Product specifications

Section 1 Introduction PM891/PM86x/TP830 Processor Unit – Redundancy

3BSE036351-510 A 49

If the primary unit fails because of an error, the backup unit resumes execution from

the last rollback point, which means the last execution unit is partially re-executed

by the backup unit. In order to re-execute a portion of the execution unit without

affecting the peripheral units (communication units on the CEX-Bus), the peripheral

units' references are also logged between rollback points. During re-execution, the

results of the peripheral units' references, which have already been executed, are

used, rather than re-executing them. The results of read operations are retrieved

from the log, and write operations pass without execution, since they have already

been executed. The peripheral units' statuses, then, are not affected by the re-

execution in any way, except for the time delay which occurs.

The RAM included in the processor unit provides an automatic double inverted

memory function for detection of arbitrary bit errors in the memory.

• All memory updates are written to both the primary memory and to the inverted

memory in parallel.

• At every memory read cycle, the data from tho two memories is compared.

• If there is a mismatch in the data a changeover is forced.

The double inverted memory handling is done in hardware and without any delay to

the memory cycle time.

MAC and IP Address Handling in Redundant Configuration

In order to provide for a bumpless changeover with respect to the control network,

both the MAC and IP addresses are swapped between the initial primary and backup

CPUs. The addresses of the initial primary CPU are stored and kept as the addresses

used by the acting primary CPU. Similarly the addresses of the initial backup CPU

are stored to be used by the acting backup CPU. This means that a redundant

controller will be always identified and recognized by the same addresses regardless

of which CPU module actually acting as primary.