- 2 - 23930-293
The present invention relates to a procedure for the
transmission of serial data between secure computers that are
preferably operating in two-channel mode, using a double-ring bus
system.
Up to now, there have been different variations of double-
bus systems. However, the known solutions have entailed various
disadvantages.
Thus, it is known, amongst other things, that the two
ring buses can be driven in parallel and on a redundancy basis in
the course of normal operation, when the data will flow through
them unidirectionally, but in opposite directions. Each computer
is functionally connected by one channel with one ring bus and by
the other channel with the other ring bus through active bus
couplers. The computers of the individual stations are autonomous,
and the whole system is decentralized. When a fault is identified
the whole of the double-bus system is switched over to the "TEST"
mode, and the fault site is localized through "minor loops," by
means of interfaces between the ring buses. This is then followed
by further switching to the "FAILURE" mode, when the adjacent
sectors are switched permanently to a simple ring structure without
any redundancy, by separation of the sector that contains the
fault. (Computer, August, 1984, pp. 57, 58, 60-66).
The active bus couplers of the known, completely decentralized
system each have their own intelligence that is based on
microprocessors and each is capable of dedicated, active and
restricted data processing. This plurality of data processing
can, however, work "falsely" in and of itself, so that an error
and its effects either cannot be determined, or can be determined
only with great difficulty, by using costly test procedures, and
thus fail to satisfy the demands for security. The system is not
fail-safe.
For these reasons, such systems are impracticable.
It is the task of the present invention to create a
transmission system for serial data, said system being technically
secure, between secure computers that are operating preferably in
two-channel mode, by the use of a double-ring bus system having a
high level of protection against operational failure, in which
connection the proof of security is easy to furnish.
Thus, in accordance with a broad aspect of the invention
there is provided a procedure for the secure transmission of serial
data between secure computers operating in two-channel mode, by
the use of a double loop bus system,
- in which, in normal operation ("NORM" mode) the data
flows through two loop buses parallel-redundantly in opposite
directions and unidirectionally, each computer being functionally
connected with one channel to one ring bus and with the other
channel with the other ring bus through active bus couplers;
- in which, in the event of an identified failure, the site
of the failure is localized by switching the double-ring bus
system into "TEST" mode, with cross-connections between the ring
buses;
- in which, after this, further re-switching to reserve mode
("FAILURE" mode) takes place, in that the adjacent sections are
switched permanently to a simple ring structure without redundancy,
with the separation of the failed section; wherein an active main
station with a two-channel control computer is provided to control
the two ring buses, which administers and controls access rights
to the bus hierarchically for other bus subscribers that have their
own computers, and which compares the circulated data of one ring
bus with the transmission data of the other ring bus and vice versa
diagonally, with non-comparison marking a failure, which initiates
switching from the "NORM" mode for normal operation to the "TEST"
mode, in which the substations are polled cyclically from the
main station, active bus couplers combined in pairs in the bus
control units creating progressive interruptions and cross connec-
tions until such time as non-comparison of the transmitted and the
received data within the main station signal the site of the failure,
which initiates switching to the "FAILURE" mode.
The invention is described in greater detail below on
the basis of the drawings appended hereto. These drawings are as
follows:
Figure 1: A functional diagram of the transmission system.
Figure 2: The structure of a bus control unit, in block
form.
Figure 3: The principle of the "NORM" mode of operation.
Figure 4: The principle of the "TEST" mode of operation.
Figure 5: The principle of the "FAILURE" mode of
operation.
Figure 6: A function schematic for the "TEST" mode.
Figure 7: A function schematic for the "FAILURE" mode.
Figure 8: A function schematic of an operation control
unit in the "NORM" mode.
Figure 9: A function schematic of an operation control
unit in the "TEST" mode.
Figures 10 and 11: Function schematics of the operation
control unit in the "FAILURE" mode.
The basic function of the preferably optical transmission
system is shown in figure 1. The computer channels that are
switched into circuit are designated by the numbers 1 and 2 for
the computer channels 1 and 2. In this double-ring structure,
information flows through both rings of the transmission system in
opposite directions, and does so unidirectionally. The system
contains the master station LS and substations US1 to USn. The
main function of the master station LS is to administer and monitor
the bus feed lines. The substations US must be called up by the
master station in order to have access to the bus, and cannot
intervene arbitrarily. At those locations where the bus
participants are connected, the two ring buses of the transmission
system, BUS1 and BUS2, are interrupted for the connection of an
active bus control unit, BSE. The level of error tolerance of the
transmission system is achieved by the redundancy routing with two
transmission lines and the modes of operation of the bus coupler,
which remains to be described. The partial or complete failure
of an individual component never results in the complete failure
of the transmission system, but is confined exclusively to the
element in question, since on failure of a station that is
connected, or the failure of a bus coupler, the transmission system is
reconfigured.
Optical conductors and/or copper cable can be used
advantageously as data transport media. When optical conductors
are used as transmission buses, it will be necessary to use
active bus couplers, BUKO, to produce and convert the optical
signals of the optical conductors into electrical signals for the
computer unit that is switched into circuit, and for the time and
amplitude regeneration of the optical signals. These active bus
couplers have to compensate the attenuation and distortion of the
optical signals by the optical conductors. Two active bus
couplers, BUKO 1 and BUKO 2, are used as coupling elements between the
transmission system and the particular two-channel computers.
Both computer channels 1 and 2 can access the two buses
BUS 1 and BUS 2 of the parallel redundancy transmission system
if, as authorized-access stations, they wish to place data on the
bus. To this end, the two bus rings are so separated at point
of transmission for the duration of the active access to the
bus that the transmitting system can input its data and there
is no superimposition on signals that have already been sent and
which have already travelled around one ring. The endless looping
of signals is inhibited. As the bus control station, the active
main station LS of the system has additional functions in
addition to controlling access rights to the bus: during each
active access to the bus by a computer channel of the main
station LS there is a check of the whole transmission system
because corresponding monitoring functions in the main station LS
pick up circulated data from the other ring bus, this data having
been switched out of circuit by the parallel-redundant computer
channel of the main station LS. The correct passage of messages
is determined by comparison with the particular transmitted data.
The failure of a bus subscriber or disrupted message cycles will
be identified during each message cycle of the main station LS by
the other computer channel of the main station LS. In the same
way, the individual message cycles of the two computer channels
of the main station LS will be synchronized in time.
The use of various transmitting media within a transmission
system presents no problems because of the special design
principles of the bus control unit BSE. In addition to the use
of glass-fibre optics, it is also possible to use plastic-fibre
optical conductors or electrical transmission lines, insofar as
it is expedient to use them. The transmission system can be
optimally matched to all environmental constraints by the
appropriate selection of the physical transmission media.
Figure 2 shows the construction of a bus control unit, BSE,
in greater detail. What is shown is the principal connection of
the bus couplers BUKO 1 and BUKO 2 with a two-channel secure
computer. A fault site in a transmission system can be localized
with the BSE bus control unit by operation in various modes, and
rendered innocuous by reconfiguration of the transmission system.
This will be dealt with at length below. A complete BSE bus
control unit always consists of two bus couplers, BUKO 1 and BUKO
2, that are configured identically apart from any differences in
the transmission intersection points, these representing the
connection between a computer channel of the two-channel bus
members and the parallel-redundant transmission system. Each bus
coupler has three different intersection points: RS, VS, S.
1. The bus coupler is switched to a computer channel of the
two-channel secure computer with the computer interface RS. The
computer interface contains lines for power supply, function
monitoring, and function control of the bus coupler and the
serial data input and output of the computer.
2. Both bus couplers BUKO 1 and BUKO 2 of a bus control unit
are connected to each other through a connection interface VS.
The connector interface consists exclusively of data lines.
3. The transmission interface S is the connection of the bus
coupler to the transmission system. The transmission interface
has an input and an output and an output seizure for switching
the two parallel-redundant transmission lines that operate in
opposite directions.
The power supply for the bus coupler takes place through the
computer that is switched into circuit, through the computer
interface RS. All other signals from the computer interface are
connected, non-reactively, with the computer channel that is
switched into circuit. The data lines of the connector interface
VS are arranged as symmetrical transmission lines and decoupled
from each other.
Because a bus control unit BSE is composed of two similar
bus couplers, and because a bus coupler contains a complete
transmission interface to one side of the transmission system, the
transition from one transmission medium to another transmission
medium from one transmission interface to the other transmission
interface of a BSE in a transmission system is possible without
any problem. All that is required is that the transmission
interfaces of the bus couplers are arranged accordingly. If a bus
coupler of the bus control unit has an optical transmission
interface, and the other bus coupler of this bus control system has
an electrical transmission interface, the transition from an
optical to an electrical transmission medium, and vice versa,
presents no problem.
Protection against failure is ensured by the three different
operating modes of the BSE bus control unit.
1. In the "NORM" mode computer channel 1 of the two-channel
circuit that is on stream is connected functionally with bus 1
and computer channel 2 of the on-stream two-channel computer is
connected functionally with bus 2 (see figure 1). Data
transmission is parallel-redundant because both computer channels
pass information to each other in identical sequence and
quasi-synchronously on the data transmission link. If an irreversible
fault is identified, operation is switched to the "TEST" mode.
Figure 3 shows the "NORM" mode.
2. The "TEST" mode serves to check out the transmission system
in the event of a failure in order that the site of the failure
can be localized and data transmission continued by a newly
configured system. To this end, within the data transmission
path of the bus control unit BSE the normal transmission path is
interrupted and the signals are passed on the parallel-redundant
transmission line, e.g., from bus 1 to bus 2 equals test path 1/2
and, reversed, as test path 2/1. The signals are quasi mirror
imaged and returned as an echo on the parallel-redundant bus to
the LS transmitting station. In this mode, each bus control unit
BSE's ability to function is established step-by-step. The
associated data flow is shown in figure 4.
3. In the "FAILURE" mode of a bus control unit BSE of the
transmission system, in the event of a failure the transmission
system is reconfigured. The section of the transmission system
in which the source of the failure is located is then so
separated from the transmission system that the parallel-
redundant bus structure is restructured and the source of the
failure is decoupled from the transmission system in the two
adjacent bus control systems. In this mode, the bus control unit
BSE interrupts the flow of data in the direction of the data
transmission system in such a way that the transmission path
within the BSE is switched from the one unidirectional data bus
onto the parallel-redundant data bus. In this mode, the data
transmission system has no more redundancy. Data transmission no
longer takes place in the same time sequence, but in series,
i.e., the individual channels of the two-channel secure computer
are active on the bus, one after the other in time. In order to
initiate the "FAILURE" mode, the "FAILURE" command is passed to
the appropriate station on the functioning transmission path with
"failure path 1/2" or "failure path 2/1," whereupon the two
computer channels pass control signals to the computer that is
addressed in the bus control system that is switched in circuit,
and these signals reswitch the data path within the bus control
system that is in circuit.
Selection of the various modes of the bus control system
takes place by appropriate signals of the two-channel computer
that is on line, through the computer interface of the particular
associated bus coupler. For the duration of its activation, the
corresponding function of the bus control unit is effected.
As has already been discussed, total failure of the
transmission system is prevented in the event of a partial or
complete failure of individual components of the transmission
system. In this event, only one subscriber can under certain
circumstances no longer be addressed. When this happens, the
transmission system tolerates the following individual failures:
- An active bus coupler fails, either completely or in part;
- A computer that is connected fails, either completely or in
part;
- One or both transmission lines of the transmission system
is/are broken between two adjacent stations at one or
several places;
- A station is removed from the system, i.e., the transmission
lines are decoupled at the two transmission interfaces of the BSE;
- The power supply of one or both computer channels of the
computer unit that is connected is/are interrupted or fails
completely.
Reference is made to figure 1 with regard to function.
Each signal that is applied to one of the two unidirectional
transmission buses in the "NORM" mode by the master station LS
must ultimately appear at the line end at the input of the master
station LS after a fixed delay period that depends on the length
of the line and the number of intervening bus couplers. The
functioning of the transmission system is tested thereby, during
all active bus cycles of the master station.
A fault in the transmission system is identified by the
master station because the end points of the two ring buses BUS 1
and BUS 2 are connected with the receiving system of the master
station. All transmission data from the master station LS must
thus be received by it again as an echo, providing the
transmission system is not down.
If there is no echo on one of the ring buses, or if the
received data of the echo do not agree with the data that has
been sent, then there is a fault along the data transmission
path. In order that the site of the fault can be localized and
thus rendered innocuous, and in order that the bus coupler of the
bus control unit BSE that is adjacent to the site of the fault
can assume the appropriate failure function, it is necessary to
switch to "TEST" mode. The main station LS carries out the test
procedure. To this end, it sends a test message on one
unidirectional bus, e.g., BUS 1, and tasks the individual
substations US 1 to US n to switch to "TEST" mode in a specific
sequence. In the substation that has just been switched, the
test message is switched over to the other, opposite,
parallel-redundant bus, e.g., BUS 2, and looped back to the main station
LS as an "echo." The status of the data transmission system can
be ascertained for the actual test path by comparison of the two
messages (test message with the echo). The location of the fault
is localized by progressive test runs. Figure 6 shows the system
with n subscribers, in that the substation US n-2 has been
switched to "TEST" mode. If it is ascertained that the fault is
located in an area between US n-2 and US n, this area is taken
out on both sides and the BSE of the substation US n-2 is tasked
for connection from bus 1 to bus 2 and the BSE of station US n is
tasked for internal connection from bus 2 to bus 1 by the main
station LS.
This does away with the redundancy of the transmission
system, i.e., the double-ring structure of the transmission
system becomes a simple ring structure without redundancy because
of the reconfiguration. The messages of the parallel-redundant
computer channels can no longer be passed simultaneously onto the
bus system, but must be switched into circuit in series. Figure
7 shows the system in this state, with a failure, switched out of
circuit, between substations US n-1 and US 4. The substation US
n-2 has been taken off line.
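The NORM-mode echo check, the progressive TEST-mode localization and the FAILURE-mode reconfiguration described above, as an added simulation that is not code from the patent: the station and segment numbering, the fault model (a segment either drops or corrupts the message on one bus) and the sample fault sets are assumptions made for illustration.

```python
# Simulation of the double-ring bus described above. Station 0 is the master
# LS, stations 1..n are US1..USn; segment i joins station i and station
# (i + 1) mod (n + 1). BUS 1 runs LS -> US1 -> ... -> USn -> LS, BUS 2 runs
# the opposite way. Fault sets are keyed by (segment, bus) and are constructed.
BUS1, BUS2 = 1, 2

class DoubleRing:
    def __init__(self, n, faults):
        self.n = n                  # number of substations
        self.faults = dict(faults)  # {(segment, bus): "drop" | "corrupt"}

    def _traverse(self, msg, segments, bus):
        # Carry msg across the given segments of one bus: a faulty segment
        # drops it (None) or corrupts it, so the echo no longer compares at LS.
        for seg in segments:
            kind = self.faults.get((seg, bus))
            if msg is None or kind == "drop":
                return None
            if kind == "corrupt":
                msg = msg[::-1] + "?"  # constructed corruption pattern
        return msg

    def norm_ok(self, msg="NORM-MSG"):
        # NORM mode (figure 3): LS must get its message back on each bus.
        segs = list(range(self.n + 1))
        return (self._traverse(msg, segs, BUS1) == msg
                and self._traverse(msg, segs[::-1], BUS2) == msg)

    def test_path_1_2(self, k, msg="TEST-MSG"):
        # TEST mode, path 1/2 (figure 4): out on BUS 1 to US k, whose BSE
        # mirrors the message onto BUS 2 back to LS; True if the echo compares.
        out = self._traverse(msg, range(0, k), BUS1)
        return self._traverse(out, range(k - 1, -1, -1), BUS2) == msg

    def test_path_2_1(self, k, msg="TEST-MSG"):
        # TEST mode, path 2/1: out on BUS 2 to US k, back on BUS 1.
        out = self._traverse(msg, range(self.n, k - 1, -1), BUS2)
        return self._traverse(out, range(k, self.n + 1), BUS1) == msg

    def localize(self):
        # Progressive test runs (figure 6): the fault lies between returned a and b.
        a = 0
        for k in range(1, self.n + 1):        # poll US1, US2, ... outward
            if not self.test_path_1_2(k):
                break
            a = k
        b = self.n + 1
        for k in range(self.n, a, -1):        # poll USn, USn-1, ... inward
            if not self.test_path_2_1(k):
                break
            b = k
        return a, b

    def failure_mode(self, a, b, msg="FAIL-MSG"):
        # FAILURE mode (figure 7): station a connects bus 1 -> bus 2, station b
        # connects bus 2 -> bus 1; the two rings become one simple ring and
        # stations a+1 .. b-1 are taken off line. Returns (echo_ok, reachable).
        echo = msg
        for segs, bus in [(range(0, a), BUS1), (range(a - 1, -1, -1), BUS2),
                          (range(self.n, b - 1, -1), BUS2),
                          (range(b, self.n + 1), BUS1)]:
            echo = self._traverse(echo, segs, bus)
        reachable = list(range(1, a + 1)) + list(range(b, self.n + 1))
        return echo == msg, reachable
```

With five substations and constructed faults on BUS 1 between US3 and US4 and on BUS 2 between US4 and US5, `localize()` returns `(3, 5)` and `failure_mode(3, 5)` reports the simple ring intact with US4 off line.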
The reswitching to "TEST" mode and "FAILURE" mode also has
to take place in both bus coupler channels of a bus subscriber
even when only one channel of the secure computer has received a
corresponding command. The other parallel-redundant transmission
path could be disrupted, so that in the "NORM" mode there will
only be one undisrupted transmission path available, with which
only one of the two computer channels can be accessed.
The fundamental principle of the functioning of the BUKO bus
coupler when optical transmission lines are used is as follows:
- Coupling out the optical signals from the light conductors;
- Optical/electrical conversion of the signal that has been
coupled in;
- time and amplitude regeneration of the electrical signals;
- Transmission of the regenerated signals into the other bus
coupler of the same bus control unit through the power-
supply interface VF;
- Redirection of the regenerated electrical signal to the
receiver systems of the associated computer channel or to
the electrical/optical conversion of the bus coupler;
- Electrical/optical conversion of the electrical signals;
- Recoupling in of the optical signals into the light
conductor.
Figures 8, 9, 10, 11 show a detailed block schematic diagram
of a bus control unit for the various modes. The actual signal
flow for the mode that has been selected is shown by the thick
lines.
Switching of a bus control system into the various modes is
effected by the two associated bus couplers, each of which has
three switches, S1, S2, and S3.
In figure 8, for the "NORM" mode, the first switch S1 of
each bus coupler is in switch position A for redirection of the
signal flow. This then continues through the second switch and
the third switch of the other bus coupler. The signal flow can
be separated within the bus control unit BSE by the second switch
S2, so that the computer that is on stream can input its
transmission data into the transmission system and circulation of
the data that is present in the transmission ring (BUS 1 or BUS
2) is inhibited. The second switch S2 is controlled by the data
lines TD. The second switch S2 is in switch position B and the
third switch S3 is in switch position A. In the "NORM" mode, the
data flow is thus routed through the BSE for each bus (BUS 1, BUS
2). At the same time, the computers receive information through
the data lines RD.
The "TEST" mode can be seen in figure 9. Here, in each
instance, the third switch S3 of each bus coupler is switched
into position B from the computer channel that is switched into
circuit. The switch S2 remains in position B, as in the "NORM"
mode. The data flow from BUS 1, for example, is thus directed
back through BUS 2. The data flow from BUS 2 then returns
through BUS 1.
Figure 10 shows the "FAILURE" mode, for the failure path
1/2, which is to say, from BUS 1 to BUS 2. Both computer
channels 1 and 2 receive data-flow information by way of RD,
through switch S1 in position B. Figure 11 shows the same for
failure path 2/1, as a quasi mirror image.
The present invention provides an extremely failure-tolerant
bus and transmission system that meets all demands that
may be placed upon it. Failure processing can be determined far
better by the creation of a hierarchically structured system with
a defined central main station and substations.