Hopkins, A., Smith, T. Lala, J.: FTMP---A Highly Reliable Fault Tolerant Multiprocessor for Aircraft. In: Proceedings of IEEE 66(10):1221--1239 (1978)  Home/Search   Document Not in Database   Summary   Related Articles   Check

....5 and verify the results by simulation in Sec 6. In Sec. 7, we compare our technique with different duplication methods, and finally, we conclude the paper in Sec. 8. # 2. Related Work A traditional concurrent error detection techniques is to use massive redundancy. N modular hardware redundancy [5] and N version programming [6] are examples of massive redundancy, but these techniques incur (N 1) hundred percent area or performance overhead. To reduce this overhead, system level error checking methods such as designing self checking programs [7] running a separate task for error checking ....

A. L. Hopkins, Jr., et al., FTMP A highly reliable fault-tolerant multiprocessor for aircraft, Proc. IEEE, vol. 66, pp. 1221-1239, Oct. 1978

....the feasibility of implementing fail stop processors is established by this argument, the practicality is not. However, recent work in the implementation of highly reliable processors gives reason to believe that it is indeed practical to implement fail stop processor approximations. Both FTMP [10] and SIFT [26] could be configured to behave like a collection of fail stop processor approximations; both employ replicated processor and memory units. Redundancy can also be introduced at lower levels in a variety of ways [1, 25] The level at which redundancy is applied is an important issue ....

HOPKINS, A. L., SMITH, T. B., AND LALA, J.H. FTMP--A highly reliable fault-tolerant multiprocessor for aircraft. Proc. IEEE 66, 10 (Oct. 1978), 1221-1239.

....and to guarantee the timeliness of real time applications. Research work in the field of distributed dependable realtime computer architectures for safety critical applications started more than thirty years ago with the design of the STAR computer [2] and the two projects SIFT [3] and FTMP [4]. These projects were carefully evaluated and gave rise to new designs about ten years later: FTPP [5] MAFT [6] and the architectural concepts of the AIRBUS flight control system [7] In 1992 the first paper on SAFEbus [8] the architecture that was later deployed in the Boeing 777 aircraft for ....

A. Hopkins, T. Smith, and J. Lala. FTMP -- A Highly Reliable FaultTolerant Multiprocessor for Aircraft. Proceedings of IEEE, 66(10):1221-- 1239, 1978.

.... algorithms designed for arbitrary networks, is that precision is limited either by the variance of the message delivery delay [14] or by its upper bound [23] This problem may be attenuated in special architectures, either by implementing clock synchronization exclusively by hardware [8,13] or by using hybrid schemes [18,11] which attempt at reducing that variance. Probabilistic or statistical solutions to damp the effect of the variance have also been proposed [4,2] An alternative path was followed here, based on the observation that a majority of the distributed systems ....

A.L. Hopkins, T.B. Smith, and J.H. Lala. FTMP - A Highly Reliable Fault-Tolerant Multiprocessor for Aircraft. Proceedings IEEE, 66(10):1221--1240, October 1978.

....an extra output to validate the standard output. Typically a self checking circuit has both the inputs and outputs encoded in the form of two bits double rail logic which has two valid code words and two non code words for each logic line. Various fault tolerant systems like SIFT [WLG78] and FTMP [HBL78] employ triplication, and several commercial faulttolerant systems like Tandem non stop, Sequoia, and others [SS82] Sie90] adopt dual redundancy and self checking modules. A different approach to reduce hardware redundancy for fault detection consists in time domain checks. A computation can be ....

Hopkins, A., L., Basil Smith, T., and Lala, J., H., "FTMP-A Highly Reliable Fault-Tolerant Multiprocessor for Aircraft", Proceedings of the IEEE, Vol. 66, No. 10, pp. 1221-1239, October 1978.

....are multiprocessor tasks because they occupy all the processors in the partition at the same moment of time. In computer control systems a high level of reliability is often achieved by executing redundant copies of the program on different processors and voting on the final control decision [3, 50, 56]. Such applications are multiprocessor tasks because more than one processor is simultaneously occupied. In the preceding discussion we concentrated on parallel processors. Now, we are going to demonstrate that multiprocessor tasks scheduling is also applicable in the case of dedicated (i.e. ....

A.L.Hopkins, J.M.Lala, T.B.Smith, "FTMP - A highly reliable faulttolerant multiprocessor for aircraft", Proceedings of the IEEE 66/10 (1978).

....probably much more in order to check the equivalence of successive executions. 6 Related work Many run time supports for distributed real time applications have been developed, like for example Spring [28] and Maruti [20] Some of them provide fault tolerance mechanisms, like for instance FTMP [16], Maft [17] Mars [18] Delta 4 [3, 10] While Hades shares many similarities with all these projects, for space considerations we focus below only on the environments the most similar to Hades: ARMADA [1] Mars [18] and GUARDS [25] Hades shares many goals with the ARMADA project [1] It aims at ....

A.L. Hopkins, T.B. Smith, and J.H. Lala. FTMP a highly reliable fault-tolerant multiprocessor for aircraft. Proceedings of the IEEE, 66(10):12211239, October 1978.

....the feasibility of implementing fail stop processors is established by this argument, the practicality is not. However, recent work in the implementation of highly reliable processors, gives reason to believe that it is indeed practical to implement fail stop processor approximations. Both FTMP [Hopkins et al. 78] and SIFT [Wensley et al. 78] could be configured to behave like a collection of fail stop processor approximations; both employ replicated processor and memory units. Redundancy can also be introduced at lower levels in a variety of ways [Avizienis 76] Siewiorek Swarz 82] The level at which ....

Hopkins, A.L., T.B. Smith, J.H. Lala. FTMP -- A Highly Reliable Fault-Tolerant Multiprocessor for Aircraft. Proc. of the IEEE, Vol. 66, No. 10 (October 1978), 1221-1239.

....bus guardian, to each node to support the available behavioral error detection mechanisms. The bus guardian helps to reduce the residual fail silent violations, which are due to the error detection latency associated with the error detection mechanisms. Bus guardians were first introduced in FTMP [4]. In contrast to the approach taken in FTMP our ap proach does not rely on any redundancy within each node. We supply the bus guardian with a priori knowledge of the temporal access pattern during design time of the system to ensure fault independence. An upper bound for the error detection ....

....produced by the replicated subsystems are compared and if agreement cannot be reached over the results then the results are discarded. The replicas must be kept synchronized to avoid the states of the replicated subsystems from diverging. Numerous systems are based on this approach. In FTMP [4] and Stratus [20] for example, redundancy is introduced at processor level. In FTMP a massive degree of redundancy is used to implement fail silence. Processor and memory modules, which are organized in triads, communicate on redundant busses. Access of a module to the busses is controlled by ....

A. Hopkins, T. Smith, and J. Lala. FTMP - A highly reliable Fault-tolerant Multiprocessor for Aircraft. Proceedings of the IEEE, 66(10):1221-- 1239, Oct. 1978.

....for a failure rate of 10 9 failures per hour on a ten hour flight mission. The FTMP conducts all information processing and transmission in triplicate so that voters in each separate node can correct errors. In addition, each node, or module, may be reassigned or retired in any combination [19]. The overall structure of FTMP consists of an arbitrary number of these modules which include processors with local cache memories connected to any number of memory modules via a triply redundant serial bus. The processor and memory modules are placed in groups of three to perform redundant ....

A.L. Hopkins, T.B. Smith, and J.H. Lala, "FTMP - A Highly Reliable Fault-Tolerant Multiprocessor for Aircraft", Proceedings of the IEEE, Vol. 66, No. 10, October 1978, pp. 1221-1239.

....Modular redundancy is now commonly used in systems at the circuit level, the processor level and the process level. DMR TMR is a very effective way of detecting correcting hardware errors in real time, without delay to the system. This type of performance is critical in many real time applications [3]. A fundamental problem with the simplest TMR model, however, is that each Triple Modular Redundancy Unit (TMRU) relies upon a single voter to propagate the correct output. Although an error in any one of the modules will be masked, an error in the voter will not be masked, and thus the voter ....

A. L. Hopkins, T. B. Smith III, and J. H. Lala, "FTMP--A Highly Reliable Fault-Tolerant Multiprocessor for Aircraft," Proceedings of the IEEE 66(10)(October, 1978).

....the fault handling capability of each cluster. Linear growth in cluster reliability with respect to cluster size is possible, as are refinements in the convergence and consistency algorithms for synchronization. 1 Introduction Existing ultra reliable system designs, such as SIFT [18] and FTMP [6], rely on fully connected inter processor structures to maintain synchronization based operations across the system through all possible fault scenarios, including Byzantine faults. As the performance requirements of complex control systems require increased processing power, these systems need to ....

....modeling approach, based on realistic distinctions among fault effects can be applied to any ultra reliable system architecture. We conclude with a summary of our contributions, and future research endeavors. 2 Background and Motivation The complete interconnection structure of SIFT[18] and FTMP[6] provided direct support for consistency based distributed and fault tolerant operations. However with graph and algorithmic overheads associated with these designs, extending these to large system designs impacts the performance and operational aspects. The hexagonal mesh structure of HARTS [13] ....

A. L. Hopkins et al., "FTMP -- a highly reliable fault-tolerant multiprocessor for aircraft," Proceedings of IEEE, vol. 66, Oct 1978.

....systems. Although clocks are available in each node, they are not synchronized, or even aware of clocks on other nodes. Without an accurate common time base, it is impossible to measure inter node latencies. The problem of clock synchronization has been studied frequently in distributed systems [4, 7, 8, 10, 13, 15, 19]. However, previous e#orts either require extra hardware support, or lack the fine clock accuracy necessary in systemarea network monitoring. In this paper, we describe a clock synchronization algorithm based on Cristian s algorithm [2] Our algorithm is implemented in the firmware running on the ....

....applications. Moreover, the accuracy requirements for a globally synchronized clock in these environments are high, because network latencies in these systems are at the microsecond level. For short messages, latencies can be just a few microseconds. Previous clock synchronization studies [7, 17] require some sort of extra hardware support to achieve microsecond level accuracy. Our goal here is to exploit the programmability of these network interfaces to implement a minimally intrusive, microsecondlevel globally synchronized clock without any extra custom hardware support. Programmable ....

A. L. Hopkins, T. B. Smith, and J. H. Lala. FTMP --- A Highly Reliable Fault-Tolerant Multiprocessor for Aircraft. Proc. IEEE, vol 66(10), Oct. 1978.

....when no faults are present. The other approach is to invoke an overload management technique upon detection of a failure. For example, one can prioritize tasks based on their importance to the application and discard tasks which do not adversely affect the performance delivered by the application [12]. The solution discussed in this paper for dealing with component failures is based on this latter approach. During overload, the proposed solution invokes a scheduling policy which carefully discards task instances in order to reduce the effective utilization of the system. Since the discarded ....

A. L. Hopkins, T. B. Smith, and J. H. Lala, "FTMP -- A highly reliable fault-tolerant multiprocessor for aircraft," Proceedings of the IEEE, vol. 66, October 1978.

....it is difficult to implement either a threshold voter or a shift out checking unit which requires comparators, detectors, and collectors. Triple Modular Redundancy (TMR) has been one of the most popular fault tolerance schemes using spatial redundancy. In the Fault Tolerant MultiProcessor (FTMP) [6], computations are done on triplicated processors memories connected by redundant common serial buses, and its quad redundant clocks use bit by bit voting in hardware on all transactions over these buses. C.vmp [18] is also a TMR system which traded performance for reliability by switching between ....

....are not caused by a common cause, but non coincident fault arrivals at different modules are not negligible and may lead to a TMR failure. Disagreement detectors which compare the values from the different voters of a TMR system can detect single faults, but may themselves become faulty. FTMP [6], JPL STAR [1] and C.vmp [18] are example systems that use disagreement detectors. In FTMP, any detected disagreement is stored in error latches which compress fault state information into error words for later identification of the faulty module(s) System reconfiguration to resolve the ....

A. L. Hopkins Jr., T. B. Smith III, and J. H. Lala, "FTMP--a highly reliable faulttolerant multiprocessor for aircraft," Proceedings of the IEEE, vol. 66, no. 10, pp. 1221--1239, October 1978.

....degree of spatial redundancy. Specifically, instruction retry is used optimally (in the sense of minimizing a certain cost) for triple modular redundant (TMR) controller computers. A TMR system is a typical example of static redundancy which can tolerate one faulty module without any delay [3, 5, 6, 15, 16]. The TMR system can tolerate even multiple faults, if they occur sequentially with a relatively long inter occurrence interval, by using appropriate detection, identification, and replacement of a faulty module (whose error was masked ) before a new fault occurs to another module within the TMR. ....

....interval, by using appropriate detection, identification, and replacement of a faulty module (whose error was masked ) before a new fault occurs to another module within the TMR. Detect diagnose reconfigure is a conventional recovery policy for handling multiple faults in TMR systems [5, 15]. Alternatively, the system can also recover from the masked error induced by a transient fault by retrying the failed operation a fixed number of times on the same hardware [3] Note that these two policies can tolerate only a subset of multiple faults. That is, TMR failures failure to ....

A. L. Hopkins Jr., T. B. Smith III, and J. H. Lala, "FTMP--a highly reliable fault-tolerant multiprocessor for aircraft," Proceedings of the IEEE, vol. 66, no. 10, pp. 1221--1239, October 1978.

....of operating such a system by considering the synchronization requirements imposed on the processors and memory units, namely, tightly synchronized (TS) or loosely synchronized (LS) operation. Considering processors and memory units independently, we have TS TS systems, such as C. vmp [14] and FTMP [4], that require both the processors and memory units to operate in lock step, LS LS systems, such as SIFT [16] and MAFT [6] that allow both to operate in a loosely synchronized way, TS LS systems that require tightly synchronized processors but loosely synchronized memory operations, and LS TS ....

....clocks that drift apart, a TS TS system requires the use of special hardware to ensure lock step execution of processors and memory units. FTMP (Fault Tolerant Multiprocessor) is one example of TS TS systems. Processors in FTMP are grouped together (with three processors per group) into triads [4] and all triads in the system execute tasks in parallel. The memory is replicated with each replica being connected to the CPU via a separate bus. At each CPU, bit by bit voting is used to obtain the majority value. Though FTMP was not designed to tolerate Byzantine general failures, it can be ....

A.L. Hopkins, Jr., T.B. Smith, III, and J.H. Lala, "FTMP -- A highly reliable fault-tolerant multiprocessor for aircraft," Proceedings of the IEEE, Vol. 66, No. 10, Oct. 1978, pp. 1221-1239.

....of the system by replacing it with a spare module or switching it 4 in distributed systems off without replacement (thus allowing for graceful degradation) This process is necessary for both dynamic and hybrid redundancy. Specific hardware like the Configuration Control Unit (CCU) in FTMP [8], may be dedicated to handling system reconfiguration. This process (of using cold spares) generally consists of (i) switching power and bus connections, ii) running built in test (BIT) on the selected spare module, iii) loading programs and data, iv) initializing the software. When warm spares ....

A. L. Hopkins Jr., T. B. Smith III, and J. H. Lala, "FTMP--a highly reliable fault-tolerant multiprocessor for aircraft," Proceedings of the IEEE, vol. 66, no. 10, pp. 1221--1239, October 1978.

.... algorithms designed for arbitrary networks, is that precision is limited either by the variance of the message delivery delay[22] or worse, by its upper bound[35] This problem may be minimized with hardware support, either by implementing clock synchronization exclusively by hardware[13, 19] or by using hybrid schemes[27, 17] which attempt at reducing that variance. In large scale systems, the distance, added to the very large number of nodes, worsens the variance problem. Hierarchical or master based algorithms, using probabilistic or statistical techniques to damp the effect of ....

A.L. Hopkins, T.B. Smith, and J.H. Lala. FTMP - A Highly Reliable Fault-Tolerant Multiprocessor for Aircraft. Proceedings IEEE, 66(10):1221--1240, October 1978.

....Esprit Projects 1226 (DELTA 4) and BR 6360 (Broadcast) and by JNICT through project Codicom. based algorithms[9,14] message delivery times cannot be computed with exactitude due to the variability of network message delivery delays, thus affecting virtual clocks precision. When using hardware [4,7] or hybrid schemes[5,11] the variability of network access delays is minimal but these solutions are expensive and hard to implement. Probabilistic or statistical solutions to damp the effect of the variance have also been proposed [3,2] In fact, a major limitation of all known software clock ....

A.L. Hopkins, T.B. Smith, and J.H. Lala. FTMP - A Highly Reliable Fault-Tolerant Multiprocessor for Aircraft. Proceedings IEEE, 66(10):1221--1240, October 1978.

....system continually votes and replaces its state with voted values. Thus, the transient fault recovery process does not require fault detection. 1. 3 Previous Efforts Many techniques for implementing fault tolerance through redundancy have been developed over the past decade, e.g. SIFT [11] FTMP [12], FTP [13] MAFT [14] and MARS [15] An often overlooked but significant factor in the development process is the approach to system verification. In SIFT and MAFT, serious consideration was given to the need to mathematically reason about the system. In FTMP and FTP, the verification concept was ....

Hopkins, Albert L., Jr.; Smith, T. Basil, III; and Lala, Jaynarayan H.: FTMP --- A Highly Reliable Fault-Tolerant Multiprocessor for Aircraft. Proceedings of the IEEE, vol. 66, no. 10, Oct. 1978, pp. 1221--1239.

.... algorithms designed for arbitrary networks, is that precision is limited either by the variance of the message delivery delay [14] or by its upper bound [28] This problem may be attenuated in special architectures, either by implementing clock synchronization exclusively by hardware [8], 13] or by using hybrid schemes [21] 11] which attempt at reducing that variance. In large scale systems, the distance, added to the very 7 large number of nodes, worsens the variance problem. Hierarchical or masterbased algorithms, using probabilistic or statistical techniques to damp the ....

A.L. Hopkins, T.B. Smith, and J.H. Lala. FTMP - A Highly Reliable Fault-Tolerant Multiprocessor for Aircraft. Proceedings IEEE, 66(10):1221--1240, October 1978.

....of component failures should the system be able to mask automatically 4.1 At what level of abstraction should automatic failure masking occur It is possible to mask component failures at the hardware level, at the operating system level, or at the application level. For example the FTMP system [H78] implemented redundancy management mechanisms which mask hardware failures directly in hardware, by triplexing physically independent processors with arbitrary failure semantics and using voting. The Stratus system [TW89] also masks most hardware server failures at the hardware level by duplexing ....

A. L. Hopkins et al, FTMP-A highly reliable fault-tolerant multi-processor for aircraft, Prc. IEEE, Vol. 66, Oct 1978.

....to the sensors and actuators is static as opposed to dynamic. Hence, there are fewer design errors to be corrected during the validation process. 7 Previous Efforts Many techniques for implementing fault tolerance through redundancy have been developed over the past decade, e.g. SIFT [4] FTMP [5], FTP [6] MAFT [17] The techniques differ with respect to: ffl the unit of fault isolation and reconfiguration ffl the voting strategy ffl the level of synchronization ffl the verification concept In FTMP, for example, the unit of reconfiguration is a memory module or a CPU module. In ....

....the system. In FTMP and FTP, the verification concept was almost exclusively testing. Obviously, the approach advocated here is one of formal rigor in specification and verification of the system. Although several fault tolerant real time computing bases have been designed for control applications [4, 5, 6, 17], only the SIFT project attempted to use formal methods. Although many positive theoretical advances were made, the SIFT operating system was never completely verified [13] On the positive side, the concept of Byzantine Generals algorithms was developed [9] Also the first fault tolerant clock ....

Hopkins, Albert L., Jr.; Smith, T. Basil, III; and Lala, Jaynarayan H. 1978: FTMP --- A Highly Reliable Fault-Tolerant Multiprocessor for Aircraft. Proceedings of the IEEE, vol. 66, no. 10, pp. 1221--1239, October.

....recovery blocks[8] or n version programming[9] in multiprocessor systems. Some architectures have even been designed to tolerate both hardware and software faults simultaneously (e.g. the FTP AP system[14] Transputer based fault tolerant systems also exist, including the Mars 94 architecture[16], and FTMTA system[12] A problem with most of these designs is that they are either application specific, or constrain an application designer to a particular set of network topologies. The Reconfiguration and Fault Tolerance (RaFT) project currently being undertaken at the University of Essex is ....

A. Hopkins, FTMP - A highly reliable fault-tolerant multiprocessor for aircraft, Proceedings of the IEEE, Vol. 66, Oct. 1978, pp1221-1239

....computation and control of the Safeguard antiballistic missile (ABM) defense system of the early 1970 s. ANTS extends and generalizes the approach of Safeguard, and we intend to provide performance and dependability analysis for ANTS multicomputer systems. Two other predecessor systems are FTMP [6] and SIFT [7] Unlike ANTS, these systems use at least three times the resources required by the application. Triads of processors are assigned to execute task segments. Also FTMP adopted a fully synchronous approach which uses a hardware implemented bit by bit voting on all transactions. The ....

....An incorrect transmission can be detected almost immediately. The electrical characteristics of the network may also be destroyed by a failed ANT node such that further communication is impossible. This type of failures can be avoided by using a design similar to the Bus Guard (BG) in FTMP [6]. However, we caution here that this type of design is device dependent. Detailed designs can only be derived for a specific implementation. We also note that this type of failure may not be a catastrophic one. When several independent peripheral devices are used to handled buses, we may see that ....

A. L. Hopkins, Jr., T. B. Smith III, and J. H. Lala, "FTMP - A highly reliable faulttolerant multiprocessor for aircraft," Proc. IEEE, vol. 66, pp. 1221--1239, October 1978.

....The top curve represents the total probability of failure. We have opted for a less complex system in order to produce the best reliability. Previous Efforts Many techniques for implementing fault tolerance through redundancy have been developed over the past decade, e.g. SIFT [6] FTMP [9], FTP [10] MAFT [11] 3 Although it is infeasible to measure the contribution of the design flaws in the ultrareliable regime, its effect can be discussed theoretically. The techniques differ with respect to: o the unit of fault isolation and reconfiguration o the voting strategy o the level ....

....and FTP, the verification concept was almost exclusively based on empirical testing. Obviously, the approach advocated here is one of formal rigor in specification and verification of the system. Although several fault tolerant real time computing bases have been designed for control applications [6, 9, 10, 11], only the SIFT project attempted to use formal methods. Although many positive theoretical advances were made, the SIFT operating system was never completely verified [12] On the positive side, the concept of Byzantine Generals algorithms was developed [13] as was the first fault tolerant clock ....

[Article contains additional citation context not shown here]

A. L. Hopkins, Jr., T. B. Smith, III, and J. H. Lala, "FTMP --- A highly reliable fault-tolerant multiprocessor for aircraft," Proceedings of the IEEE, vol. 66, pp. 1221--1239, Oct. 1978.

.... algorithms designed for arbitrary networks, is that precision is limited either by the variance of the message delivery delay [14] or by its upper bound [22] This problem may be attenuated in special architectures, either by implementing clock synchronization exclusively by hardware [8,13] or by using hybrid schemes [18,11] which attempt at reducing that variance. Probabilistic or statistical solutions to damp the effect of the variance have also been proposed [4,2] Both approaches are not without disadvantages: hardware solutions are dedicated, while the traffic overhead of ....

A.L. Hopkins, T.B. Smith, and J.H. Lala. FTMP - A Highly Reliable FaultTolerant Multiprocessor for Aircraft. Proceedings IEEE, 66(10):1221--1240, October 1978.

....redundancy, N = 3) while the third option has a large time overhead (upto 200 in time for N =3) In order to provide error masking, all critical transactions must be replicated and voted upon, where the minimum degree of replication is triplication. Such an approach has been used in the FTMP[1], the C.VMP[2] and the SIFT multiprocessor[3] The FTMP and C.VMP performed the voting on triplicated set of computations in hardware, while the SIFT performed the voting on triplicated set of computations in software. A lower cost fault tolerance technique in multiprocessors is to use dynamic or ....

.... may be used to appear in Foundations of Dependable Computing: Vol III, SystemImplementation , Gary Koob editor, Kluwer Academic Publishers, Processor 0 Processor 1 I iterations I iterations 2,6 1,5 Normal computations: Normal computations: DO J = 1,N D[5,J] f A[5] B[J] C[5,J] D[1,J] f A[1],B[J] C[1,J] ENDDO Check computations: DO J = 1,N E(J) D[1,J] D[5,J] F(J) f A[2] A[6] B[J] C[2,J] C[6,J] ENDDO DO J = 1,N D[2,J] f A[2] B[J] C[2,J] D[6,J] f A[6] B[J] C[6,J] ENDDO Check computations: DO J = 1,N E(J) D[2,J] D[6,J] F(J) f A[1] A[5] B[J] C[1,J] C[5,J] ENDDO ....

[Article contains additional citation context not shown here]

A. L. Hopkins, I. T. B. Smith, and J. H. Lala, "FTMP: A Highly Reliable Fault-Tolerant Multiprocessor for Aircraft," Proc. IEEE, vol. 66, pp. 1221-- 1239, Oct. 1978.

....Link Interprocessor Communication Link Processor Replicate R Processor Replicate 1 Actuators Sensors Figure 2: Generic hardware architecture. 3 Previous Efforts Many techniques for implementing fault tolerance through redundancy have been developed over the past decade, e.g. SIFT [2] FTMP [3], FTP [5] MAFT [12] and MARS [4] An often overlooked but significant factor in the development process is the approach to system verification. In SIFT and MAFT, serious consideration was given to the need to mathematically reason about the system. In FTMP and FTP, the verification concept was ....

Albert L. Hopkins, Jr., T. Basil Smith, III, and Jaynarayan H. Lala. FTMP --- A highly reliable fault-tolerant multiprocessor for aircraft. Proceedings of the IEEE, 66(10):1221--1239, October 1978.

....model at a proportionate cost. 2. 2 The SNMR Scheme We use the replication approach, more specifically, N modular redundancy (NMR) approach, as the basic fault tolerance mechanism in our framework (with specialization) Many NMR systems have been developed for various environments, such as FTMP [1], SIFT [9] MAFT [2] MARS [3] and Delta 4 [7] Among them, SIFT is the most flexible mechanism and can be implemented in open distributed systems. However, SIFT incurs a high overhead. Consider implementing the NMR protocol among servers and shared storage units discussed in Subsection 2.1.3. ....

A.L. Hopkins, Jr., T.B. Smith, III, and J.H. Lala, "FTMP -- A highly reliable fault-tolerant multiprocessor for aircraft," Proceedings of the IEEE, Vol. 66, No. 10, Oct. 1978, pp. 1221-1239.

....that are missioncritical and life critical, such as space exploration, aircraft avionics, and robotics. These applications require not only long duration of reliable services, but also timeliness of operations. Computer systems that are built to support these applications include SIFT [28] FTMP [9], the space shuttle primary computer system [26] and MAFT [11] These mission critical systems are mainly parallel or distributed systems that are embedded into complex, even hazardous environments, under tight constraints on timeliness and dependability of operations. A great deal of efforts has ....

Hopkins, A.L. et al. "FTMP-A highly reliable fault-tolerant multiprocessor for aircraft," Proceedings of the IEEE, Vol. 66, No. 10, October, 1978.

....the results of task computations. As previously suggested, clock synchronization hardware will be added to the architecture as well. 1. 2 Previous Efforts Many techniques for implementing fault tolerance through redundancy have been developed over the past decade, e.g. SIFT [Goldberg 1984] FTMP [Hopkins 1978], FTP [Lala 1986] MAFT [Walter 1985] and MARS [Kopetz 1989] An often overlooked but significant factor in the development process is the approach to system verification. In SIFT and MAFT, serious consideration was given to the need to mathematically reason about the system. In FTMP and FTP, the ....

Albert L. Hopkins, Jr., T. Basil Smith, III, and Jaynarayan H. Lala. FTMP --- A highly reliable fault-tolerant multiprocessor for aircraft. Proceedings of the IEEE, 66(10):1221-- 1239, October 1978.

.... algorithms designed for arbitrary networks, is that precision is limited either by the variance of the message delivery delay [12] or worse, by its upper bound [18] This problem may be minimized with hardware support, either by implementing clock synchronization exclusively by hardware [7, 11] or by using hybrid schemes [13] which attempt at reducing that variance, for instance, using clock synchronization units that are able to timestamp messages [9] and receive GPS signaling. Although designing specifically for CAN, our goal is to allow the use of off theshelf components. ....

A. Hopkins, T. Smith, and J. Lala. FTMP - A highly reliable fault-tolerant multiprocessor for aircraft. Proceedings of the IEEE, 66(10):1221--1240, Oct. 1978.

No context found.

Hopkins, A., Smith, T. Lala, J.: FTMP---A Highly Reliable Fault Tolerant Multiprocessor for Aircraft. In: Proceedings of IEEE 66(10):1221--1239 (1978)

No context found.

A. L. Hopkins, T. B. Smith, and J. H. Lala. FTMP - a highly reliable fault-tolerant multiprocessor for aircraft. Proceedings of the IEEE, 66(10):1221--39, October 1978.

No context found.

A. L. Hopkins, Jr., et al., "FTMP -- A highly reliable fault-tolerant multiprocessor for aircraft," Proc. IEEE, vol. 66, pp. 1221-1239, Oct. 1978

No context found.

A.L. Hopkins et al, FTMP-A Highly Reliable Fault-Tolerant Multiprocessor for Aircraft, Proc. of the IEEE 66 (10), October, 1978.

No context found.

Hopkins, A. L., Smith, T. B., and Lala, J. H., "FTMP - A highly reliable fault-tolerant multiprocessor for aircraft," Proceedings of the IEEE, vol. 66, no. 10, pp. 1221--1239, Oct. 1978.

No context found.

Hopkins, Jr., A. L., Smith, III, T. B., Lala, J. H. FTMP--- A highly reliable fault-tolerant multiprocessor for aircraft. Proceedings of the IEEE 66 (10): 1221-1239, Oct. 1978.

No context found.

A.L. Hopkins, Jr., T.B. Smith, III, and J.H. Lala (1978) FTMP-A highly reliable fault-tolerant multiprocessor for aircraft. Proceedings of the IEEE 66, 1221-1239.

No context found.

Hopkins, Albert L., Jr.; Smith, T. Basil, III; and Lala, Jaynarayan H.: FTMP---A Highly Reliable Fault-Tolerant Multiprocessor for Aircraft. Proc. IEEE, vol. 66, no. 10, Oct. 1978, pp. 1221--1239.

No context found.

Hopkins, A.L. et al. "FTMP-A highly reliable fault-tolerant multiprocessor for aircraft," Proceedings of the IEEE, Vol. 66, No. 10, October, 1978.

No context found.

A. Hopkins, T. Smith, J. Lala. FTMP - A Highly Reliable Fault-Tolerant Multiprocessor for Aircraft. In Proceedings of the IEEE, pages 1221-1239, October 1978.

No context found.

A. Hopkins, FTMP - A highly reliable fault-tolerant multiprocessor for aircraft, Proceedings of the IEEE, Vol. 66, Oct. 1978, pp1221-1239

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC