top - download
⟦bfc9ca7f4⟧ Wang Wps File
Length: 35306 (0x89ea)
Types: Wang Wps File
Notes: WATCHDOG DESIGN NOTE
Names: »0345A «
Derivation
└─⟦89b9efcb1⟧ Bits:30006072 8" Wang WCS floppy, CR 0029A
└─ ⟦this⟧ »0345A «
WangText
…10……06……0f……0b……86…1
…02…
…02…
…02…
…02…CPS/TCN/017
…02…BHB/801216…02……02…#
WATCHDOG
DESIGN
NOTE
…02……02…CAMPS
T̲A̲B̲L̲E̲ ̲O̲F̲ ̲C̲O̲N̲T̲E̲N̲T̲S̲
1 INTRODUCTION .................................
6
1.1 CAMPS WATCHDOG (CPS-WD) ..................
6
1.1.1 Configuration Control ................
8
1.1.2 Build-in Test (BITE) .................
8
1.1.3 Trouble Shooting .....................
9
1.1.4 CAMPS Engineering Functions ..........
9
2 APPLICABLE DOCUMENTS .........................
9
3 CONFIGURATION CONTROL, MANUAL AND BY SS&C .... 10
3.1 PROCESSOR UNIT ASSEMBLY .................. 10
3.1.1 CCA Functions (PU) Summary ........... 11
3.2 CHANNEL UNIT ASSEMBLY .................... 13
3.2.1 CCA Functions (CU) Summary ........... 14
3.3 TDX CRATE ASSEMBLY ....................... 14
3.3.1 CCA Functions (TDX) Summary ............ 17
3.4 80D BLOWER UNIT ASSEMBLY ................. 18
3.5 SUMMARY OF CCA HARDWARE REQUIREMENTS ..... 18
3.5.1 CCA in a Processor Unit Assembly ..... 18
3.5.2 CCA in a Channel Unit Assembly ....... 18
3.5.3 CCA in a TDX Crate Assembly .......... 18
3.5.4 TBD .................................. 18
4 TROUBLE-SHOOTING PHILOSOPHIES ................
19
4.1 ERROR DETECTION AND -HANDLING ............
19
4.1.1 TDX System ...........................
19
4.1.2 Channel Unit Assembly ................
20
4.1.3 Processor Unit Assembly (RAM) ........
20
4.2 HOW IS SWITCHING DONE ....................
20
4.2.1 Single User Connection Point Error ...
21
4.2.2 Multi User Connection Point Error ....
21
4.2.3 I/O Crate Error ......................
21
4.2.4 PU Crate Error .......................
22
4.2.5 WD Error .............................
22
4.2.6 Power Failures .......................
22
4.3 TROUBLE-SHOOTING .........................
23
4.3.1 Faulty LTUX-S Section ................
25
4.3.2 Faulty TDX-Bus-Section ...............
25
4.3.3 Faulty I/O Module Section ............
26
4.3.3.1 Erroneous Disk ctrl ..............
26
4.3.3.2 Erroneous LTU ....................
27
4.3.3.3 Erroneous Floppy Disk ctrl .......
27
4.3.4 Faulty Stand-By Processor Unit Section
27
4.3.4.1 Initial Testing ..................
28
4.3.4.2 Extended Test Mode ...............
29
4.3.5 Faulty Active Processor Unit Section .
30
5 TIME OF DAY-FUNCTION .........................
30
6 ENGINEERING FUNCTIONS ........................
31
6.1 CONTROL OF EXTERNAL LINES ................
31
6.2 TESTS, ON-LINE AND OFF-LINE ..............
31
6.3 SOFTWARE MAINTENANCE ....................
31
6.4 H/W CONFIGURATION STATUS DISPLAY .........
32
1̲ ̲ ̲I̲N̲T̲R̲O̲D̲U̲C̲T̲I̲O̲N̲
This design note is based on the (ED-)WATCHDOG SYSTEM
DESIGN NOTE, ASM/801007 (ED-WD).
The features and characteristics of the ED-WD have
been evaluated in order to judge the ED-WDs feasibility
for application in CAMPS.
The conclusion of this evaluation is that the ED-WD-design
as presented is a nice design, which fits the requirements
of the CAMPS system to a larger extent than any other
existing WD-concept known by the CAMPS project group
(FIKS, ICL, DORA).
1.1 C̲A̲M̲P̲S̲ ̲W̲A̲T̲C̲H̲D̲O̲G̲ ̲(̲C̲P̲S̲-̲W̲D̲)̲
In order to detail the requirements to the CPS-WD,
a "HW failure diagnostic group" was established within
the CAMPS project, presenting maintenance, H/W, S/W,
and System Engineering. This document gives a presentation
of the requirements and comments emerging from this
group concerning the functions and abilities of the
CPS-WD system, see fig. 1.1.
Note 1: VDU + FD is the DELTA DATA 7268T. (No other
known supplier of similar, tempest approved
system)
Note 2: WD panel controller is part of the general
…02…WD-system, but will not be used for CAMPS
Figure 1.1
An important fact to remember, is that the CAMPS equipment
is enclosed within an EMI-shield, and thus invisible
to operators under normal operation.
To access the controlled equipments the EMI-shield
has to be broken, which will restrict application of
the equipment.
The VDU + Keyboard + PRINTER are placed outside the
EMI-shield.
Below are listed the general principles of operation
for the CPS-WD:
1.1.1 C̲o̲n̲f̲i̲g̲u̲r̲a̲t̲i̲o̲n̲ ̲C̲o̲n̲t̲r̲o̲l̲
Configuration control can be operated in the following
ways:
a) Automatically by the WD-program
b) Manually by the VDU + KEYBOARD through the WD
c) Manually on each crate assembly independent of
the WD
1.1.2 B̲u̲i̲l̲d̲-̲i̲n̲ ̲T̲e̲s̲t̲ ̲(̲B̲I̲T̲E̲)̲
Build-in test in the various modules may be activated
in the following ways:
a) By "power-up" independent of the WD
b) Manually on each crate assembly independent of
the WD
c) Manually by the VDU + KEYBOARD through the WD-system
d) Automatically by the WD-program
1.1.3 T̲r̲o̲u̲b̲l̲e̲ ̲S̲h̲o̲o̲t̲i̲n̲g̲
It shall be possible to perform a step-by-step trouble-shooting
procedure controlled by the CPS-WD.
The M&D-S/W necessary for the test may be sourced from
one of the Disks of the Channel unit by using a PU
or from the maintenance position Floppy Disk.
1.1.4 C̲A̲M̲P̲S̲ ̲E̲n̲g̲i̲n̲e̲e̲r̲i̲n̲g̲ ̲F̲u̲n̲c̲t̲i̲o̲n̲s̲
All engineering functions required for CAMPS shall
be conducted by the CPS-WD.
2̲ ̲ ̲A̲P̲P̲L̲I̲C̲A̲B̲L̲E̲ ̲D̲O̲C̲U̲M̲E̲N̲T̲S̲
- WATCHDOG SYSTEM DESIGN NOTE, ASM/801007
- CAMPS REQUIREMENTS SPECIFICAITON, CPS/210/SYS/0001
- PROPOSED CAMPS H/W CONFIGURATION, CPS/AUX/002
3̲ ̲ ̲C̲O̲N̲F̲I̲G̲U̲R̲A̲T̲I̲O̲N̲ ̲C̲O̲N̲T̲R̲O̲L̲,̲ ̲A̲U̲T̲O̲/̲M̲A̲N̲U̲A̲L̲
This section describes how the watchdog via crate configuration
adapters (CCA's) controls and monitors the different
types of crate assemblies within the CAMPS system.
Relevant assemblies are:
1) Processor Unit Assembly
2) Channel Unit Assembly
3) TDX crate Assembly
4) 80D BLOWER UNIT ASSEMBLY
Certain control/monitoring functions do require some
redesign of CR80D components.
3.1 P̲R̲O̲C̲E̲S̲S̲O̲R̲ ̲U̲N̲I̲T̲ ̲A̲S̲S̲E̲M̲B̲L̲Y̲
Fig. 3.1.1 is a schematic drawing of a processor unit
assembly (PU) showing the CCA control & monitoring
paths.
As shown an auto/manuel switch is incorporated in the
TIA (TDX Bus Interface Adapter) and the mia (Map Interface
Adapter) accessible from the front panel of the two
devices. The frontpanel of the TIA & the MIA also
includes an on/off switch (not shown) which together
with the auto/manuel switch makes it possible manually
to select whether the PU is connected to or disconnected
from one or both of the TDX busses and/or the channel
bus.
When set to auto mode the connect/disconnect bus function
is controlled only from the watchdog via the CCA.
3.1.1 C̲C̲A̲ ̲F̲u̲n̲c̲t̲i̲o̲n̲s̲ ̲(̲P̲U̲)̲ ̲S̲u̲m̲m̲a̲r̲y̲
Referring to Fig. 3.1.1
ANALOG DIGITAL DIGITAL
INPUTS INPUTS OUTPUTS
A: Supervision of analog
Voltages (+5, +/- 12V) 3 -
-
B:
1. Controlling the connect/
disconnect state of the
MIA/TIA's - -
1
2. Issue 'Maintenance Mode'
Command to the MIA/TIA's - -
1
3. Monitor the state of the
auto/manuel switch - 1
-
C:
ITENTIONALLY DELETED
D: Monitor the result of
individual selftest
routines (wired-or) - 1
-
E: Individual selftest results - -
-
F: Issue 'Master Clear'
command to the MAP module - -
1
Fig. 3.1.1
3.2 C̲H̲A̲N̲N̲E̲L̲ ̲U̲N̲I̲T̲ ̲A̲S̲S̲E̲M̲B̲L̲Y̲
The CCA control & monitoring paths within the channel
unit asembly (CU) is shown on Fig. 3.2.1. To improve
the watchdog control of the CU an extra set of 2 control
lines and 2 supervision lines is introduced having
a design impact on each unit connected to the I/O busses
in the CU. Via the 2 control lines the CCA (watchdog)
controls the "take ownership" command as follows for
all units together:
"̲T̲a̲k̲e̲ ̲o̲w̲n̲e̲r̲s̲h̲i̲p̲"̲ ̲i̲s̲:̲
1) Enabled via I/O bus B and bus A
2) Disabled via I/O Bus A
enabled via I/O Bus B
3) Enabled via I/O Bus A
Disabled via I/O Bus B
4) Disabled via I/O Bus A
and I/O Bus B
During an integration or maintenance phase some of
the above mentioned functions (2 and 3) might be established
individually for each connected unit by means of a
three-position switch on the front panel of each of
the units (i.e. disk controller, floppy disk controller,
LTU).
The positions of the switch being:
1) A enable (corresponds to function 3 above).
2) Auto
3) B enable (corresponds to function 2 above)
when the switch is thrown to 1 or 3 (away from auto)
the switch overrides the watchdog control of that unit.
One of the supervision lines introduced monitors the
state of all the switches (wired-or) indicating (to
the watchdog via CCA) one or more of the switches being
out of the auto position.
The second supervision line monitors the results of
the card build in tests indicating to the watchdog
a go/no go crate status.
As for indications it is a requirement to have two
led's on the front panel of each unit indicating which
of the busses (A or B) that has "ownership" of the
individual units.
3.2.1 C̲C̲A̲ ̲F̲u̲n̲c̲t̲i̲o̲n̲s̲ ̲(̲C̲U̲)̲ ̲S̲u̲m̲m̲a̲r̲y̲:̲
Referring to Fig. 3.2.1 ANALOG DIGITAL DIGITAL
INPUTS INPUTS OUTPUTS
A: Monitor dualized supply
voltages (+5, +/- 12V) 6 -
-
B: Monitor (wired-or) state of
front panel switches
(Auto/non auto) - 1
-
C: Controlling "Take owner-
ship" - enable/disable - -
2
D: Monitor card self-test
results (wired-or) - 1
-
E: Individual self-test re-
sults - -
-
3.3 T̲D̲X̲ ̲C̲R̲A̲T̲E̲ ̲A̲S̲S̲E̲M̲B̲L̲Y̲
This crate (see fig. 3.3.1) is somewhat special as
the CCA is not a discrete module but integrated with
the BTM module (TDX Bus Terminating module) forming
the BTM-Y module. This module assigns either TDX Bus
# 1, TDX Bus # 2 or none to the internal crate TDX
Bus. The assignment is controlled via two sources:
1) The on-card CCA (watchdog)
2) A set of switches on the front panel
Fig. 3.2.1
Fig. 3.3.1
*Only in two of the crates in the system.
One of the switches is an auto/manuel switch controlling
the assignment source. If thrown to auto the watchdog
is 'in control' else the other switch controls the
assignment:
1) TDX Bus 1 connected
2) TDX Bus 2 connected
3) No TDX Bus connected
The watchdog monitors the auto/manuel switch for an
auto/non auto indication.
The watchdog, furthermore, monitors the status signal
out of the modules with build-in selftest procedures
to establish a crate Go/NoGo status, and the status
signals from the TDX controller, if placed in the crate.
3.3.1 C̲C̲A̲ ̲F̲u̲n̲c̲t̲i̲o̲n̲s̲ ̲(̲T̲D̲X̲)̲ ̲S̲u̲m̲m̲a̲r̲y̲:̲
Referring to Fig. 3.3.1 ANALOG DIGITAL DIGITAL
INPUTS INPUTS OUTPUTS
A: Monitor supply voltages
(+ 5, +/- 12 V) 3 -
-
B: Monitor results (wired-
or) of individual self-
test routines - 1
-
C:
1. Controlling bus assignment - -
2
2. Monitor state of auto/
manuel switch - 1
-
D: Monitor TDX-controller
status (RS, TS, FS, CO1/2) - 5
-
E: Result of individual self-
test if any - -
-
3.4 8̲0̲D̲ ̲B̲L̲O̲W̲E̲R̲ ̲U̲N̲I̲T̲ ̲A̲S̲S̲E̲M̲B̲L̲Y̲
TBD
3.5 S̲U̲M̲M̲A̲R̲Y̲ ̲O̲F̲ ̲C̲C̲A̲ ̲H̲A̲R̲D̲W̲A̲R̲E̲ ̲R̲E̲Q̲U̲I̲R̲E̲M̲E̲N̲T̲S̲
3.5.1 C̲C̲A̲ ̲i̲n̲ ̲a̲ ̲P̲r̲o̲c̲e̲s̲s̲o̲r̲ ̲U̲n̲i̲t̲ ̲A̲s̲s̲e̲m̲b̲l̲y̲
3 analog inputs minimum
3 Digital Inputs -
4. Digital Outputs -
3.5.2 C̲C̲A̲ ̲i̲n̲ ̲a̲ ̲C̲h̲a̲n̲n̲e̲l̲ ̲U̲n̲i̲t̲ ̲A̲s̲s̲e̲m̲b̲l̲y̲
6 Analog Inputs Minimum
2 Digital Inputs -
2 Digital Outputs -
3.5.3 C̲C̲A̲ ̲i̲n̲ ̲a̲ ̲T̲D̲X̲ ̲C̲r̲a̲t̲e̲ ̲A̲s̲s̲e̲m̲b̲l̲y̲
3 Analog Inputs Minimum
7 Digital Inputs -
2 Digital Outputs -
3.5.4 C̲C̲A̲ ̲i̲n̲ ̲b̲l̲o̲w̲e̲r̲ ̲U̲n̲i̲t̲ ̲A̲s̲s̲e̲m̲b̲l̲y̲
TBD
NOTE: As seen the requirements from 3.5.1 and 3.5.2 are covered
by the current Watchdog Design Note (ASM/801007) while
the requirements listed in 3.5.3 and 3.5.4 needs a
special design.
4̲ ̲ ̲T̲R̲O̲U̲B̲L̲E̲-̲S̲H̲O̲O̲T̲I̲N̲G̲ ̲P̲H̲I̲L̲O̲S̲O̲P̲H̲I̲E̲S̲
The purpose of this section is to establish a trouble
shooting procedure where as much failure diagnostics
as possible are executed through the watchdog as an
interactive process between the watchdog and the failed
system.
In the following it is assumed that the watchdog is
connected to the following peripherals:
1. Visual Display Unit (VDU)
2. KeyBoarD (KBD)
3. Floppy Disk Drive (FDD)
4. LinePrinTer (LPT)
4.1 E̲R̲R̲O̲R̲D̲E̲T̲E̲C̲T̲I̲O̲N̲ ̲A̲N̲D̲ ̲-̲H̲A̲N̲D̲L̲I̲N̲G̲
Error detection is based upon communication (V24/V28)
between the watchdog and both processor unit assemblies
(the active PU & the stand-by PU), at min. 9,6 Kbaud.
All communication from the PUs to the Watchdog is performed
via the MIA Module (MAP INTERFACE ADAPTER).
Each PU branch will frequently generate an "Alive"
message preventing the Watchdog from switching. In
order to cope with both redundant and non-redundant
types of failures, each PU must also frequently generate
a status report based on information from on-line diagnostics.
4.1.1 T̲D̲X̲ ̲S̲y̲s̲t̲e̲m̲
When an error occurs in the data transmission from
one or more of the LTUX lines, the on-line diagnostic
will analyse whether or not a switch-over should take
place simultaneously generating a status report to
the WD. At first a TDX-bus switch would be initiated
(if a switch is decided) then if this has no effect
a processor unit assembly switch will take place. A
detected error in a TDX controller also causes a TDX
BUS switchover.
4.1.2 C̲h̲a̲n̲n̲e̲l̲ ̲U̲n̲i̲t̲ ̲A̲s̲s̲e̲m̲b̲l̲y̲
When an error occurs in the data transmission from
one or more of the LTU lines, the on-line diagnostic
software will analyse whether or not a switch-over
should take place simultaneously generating a status
report to the WD. It can generally be assumed that
only an error in more than one of the modules connected
to the I/O bus will cause a switchover.
When an error occurs in the data transmisision from
a disk, the transmision is retried in order to avoid
intermittent errors. In case of repeated errors another
disk is employed and a status report is generated.
If the other disk is also failing, a switch-over will
take place.
If an error occurs in the data transmission from the
floppy disk, the transmission is also retried. But
in case of a repeated error only a status report is
generated to the WD leaving it to the operator to decide
whether the floppy disk operation is important enough
to justify a switchover or not.
4.1.3 P̲r̲o̲c̲e̲s̲s̲o̲r̲ ̲U̲n̲i̲t̲ ̲A̲s̲s̲e̲m̲b̲l̲y̲ ̲(̲R̲A̲M̲)̲
When an error occurs in the data transmission from
a RAM memory in the PU, the transmission is retried
in order to avoid intermittent errors. In case of repeated
errors, a status report is generated and a switch-over
is performed.
4.2 H̲O̲W̲ ̲I̲S̲ ̲S̲W̲I̲T̲C̲H̲I̲N̲G̲ ̲D̲O̲N̲E̲?̲
Upon detection of a failure, the WD program must initiate
an audible signal presumably the BELL on the Watchdog
VDU. Simultaneously, a headline report should appear
on the VDU containing information of WHERE the error
was originated and WHAT caused the error (data, status,
missing signal etc.). Also a detailed report containing
configuration, status, log, error information etc.
should appear on a Line Printer.
Six types of errors exist, namely:
- Single user connection point error.
- Multi user connection point error.
- I/O crate error.
- PU crate error.
- WD error.
- Power failures
4.2.1 S̲i̲n̲g̲l̲e̲ ̲U̲s̲e̲r̲ ̲C̲o̲n̲n̲e̲c̲t̲i̲o̲n̲ ̲P̲o̲i̲n̲t̲ ̲E̲r̲r̲o̲r̲
A status print-out is generated. No switch-over is
performed.
4.2.2 M̲u̲l̲t̲i̲ ̲U̲s̲e̲r̲ ̲C̲o̲n̲n̲e̲c̲t̲i̲o̲n̲ ̲P̲o̲i̲n̲t̲ ̲E̲r̲r̲o̲r̲
If the on-line diagnostics software package proves
that a switch-over must be performed on the BTM-Y module,
a message is sent to the WD together with a status
print-out.
T̲h̲e̲ ̲s̲w̲i̲t̲c̲h̲-̲o̲v̲e̲r̲ ̲i̲s̲ ̲n̲o̲t̲ ̲a̲ ̲w̲a̲t̲c̲h̲d̲o̲g̲ ̲d̲e̲c̲i̲s̲s̲i̲o̲n̲
If the on-line diagnostics software package proves
that all user connection points are in error, a message
is sent to the WD causing the redundant PU to take
over and a status print-out is also transmitted.
4.2.3 I̲/̲O̲ ̲C̲r̲a̲t̲e̲ ̲E̲r̲r̲o̲r̲
If the on-line M&D software package proves an error
which cannot specifically be referred to one module,
a message is sent to the WD causing the redundant PU
to take over and also a status report is generated.
T̲h̲e̲ ̲s̲w̲i̲t̲c̲h̲-̲o̲v̲e̲r̲ ̲i̲s̲ ̲n̲o̲t̲ ̲a̲ ̲w̲a̲t̲c̲h̲d̲o̲g̲ ̲d̲e̲c̲i̲s̲s̲i̲o̲n̲
4.2.4 P̲U̲ ̲C̲r̲a̲t̲e̲ ̲E̲r̲r̲o̲r̲
If a PU error occurs error detection based upon a status
information or no "alive" messages the WD performs
an immediate isolation of the PU from the I/O bus and
c̲o̲m̲m̲a̲n̲d̲s̲ the redundant PU to take over if applicable.
Then a status report is generated.
T̲h̲e̲ ̲s̲w̲i̲t̲c̲h̲-̲o̲v̲e̲r̲ ̲i̲s̲ ̲a̲ ̲w̲a̲t̲c̲h̲d̲o̲g̲ ̲d̲e̲c̲i̲s̲s̲i̲o̲n̲
4.2.5 W̲D̲ ̲E̲r̲r̲o̲r̲
A WD error must never interface with the PU data handling.
In case of an error, an audible (BELL) and/or visible
(LAMP) warning should appear and trouble shooting can
take place by using the VDU if possible.
It is desired that modules can be withdrawn and replaced
with power ON and it is imperative that the current
system configuration is preserved when bringing back
the WD into operation (f. inst. as opposed to the initial
configuration).
The Wacthdog must have on-line self diagnositc S/W
capable of checking and verifying vital Watchdog on-line
functions. Furthermore, off-line diagnostic S/W should
be present to ease troubleshooting a faulty watchdog.
4.2.6 P̲o̲w̲e̲r̲ ̲F̲a̲i̲l̲u̲r̲e̲s̲
A power failure is detectable by discrete monitoring
from the watchdog. Due to the scanning nature of the
watchdog configuration bus and the timedelays hereby
introduced, a power failure within the TDX system or
the channel unit could be detected by the ON LINE DIAGNOSTICS
SW as a lack of response from a group of peripheral
devices causing a switchover. The real cause of this
detected error will be available only when the watchdog
has scanned the crate with the power failure. It is
obvious that in this case a switch-over based upon
the ON LINE DIAGNOSTICS SW diagnose would serve no
purpose. On the other hand if the system should wait
for the watchdog to detect the power failure (Worst
case: a Full scan 42 measurements with a capacity
of
App. 12 per second) it would introduce a delay (non-priority
scan) of App. 3.5 seconds before switch-over could
be initiated. This leads to the conclusion that any
time the ON-LINE DIAGNOSTICS SW detects an error possibly
caused by a crate power
failure it should command the watchdog to stop the
scan cycle and start it at the actual crate, hereby
reducing the switchover delay by a factor 42/6 = 7
(Worstcase 6 measurements within 1 crate) corresponding
to app. half a second.
A power failure in a processor unit assembly will be
detected either as:
1: No "alive" messages
2: Discrete measurement
3: Both 1 and 2
The detection of a power failure will immediately cause
a switchover decided by the watchdog.
Due to the dualized power supplies in the channel unit
a power fail as described above requires a failure
of both power supplies in the crate. When one power
supply fails no action will be taken (no errors detected)
before the scan cycle reveals the power fail. Then
a message is writen on the watchdog VDU. Information
about and the cause of any action taken due to a detected
power fail should be written on the watchdog VDU along
with an audible and/or visible signal.
4.3 T̲R̲O̲U̲B̲L̲E̲-̲S̲H̲O̲O̲T̲I̲N̲G̲
In general the trouble-shooting procedure will be errortype
dependent. The routines used (experience and/or debug
tools) will not be the same when troubleshooting an
off-lined faulty processor unit as those used when
troubleshooting a possible defect LTUX-S. The ON-LINE
DIAGNOSTICS S/W should be able to discover the latter
routing the exact information via the watchdog to the
VDU, while none would rely on the ON-LINE DIAGNOSTICS
SW to provide any valid information about a defect
PU this being the system executing the ON-LINE DIAGNOSTICS
SW.
To describe possible fault finding procedures the system
is devided into 5 error sections.
1) L̲T̲U̲X̲-̲S̲ ̲S̲e̲c̲t̲i̲o̲n̲
This includes the lineside equipment and -wiring
and the LTUX-S itself.
2) T̲D̲X̲-̲B̲u̲s̲ ̲S̲e̲c̲t̲i̲o̲n̲
This section includes:
The TDX-Bus
The TDX-Controller
The BTM-Y
The Host Interface Adapter (TIA)
3) I̲/̲O̲ ̲M̲o̲d̲u̲l̲e̲ ̲S̲e̲c̲t̲i̲o̲n̲
This section includes:
The I/O Controllers
The I/O Adapters
The I/O Devices
The LTUs and their connected peripherals
4) S̲t̲a̲n̲d̲-̲b̲y̲ ̲P̲r̲o̲c̲e̲s̲s̲o̲r̲ ̲U̲n̲i̲t̲ ̲S̲e̲c̲t̲i̲o̲n̲
The processor unit assembly
Its associated channel bus
CIA and I/O Bus
5) A̲c̲t̲i̲v̲e̲ ̲P̲r̲o̲c̲e̲s̲s̲o̲r̲ ̲U̲n̲i̲t̲ ̲S̲e̲c̲t̲i̲o̲n̲
The processor unit assembly
Its associated channel bus
CIA and I/O Bus
In the following a number of Off-line M&D SW modules
is described. It is assumed that these are contained
as files on a disk/floppy disk. Activation commands
both load the programs from the disk/FDD and starts
executing them. The destination of the SW module load
is indicated within the Description.
4.3.1 F̲a̲u̲l̲t̲y̲ ̲L̲T̲U̲X̲-̲S̲ ̲S̲e̲c̲t̲i̲o̲n̲
The ON-LINE DIAGNOSTICS S/W, The Watchdog Scan of power
supplies and the LTUX-S S/W together should provide
so much information at the VDU that troubleshooting
is reduced to replacement of either lineside equipment,
-wiring, LTUX-S's or power supply (fuse).
Further OFF-LINE M&D-S/W-based debug tools are TBD.
4.3.2 F̲a̲u̲l̲t̲y̲ ̲T̲D̲X̲-̲B̲u̲s̲-̲S̲e̲c̲t̲i̲o̲n̲
Errors in this section will always result in a TDX-bus
switch.
Power failures are detected by the watchdog.
It should be possible to perform the following functions
based upon OFF-LINE M&D S/W modules loaded to the active
PU activated by simple commands entered via the watchdog
KBD:
4.3.2.1 Activate an initialization procedure in a selectable
host interface adapter (TIA), interpret the result
and send it to the VDU.
4.3.2.2 Set up of a simple communication between the active
PU and the stand-by PU via the off-lined TDX-bus system,
in order to reveal errors on the upper/lower TDX-bus,
or errors in the TDX-controller. Most of TDX-controller
errors though, should be detected by the watchdog as
mentioned in section 3.3. The set-up involves OFF-LINE
M&D S/W modules in both PU's. Monitoring the communication
(if any) leads to a more explicit information send
to the VDU.
4.3.3 F̲a̲u̲l̲t̲y̲ ̲I̲/̲O̲ ̲M̲o̲d̲u̲l̲e̲ ̲S̲e̲c̲t̲i̲o̲n̲
Errors in this section will only result in a processor
unit assembly switch-over if:
1. More than one disk ctrl fails.
2. More than one LTU fails.
If this is not satisfied the detected error is assigned
an I/O module rather than the active PU. Troubleshooting
will be performed by a set of off-line M&D S/W modules
activated from the VDU by simple commands representing
the type and address of the module to be tested.
4.3.3.1 E̲r̲r̲o̲n̲e̲o̲u̲s̲ ̲D̲i̲s̲k̲ ̲c̲t̲r̲l̲
If the erroneous module is a disk controller the off-line
M&D S/W should consist of:
4.3.3.1.1 A module loaded to the active PU that issues a
"clear" command to the controller initiating the
selfcheck procedure, receives the resulting status
byte, if the test is run, and sends a message to
the VDU based upon the information contained in
the status byte. The watchdog detects whether
a selfcheck has begun or not via the crate status
line. If not it stops further troubleshooting through
this module writing this on the VDU. If a self
check is activated (and probably the right one)
the watchdog waits for the check to end in order
to establish via the crate status line if the disk
ctrl is faulty. The nature of the error is decoded
from the status byte mentioned above.
4.3.3.1.2 A module loaded to the stand-by processor unit
that:
1. Issues a"Take Ownership" command to the erroneous
disk ctrl via the stand-by I/O bus.
2. Activates a module similar to the module 4.3.3.1.1
acting via the stand-by I/O bus.
4.3.3.1.3 A module loaded to the active/stand by PU that
checks the RAM area on the disk ctrl. The RAM
is dual-ported and only one port is tested by the
self-check routine.
This test checks the other port.
4.3.3.1.4 A module loaded to the active/stand by PU loading
a set of executable instructions down to a RAM
area on the disk ctrl, and then loads a pointer
(pointing to the beginning of this area) down to
the control logics on the disk ctrl. This initiates
the u -processor on the disk crtl to execute the
instructions in RAM, the result of which could
be modification of another area in RAM which then
can be checked for valid operation. This serves
as an extended test of the controllogic. Any malfunction
should be written to the VDU.
4.3.3.1.5 A module loaded to the active/stand by PU that
excersises the disk drive monitoring status information
to detect whether the drive is faulty or not.
4.3.3.2 E̲r̲r̲o̲n̲e̲o̲u̲s̲ ̲L̲T̲U̲
TBD
4.3.3.3 E̲r̲r̲o̲n̲e̲o̲u̲s̲ ̲F̲l̲o̲p̲p̲y̲ ̲D̲i̲s̲k̲ ̲c̲t̲r̲l̲
TBD
4.3.4 F̲a̲u̲l̲t̲y̲ ̲S̲t̲a̲n̲d̲-̲B̲y̲ ̲P̲r̲o̲c̲e̲s̲s̲o̲r̲ ̲U̲n̲i̲t̲ ̲S̲e̲c̲t̲i̲o̲n̲
When an error is discovered either caused by an erroneous
status send to the watchdog or due to the lack of an
"alive" message, the watchdog immediately off-lines
the PU sending a message to the VDU and to the active
PU ending the inter-PU "check-pointing" via the TDX-bus.
Off-lining causes the PU to be completely disconnected
from both TDX-busses and the channel bus to prevent
any garbling on these busses.
4.3.4.1 I̲n̲i̲t̲i̲a̲l̲ ̲T̲e̲s̲t̲i̲n̲g̲
Watchdog action takes one of two directions dependant
of a S/W switch that can be set/reset via the watchdog
KBD. If the S/W switch is set the watchdog operates
fully automatic and no operator intervention can take
place before action 1, described below, has been executed.
If the switch has been reset action 1 is only executed
via an operator command enabling the operator via another
command, to perform a memory dump, if possible, to
the watchdog LPT before initializing and troubleshooting
the off-lined PU.
Watchdog actions preceeding the more comprehensive
troubleshooting procedure:
1. Via the CCA in the PU the watchdog issues a "maintenance
mode" command to the MIA, thus enabling a "master
clear" command to be executed. This command is
then issued to the map module. All modules in the
crate are cleared and the self-check routines starts
up. The RAM and power supplies have no self-check
routines.
2. The watchdog, still via the PU CCA, monitors the
crate status line first to detect whether at least
one self-check routine has been initiated and next,
when the routines should be finished, to detect
if any self-check revealed an erroneous module.
At this point any PU processing in the off-lined
PU is inhibited via a watchdog initiated command
that causes the u-processor on the MAP module to
disable the processor- and channel-bus interface
(no processor bus grants given).
3. If no errors are detected at this point that can
fully explain the reasons for off-lining the PU
a more extended test can be activated via operator
commands as described in section 4.3.4.2.
If the reason(s) for the off-lining has been found
and repaired the operator enters a command form
the KBD. This causes the off-lined PU to be reconnected
to the TDX busses and the channel bus, and a message
to be send causing the PU to reenter stand-by mode
(loading stand-by programs). Furthermore a message
is sent to the active PU causing the inter-PU check-pointing
via the TDX-bus to resume.
4.3.4.2 E̲x̲t̲e̲n̲d̲e̲d̲ ̲T̲e̲s̲t̲ ̲M̲o̲d̲e̲
When entering this mode, via a command from the KBD,
the watchdog via the CCA in the channel unit disables
the effect of any "take ownership" command issued on
the I/O bus belonging to the off-lined PU. This inhibits
any garbling of the active system during troubleshooting
when reconnecting the channel bus for test purposes.
This extended test uses a set of off-line M&D S/W modules
stored as files on a disk/floppy disk. The S/W modules
should satisfy the functions sketched below.
4.3.4.2.1 An off-line M&D S/W module executable by the u-processor
on the MAP module, which when activated is loaded
to the 8K RAM area on the MAP. The effect of executing
the module is to determine whether a RAM access
is possible via the channel bus or not. If possible
a part of RAM is thoroughly tested, and a status
is returned to the watchdog.
4.3.4.2.2 An off-line M&D S/W module executable by the u-processor
on the MAP module, which when activated is loaded
to the RAM area on the MAP and executed, the effect
being a control of the MAP-MIA communication protocol
by fetching data resident in the PROM on the MIA.
This also involves the data registers RD1 and RD2
on the MIA. A status is returned to the watchdog.
4.3.4.2.3 An off-line M&D S/W module executable by the u-processor
on the MAP, which when activated is loaded to the
MAP RAM area and executed. When activating it the
watchdog first reconnects the channel bus, then
loads the module. Executing the module results
in a "set up transfer" to verify parts of the CIA-MIA
communication protocol. A status is returned to
the watchdog.
4.3.4.2.4 An off-line M&D S/W module executable by CPU's
in the PU, which when activated is loaded to the
PU RAM module into part of the area previously
tested. A command to the MAP u-processor enables
a processor bus grant to one of the CPU's which
when granted access executes the program in RAM
leaving a result within the tested area, which
can be read by the MAP u-processor and send to
the watchdog. Then the next CPU gets access and
so on.
4.3.4.2.5 H̲o̲s̲t̲ ̲I̲/̲F̲ ̲V̲e̲r̲i̲f̲i̲c̲a̲t̲i̲o̲n̲
TBD.
4.3.4.2.6 F̲u̲l̲l̲ ̲B̲l̲o̲w̲n̲ ̲T̲e̲s̲t̲
TBD.
4.3.5 F̲a̲u̲l̲t̲y̲ ̲A̲c̲t̲i̲v̲e̲ ̲P̲r̲o̲c̲e̲s̲s̲o̲r̲ ̲U̲n̲i̲t̲ ̲S̲e̲c̲t̲i̲o̲n̲
TBD.
5̲ ̲ ̲T̲I̲M̲E̲-̲O̲F̲-̲D̲A̲Y̲ ̲F̲U̲N̲C̲T̲I̲O̲N̲
A TIME-OF-DAY function is required for the CAMPS equipment.
Two possible solution concepts are considered:
a) TIME-OF-DAY based on the DAMOS clock-routine. This
is run by the PU's oscillator.
b) TIME-OF-DAY based on a separate T-O-D-system, which
is connected in another feasible way to the CAMPS
system.
6̲ ̲ ̲E̲N̲G̲I̲N̲E̲E̲R̲I̲N̲G̲ ̲F̲U̲N̲C̲T̲I̲O̲N̲S̲
The engineering functions of the CAMPS equipment are
assigned permanently to the engineering position, which
is connected to the CPS-WD-system as shown on fig.
1.1.
In section 3,4 and 5 above is described the H/W facilities
for configuration control and troubleshooting, controlled
by the CPS-WD-system.
Below are listed the enginnering functions required
for the CAMPS system. These functions shall be controlled
by the equipments of the engineering position, i.e.:
a) VDU with keyboard, possibly extended with a Floppy
Disk System.
b) Line Printer.
6.1 C̲O̲N̲T̲R̲O̲L̲ ̲O̲F̲ ̲E̲X̲T̲E̲R̲N̲A̲L̲ ̲L̲I̲N̲E̲S̲
Engineering functions shall exist to control external
lines as required by line interface equipment. Examples
are line speed, code, start/stop bits control.
6.2 T̲E̲S̲T̲S̲,̲ ̲O̲N̲-̲L̲I̲N̲E̲ ̲A̲N̲D̲ ̲O̲F̲F̲-̲L̲I̲N̲E̲
Engineering functions shall exist to conduct on-line
and off-line tests by software or other means as needed
to meet availability requirement.
6.3 S̲O̲F̲T̲W̲A̲R̲E̲ ̲M̲A̲I̲N̲T̲E̲N̲A̲N̲C̲E̲
Engineering function shall exist to control load of
software from on-line and off-line media to facilitate
fast restart in failure cases and load of new software
transported to site as required for initialization
and restart.
6.4 H̲/̲W̲ ̲C̲O̲N̲F̲I̲G̲U̲R̲A̲T̲I̲O̲N̲ ̲S̲T̲A̲T̲U̲S̲ ̲D̲I̲S̲P̲L̲A̲Y̲
As a basis for execution of engineering functions the
following status information shall be displayed at
VDU:
- Switching status of redundant equipment on crate-level.
- Status of line interface equipment with regard
to parameters controlable via engineering functions.
A̲P̲P̲E̲N̲D̲I̲X̲
C̲O̲M̲M̲E̲N̲T̲S̲ ̲T̲O̲ ̲T̲H̲E̲ ̲W̲A̲T̲C̲H̲D̲O̲G̲ ̲D̲E̲S̲I̲G̲N̲ ̲N̲O̲T̲E̲
A̲d̲ ̲s̲e̲c̲.̲ ̲1̲.̲1̲.̲3̲)̲
The main source of the M & D S/W is a disk with the
floppy disk as a back-up system.
A̲d̲ ̲s̲e̲c̲.̲ ̲3̲.̲2̲)̲
"T̲a̲k̲e̲ ̲o̲w̲n̲e̲r̲s̲h̲i̲p̲"̲ ̲i̲s̲
1) Enabled via I/O bus A and B
2), 3) and 4) unchanged.
As for indications it would be desirable.....
is changed to:
As for indications it is a requirement.......
A̲d̲ ̲s̲e̲c̲.̲ ̲3̲.̲5̲.̲4̲)̲
T̲B̲D̲ is changed to:
C̲C̲A̲ ̲i̲n̲ ̲a̲ ̲8̲0̲D̲ ̲B̲l̲o̲w̲e̲r̲ ̲U̲n̲i̲t̲ ̲a̲s̲s̲e̲m̲b̲l̲y̲ TBD
A̲d̲ ̲s̲e̲c̲.̲ ̲4̲.̲1̲)̲
.....essential sub-routines.
is changed to:
.....on-line Diagnostics.
A̲d̲ ̲s̲e̲c̲.̲ ̲4̲.̲1̲.̲2̲)
....retrieved......
is changed to:
....retried....
A̲d̲ ̲s̲e̲c̲.̲ ̲4̲.̲1̲.̲3̲)
....retrieved....
is changed to:
....retried .....
A̲d̲ ̲s̲e̲c̲.̲ ̲4̲.̲2̲.̲5̲)
The following text should be added:
The Watchdog must have on-line self diagnostic s/w
capable of checking and verifying vital Watchdog on-line
functions. Furthermore off-line diagnostic s/w should
be present to ease troubleshooting a faulty watchdog.
A̲d̲ ̲s̲e̲c̲.̲ ̲4̲.̲3̲)̲
in the last 6 lines of text
.....contained as files on a floppy disk
is changed to:
.....contained as files on a disk/floppy disk.
.....from the FDD....
is changed to:
......from the disk/FDD
A̲d̲ ̲s̲e̲c̲.̲ ̲4̲.̲3̲.̲1̲)
The last two lines are substituted with:
Further OFF-LINE M & D s/w based debug tools are TBD
A̲d̲ ̲s̲e̲c̲.̲ ̲4̲.̲3̲.̲3̲.̲1̲.̲2̲)
in 2)...module 4.3.3.1...
is changed to:
.....module 4.3.3.1.1
Ad sec's 4.3.3.1.3)
4.3.3.1.4)
̲4̲.̲3̲.̲3̲.̲1̲.̲5̲)̲
The active PU is substituted with the active/stand-by
PU.
A̲d̲ ̲s̲e̲c̲.̲ ̲4̲.̲3̲.̲4̲.̲1̲)̲
in 2)
.....disable the processor bus interface.....
is changed to:
.....disable the processor- and channel bus interface....
A̲d̲ ̲s̲e̲c̲.̲ ̲4̲.̲3̲.̲4̲.̲2̲)̲
....files on a floppy disk....
is changed to:
....files on a disk/floppy disk....
