabled, the drivers do not drive signals onto the bus structure, regardless of what input signals they receive.

With further reference to ~IGURE 11, the multiplexors 400, ~02, ~he dxivers 404, the comparator 406, and the flip flop 408 are part of the bus interface section of the control unit 24. This section also includes a clamp circuit 410 that responds to the detection of a power failure in the control unit 24 as determined by a power failure detector 412 to clamp to ground the output lines from the drive control section 24b to the drivers 404~ This prevents the control unit 24 from applying po~entially faulty signals to the bus structure. The detector 412 generally responds sufficiently quickly to the onset of a power failure to clamp th~ driver input lines to an inactive condition during the transition from normal operation to inoperativeness due to the power failure.

FIGURE 11 alsc indicates schematically that a fault detector ~14 is connected with the signal lines interconnectiny the drive control section 24b and the co~nunication panels 50 to test the signals on these lines against the signals which the check section 24c produces. The fault detector thereby ~ests for further fault conditions in the operation of the control uni~

1 24. The resultant fault signals from th~ fault de~ector 414 are applied to each con~rol section 2~b and 24c, as indicated.

Bus Interface Section FIGURES 12A and 12B show in further detail a preferred embodiment of the communica~ion control unit 24 interface section 24a. Each also shows the connections of the interface section to the conductors of the A bus 42 and of the B bus 44, and o the X bus 46 conductors for the Bus Error signals~ ~his interface section is preferably used in each control unit of the FIGURE 1 module 10.

The illustrated control unit interface s ction 24e has an arbitration circuit 416 connected with the cyc1e request conductors and with the arbitration conductors of the A bus 42, in the mann~r described with reference to FIGURE 3 for the arbitration circuit 264.
A li~e arbitration network 418 is connected in the same manner with the cycle request and arbitration conductors of the B bus ~4. Control logic 420 actuates the two arbitration circuits 416 and 418 wi~h an arbitrate enable (Arb En) signal, as show~, whe~ the control unit 24 is in an arbi~ration phase, as described with reference to FIGURE 20 The Grant sig~al output from each arbitration circuit 416 and 418, asserti~e when the con~rol unit 24 is the highes~ priority unit requesting access to the bus structure 30, is applied to each of two mul~iplexors 422 and 424. The Inultiplexors respond -105~
1 to an Obey A signal and an Obey B signal to procluce both Grant D(drive) and ~rant C(check) signals, as required for operation of ~he memory un.it. The reæultant Grant Drive and Grant Check output 6ignals from the two multiplexors 422, 424 enable the control unit 24 to drive signals onto the bus structure for a data transfer cycle.

To drive address signals onto the bus structure, the bus interface section 24a has an A bus address driver 426, FIGURE 12B, with output lines connected to the cycle definition, physical address, and address parity conductors of the A bus 42. A like B bus address driver 428 is connected in the same manner with conductors of the B bus 44. An Address Enable (ADDR EN) signal froln the control logic 420 enables the address drivers 426 and 428 during the definition phase of an operating cycle. Input signals to both drivers 426 and 428, in co~non, are address signals from the drive control section 24b of FIGURE 11 and a cycle definition signal from the contxol logic 420 (FIGURE 12A). In addition, each data bus driver receives, again in co~non, an address parity digit from an address and cycle defini ion parity generator 434~ The input signals for this parity generator are the output address and cycle definition signals applied to the two drivers, A comparator 436 compares the output address`and cycle definition signals from the drive control section 24b, on lines 430 and 432, with the corresponding signals which the check control stage 24c produces on lines 438 1 and 440. The address com~are signal from ~he compara~or 436 is developed on a line 442. A diode clamp staye 444 responds to a Clamp signal to clamp to ground all the input lines to the drivers 426 and 428.

The interface stage of FIGURE 12B applies data to the bus structure with an A bus data driver 446, the output of which is connected to the A bus 4~ conductors of data signals, data parity, and ~he upper data valid and lower data valid signals. The contxol logi~ 420 enables this driver, and an identical driver 428 connected with ~he corresponding conductors oE the B bus 44, with a Data Enable signal during the data transfer phase of an operating cycle. The input signals to the two drivers 446, 448 are the output data, Upper Data Valid and Lower Data Valid signals from the drive control section 24b of the control unit; these signals are applied to the interface section of lines 450, 452, and 4540 A data parity generator 456 also connects with these lines to produce a data parity bit that is also applied to the two data drivers 446 and 448.

A data comparator 458, which together with the address comparator 436 is part of the FIGURE 11 comparator 406, compares the signals applied to the drivers 446 and 448 on the lines 450, 452 and 454 with corr~sponding signals which the check control section ~c develops on conductors 460, 462 and ~64, The resultant data compare signal i5 developed on line 468, A diode clamp 470 is connected with all the inpu~ lines 1 to data drivers 446 and 448 and responds to the Clarnp signal to fix the lines to ground po~ential.

The data which each data line 450 and 460 applies to thP drivers 446 and 448, respectively, can include status informationD The status information, for example, includes control unit identification such as type and revision sta~us, and operating s~atus such a~
idle, busy, broken, and interrupt condi~ions. A control unit s~ores such status information in status registers, as can be provided with conventional techniques, and drives it to the A bus and B bus in response to interrogation, typically from the CPU.

With further reference to FIGURE 12A, the cornmunication control unit 24 receives address and cycle definition signals from the A bus 42 with a cycle defini~ion and address receiver 472. A like receiver 474 receives corresponding ~ignals from the B bus 44.
Each receiver 472, 474 applies the cycle definition signals and selected address signals to a cycle definition and address decoder 476 and 478, respectively~ The decoder 476 produces an assertive output signal, designated ME A, in response to signals on ~he A bus 42 which address the con~rol unit 24. This signal, and o~her address signals from the receiver 472, are applied to inputs of two channel multiplexors 480, 482~ The multiplexors 480, 482 are actuated wi~h Obey and Obey B signals in the same manner as the arbitration multiplexors 422 and 424. A ME D (drive) signal and the ~108-1 address signals frorn the multiplexor 480, on conductors 484 and 4~6 respectively, are applied to a latch 490.
The latch is enabled to store these signals, in response to a timing signal, by an Idle signal which the drive control ~ection 24b produces when it is inactive, iOe., is not participating in a data transfer cycle.

In the event the multiplexor 480 pro~uces a ME D(drive) signal on line 484 at a time when the drive control section 24b is not producing the Idle si~nal, .i.e~, i5 not in the idle state, the control section actuates the control logic 420 to produce a Bus Busy signal~ which is applied to the X bus 46. With refer~nce to FIGURE 2, this signal causes the data transfer cycle which produced the ME D signal to be abortedO

Upon being entered into the latch 490, the cycle definition and address signals are available on lines 492, 494 for application to the drive control section of the control unit 240 A like latch 496 s~ores the ME C (checX) and address signals output rom the multiplexor 482 when the check control Rection 24c is in the Idle state.

Data receivers 498 and 500, shown in FIGURE
12A, receive data and the Upper Data Valid and Lower Data Valid signals on the A bus and on the B bus, respectively, and apply corresponding da~a and data valid signals to each o two further channel ii3 --10~3--1 multiplexors 502 and 5049 Obey A and Obey B siynals actuate each multiplexor 502 and 504, and regis-ters 506 and 508 receive data and Data Valid signals ~or the drive channel and for the check channel, respectively, fro~n the multiplexors. Data and Data Valid signals clocked into each latch 506 and 508 are available for application to the drive control stage 24b on lines 510 and 512, and are similarly available on lines 514 and 516 from the latch 50~ for the check channel of the control unit.

The data receivers 498 and 500 also can receive co~nand and instruc~ion information from another uni~ of a processor module, yenerally the CPU. This inforrnation is transferred from the receivers to the latches 506 and 508. As further shown in FIGURE 12A, the latch 506 is connected to txansfer the information, under control of the ME A signal, to co~mand resisters 518 and to status control stage 520. The command and instruction information actuates the command register assert different command lines 518a for controlllng the operation of a control unit, and actuates the status control stage to produce such control siynals as set Obey A, set Obey B, set both Obey A and Obey B, and set Reset~ The latch 508 preferably is conrlected with an identical set of command registexs and state con~rol stage~

The illustrated bus interface section 24a further has a transceiver 522 ~FIGURE 12B) connected ~110--1 with t~le ~us error conductor of the A bus 42 and has a like transceiv~r 524 connected with the corresponding error conductor of the B bus 4~. The input error signal froln each transceiver 522, 524 is applied to Obey A
logic 526 and to Obey B logic 528. The former produces an Obey A siynal and the logical complement, and the latter produces an Obey B signal and the logical complement. These are ~he signals which operate the gran~-routing multiplexors 422 and 424, the address-routing multiplexors 480 and 482, and the data-routing multiplexors 502 and 504. In one preferred manner of operation when no error-producing fault is detectedl the multiplexors 422, 480 and 502 respond to siynals recelved on the A bus concurrently with the response of the multiplexors 424~ 482 and 504 to signals received on B ~U5- ~n error detected with regard to the A bus causes the obey logic 526 to disabl~ the Obey A
signal and thereby switch multiplexor 422, 480 and 502 to apply to the output terminals of each the input signals fro~n the B bus. Correspondingly~ the detection of an error on the B bus switches the other multiplexor of each pair, i,e. the multiplexors 424, 482 and 504.

The error transceivers 522 and 524 also drive error signals onto the A bus and B bus in response to a logic error as detected within the interface section, whenevex it is in an arbitration phase of operation and obeying both buses, by a logic error circui.t 530. This ci.rcui~ 530 produces a Set Error A signal and a Set Error B siynal in the event the arbitration circuits 416 1 and 418 produce inconsi~ten~ Grant A bus ~nd Grant B bus signals. The Set Error signals are stored in regist~rs 532 and 534 for application to the transceiYers 522 and 524, as shown. In the event a power failure produces the Clamp signal, a clamp circuit 536 cl~mps to ground the input lines to the transceivers 522 and 524.

The bus interface section 24a of a control unit as shown in FIGURE 12 operates with all receivers of siynals from the A bus and the B bus continually ON
for receiving bus signals~ The receiver portions or the Error transceivers 522 and 524 accordingly respond to signals on the A bus error and B bus error conductors to produce an A bus error signal on line 523 and/or a B bus error signal on line 525, whene~er another unit of the system applies the appropriate Error signal to either of these bus conductors. The obey logic 526 and 528 respond to these Bus Error signals, and to Obey instructions received from the bus structure, typically in response to signals rom the central processing unit 12, 14. In particular, when the obey logic 526, 528 receives instructions to respond to both buses, it produces both the Obey A signal and the Obey B signal~
It produces either one signal or the other, but not both, in response to other received instructions. When the obey logic is producing only the Obey A signal and the error A transceiver 522 applies an A Bus Error signal to it, the circuit switches to produce only the Obey B signal, Conversely, when the logic 526, 528 is producing only the Obey B signal and it receives a ~ Bus i3 1 Error signal froln transceiver 5~4, it sw.itches to produce only the Obey A error s.ignal. When the log.ic 526, 528 is producing only the obey siynal for one bus and receives a Bus Error signal for the other bus, it continues to produce ~he same one obey signalO In the event the obey logic 526, 528 receives bus error signals fro3n hoth transceivers 522 and 524 in the same clock phase, it does not change the existing condition of the Obey .~ and Obey B signals. ~his condition oceurs when a CPU 12, 14 detects an invalid comparison or invalid parity as discussed with reference to FIGURE 6~
Otherwise it is a fault condition for the processor ~odule 10 and the memory unit 16, 18 detects most instances of such an error condition to produce an ECC
error.

The cycle definition and addres~ receivers 472 and 474 (FIGURE 12A) respond to cycle definition and address signals received froM the bus structure, and store in the latches 490 and 496 the signals received fro~n the A bus and/ox the B bus according to the condition of the Obey A and Obey B signals applied to the address multiplexors 480 and 482. Similarly, the data receivers 498 and 500 respond to data and data valid and data parity signals on the A bus and the B
bus, and store corresponding input data in both latches 506 and 508 according to the Obey signals applied to the data multiplexors 502 and 504O

l'he illustrated bus int~rface section of the control unit 24 of FIGURE 12 drives onto both the A bus ~113-1 and the B bug address signals output from the drive control section 24b (FIGUR~ 11) wi~h a parity bit, by way of the addre~s drivers 426 and 428. Sim.ilarly, the data drivers 446 and 448 apply to both the A bus and the B bus data output from the drive control section 24b, together with a parity bit from the parity generator 456.

The address comparator 436 (FIGURE 12B) co~npar~s the output address and cycle definition signals applied to the drivers 426 and 428 with the corresponding signals from the check eontrol staye 24c of the control unit. As discussed below with reference to FIGURE 13, the Address Enable signal applied to the address drivers is asserted, to cause the signals to be driven onto the bus structure, in the next clock phase after the signals are applied to the comparator 436. In the event the set of drive signals applied to the comparator does not compare idPntically with the set of check signals, the address drivers are not enabled~
This action prevents the contxol unit 24 from applying potentially faulty information to the bus structure.

In the same manner, the data comparator 458 compares the output data and valid signals, which the drive control section applies to the data drivers 446 and 448, with the corresponding signals which the checX
control section develop~. An invalid data comparison inhibits the Data Enable siynal and thereby prevents potentially faul~y data from being applied to the bus structure~

~8~

1 With further reference to FIGURE 12A, the arbitration circuits 416 and 418 ~oyether with the cross-over formed by the multiylexors 422 and 424 produce, duriny normal operation, ~he Grant D signal concurrently with the Grant C siynal. The multiple~ors 422 and 424 produce both ~he Grant D siynal and the Grant C signal in three different conditions. In one condition~ both buses are functioning properly so that the Obey A and Obey B signals both are present. In this condition, bo~h the Grant A and the Grant B signals are required for the ~lultiplexors to produce the Grant D and Grant C signals. In a second condition, where only the Obey A signal is present, and not the O~ey B signal, the mul~iplexors produce both the Grant D and Grant C
signals in response to the Grant A signal, re~ardless of the condition of the Grant B signal. The third condition is the reverse of the second; only the Obey B
signal is asserted and the Grant B signal alone causes the Grant D and C signals to be produced, In the event only one of the Grant D or Grant C siynals is produced when both obey signals are assertive, the error logic 530 (FIGURE 12B) produces either, but not both, the Set Error A or ~.he Set Error B
6ignalO More particularly, each control unit in the illustrated processor module 10 checks the arbitration lines of the bus structureO For this operation, the error logic 530 responds in the following manner to the assertion of only one of the two Gran~ C and Gran~ D
signals when bo~h the Obey A and Obey B signals are ii3 1 assertive. When in the next clock phase another unit of the module commences an operating cycle, the error logic 530 produces a Set Error signal for the bus that produced a Grant signal, For example, when the arbitration circuits 416, 418 in the corMmunication control unit produce only a Grant B signal, and not a Grant A signal, and on the next clock phase a unit of the system other than the communication control unit 24 or the partner 26 applies cycle definition and address signals to the bus structure, the error logic 530 reports that the production of the Grant B signal was the result of an error in signals receiv~d from the B
bus 44O Accordingly the error logic 530 produces the Set Error B signal. The error B transceiver 524 responds to that signal to apply a B Bus Error signal to the B bus 44. Conversely, when the arbitration circuits 416, 418 produce only a Grant B signal, and not a Grant A signal, and on the next clocX phase no unit of the system applies cycle definition and address signals ~o the bus structure, the error logic 530 reports that the failure to produce a Grant A ~ignal was the result of an ~rror in signals received from the A bus 42. The error logic 530 accordingl.y produces the Set Error A signal, which the error A transceiver 522 drives onto the A bus error conductor~

FIGURE 13 shows further circuits of the bus interface section for preventing the timing and control logic 420 of FIGU~E 12A from producing the arbitration ena~le address enable~ and data enable signals. This ~l8~

1 action of blocking the enable signals to the hus drivers occurs in response to the detection of an error in the in~erface section. FIGURE 13 shows that driver enable c.ir~uit 540 in ~he control logic 420 produces the arbitration enable, address enable and data enable signals in response to con~rol and timing signals except when a flip-flop 542 is set, in response to a fault condition, and produces a Broken signal. The Broken signal from the flip--flop 542 is also applied by line 543 to disable the transmit section of each error tran~ceiver 522 and 524 of FIGURE l~B. (The flip-flop 542 is pre~erably the same broken flip-flop 408 described with reference to FIGURE llo One condition that sets flip-10p 542 to produce the Broken signal results from an illegal difference in the cycle definition and address signal~
which the com~unication control unit bus interface receivers 472 and 474 produce from signals received from the bus structure 30. More particularly, with further reference to FIGURE 13, a comparator 544 receives selected ones of the cycle definition and address signals from the A bus and compares them with corresponding cycle definition and address signals received from the B bus. The Address In Invalid signal that the comparator produces in response to an invalid comparison condition i5 stored in a la~ch 546 for application, by way of an OR gate ~48, to an AND gate 550.

-1~7-1 A NAND gate 552 also actuates the OR gate 548 when either one, but not both, the ME A signal or the ME
B signal, which the FIGU~E l~A cycle definition add.ress decodPrs 476 and 478 produce, .is presentO Latches 554 and 556 save the ME A and ME B signals .fo1^ application to the NAND gate~ With thi~ arrangement, the OR gate 548 applies an assertive signal to the AND gate 550 either when the two sets of signals applied to the coJnparator 544 differ or when only one ME signal is produced but not the other~ A fault i~ present if either of these conditions occurs when the control unit is set to respond to both buæes, i,e~, when both the Obey A and the Obey B signals are present, and when neither the Error A nor the Error B siynal is assertive.
Accordingly, other inputs to the AND gate 550 are, as shown, the Obey A, Obey B, Error A, and Error B signals.
When these four inputs are assertive, the A~D gate 550 responds ~o an assertive output from the OR gate 548 to set the broken flip-flop 542, by way of an OR gate 5580 Thus, the circuit of FIGURE 13 produces the Broken signal when the bus interface section 24a is set to obey both buses and neither Bu~ Error signal is present, but nevertheless the cycle definition and address signals received frorn the ~wo buses differ, as de ermined by the comparator 544 and ~he NAND gate 5520 The latches 546~ 554 and 556 provide a delay of on~
clock phase before producing the Broken signal, ~o allow either Error A ox Error B signal to be asserted. I
either Error signal is asserted during the one timing 1 ~hase delay which the latches provide, the inequality which the comparator 544 and/or the NAND gate 552 detects is considered ~o be the result of the faulty bus which gives rise to the asserted Error A or Error B
~ignal, rather than to a fault in the control unit 24.
Hence, if either Error signal is asserted duriny the single timing phase delay, the control unit 24 continues operating, and does not raise the Broken signal.

The FIGURE 13 OR gate 558 also receives t~e FI~URE 12B output lines 442 and 468 from the address comparator 436 and the data comparator 458, respectively. An invalid comparison from either comparator again causes the OR gate 558 to set the broken flip-flop 542.

FIGURE 13 further shows that the OR gate 558 receives the complement of a Control Compare signal.
The bus interface section 24a typically compares selected control signals, for checking se:Lected control functions, and raises the broken flag in response to a failure of such control signal comparisons. The broken flip-flop 542 is cleared or reset in response to either a ~eset signal or a Program Clear signal as applied to an OR gate 560.

The Broken signal from flip-flop 542 is applied also to an OR gate 562 that sets a flip-flop 564 to raise a maint~nance request interrupt signal and to tur~ on an indicator of the broken condi~ion. 9ther 1 inputs to the OR gate 562 are a Fan Failure signal and Power Failure signal. The forrner signal indicates that a temperature controlling fan is faulty and the latter siynal, produced with power circuits described hereinafter, indicates that the electrical ~upply to the control unit is failing.

Communication Control Unit ~ IGURE 14 shows the drive control section 24b, the check control section 24c and the communication interface section 24d of the illustrated communication control ur.it 24. The two control sections 24b and 24c are essentially identical. Each has a microprocessor 570, 572 connected with a data bus 574, 576 and with an address bus 578, 580, respectively~ A clock 582, 584 is connected with each microprocessor S70, 572, and a random access memory 586, 588 is connected with each data bus 574, 57G, respectively, Also connected with each data bus 574, 576 are a data output register 590, 592, a data input register 594, 596 and a control input register 598, 600. An address output register 602, 604 is connected with each data bus 574, 576, and with each address bus 578, 580, respectively~

The control registers 598 and 600 of the drive and check control sections 24b and 24c receive the control and address signals tored in the interface section latches 490 and 496, respectively, of FIGURE
12A~ The control registers 598 and 600 also receive o~her control and timing æignals from within the bus 3~3 1 interface section, and apply cont.rol Riynal.s to other elements o the bus interface section. The data in registers 594 and 5g6 recelve respectively the informat.ion stored in the data latches 506 and 508 of FIGURE 12A. The address output registers 602 and 604 connect to the hus address drivers 426 and 428, respectively, of F'IGURE 12B, and the data out registers 590 and 592 connect to the data drivers 446 and 448.

With further reference to the simplified functional representation in FIGURE 14, the illustrated drive control section 24b has an address output register 606 connected with the address bus 578, and has a communication control regis~er 608, a communication data output register 610 and a communication data input register 612, all connected with the data bus 574. The check control section 24c similarly has an address output register 614 connected with the ~ddress bus 580 and has, connected with the data bus 576, a bus control register 616, a communicat.ion data output register 618 and a communication data input register 620.

FIGURE 14 further shows a functional reprcsentation of the communication unit interface section 24d which connects to the communication panels 50 by way of ~he communication bus 48 (FIGUR~ 1). The illustrated communicat.ion bus 48 i3 arranged with two identical sets of conductors designated odd conductors 622 and even conductors 6~4. A peripheral communication device generally connects at communication panel 50 to 1 only one conductor set. The irlterface section 24d applies signals from the address output register 606 cf the drive section 24b to two co~nunication bus drivers 626 and 628. One driver i8 connected to the even-address conductors 622 and the other, to the odd-address conduc~ors 624, a5 shown. The signals from the address register 606 are also applied to a comparator 630, which provides an even-address loop-back com~are function, and to a comparator 632. The latter compara~or also receives the address output signals from the reyister 614 in the check control sectionO The coln~arator 632 thus compares the address output si~nals from the drive control section, with those produced in the check control section.

The address signals from the check channel address output register 614 are also applied to a comparator 634 that provides an odd-address loop-back compare function. A further driver 636 applies the output address signals from the even-address driver 626 to a further input of the loop-back comparator 632 and a like driver 638 applies the output signals from the odd bus driver 628 to the other input of the odd-address loop-back comparator 634.

The co~nunication bus interface section 24d similarly applies the data signals output from th~ drive channel register ~10 to a driver 640 which feeds the even-conductor 8 t g24 of the co~nunication bus 48 and to a driver 642 which feeds the odd-conductor set 622.

~!33~3 l An even-data loop-back comparator 64~ also receives the da~a signals from the register 610 and, by way of a driver 64~, ~he signa~.s output from the even-data driver 5400 An odd-data loop~back comparator ~48 compares the data signals output from the check channel register 618 with the data which the driver 642 applies to the odd-conductors 622, as fed back by way of a driver 650, Further, da~a input to the control unit 24 from the cor~munication bus 48 is applied, by way of the data in drivers 646 and 650, to the communication data input registers 612 and 6200 A further comparator 652 compares the data which the drive channel data register 610 applies to the communication bus 48 with the data output from the check channel register 618.

The communication control unit 24 operates in the following manner with the control sections 24b and ~4c and with the communication interface section 24d of FIGURE 14. The drive control section 24b addresses a communication device, by way of the communication bus 48 and a communication panel 50, with address and control signals rom the address output register 606. The ~ignals are driven onto both the odd and the even address conductors of ~he bus 48 by way of the drivers 626 and 628. The loop-back comparators 630 and 634 compare the addr~ss and control siynals placed on each set of address and control conductors with corre~ponding signals which ~he register 614 in the check channel produces~ In addition, the compara~or 632 compares the outputs of the two registers 606 and 614 i3 L An invalid comparison of address signals or of data signals, output from the two control ~e~itons 24b and 24c for application to a communication device and as detected by the comparators 632 and 652, produces an error signal that switches the broken flip-flop 542 of FIGURE 13 to the set or broken state. The Communication Address Error and the Col~lunication Data Error signals from the compara~ors 532 and ~52, respectively, accordingly are also applied to the FIG~RE 13 OR gate L~ 558.

Any invalid loop-back comparison, as detected with the loop-back comparators 630 and 634 of address signals and as detected with the loop-back comparators 644 and 648 of data signals, produces a Fault signal.
The fault signals are applied to both the drive and the check control sections 24b and 24c, typically by way of status reyisters 654 and 646 connected with each data bus 574 and 576, respectively. Each control section typically s~ores any such Fault signal in a status location for processing in any of several selec~ed ways~
For example, the control unit can be instructed to repeat a read operation or a write operation in the event of a fault signal. An alternative mode of operation is to simply log the fault and continue operation, and a further mode of operation is to halt operation in the event of a comparison fault.

In a read operation, the designated communication device responds to address, data, and 9~

1 control ~ignals and sends information, typically either status information or data. The control unit 24 receives this information from the peripheral device either the even-data conductors or the odd-data conductors, whichever arP connected to the addressed device. Accordingly, one data input driver 646 and 650 applies the received information ~o both the data input register 612 in the drive channel and ~o the data input reyister 620 in the check channel. These data input registers serve as selectors to couple input data from either the odd set of conductor~ or the even set of conductors to data buses 574 and 576, respectively.

In a wrlte operation, in addition to applying address and control signals to the bus 48, the drive control section 24d sends out data, by way of the da~a output register 610, to the data conductors of both conductor sets. The comparator 652 compares the data being sent out to the co~nunication panel on the bus 48 with the corresponding signals which the check channel produces. In addition, the data loop-back comparators 644 and 648 compare the data applied to the bus 48. The comparator 644 effec~s the comparison with the data output from the drive channel regi~ter 610, and the comparator 648 effects the comparison with the data output from the check channel reyister 618.

26 The communication unit interface stage 24d thus checks operations of the control sections 24b and 24c, checks the outpu~ drivers to the communication bus ;i3 1 48 and, with the loop back comparators, checks unctio~s o the cor~nunication bus.

The drive and the check chann~ls of the communica~ion unit operate in lock-step synchronism with one another. Further, the communication control unit operates in synchronism with peripheral communication devices and hence can operate in lock-step synchronism with the partner communication unit 26. The illustrated co~nmunication unit 24 attains this synchronism with a partner unit by synchroni~ing the clocks 582 and 584 in one unit 24 with the corresponding clocks .in the partner unit 26, as now described with reference to FIGURES 14 and 15. The clocks 582 and 584 in each control section 24b, 24c include a stage which counts system timlng signals received from the X bus of the bus structure.
FIGURE 15 shows the two clocks 582 and 584 of FIGURE 14 and the system timing input line 658 ~o each for the counting operation, to gener~te timing signals for the conununication unit operation, The drawing also shows the corresponding clock~ 582' and 584' in the partner co~nunication unit 260 The drive and check clocks 582 and 584 in one unit are synchronized by synchronizing the restart of each count interval. Further, the p~ir of clocks 5B2, 584 in each communication unit 24, 26 is synchronized with those in ~he partner uni~ to provide the lock-step synchronous operation.

The illus~rated control unit 24 provides this operation, as shown in FIGURE 15, by applying to an ~ND

-12~
1 gate 6GO the clock and synch signals which the drive clock 582 therein produces a~ the very end of each count interval, and the corre~pondir~g clock and syrlch si~nals fro3n the check clock 584 ~herein. When all ~he input signals to the AND gate 660 are assertive, the AND gate produces an In Synch siynal which it applies to an AND
gate 664 and to an OR gate 662. The output signal from the AND gate 664 is applied to the re-~tart input of the two clocks 582 and 584, as shown, The OR gate 662 al~o receives the Broken signal produced with the broken flip-flop 5~2 of FIGURE 13, and the sarne Clamp siynal that clamps the input to bus drivers throuyhout the processor module in the event of power failure.

The OR gate 662 thus produces an assertive output signal, which signals the partner unit to count and hence is termed Partner Count OK, in response to the Clamp signal, which is a stopped condition for the unit 24 but not for the partner unit 26. The OR gate 662 also produces the Partner Count OK ~ignal in responæe to either the In-Synch signal from the AND gate 660 or a Broken signal. This signal from the OR gate 662 thus is present either when the two clocks 582 and S84 are ready to commence a new col~nt interval or when the communication unit 24 is broXen, or when the Clamp siynal is asserted. The Partner Count OK ~ignal is applied to one input of an AND gate 664' in the partner com~unication unit 26, as FIGURE 15 also shows. The ~D
gate 664' is connected in the same manner as the AND
gate 664 in the control unit 24 with an AND gate 660' and an OR gate 662'.

~8~3 -1~7-1 Thus, in the unit 24, the ~ND yate 664 produces an assertive clock reætart signal each tilne the clocks 582 and 584 therein have attained a full count, as determined with the AMD gate 660, at the time when it receives the Partner Count OK signal.

In the event either unit 24, 26 becomes broken, or suffers a Clamp producing power failure, the AND gate 664, 664' in the partner unit nevertheless receives a Partner Count OX Rignal by vir~ue of the Broken signal and the Clamp signal being applied to the OR gate 6G2, 662l in the unit which i5 broXen.

Thus, when the two partner communication units are not broken and are not stopped, the clocks in each unit co)~mence a new count interv~l only when the partner unit is synchronized with it as determined by the In-Synch signals output from the two AND gates S60 and 660'. A Clamp ~ignal or a broken condition in one partner unit releases the other unit to commence a new count interval independent of the clamped or broken unit.

Tape Control_ nit FIGURE 16 shows the drive control &ectlon 28b, the check control section 28c, and the tape interface section 28d of the tape control unit 28 of FIGURE 1.
This control unit operates with a non-synchronous peripheral device, i~e. a tape transport, and hence is illustrative of fe~tur~s employed in the disc control -128~
l unit 20, 22 of the FIGUR~ 1 module lO~ The control unit sections of FIGURE 16 operate with a bus interface section 28a (FIGURE 1) preferably structured substantially as the interface section 24c described above with reference to FIGURES 12 and 13.

The illustrated drive control section 28d has a micro~rocessor 700 connected with an address and control stage 702 and with a data stage 704~ The check control section 28c similarly has a microprocessor 706 connected with an address and control stage 708 and with a data stage 710~ The address and control stages 702 and 708 and the data stages 704 and 710 typically employ a number of registers for address, control, and data signals connected by way of data and address buses with the microprocessors 700, 706, respectively, with related control and timing logic, as illus~rated in FIGURE 14 for the communication unit section~ 24b and ~4c. The further construction of the tape control unit sections 28b and 28c for practice of the invention can follow conventional practices known to thQse skilled in this art and is not described furtherO

The tape unit interface section 28d applies address and control signals to a tape transport by way of a driver 682 and applies data sign~ls, with parity from a parity generator 686, by way of a driver 684. A
comparator 694 compares the ou~put data from the drive section 28b with corresponding data signals from the check section 28co ~n invalid data ~omparison results -129~
1 in an error signal which causes he FIGURE 13 flip-flop 542 to switch to the set or broken condition.

The interface section 28d receives status signals froln a tape transpo.rt by way of a buffer 688 and receives data signals, with parity, by way of a buffer 690. The data signals are applied to the data stage in both the drive and the check sections 28b and 28a, parity check circuit 692 t ests the parity of the received data from the ~uff~r 690 and in the event of faul~y parity, produces a fault signal which also is applied to both address and control ~tages 702 and 708.

The status signals from the buffer 688 are applied to the address and control stages 702 and 708 in both the drive and the check channels. Further, the address and control signals from the driver 682 are applied to a comparator 696 for comparison with the corresponding signals which the address and control stage 708 in the check channel produces. An invalid comparison produces a further error siynal which switches the tape control unit to the broken state.

A furth~r comparator 698 compares da~a signals output from the chec~ channel data stage 710 with data input from a ~ape transpor~ to provide a read after write comparisonO For this operation, the tape control unit instructs the peripheral tape transport to record data output rom the drive channel data stage 704 as for a conventional write operation and, further, to read the i3 1 newly-recorded data. The read data, after transrnission through the data input buffer 690 and the data parity check eircuit 692, as applied to one input of the com-parator 698. The other comparator input receives data signals from the check channel data stage 710 by way of FIF0 (first in first out) register 699 that provide a selected time delay. During correct operation, the check channel signals the comparator 698 receives from the FIF0 register are identical to the signa:Ls read back rrom the ~ape transportO Th~ detection of an error raises a further status fault that is applied to both address and control stages 702 and 708.

The tape control unit 28 thus provides duplicated circuits, i.e. the drive and check stages 702, 704, 708 and 710, with duplicated microprocessors 700 and 706, for signals being transferred between the bus structure 30 and a peripheral tape transportD In addition to fault detection in the tape control unit bus interface section 28a, the unit tests the parity of data received from a tape tansport~ compares control signals and address signals and da~a signals which it applies to a tape transport, and compares output data with the read-afterwrite response from the peripheral tape transport.

The fault signals from the parity and from the read after write comparison tests are applied to cir-cuits in bo~h the drive and ~he check channels. The control unit can respond to any fault signal in whatever 3~

-131~
1 manner is prescribed, including, for exampls, to halt operation and/or raise a maintenance i.nterrupt signal, or to log the fault signal while continuing operation.

The disc con~rol unit 20, and the identical partner unit 22, for the FIGURE 1 module 10 can be constructed with a bus interface section 20a as described with referPnce to FIGURES 11, 12A, 12B and 13.
The check control section 20b and the drive control section 20c can be similar to the corresponding cont~ol sections of the communication unit 24 and of the tape unit 28 described with reference to FIGURES 14 and 16, and using conventional disc controller implimentations.
The disc interface section ~Od can likewise employ constructions described for the communication unit and the tape uni~ to test for faults/ by comparison and/or cyclic redundancy checking (CRC~.

The module operates two disc control units 20 and 22, which are connected to different disc memories, to store ~he same information in the disc memory subsystem connected to each unit. Only one control unit, however, is employed to read information, the selection typically being made on the basis of which disc con~rol unit is not busy and has the shortest access time.

The illustrated module 10 of FIGURE 1 can use either or both link control units 32 and 34 to exchange inormation with another module or like computer 1 processor by way of one or both sets of th~ link conductors 40a and 40b~ Each illustrated link control unit employs a bus intelface section 32a and redundant control sections 32b and 32c, together with a link interface section 32d. Each sectiol) can be constructed as described herein for corresponding sections of the communication con~rol unit and the tape control unit, in view of practices known for linking computer processors to multi-processor networks.

Central Power Supply The power supply subsystem for the FIGURE 1 processor module 10 is described first with reference to FIGURE 17, which shows the connections of sever~l units of the module to different supply conductors of the bus structure 30. These conductors, aside from ground r~turn conductors which for simplicity are not shown, include a supply conductor 716 which provides operating power from the bulk supply 36a to all units connected in the even-numbered, for example, connectors of the back plane described with reference to FIGURE 3. A like supply conductor 718 provides operating power from the bulk supply 38b to units connected in the odd-numbered receptacles of the back plane. There also is a power-failure conductor 720, 722 connected from each of two further supplies 36c and 36d to both processor units 12 and 14, as shown.

As shown on the right side of FIGURE 17, the supply 36c maintains each conductor of the A bus 42 -133~
1 norlnally, i.e, in the absence of an assertive siynal, at a positi~e supply voltage by way of a separate pull~up resistor or each such conductor, as described wi-th reference to FIGVR~ 3. The supply 36c develop~ this vol~age with an elec~rical converter 724 that is energized froln eith~r bulk supply 36a or bulk supply 36b by way of a power-handling OR gate 726. A reference and compare circui~ 728 in the supply 36c produces an A Bus Power Fail signal on conductor 720 when the output of the converter 7~4 falls below a selected threshold level~ The supply 36d, which develops the pull-up voltage for each conductor of the B bus 44, is similar, with a conver~er 730 fed by a powerhandling OR gate 732 and a reference and compare circuit 734 which produces a B Bus Power Fail signal on conductor 722.

FIGURE 5B shows that the processor status and control stage 133 in the proc~ssor 12 receives the Bus Power Fail signals on conductors 720 and 722. The response of the CPU to each signal is to produce a Bus Error signal for the corresponding bus, the signal pro~uced under ths co~dition is a level, rather than a pulse of one time~phase durationO E~ch Bus Power Fail signal also sets a status register or flag which the CPU
can interrogate~

Wi~h this supply arrangement, the failure of either bulk supply 36a or 36b disables essentially only one-half of the units in a processor module, assuming the units are evenly distributed between connections to 1 odd-numbered backplane connections and even-numbered ones. It leaves the remaining units fully operatlonal.
Similarly, ~he failure of either bus supply 36c or 36d disables only the A bus 42 or the B bus 44, but not both. I~ hence does not degrade the quality of the module perfoxmance.

FIGURE 18 shows a power circuit 740 which i5 provided in the central processing unit 12. The partner CPU 14 has an identical circuit. This circuit receives bulk power from either bus conductor 716, 718 (FIGURE
17) on a power input line 742. A ~ulk monitor 744 produces a Bulk Failure alarm signal on line 746 in the event the bulk supply 36a, 35b to which it is connected fails. This alarm signal is a highest priority interrupt. The CPU response is to execute special routines that save crucial informatin before an Alert signal halts all further operation.

A power inverter 748, energized rom the power line 742, produces the different supply vol~ages, for example +5 volts, -S volts, ~12 volts, which the CPU
requires on conductors 750a, 750b and 750c. A primary reference circui~ 752, also energized from the power line 742, produces a first reference voltage which separa~e comparators 754a, 754b, 754c compare with the voltage on each line 750a, 750b and 750c, respectivelyO
An OR gate 756 produces a Power Fail signal in response to an invalid compare signal applied to it from any comparator 754. The illustrated power circuit 740 1 includes a urther, secondary reference circuit 758 which produces a secondary re~erence voltage that a comparator 760 tes~s against ~he output from the primary reference circuit 752. The invalid compare output from the comparator 760 is also applied to the OR gate 756 and, when assertive, produces the Power Fail signal, A mechanical swi~ch 762 is mounted on the circu.it board or other frame of the processing unit 12 to be closed, and thereby to ground a further input line to the secondary refPrence 758, only when the CPU is installed, iae. when ~he unit is fully plugged into the structure of the back plane of FIGURES 2 and 3. The switch 762 .is open when the unit 12 is not fully plugged in, and it immediately opens when the unit becomes partially unplu~ged. When open, the swi~ch 762 breaks the ground connection for the secondary reference 758.
This causes the comparator 760 to produce an invalid compar~ signal that generates the Power Fail signal.
When the processor unit 12 is unplugged for removal from a computer system, for example for servicing, the switch 762 opens prior to the interruption of any electrical connections between the unit and the bus structure 30O
That is, the switch 762 opens upon the initial movement of the unit to unplug ito In addition to producing the Power Fail signal, the OR ga~e 756 actuates a further OR circuit 764 to produce an Alert sign~l and is applied to one input of an AND gate 766. The other input to both the -136~
1 OR gate 764 and the ~ND gate 766 is the output rom a delay circuit 768 that also receives the Power Fail signal~ With this arrangement, the OR gate 764 produces the Alert signal as soon as the Power Fail signal is produced/ and continues to assert the Alert signal until a time determined by ~he delay circuit 768 after the Power Fail signal i5 removed. Fur~her, the AND gate 766 is actuated to produce the Clamp signal af~er initiation of the Power Fail signal by the delay interval of the delay circuit 768, and ~erminating with the Faul signal.

FIGURE 19 shows these relative time relations of the Power Fail, Alert, and Clamp signals with waveforrns 770a, 770b and 770c, respectively. Thu5, in the event of a power failure, the power circuit 740 produces ~he Power Fail signal and an Alert signal essentially simultaneously~ After a selected delay it produces the Clamp signal.

The circuit of FIGU~E 18 detects a power failure, and produces the Power Fail and Alert signals, sufficiently quickly to enable mally circuits in units of a processor module to respond ~o these signals and effect protective measures during the delay interval and before the disabling loss of power occurs. The Clamp signal prevents further opera~ions at a time w~en system power m~y have fallen to such a point that the operation is no longer fully reliable.

~137~
l Similarly, upon return of power, ~he Power Fail and Clamp æignals immediately terminate, but the Alert ~ignal continues for the brief delay of the circuit 768 to allow the system units to stabilize to full power before resuming processing operation.

The response of the illustrated processor module to the Power ~ail signal is to raise an interrupt for initiating routines to save informa~ion from loss upon a power failure. The subsequent AlPrt signal resets the module units to place logic circuits in the sarne known condition used for initializing the module.
By way of specific example, when an operating voltage normally of (5) volts drops to (4.8) volts, the FIGURE
18 power circuit produces the Power Fail and then Alert signals. Ten microseconds later i~ produces the Clamp signal; the failing voltage a~ that time typically is around (4.5) volts.

As indicated above, the partner CPU 14 has a power circuit 740 identical to the one shown in FIGURE
18. In addition, each other unit of ~he FIGURE l module lO preferably has a power circuit identical to the one ~hown in FIGURE 18, excep~ that the bulk monitor 744 typically is omitted from all units other than the central processor units 12 and 14.

FIGURE 18 further shows the OR gate 562 and the flip-flop 564 previously described with reerence to FI5URE 13. These logic elements respond not only to the 1 Broken signal and the Fan Fail signal, but also to the Power ~ail signal of FIGURE 18 Clam~ Circuit Eacll unit of the illustrated processor rnodule 10 i5 described above as having a clamp circuit connected to each driver, or transrnitter, that applies signals to the A bus 42 and to the B bus 44. The clamp circuits thus located throughout the module are normally inactive, but are all activated by the clamp signal produced with the power supply circuit of FIGURE 18.
The output element of each driver, or transmitter, that connects to a bus conductor is a transistor. FIGURE 20 shows two such bus-driving transistors 780 and 782 in any unit of the module 10, each having a collector connected to drive information onto different conductors 784, 786 of the A bus 42 or the ~ bus 44, A separate pull-up resistor 7~8, 790 connects from the supply conductor of one bus supply 36c or 36d, FIGURE 17, to each bus conductor 784 and 786, A separate clamping diode 790, 792, as provided in a clamp circuit 88 or 90, as in FIGURE 4, or in ~he clamp circuit in any other unit of the system, as illustrated, is in circuit with each driver transistor 780, 782 ~o clamp the transistor base to the nondriving ground level o the Clamp signal to disable the transis~or from conduction. In the absence of an input signal to the base of the driver transistort the bus conductor is at the norlnally high voltage which the pull-up resis~or applies to it from the electrical supply. The Clamp signal, applied to - 13~ -1 each cl~lmp circuit diode, disables -the dri.ver transistor from respondillg to any input siynal it might receive.
The clamp sigllal thus preveJIts ~:he driver from plc~cincJ
information on tlle bus struc-ture o the FIGURE 1 processor ~od~le 10.

It will thus be seen that the objects set forth above, among those made apparen-t rom t:he prececling description, are efficiently attained. It will be understood that changes may be made in the above constructions and in the foregoing se~uences of operation without departing from the scop~ of ~he invention. It is accoxdingly intended that all matter contained in the above description or shown in the accompanying drawings be interpreted as illustrati.ve rather that in a limiting sense.
It is also to be understood that the following claims are .intended to cover all of the generic and specific features of the invention as described herein 7 and all statements of the scope of the invention which, 3~

-140~
1 as a matter of language, might be said to fall therebetween.

Having described the invention, wha~ is claimed as new and secured by Letters Patent is set forth in the appended claims.

Claims (22)

The embodiments of the invention in which an exclusive property or privilege is claimed are defined as follows:

1. In digitial data processor apparatus which transfers information between functional units including a processing unit, a memory unit, and peripheral control units on a common bus structure and with transfer cycles which include plural operations including a definition operation which can include addressing, and a data-trans-fer operation, where said operations of one cycle are non-overlapping and occur in different respective timing intervals, the improvement comprising A. at least first and second duplicative buses in said bus structure, each arranged for carrying definition signals and data signals, c B. means for detecting errors separately on each said bus in at least one of said definition operation and said transfer operation, and C. means for executing plural different ones of said operations during a single timing interval, said executing means including means responsive to an error detection by said detecting means for repeating, in a subsequent timing interval, the operation in which that error was detected and for preventing during that subsequent timing interval another operation that would otherwise occur in the absence of that error detection.

2. In apparatus according to claim 1, the further improvement comprising means for effecting said inform-ation transfer operations selectively on said first and second buses, and responding to an error detection by said detecting means on only one of said buses for effecting said repeated operation on the other of said buses.

3. In digital data processor apparatus which transfers information between functional units including a processing unit, a memory unit, and peripheral control units on a common bus structure with transfer cycles which include plural operations including an arbitration operation, a definition operation which can include addressing, and a data-transfer operation, where said operations of one cycle are non-overlapping and occur in different timing intervals, the improvement comprising A. means for executing at least two different ones of said operations concurrently during a single timing interval, B. means for detecting a cycle-interrupting control signal during at least one said operation, and C. means responsive to the detection, in one timing interval, of a cycle-interrupting signal for repeating, in a subsequent interval, the occurrence of at least a first selected operation which occurred during an interval in which said cycle-interrupting signal was detected.

4. In apparatus according to claim 3, the further improvement in which said interrupt-responsive means includes means for aborting a cycle for which a second selected operation, other than said first select-ed operation, occurred during the interval in which said cycle-interrupting signal was detected.

5. In apparatus according to claim 3, the further improvement in which said interrupt-responsive means includes means for aborting a cycle for which said first operation would otherwise occur, in the absence of that error detection, during said subsequent interval.

6. In apparatus according to any of claims 4 or 5, the further improvement comprising means for re-initiating said aborted cycle.

7. In apparatus according to claim 3, the further improvement comprising A. at least first and second duplicative buses in said bus structure, each arranged for carrying arbitration signals and definition signals and data signals and control signals, B. means for detecting an error on any one of said buses in said definition signals and, separately, in said data signals, and C. means for signaling to all said functional units the detection of any such error.

8. In apparatus according to claim 3, the further improvement comprising A. at least first and second duplicative buses in said bus structure, each arranged for carrying arbitration signals and definition signals and data signals and control signals, B. means for detecting an error on any one of said buses in said definition signals and separately, in said data signals, and C. means for repeating a data-transfer operation which occurred during the interval in which any of said buses carried signals which said detecting means detected as erroneous.

9. In apparatus according to claim 3, the further improvement comprising A. at least first and second duplicative buses in said bus structure, each arranged for carrying arbitration signals and definition signals and data signals and control signals, B. means for detecting an error on any one of said buses in said definition signals and separately, in said data signals, and C. means for cancelling any cycle for which a definition operation occurred during the interval in which any of said buses carried signals which said detecting means detected as erroneous.

10. In apparatus according to claim 3, the further improvement comprising A. at least first and second duplicative buses in said bus structure, each arranged for carrying arbitration signals and definition signals and data signals and control signals, B. means for detecting an error on any one of said buses in said definition signals and separately, in said data signals, and C. switching means responsive to the detection by said detecting means of an error on only one of said buses for effecting subsequent operations on only the other of said buses.

11. In apparatus according to claim 3, the further improvement A. in which said interrupt-detecting means includes means responsive to a Wait signal produced in a first timing interval when an addressed unit is not ready for addressing operation in a first cycle, B. further comprising means for rescheduling the data operation of said first cycle to a timing interval subsequent to said first interval, and C. further comprising means for cancelling a second cycle for which a transfer operation would other-wise occur in that subsequent interval.

12 In apparatus according to claim 3, the further improvement in which A. said interrupt-detecting means includes means responsive to a Busy signal produced by an addressed unit during the timing interval of an addressing operation with that unit, and B. further comprising means for cancelling the cycle which includes that addressing operation.

13. A method for transferring information in digital data processor apparatus between functional units including a processing unit, a memory unit, and peripheral control units on a common bus structure and with transfer cycles which include plural operations including a defini-tion operation which can include addressing, and a data-transfer operation, where said operations of one cycle are non-overlapping and occur in different respective timing intervals, said method having the impro-vement comprising A. transferring such information normally on at least first and second duplicative buses in said bus structure, each arranged for carrying definition signals and data signals, B. detecting errors separately on each said bus in at least one of said definition operation and said transfer operation,

Claim 13 continued C. executing different ones of said operations during a single timing interval, and D. responding to an error detection by said detecting means for repeating, in a subsequent timing interval, the operation in which that error was detect-ed and for preventing during that subsequent timing interval another operation that would otherwise occur in the absence of that error detection.

14. A method according to claim 13 comprising the further improvement of A. effecting said information transfer operations selectively on said first and second buses, and B. responding to an error detection by said detecting means on only one of said buses for effecting said repeated operation on the other of said buses.

15. A method for transferring information in digital data processor apparatus between functional units includ-ing a processing unit, a memory unit, and peripheral control units on a common bus structure with transfer cycles which include plural operations including an arbitration operation, a definition operation which can include addres-sing, and a data-transfer operation, where said operations of one cycle are non-overlapping and occur in different timing intervals, said method having the improvement comprising

Claim 15 continued A. executing at least two different ones of said operations concurrently during a single timing interval, B. detecting a cycle-interrupting control signal during at least one said operation, and C. responding to the detection, in one timing interval, of a cycle-interrupting signal for repeating, in a subsequent interval, the occurrence of at least a first selected operation which occurred during an interval in which said cycle-interrupting signal was detected.

16. A method according to claim 15 in which said improvement further comprises aborting a cycle for which a second selected operation, other than said first selected operation, occurred during the interval in which said cycle-interrupting signal was detected.

17. A method according to claim 15 in which said improvement further comprises aborting a cycle for which the operation which would occur, in the absence of that error detection, during said subsequent interval is said first operation.

18. A method according to claim 15 in which said improvement further comprises A. aborting a cycle having an operation that would otherwise conflict with said repeated operation, and B. re-initiating said aborted cycle in an inter-val after said subsequent interval.

19. A method according to claim 15 in which said improvement further comprises A. responding to a Wait signal produced in a first timing interval when an addressed unit is not ready for addressing operation in a first cycle, B. re-scheduling the data operation of said first cycle to a timing interval subsequent to said first interval, and C. cancelling a second cycle for which a trans-fer operation would otherwise occur in that subsequent interval.

20. A method according to claim 15 in which said improvement further comprises A. means responding to a Busy signal produced by an addressed unit during the timing interval of an addressing operation with that unit, and B. cancelling the cycle which includes that addressing operation.

21. A method for transferring information in digital data processor apparatus between functional units including a processing unit, a memory unit, and peripheral control units on a common bus structure with transfer cycles which include plural operations including an arbitration operation, a definition operation which can include addressing, and a data-transfer operation, where said operations of one cycle are non-overlapping and occur in different timing intervals, said method having the improvement comprising A. providing at least first and second duplicative buses in said bus structure, each arranged for carrying arbitration signals and definition signals and data signals and control signals, B. detecting an error on any one of said buses in said definition signals and said data signals, and C. repeating a data-transfer operation which occurred during the interval in which any of said buses carried signals which said detecting means detected as erroneous.

22. A method according to claim 21 in which said method further comprises cancelling any cycle for which a definition operation occurred during the interval in which any of said buses carried signals which said detecting means detected as erroneous.