(19)
(11)EP 3 396 878 B1

(12)EUROPEAN PATENT SPECIFICATION

(45)Mention of the grant of the patent:
29.04.2020 Bulletin 2020/18

(21)Application number: 17167902.0

(22)Date of filing:  25.04.2017
(51)International Patent Classification (IPC): 
H04J 3/06(2006.01)
G06F 1/14(2006.01)
G06F 11/16(2006.01)
H04L 12/44(2006.01)
G06F 11/14(2006.01)

(54) METHOD AND COMPUTER SYSTEM FOR ESTABLISHING AN INTERACTIVE CONSISTENCY PROPERTY

VERFAHREN UND COMPUTERSYSTEM ZUR HERSTELLUNG EINER INTERAKTIVEN EIGENSCHAFTSKONSISTENZ

PROCÉDÉ ET SYSTÈME INFORMATIQUE PERMETTANT D'ÉTABLIR UNE PROPRIÉTÉ DE COHÉRENCE INTERACTIVE


(84)Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

(43)Date of publication of application:
31.10.2018 Bulletin 2018/44

(73)Proprietor: TTTech Computertechnik AG
1040 Wien (AT)

(72)Inventors:
  • Bauer, Günther
    1040 Wien (AT)
  • Steiner, Wilfried
    1040 Wien (AT)
  • Fidi, Christian
    3813 Dietmanns (AT)

(74) Representative: Patentanwaltskanzlei Matschnig & Forsthuber OG
Biberstraße 22, Postfach 36
1010 Wien (AT)


(56) References cited:
EP-A2- 2 209 241
US-A1- 2014 185 632
US-A1- 2005 117 596
US-A1- 2016 211 987
  
      
    Note: Within nine months from the publication of the mention of the grant of the European patent, any person may give notice to the European Patent Office of opposition to the European patent granted. Notice of opposition shall be filed in a written reasoned statement. It shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention).


    Description


    [0001] The invention relates to a method for establishing an interactive consistency property between receivers of messages in a computer system, in particular a distributed computer system, wherein said messages are transmitted to said receivers by a sender of said computer system over a communication network connecting the receivers and the sender, wherein said communication network comprises communication paths for connecting the receivers to the sender, wherein each of the receivers is connected to the sender with at least two disjoint communication paths, wherein each of said disjoint communication paths comprises at least one switch and communication links, wherein a communication link is connecting a receiver to a switch of a disjoint communication path and a communication link is connecting the sender to a switch of said disjoint communication path.

    [0002] Furthermore, the invention relates to a computer system, in particular distributed computer system, comprising at least one sender and receivers, wherein for the exchange of messages a sender is connected to the receivers over a communication network, wherein said communication network comprises communication paths for connecting the receivers to the sender, and wherein for establishing an interactive consistency property between the receivers of messages each of the receivers is connected to the sender with at least two disjoint communication paths, wherein each of said disjoint communication paths comprises at least one switch and communication links, wherein a communication link is connecting a receiver to a switch of a disjoint communication path and a communication link is connecting the sender to a switch of said disjoint communication path.

    [0003] The invention is in the area of computer systems, in particular in the area of fault-tolerant computing systems. The invention describes a novel method to reduce the number of messages to be exchanged for interactive consistency between a set of non-faulty nodes.

    [0004] In a computer system with a fault-tolerant architecture, wherein said computer system comprises a set of nodes (which for example act as senders and/or receivers of messages) that are interconnected to each other by means of a communication network, interactive consistency ensures that all non-faulty nodes of said set of nodes consistently agree on actions to be taken by the nodes.

    [0005] Interactive consistency has originally been defined in [1] by two conditions using an analogy known as the Byzantine Generals Problem:
    • IC1. All loyal lieutenants obey the same order.
    • IC2. If the commanding general is loyal, then every loyal lieutenant obeys the order he sends.


    [0006] This original definition translates to a networked computer system as follows:
    • IC1: All non-faulty nodes accept the same message from a given sender.
    • IC2: If the sending node is non-faulty, then every non-faulty receiver accepts the message from the sender.


    [0007] Typically achieving these interactive consistency conditions (IC1, IC2) requires the nodes to implement interactive consistency algorithms. According to such algorithms the receiving nodes exchange - with messages (so-called "information messages") - between themselves which messages they received from the sending node. Because of this exchange, interactive consistency algorithms are expensive in the number of messages to be communicated between the nodes.

    [0008] It is an object of the invention to provide a novel form of synchronized interactive consistency.

    [0009] This object is achieved with a method and a computer system as described in the introduction, wherein
    (a) the switches are equipped with local clocks, wherein local clocks of non-faulty switches of said switches are synchronized to each other with a maximum error (precision), and wherein
    (b) the receivers are configured to detect failures of switches, and wherein
    (c) redundant copies of a message are forwarded by the sender to each of the receivers, wherein each of the redundant copies designated for a receiver is forwarded across a different disjoint communication path connecting the sender with said receiver, and wherein
    (d) at least one switch of each disjoint communication path from the sender to the receivers is configured such that the redundant copies of the message are forwarded to each receiver with a temporal distance, CON, between the disjoint communication paths, wherein the temporal distance, CON, is selected such that all non-faulty receivers of the receivers will receive the redundant copies in the same receive order, when the switches and communication links of the disjoint paths do not exhibit a failure, and wherein
    (e) each receiver concludes at least from the receive order of the redundant copies of the message whether and which redundant copy to accept to satisfy the interactive consistency property; if the conclusion is to accept a specific copy of the received redundant copies of the message, said specific message is accepted by the receiver, and if the conclusion is not to accept any copy of the received redundant messages, no copy is accepted by the receiver.


    [0010] Synchronized consistency according to the invention configures the communication network between the nodes in a way, that redundant copies of a message sent by a sending node ("sender") over multiple disjoint paths through the communication network are delivered to the receiving nodes ("receivers") by the communication network with a sufficiently high temporal offset that guarantees that all non-faulty nodes will receive the messages in the same order. Since either a node (sender or receiver) or the communication network itself may exhibit a failure at any point of time and the elements of the communication network are designed to fail in benign failure modes, then nodes can execute the method disclosed in this invention to establish interactive consistency without a need for communicating the additional information messages between themselves.

    [0011] Different paths between a specific sender and a specific receiver are called "disjoint", if these paths do not have any switches or communication links in common. In other words, switches and communication links of a specific disjoint path connecting a receiver and a sender cannot be elements of any other disjoint path connecting the same sender and receiver.

    [0012] The term "redundant copies of a message" means that a sender sends two or more messages which contain at least in parts the same information in the payload. The receivers know before reception of the messages (e.g., by configuration) which parts of the payload of said messages are intended to hold the same information. The two or more messages representing said redundant copies may vary, for example in their Path-ID, their Message-ID, additional information in the payload other than said parts of the same information (e.g., additional application data), message check-sums, message encoding, cryptographic signatures.

    [0013] Advantageous embodiments of the method and the computer system described above are detailed hereinafter:

    In (e), in addition, the validity of the received redundant copies of the message may be taken into account for concluding whether and which redundant copy to accept to satisfy the interactive consistency property.

    In or according to (e) it may be provided that:

    (i) all non-faulty receivers which receive two or more redundant copies of the message are configured to accept the first valid copy of the redundant copies that they receive;
    (ii) all non-faulty receivers which receive only one valid copy of the redundant copies of the message are configured to accept this one copy;
    (iii) all non-faulty receivers which do not receive any redundant copy of the redundant copies of the message do not accept a message.

    Alternatively, in or according to (e) it may be provided that:

    (i) all non-faulty receivers which receive two or more redundant copies of the message are configured to accept the last valid copy of the redundant copies that they receive;
    (ii) all non-faulty receivers which receive only one valid copy of the redundant copies of the message are configured to accept this one copy;
    (iii) all non-faulty receivers which do not receive any redundant copy of the redundant copies of the message do not accept a message.

    In item (i) a receiver may discard the respective other redundant copy or copies of the received redundant copies of the message.

    The sender and all receivers may be equipped with local clocks, wherein the local clocks of a non-faulty sender and of non-faulty receivers are synchronized to the local clocks of the switches with a known error (precision), and the sender sends the redundant copies of a message according to a communication schedule and the receivers know when to expect a message according to said communication schedule.

    The local clocks of the switches and/or the local clocks of the sender and/or the local clocks of the receivers may be synchronized by means of the IEEE 1588, and/or the IEEE 802.1AS, and/or the SAE AS6802 protocol.

    One, more or preferably all communication links may be Ethernet links. Links may be wired or wireless.

    The temporal distance (duration), CON, may be a function of the precision of the communication network, wherein CON > FACTOR · precision, where FACTOR is a natural number greater than 0.



    [0014] In the following, in order to further demonstrate the present invention, illustrative and non-restrictive embodiments are discussed, as shown in the drawings, which show:

    Fig. 1 distributed computer system,

    Fig. 2 communication configuration,

    Fig. 3 an example of a self-checking pair design of a switch,

    Fig. 4 distributed computer system, with multiple switches per disjoint communication path, and

    Fig. 5 distributed computer system with a ring topology.



    [0015] We discuss some of the many implementations of the invention next.

    [0016] Fig. 1 depicts a distributed computer system consisting of four nodes SND, RCV1, RCV2, RCV3 connected to each other by means of a communication network, wherein the communication network in this example consists of two switches SWA, SWB and communication links 110, 210; 111, 112, 113, 211, 212, 213 between the nodes (sender SND, receivers RCV1, RCV2, RCV3) and the switches. The communication links 110, 210; 111, 112, 113, 211, 212, 213 may be either full-duplex or half-duplex. Furthermore, each communication link 110, 210; 111, 112, 113, 211, 212, 213 may comprise a multitude of physical links. For simplicity of discussion we assume, without loss of generality, that the communication links 110, 210; 111, 112, 113, 211, 212, 213 are full-duplex Ethernet links and the switches SWA, SWB are Ethernet switches. Node SND sends messages to other nodes RCV1, RCV2, RCV3. Nodes RCV1, RCV2, RCV3 may be faulty or may operate correctly (i.e., are non-faulty). All non-faulty nodes of the nodes RCV1, RCV2, RCV3 need to agree on whether and what messages they have received from the node SND. For this, and according to the state-of-the-art, at least the non-faulty nodes of RCV1, RCV2, RCV3 would exchange information about messages received from node SND by exchanging additional messages (so-called "information-messages") between each other using the communication network.

    [0017] The invention described in this application avoids said exchange of information-messages between the nodes RCV1, RCV2, RCV3 by means of specific functionality of the communication network. We will describe this specific configuration next. It should be noted that this functionality is explained using the example with two switches, however, the following description is valid within the full scope of the invention and not limited to a communication network comprising two switches only.

    [0018] According to this specific functionality of the communication network the switches SWA, SWB in the network are equipped with local clocks and said local clocks are synchronized to each other with a maximum synchronization error called the precision.

    [0019] Furthermore, in the case of a failure of a switch SWA, SWB, the failure of said switch is detectable for a node RCV1, RCV2, RCV3. This can be achieved by constructing the switch as a self-checking pair as depicted in Fig. 3, which we will discuss later in this text. Other example realizations are disclosed in [2] and [3].

    [0020] The sender SND will send its message as redundant copies to the switches SWA, SWB, which switches SWA, SWB are configured such that they will forward the redundant messages sent by the sender SND with a sufficiently long duration in between the points in time of the respective forwarding of the messages (see interval CON in Fig. 2), such that all receivers RCV1, RCV2, RCV3, exhibit the same receive order of the redundant messages in case that they receive both messages. We discuss this communication configuration in more detail based on Fig. 2.

    [0021] Fig. 2 depicts a communication configuration as described under item (c) above. According to this communication configuration sender SND sends redundant copies of a message, MSGA, MSGB, over disjoint paths through the communication network to the receivers RCV1, RCV2, RCV3, which are shown in Fig. 1. In the case of two disjoint communication paths between a sender and a receiver two redundant copies are transmitted, one copy per disjoint path. In case of three or more disjoint paths between a sender and receiver, two, three or a number of copies corresponding to the number of disjoint paths are transmitted from the sender to the receiver. Each of the copies is transmitted on a different disjoint path.

    [0022] As shown in Fig. 2, a first disjoint path from the sender to a receiver RCV1 consists of switch SWA and the communication link 110 from the sender SND to the switch SWA and the communication link 111 from the switch SWA to said receiver RCV1 connected to it, the second disjoint path consists of switch SWB and the communication links 210 from the sender SND to the switch SWB and the communication link 211 from the switch SWB to said receiver RCV1. Sender SND and receiver RCV2 are connected by the two disjoint paths [communication link 110 - switch SWA - communication link 112] and [communication link 210 - switch SWB - communication link 212]. Sender SND and receiver RCV3 are connected by the two disjoint paths [communication link 110 - switch SWA - communication link 113] and [communication link 210 - switch SWB - communication link 213].

    [0023] Returning to Fig. 2, the sender SND sends the redundant copies MSGA, MSGB at the same point in time. In another realization, sender SND may send the copies MSGA, MSGB at different points in time. As depicted in Fig. 2 switch SWA forwards messages MSGA to the receivers RCV1, RCV2, RCV3, first followed by switch SWB forwarding MSGB to the receivers RCV1, RCV2, RCV3. As depicted, there is a minimum time interval CON in between the forwarding points in time of the switches SWA, SWB of the messages MSGA, MSGB. This time interval CON is configured to be sufficiently long, such that all non-faulty receivers RCV1, RCV2, RCV3 will receive the messages MSGA and MSGB in the same order in case they receive both messages.

    [0024] The duration (length) of the time interval CON can be chosen, for example, as a function of the precision of the system, e.g., duration > precision or duration > FACTOR · precision, where FACTOR is a natural number greater than 0.

    [0025] Another example of calculating CON would be a function taking the worst-case transmission delays wc_delay of the messages into account. Then, duration > wc_delay or duration > FACTOR1 · wc_delay, where FACTOR1 is a natural number greater than 0.

    [0026] Another example of calculating CON would be a function taking both the worst-case transmission delays wc_delay and the precision into account. Then, duration > wc_delay + precision or duration > FACTOR2 · wc_delay + FACTOR3 · precision, where FACTOR, FACTOR1, FACTOR2, FACTOR3 are natural numbers greater than 0.

    [0027] An algorithm as described in the following is executed in the receivers RCV1, RCV2, RCV3 of the computer system shown in Fig. 1 and ensures that when a non-faulty receiver RCV1, RCV2, RCV3 accepts a message all other non-faulty receivers RCV1, RCV2, RCV3 accept either the same message or an identical copy. Furthermore, if a non-faulty receiver RCV1, RCV2, RCV3 does not accept any redundant copy of the message from SND, then all other non-faulty receivers RCV1, RCV2, RCV3 also do not accept any of the redundant messages from the sender SND. According to this algorithm being executed in the receivers
    (i) a receiver RCV1, RCV2, RCV3 that receives both redundant copies will accept the first valid message of the redundant copies MSGA, MSGB that it receives and will discard the respective other redundant copy of MSGA, MSGB;
    (ii) a receiver RCV1, RCV2, RCV3 that receives only one copy MSGA or MSGB (for example because of a failure of a switch) will accept this one copy;
    (iii) a receiver RCV1, RCV2, RCV3 that does not receive any redundant copy MSGA, MSGB does not accept a message.


    [0028] Alternatively to the item (i) - items (ii) and (iii) remain unchanged - it may be provided that all receivers may execute the following step:

    (ia) A receiver RCV1, RCV2, RCV3 that receives both redundant copies will accept the first valid message of the redundant copies MSGA, MSGB and will discard the respective other redundant copy of MSGA, MSGB only if the redundant copies MSGA, MSGB match with respect to their message contents (for example if they contain the same application data) and discard both messages MSGA, MSGB otherwise.



    [0029] In yet another embodiment items (ii) and (iii) remain unchanged, but according to item (i) or item (ia) it is not the first, but the last valid copy of the redundant copies which is accepted by a receiver. The other features of item (i) or item (ia) remain unchanged.

    [0030] Examples of validity criteria of a message are: valid checksum of the message, valid timestamp, valid sequence number, cryptographic signature, etc.
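    The following Python model is an added example; it is not part of the patent and not code of TTTech or of any product. It places the receiver rule of [0027]-[0029] (first-valid, last-valid and the (ia) content-match variant), the CON bound of [0026] and the ordering argument of [0023] on the Fig. 1 topology (sender SND, switches SWA and SWB, receivers RCV1, RCV2, RCV3) and exhaustively checks IC1 over a grid of switch clock offsets (within the precision) and link delays (up to wc_delay). The precision and delay values, the payloads, the toy checksum standing in for the validity criteria of [0030], and the names `deliver`, `accept`, `agree` and `disagreements` are all constructed for this example.

```python
"""Added example, not part of the patent: a small model of synchronized
interactive consistency on the Fig. 1 topology.  All time values, payloads
and the toy checksum are constructed for illustration."""
import itertools
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

PRECISION = 2.0   # max synchronisation error between switch clocks (constructed)
WC_DELAY = 3.0    # worst-case switch-to-receiver forwarding delay (constructed)
T0 = 100.0        # scheduled forwarding time of MSGA on SWA's local clock
SWITCHES = ("SWA", "SWB")
RECEIVERS = ("RCV1", "RCV2", "RCV3")


@dataclass(frozen=True)
class Message:
    path_id: str      # disjoint path the copy travels on ("A" or "B")
    payload: bytes    # the part of the payload that must agree across copies
    checksum: int     # toy checksum standing in for the validity criteria of [0030]

    def is_valid(self) -> bool:
        return self.checksum == sum(self.payload) % 256


def make_copy(path_id: str, payload: bytes, corrupt: bool = False) -> Message:
    """Build a redundant copy; corrupt=True yields a copy that fails validation."""
    chk = sum(payload) % 256
    return Message(path_id, payload, (chk + 1) % 256 if corrupt else chk)


def con_lower_bound(wc_delay: float = WC_DELAY, precision: float = PRECISION,
                    factor2: int = 1, factor3: int = 1) -> float:
    """[0026]: CON must exceed FACTOR2 * wc_delay + FACTOR3 * precision."""
    return factor2 * wc_delay + factor3 * precision


def deliver(con: float, copies: Dict[str, Message], offsets: Dict[str, float],
            delays: Dict[Tuple[str, str], float],
            dropped: FrozenSet[Tuple[str, str]] = frozenset()):
    """Arrival list per receiver.  SWA forwards copies["SWA"] at T0 on its own
    clock, SWB forwards copies["SWB"] at T0 + con on its clock; real time is
    local time plus that switch's offset.  `dropped` lists (switch, receiver)
    pairs that a benignly failing switch or link omits (a detectable failure)."""
    arrivals: Dict[str, List[Tuple[float, Message]]] = {r: [] for r in RECEIVERS}
    schedule = {"SWA": T0, "SWB": T0 + con}
    for sw in SWITCHES:
        real_fwd = schedule[sw] + offsets[sw]
        for r in RECEIVERS:
            if (sw, r) not in dropped:
                arrivals[r].append((real_fwd + delays[(sw, r)], copies[sw]))
    return arrivals


def accept(arrivals: List[Tuple[float, Message]], rule: str = "first",
           require_match: bool = False) -> Optional[Message]:
    """Receiver decision of [0027]: (i) the first valid copy when two or more
    arrive (the last one under the [0029] variant), (ii) the single valid copy,
    (iii) nothing.  require_match selects the (ia) variant of [0028], which
    discards both copies when their payloads differ."""
    valid = [m for _, m in sorted(arrivals, key=lambda tm: tm[0]) if m.is_valid()]
    if not valid:
        return None
    if require_match and len({m.payload for m in valid}) > 1:
        return None
    return valid[0] if rule == "first" else valid[-1]


def agree(decisions: Dict[str, Optional[Message]]) -> bool:
    """IC1 on payloads: every receiver accepted the same content, or none did."""
    return len({None if m is None else m.payload for m in decisions.values()}) == 1


def scenario_grid():
    """All combinations of extreme clock offsets (pairwise within PRECISION)
    and per-link delays (up to WC_DELAY) on the six switch-to-receiver links."""
    offs = (-PRECISION / 2, 0.0, PRECISION / 2)
    dels = (0.1, WC_DELAY / 2, WC_DELAY)
    links = [(sw, r) for sw in SWITCHES for r in RECEIVERS]
    for oa, ob in itertools.product(offs, repeat=2):
        for d in itertools.product(dels, repeat=len(links)):
            yield {"SWA": oa, "SWB": ob}, dict(zip(links, d))


def disagreements(con: float, copies: Dict[str, Message],
                  dropped: FrozenSet[Tuple[str, str]] = frozenset(),
                  rule: str = "first", require_match: bool = False) -> int:
    """Number of grid scenarios in which the receivers violate IC1."""
    count = 0
    for offsets, delays in scenario_grid():
        arrivals = deliver(con, copies, offsets, delays, dropped)
        if not agree({r: accept(a, rule, require_match) for r, a in arrivals.items()}):
            count += 1
    return count


if __name__ == "__main__":
    # A faulty sender puts different contents into MSGA and MSGB; the receivers
    # still agree when CON exceeds the [0026] bound, but not when CON is too small.
    split = {"SWA": make_copy("A", b"go"), "SWB": make_copy("B", b"stop")}
    print("CON above bound:", disagreements(con_lower_bound() + 0.5, split))
    print("CON too small:  ", disagreements(0.5, split))
```

    The grid makes the single-fault assumption of [0010] visible: with a faulty sender (differing copies) and a healthy network, CON > wc_delay + precision forces the same receive order everywhere and all receivers pick the same copy; with a healthy sender and a benignly failing switch that omits one copy for one receiver, the surviving copies carry the same content, so item (ii) keeps the receivers consistent. Combining both faults in one run (`dropped` together with differing copies) produces disagreements, which is exactly the case the design does not claim to cover.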

    [0031] Fig. 3 depicts an example of a self-checking pair switch design. In this design the switch shown in Fig. 3 receives a message on the bottom port PHY and processes the message in two fault-containment units COM, MON. The output of the two fault-containment units COM, MON is compared by another fault-containment unit COMP, and only if the output of the two fault-containment units COM, MON is consistent will the third fault-containment unit COMP forward the message to the output, in this case the port PHY on the top of the switch. Such a self-checking pair structure allows one to assume with reasonably high probability that the switch itself will not be able to generate arbitrary new messages, nor that the switch can delay received messages for an arbitrary duration.

    [0032] Fig. 4 depicts a distributed computer system in which each disjoint path comprises more than one switch, i.e., switches SWA1, SWA for a first disjoint path and switches SWB1, SWB for a second disjoint path. The reference signs correspond to those used in Fig. 1; in addition switch SWA1 is connected to switch SWA with a communication link 110' and switch SWB1 is connected to switch SWB with a communication link 210'. In such a setting at least one of the switches per disjoint path (an example of two disjoint paths between sender SND and receiver RCV1 is shown in bold lines) would be configured such that a time interval CON as described above is established in the forwarding of the redundant copies of messages from a sender SND.

    [0033] Fig. 5 depicts a distributed computer system in which each disjoint path comprises more than one switch, i.e., switches SWA1, SWA for a first disjoint path and switches SWB1, SWB for a second disjoint path. Again, the reference signs correspond to those used in Fig. 1; in addition switch SWA1 is connected to switch SWA with a communication link 110' and switch SWB1 is connected to switch SWB with a communication link 210'. In such a setting at least one of the switches per disjoint path is configured such that a time interval CON as described above is established in the forwarding of the redundant copies of messages from a sender SND. In addition the switches SWA1, SWA, SWB1, SWB are connected to form a ring topology with communication links 220, 230. The ring topology - especially in the case that more switches than shown (for example more than 5, or more than 6 switches) are provided to form a ring - allows reconfiguring the disjoint paths between the receivers RCV1, RCV2, RCV3 and the sender SND in case of link failures or switch failures and thereby improves the reliability of the overall system.

    [0035] Physical topologies other than the redundant switch, redundant tree, and ring topologies are possible as well as long as the physical topology provides sufficient redundancy to enable two disjoint paths between any two nodes in the system.

    References



    [0036]
    [1] Lamport, Leslie, Robert Shostak, and Marshall Pease. "The Byzantine generals problem." ACM Transactions on Programming Languages and Systems (TOPLAS) 4, no. 3 (1982): 382-401.
    [2] Method for transmitting messages in a computer network, and computer network, WO2015058224A1
    [3] EP 3 166 246 A1


    [0037] Documents US 2005/117596 A1, US 2014/185632 A1, US 2016/211987 A1, EP 2 209 241 A2, WO 2015/058224 A1 disclose different examples of the prior art.


    Claims

    1. Method for establishing an interactive consistency property between receivers (RCV1, RCV2, RCV3) of messages (MSGA, MSGB) in a computer system, in particular a distributed computer system, wherein said messages (MSGA, MSGB) are transmitted to said receivers (RCV1, RCV2, RCV3) by a sender (SND) of said computer system over a communication network connecting the receivers (RCV1, RCV2, RCV3) and the sender (SND), wherein said communication network comprises communication paths for connecting the receivers (RCV1, RCV2, RCV3) to the sender (SND), wherein each of the receivers (RCV1, RCV2, RCV3) is connected to the sender (SND) with at least two disjoint communication paths, wherein each of said disjoint communication paths comprises at least one switch (SWA, SWB; SWA1, SWA2, SWB1, SWB2) and communication links (110, 210; 111, 112, 113, 211, 212, 213), wherein a communication link (111, 112, 113, 211, 212, 213) is connecting a receiver (RCV1, RCV2, RCV3) to a switch (SWA, SWB; SWA1, SWB1) of a disjoint communication path and a communication link (110, 210) is connecting the sender (SND) to a switch of said disjoint communication path, and wherein

    (a) the switches (SWA, SWA1, SWB, SWB1) are equipped with local clocks, wherein local clocks of non-faulty switches of said switches (SWA, SWB, SWA1, SWB1) are synchronized to each other with a maximum error (precision), and the sender (SND) and all receivers (RCV1, RCV2, RCV3) are equipped with local clocks, wherein the local clocks of a non-faulty sender and non-faulty receivers are synchronized to the local clocks of the switches with a known error (precision), and the sender (SND) sends the redundant copies (MSGA, MSGB) of a message according to a communication schedule and the receivers know when to expect a message according to said communication schedule, and wherein

    (b) the receivers (RCV1, RCV2, RCV3) are configured to detect failures of switches (SWA, SWA1, SWB, SWB1), and wherein

    (c) redundant copies (MSGA, MSGB) of a message are forwarded by the sender (SND) to each of the receivers (RCV1, RCV2, RCV3), wherein each of the redundant copies (MSGA, MSGB) designated for a receiver (RCV1, RCV2, RCV3) is forwarded across a different disjoint communication path connecting the sender (SND) with said receiver (RCV1, RCV2, RCV3), and wherein

    (d) at least one switch of each disjoint communication path from the sender (SND) to the receivers (RCV1, RCV2, RCV3) is configured such that the redundant copies (MSGA, MSGB) of the message are forwarded to each receiver (RCV1, RCV2, RCV3) with a temporal distance, CON, between the disjoint communication paths, wherein the temporal distance, CON, is selected such that all non-faulty receivers of the receivers (RCV1, RCV2, RCV3) will receive the redundant copies (MSGA, MSGB) in the same receive order, when the switches and communication links of the disjoint paths do not exhibit a failure, and wherein

    (e) each receiver (RCV1, RCV2, RCV3) concludes at least from the receive order of the redundant copies (MSGA, MSGB) of the message whether and which redundant copy (MSGA, MSGB) to accept to satisfy the interactive consistency property, and if the conclusion yields to accept a specific copy (MSGA, MSGB) of the received redundant copies of the message, said specific message is accepted by the receiver, and if the conclusion yields to not accept any copy of the received redundant messages, no copy is accepted by the receiver (RCV1, RCV2, RCV3).


     
    2. Method according to claim 1, wherein in (e), in addition, the validity of the received redundant copies (MSGA, MSGB) of the message is taken into account for concluding whether and which redundant copy (MSGA, MSGB) to accept to satisfy the interactive consistency property, wherein validity criteria of a message are valid checksum of the message, or valid timestamp, or valid sequence number, or cryptographic signature.
     
    3. Method according to claim 1 or 2, wherein according to (e):

    (i) all non-faulty receivers (RCV1, RCV2, RCV3) which receive two or more redundant copies (MSGA, MSGB) of the message are configured to accept the first one valid copy of the redundant copies (MSGA, MSGB) that they receive;

    (ii) all non-faulty receivers (RCV1, RCV2, RCV3) which receive only one valid copy (MSGA, MSGB) of the redundant copies (MSGA, MSGB) of the message are configured to accept this one copy;

    (iii) all non-faulty receivers (RCV1, RCV2, RCV3) which do not receive any redundant copy (MSGA, MSGB) of the redundant copies of the message do not accept a message.


     
    4. Method according to claim 1 or 2, wherein according to (e):

    (i) all non-faulty receivers (RCV1, RCV2, RCV3) which receive two or more redundant copies (MSGA, MSGB) of the message are configured to accept the last one valid copy of the redundant copies (MSGA, MSGB) that they receive;

    (ii) all non-faulty receivers (RCV1, RCV2, RCV3) which receive only one valid copy (MSGA, MSGB) of the redundant copies (MSGA, MSGB) of the message are configured to accept this one copy;

    (iii) all non-faulty receivers (RCV1, RCV2, RCV3) which do not receive any redundant copy (MSGA, MSGB) of the redundant copies of the message do not accept a message.


     
    5. Method according to claim 3 or 4, wherein in item (i) a receiver discards the respective other redundant copy or copies of the received redundant copies (MSGA, MSGB) of the message.
     
    6. Method according to one of the claims 1 to 5, wherein the local clocks of the sender (SND) and/or the local clocks of the receivers (RCV1, RCV2, RCV3) are synchronized by means of the IEEE 1588, and/or the IEEE 802.1AS, and/or the SAE AS6802 protocol.
     
    7. Method according to one of the claims 1 to 6, wherein the local clocks of the switches are synchronized by means of the IEEE 1588, and/or the IEEE 802.1AS, and/or the SAE AS6802 protocol.
     
    8. Method according to one of the claims 1 to 7, wherein one, more or preferably all communication links (110) are Ethernet links.
     
    9. Method according to one of the claims 1 to 8, wherein the temporal distance (duration), CON, is a function of the precision of the communication network, wherein CON > FACTORprecision, where FACTOR is a natural number greater than 0.
     
    10. Computer system, in particular distributed computer system, comprising at least one sender (SND) and receivers (RCV1, RCV2, RCV3), wherein for the exchange of messages a sender (SND) is connected to the receivers (RCV1, RCV2, RCV3) over a communication network, wherein said communication network comprises communication paths for connecting the receivers (RCV1, RCV2, RCV3) to the sender (SND), and wherein for establishing an interactive consistency property between the receivers (RCV1, RCV2, RCV3) of messages (MSGA, MSGB) each of the receivers (RCV1, RCV2, RCV3) is connected to the sender (SND) with at least two disjoint communication paths, wherein each of said disjoint communication paths comprises at least one switch (SWA, SWB; SWA1, SWB1) and communication links (110, 210; 111, 112, 113, 211, 212, 213), wherein a communication link (111, 112, 113, 211, 212, 213) is connecting a receiver (RCV1, RCV2, RCV3) to a switch (SWA, SWB; SWA1, SWB1) of a disjoint communication path and a communication link (110, 210) is connecting the sender (SND) to a switch of said disjoint communication path, and wherein

    (a) the switches (SWA, SWA1, SWB, SWB1) are equipped with local clocks, wherein local clocks of non-faulty switches of said switches (SWA, SWB, SWA1, SWB1) are synchronized to each other with a maximum error (precision), and the sender (SND) and all receivers (RCV1, RCV2, RCV3) are equipped with local clocks, wherein the local clocks of a non-faulty sender and non-faulty receivers are synchronized to the local clocks of the switches with a known error (precision), and the sender (SND) sends the redundant copies (MSGA, MSGB) of a message according to a communication schedule and the receivers know when to expect a message according to said communication schedule, and wherein

    (b) the receivers (RCV1, RCV2, RCV3) are configured to detect failures of switches (SWA, SWA1, SWA2, SWB, SWB1, SWB2), and wherein

    (c) the sender (SND) is configured to forward redundant copies (MSGA, MSGB) of a message to each of the receivers (RCV1, RCV2, RCV3), wherein each of the redundant copies (MSGA, MSGB) designated for a receiver (RCV1, RCV2, RCV3) is forwarded across a different disjoint communication path connecting the sender (SND) with said receiver (RCV1, RCV2, RCV3), and wherein

    (d) at least one switch of each disjoint communication path from the sender (SND) to the receivers (RCV1, RCV2, RCV3) is configured such that the redundant copies (MSGA, MSGB) of the message are forwarded to each receiver (RCV1, RCV2, RCV3) with a temporal distance, CON, between the disjoint communication paths, wherein the temporal distance, CON, is selected such that all non-faulty receivers of the receivers (RCV1, RCV2, RCV3) will receive the redundant copies (MSGA, MSGB) in the same receive order, when the switches and communication links of the disjoint paths do not exhibit a failure, and wherein

    (e) each receiver (RCV1, RCV2, RCV3) is configured to conclude at least from the receive order of the redundant copies (MSGA, MSGB) of the message whether and which redundant copy (MSGA, MSGB) to accept to satisfy the interactive consistency property, and if the conclusion of the receiver (RCV1, RCV2, RCV3) yields to accept a specific copy (MSGA, MSGB) of the received redundant copies of the message, to accept said specific message, and if the conclusion yields to not accept any copy of the received redundant messages, not to accept any copy.


     
    11. Computer system according to claim 10, wherein in (e), in addition, the validity of the received redundant copies (MSGA, MSGB) of the message is taken into account for concluding whether and which redundant copy (MSGA, MSGB) to accept to satisfy the interactive consistency property, wherein validity criteria of a message are a valid checksum of the message, or a valid timestamp, or a valid sequence number, or a cryptographic signature.
     
    12. Computer system according to claim 10 or 11, wherein according to (e):

    (i) all non-faulty receivers (RCV1, RCV2, RCV3) which receive two or more redundant copies (MSGA, MSGB) of the message are configured to accept the first valid copy of the redundant copies (MSGA, MSGB) that they receive;

    (ii) all non-faulty receivers (RCV1, RCV2, RCV3) which receive only one valid copy (MSGA, MSGB) of the redundant copies (MSGA, MSGB) of the message are configured to accept this one copy;

    (iii) all non-faulty receivers (RCV1, RCV2, RCV3) which do not receive any redundant copy (MSGA, MSGB) of the redundant copies of the message do not accept a message.


     
    13. Computer system according to claim 10 or 11, wherein according to (e):

    (i) all non-faulty receivers (RCV1, RCV2, RCV3) which receive two or more redundant copies (MSGA, MSGB) of the message are configured to accept the last valid copy of the redundant copies (MSGA, MSGB) that they receive;

    (ii) all non-faulty receivers (RCV1, RCV2, RCV3) which receive only one valid copy (MSGA, MSGB) of the redundant copies (MSGA, MSGB) of the message are configured to accept this one copy;

    (iii) all non-faulty receivers (RCV1, RCV2, RCV3) which do not receive any redundant copy (MSGA, MSGB) of the redundant copies of the message do not accept a message.


     
    14. Computer system according to claim 12 or 13, wherein in item (i) a receiver discards the respective other redundant copy or copies of the received redundant copies (MSGA, MSGB) of the message.
     
    15. Computer system according to one of the claims 10 to 14, wherein the local clocks of the sender (SND) and/or the local clocks of the receivers (RCV1, RCV2, RCV3) are synchronized by means of the IEEE 1588, and/or the IEEE 802.1AS, and/or the SAE AS6802 protocol.
     
    16. Computer system according to one of the claims 10 to 15, wherein the local clocks of the switches are synchronized by means of the IEEE 1588, and/or the IEEE 802.1AS, and/or the SAE AS6802 protocol.
     
    17. Computer system according to one of the claims 10 to 16, wherein one, more or preferably all communication links (110) are Ethernet links.
     
    18. Computer system according to one of the claims 10 to 17, wherein the temporal distance, CON, is a function of the precision of the communication network, wherein CON > FACTOR · precision, where FACTOR is a natural number greater than 0.
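The receiver-side decision of step (e), the first-valid and last-valid acceptance rules of claims 12 and 13, and the temporal-distance bound of claim 18, as an added Python model that is not code from the patent or its proprietor; PRECISION, FACTOR, the per-path arrival-jitter model and every function name are assumptions made for the illustration.

```python
# Added example, not code from the patent: a model of the receiver-side decision
# in step (e), the acceptance rules of claims 12 and 13, and the CON bound of
# claim 18. PRECISION, FACTOR, the jitter model and all names are assumptions.
import zlib
from dataclasses import dataclass
from typing import Dict, List, Optional

PRECISION = 1.0                   # assumed maximum arrival error per path (time units)
FACTOR = 2                        # assumed natural number > 0 (claim 18)
CON = FACTOR * PRECISION + 0.5    # temporal distance, strictly greater than FACTOR * precision


@dataclass(frozen=True)
class Copy:
    path: str       # disjoint path the copy travelled, "A" or "B"
    seq: int        # sequence number, a validity criterion from claim 11
    payload: bytes
    crc: int        # checksum carried with the copy, a validity criterion from claim 11
    t_recv: float   # local receive time at the receiver


def make_copy(path: str, seq: int, payload: bytes, t_recv: float,
              corrupt: bool = False) -> Copy:
    """Constructed sample copy; corrupt=True flips one payload byte after the CRC
    was computed, so the checksum check in is_valid() rejects it."""
    crc = zlib.crc32(payload)
    if corrupt:
        payload = bytes([payload[0] ^ 0xFF]) + payload[1:]
    return Copy(path, seq, payload, crc, t_recv)


def is_valid(copy: Copy, expected_seq: int) -> bool:
    """Claim 11 validity criteria, here checksum and sequence number (timestamp and
    signature checks are omitted from this model)."""
    return copy.seq == expected_seq and zlib.crc32(copy.payload) == copy.crc


def decide(copies: List[Copy], expected_seq: int, policy: str = "first") -> Optional[str]:
    """Step (e): conclude from the receive order of the valid copies which one to accept.
    policy="first" is claim 12, policy="last" is claim 13. Returns the path label of
    the accepted copy, or None when no copy is accepted (item (iii))."""
    valid = sorted((c for c in copies if is_valid(c, expected_seq)),
                   key=lambda c: c.t_recv)
    if not valid:
        return None                     # (iii): no valid copy arrived
    if len(valid) == 1:
        return valid[0].path            # (ii): accept the single valid copy
    chosen = valid[0] if policy == "first" else valid[-1]   # (i)
    return chosen.path                  # claim 14: the other copies are discarded


Jitter = Dict[str, Dict[str, Optional[float]]]   # receiver -> path -> arrival error


def deliveries(t_fwd: Dict[str, float], jitter: Jitter, seq: int,
               payload: bytes) -> Dict[str, List[Copy]]:
    """Model of (c) and (d): the switch of path P forwards the copy at t_fwd[P], and
    receiver R sees it at t_fwd[P] + jitter[R][P]. A jitter value of None models a
    copy lost on that path (switch or link failure)."""
    out: Dict[str, List[Copy]] = {}
    for rcv, per_path in jitter.items():
        out[rcv] = [make_copy(p, seq, payload, t_fwd[p] + j)
                    for p, j in per_path.items() if j is not None]
    return out


def consistent(decisions: Dict[str, Optional[str]]) -> bool:
    """Interactive consistency: all non-faulty receivers accepted the same copy (or none)."""
    return len(set(decisions.values())) == 1


def run(con: float, jitter: Jitter, policy: str = "first") -> Dict[str, Optional[str]]:
    """Forward copy A at t=10 and copy B at t=10+con (step (d)), deliver both to every
    receiver under the given jitter, and apply step (e) at each receiver."""
    t_fwd = {"A": 10.0, "B": 10.0 + con}
    seq, payload = 7, b"constructed sample payload"
    delivered = deliveries(t_fwd, jitter, seq, payload)
    return {rcv: decide(copies, seq, policy) for rcv, copies in delivered.items()}


if __name__ == "__main__":
    # Arrival errors within +/- PRECISION on every path and no loss: with CON above
    # FACTOR * PRECISION every receiver sees A before B, so all accept the same copy.
    bounded: Jitter = {"RCV1": {"A": 1.0, "B": -1.0},
                       "RCV2": {"A": -1.0, "B": 1.0},
                       "RCV3": {"A": 0.0, "B": 0.0}}
    print("CON ok, first-valid:", run(CON, bounded, "first"))          # all "A"
    print("CON too small, first-valid:", run(1.0, bounded, "first"))   # RCV1 differs
```

With a CON below FACTOR · precision the constructed jitter flips the receive order at one receiver, so the first-valid rule no longer yields the same copy everywhere, which is the effect the bound in claim 18 is chosen to rule out.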
     


    Claims (German text)

    1. Method for establishing an interactive consistency property between receivers (RCV1, RCV2, RCV3) of messages (MSGA, MSGB) in a computer system, in particular a distributed computer system, wherein the messages (MSGA, MSGB) are transmitted from a sender (SND) of the computer system to the receivers (RCV1, RCV2, RCV3) over a communication network connecting the receivers (RCV1, RCV2, RCV3) and the sender (SND), wherein the communication network comprises communication paths for connecting the receivers (RCV1, RCV2, RCV3) to the sender (SND), wherein each of the receivers (RCV1, RCV2, RCV3) is connected to the sender (SND) with at least two disjoint communication paths, wherein each of the disjoint communication paths comprises at least one switch (SWA, SWB; SWA1, SWA2, SWB1, SWB2) and communication links (110, 210; 111, 112, 113, 211, 212, 213), wherein a communication link (111, 112, 113, 211, 212, 213) connects a receiver (RCV1, RCV2, RCV3) to a switch (SWA, SWB; SWA1, SWB1) of a disjoint communication path and a communication link (110, 210) connects the sender (SND) to a switch of the disjoint communication path, and wherein

    (a) the switches (SWA, SWA1, SWB, SWB1) are equipped with local clocks, wherein local clocks of non-faulty switches of the switches (SWA, SWB, SWA1, SWB1) are synchronized to each other with a maximum error (precision), and the sender (SND) and all receivers (RCV1, RCV2, RCV3) are equipped with local clocks, wherein the local clocks of a non-faulty sender and of non-faulty receivers are synchronized to the local clocks of the switches with a known error (precision), and the sender (SND) sends the redundant copies (MSGA, MSGB) of a message according to a communication schedule and the receivers know when to expect a message according to the communication schedule, and wherein

    (b) the receivers (RCV1, RCV2, RCV3) are configured to detect failures of switches (SWA, SWA1, SWB, SWB1), and wherein

    (c) redundant copies (MSGA, MSGB) of a message are forwarded by the sender (SND) to each of the receivers (RCV1, RCV2, RCV3), wherein each of the redundant copies (MSGA, MSGB) designated for a receiver (RCV1, RCV2, RCV3) is forwarded over a different disjoint communication path connecting the sender (SND) with the receiver (RCV1, RCV2, RCV3), and wherein

    (d) at least one switch of each disjoint communication path from the sender (SND) to the receivers (RCV1, RCV2, RCV3) is configured such that the redundant copies (MSGA, MSGB) of the message are forwarded to each receiver (RCV1, RCV2, RCV3) with a temporal distance, CON, between the disjoint communication paths, wherein the temporal distance, CON, is selected such that all non-faulty receivers of the receivers (RCV1, RCV2, RCV3) receive the redundant copies (MSGA, MSGB) in the same receive order when the switches and communication links of the disjoint paths do not exhibit a failure, and wherein

    (e) each receiver (RCV1, RCV2, RCV3) concludes at least from the receive order of the redundant copies (MSGA, MSGB) of the message whether and which redundant copy (MSGA, MSGB) is to be accepted in order to satisfy the interactive consistency property, and if the conclusion yields that a specific copy (MSGA, MSGB) of the received redundant copies of the message is to be accepted, the specific message is accepted by the receiver, and if the conclusion yields that no copy of the received redundant messages is to be accepted, no copy is accepted by the receiver (RCV1, RCV2, RCV3).


     
    2. Method according to claim 1, wherein in (e), in addition, the validity of the received redundant copies (MSGA, MSGB) is taken into account in order to conclude whether and which redundant copy (MSGA, MSGB) is to be accepted in order to satisfy the interactive consistency property, wherein validity criteria of a message are a valid checksum of the message, or a valid timestamp, or a valid sequence number, or a cryptographic signature.
     
    3. Method according to claim 1 or 2, wherein according to (e):

    (i) all non-faulty receivers (RCV1, RCV2, RCV3) which receive two or more redundant copies (MSGA, MSGB) of the message are configured to accept the first valid copy of the redundant copies (MSGA, MSGB) that they receive;

    (ii) all non-faulty receivers (RCV1, RCV2, RCV3) which receive only one valid copy (MSGA, MSGB) of the redundant copies (MSGA, MSGB) of the message are configured to accept this one copy;

    (iii) all non-faulty receivers (RCV1, RCV2, RCV3) which do not receive any redundant copy (MSGA, MSGB) of the redundant copies of the message do not accept a message.


     
    4. Method according to claim 1 or 2, wherein according to (e):

    (i) all non-faulty receivers (RCV1, RCV2, RCV3) which receive two or more redundant copies (MSGA, MSGB) of the message are configured to accept the last valid copy of the redundant copies (MSGA, MSGB) that they receive;

    (ii) all non-faulty receivers (RCV1, RCV2, RCV3) which receive only one valid copy (MSGA, MSGB) of the redundant copies (MSGA, MSGB) of the message are configured to accept this one copy;

    (iii) all non-faulty receivers (RCV1, RCV2, RCV3) which do not receive any redundant copy (MSGA, MSGB) of the redundant copies of the message do not accept a message.


     
    5. Method according to claim 3 or 4, wherein in item (i) a receiver discards the respective other redundant copy or the respective other redundant copies of the received redundant copies (MSGA, MSGB) of the message.
     
    6. Method according to one of claims 1 to 5, wherein the local clocks of the sender (SND) and/or the local clocks of the receivers (RCV1, RCV2, RCV3) are synchronized by means of the IEEE 1588 and/or the IEEE 802.1AS and/or the SAE AS6802 protocol.
     
    7. Method according to one of claims 1 to 6, wherein the local clocks of the switches are synchronized by means of the IEEE 1588 and/or the IEEE 802.1AS and/or the SAE AS6802 protocol.
     
    8. Method according to one of claims 1 to 7, wherein one, several or preferably all communication links (110) are Ethernet links.
     
    9. Method according to one of claims 1 to 8, wherein the temporal distance (duration), CON, is a function of the precision of the communication network, wherein CON > FACTOR · precision, where FACTOR is a natural number greater than 0.
     
    10. Computer system, in particular distributed computer system, comprising at least one sender (SND) and receivers (RCV1, RCV2, RCV3), wherein for the exchange of messages a sender (SND) is connected to the receivers (RCV1, RCV2, RCV3) over a communication network, wherein the communication network comprises communication paths for connecting the receivers (RCV1, RCV2, RCV3) to the sender (SND), and wherein for establishing an interactive consistency property between the receivers (RCV1, RCV2, RCV3) of messages (MSGA, MSGB) each of the receivers (RCV1, RCV2, RCV3) is connected to the sender (SND) with at least two disjoint communication paths, wherein each of the disjoint communication paths comprises at least one switch (SWA, SWB; SWA1, SWB1) and communication links (110, 210; 111, 112, 113, 211, 212, 213), wherein a communication link (111, 112, 113, 211, 212, 213) connects a receiver (RCV1, RCV2, RCV3) to a switch (SWA, SWB; SWA1, SWB1) of a disjoint communication path and a communication link (110, 210) connects the sender (SND) to a switch of the disjoint communication path, and wherein

    (a) the switches (SWA, SWA1, SWB, SWB1) are equipped with local clocks, wherein local clocks of non-faulty switches of the switches (SWA, SWB, SWA1, SWB1) are synchronized to each other with a maximum error (precision), and the sender (SND) and all receivers (RCV1, RCV2, RCV3) are equipped with local clocks, wherein the local clocks of a non-faulty sender and of non-faulty receivers are synchronized to the local clocks of the switches with a known error (precision), and the sender (SND) sends the redundant copies (MSGA, MSGB) of a message according to a communication schedule and the receivers know when to expect a message according to the communication schedule, and wherein

    (b) the receivers (RCV1, RCV2, RCV3) are configured to detect failures of switches (SWA, SWA1, SWA2, SWB, SWB1, SWB2), and wherein

    (c) the sender (SND) is configured to forward redundant copies (MSGA, MSGB) of a message to each of the receivers (RCV1, RCV2, RCV3), wherein each of the redundant copies (MSGA, MSGB) designated for a receiver (RCV1, RCV2, RCV3) is forwarded over a different disjoint communication path connecting the sender (SND) with the receiver (RCV1, RCV2, RCV3), and wherein

    (d) at least one switch of each disjoint communication path from the sender (SND) to the receivers (RCV1, RCV2, RCV3) is configured such that the redundant copies (MSGA, MSGB) of the message are forwarded to each receiver (RCV1, RCV2, RCV3) with a temporal distance, CON, between the disjoint communication paths, wherein the temporal distance, CON, is selected such that all non-faulty receivers of the receivers (RCV1, RCV2, RCV3) receive the redundant copies (MSGA, MSGB) in the same receive order when the switches and communication links of the disjoint paths do not exhibit a failure, and wherein

    (e) each receiver (RCV1, RCV2, RCV3) is configured to conclude at least from the receive order of the redundant copies (MSGA, MSGB) of the message whether and which redundant copy (MSGA, MSGB) is to be accepted in order to satisfy the interactive consistency property, and if the conclusion of the receiver (RCV1, RCV2, RCV3) yields that a specific copy (MSGA, MSGB) of the received redundant copies of the message is to be accepted, to accept the specific message, and if the conclusion yields that no copy of the received redundant messages is to be accepted, not to accept any copy.


     
    11. Computer system according to claim 10, wherein in (e), in addition, the validity of the received redundant copies (MSGA, MSGB) is taken into account in order to conclude whether and which redundant copy (MSGA, MSGB) is to be accepted in order to satisfy the interactive consistency property, wherein validity criteria of a message are a valid checksum of the message, or a valid timestamp, or a valid sequence number, or a cryptographic signature.
     
    12. Computer system according to claim 10 or 11, wherein according to (e):

    (i) all non-faulty receivers (RCV1, RCV2, RCV3) which receive two or more redundant copies (MSGA, MSGB) of the message are configured to accept the first valid copy of the redundant copies (MSGA, MSGB) that they receive;

    (ii) all non-faulty receivers (RCV1, RCV2, RCV3) which receive only one valid copy (MSGA, MSGB) of the redundant copies (MSGA, MSGB) of the message are configured to accept this one copy;

    (iii) all non-faulty receivers (RCV1, RCV2, RCV3) which do not receive any redundant copy (MSGA, MSGB) of the redundant copies of the message do not accept a message.


     
    13. Computer system according to claim 10 or 11, wherein according to (e):

    (i) all non-faulty receivers (RCV1, RCV2, RCV3) which receive two or more redundant copies (MSGA, MSGB) of the message are configured to accept the last valid copy of the redundant copies (MSGA, MSGB) that they receive;

    (ii) all non-faulty receivers (RCV1, RCV2, RCV3) which receive only one valid copy (MSGA, MSGB) of the redundant copies (MSGA, MSGB) of the message are configured to accept this one copy;

    (iii) all non-faulty receivers (RCV1, RCV2, RCV3) which do not receive any redundant copy (MSGA, MSGB) of the redundant copies of the message do not accept a message.


     
    14. Computer system according to claim 12 or 13, wherein in item (i) a receiver discards the respective other redundant copy or the respective other redundant copies of the received redundant copies (MSGA, MSGB) of the message.
     
    15. Computer system according to one of claims 10 to 14, wherein the local clocks of the sender (SND) and/or the local clocks of the receivers (RCV1, RCV2, RCV3) are synchronized by means of the IEEE 1588 and/or the IEEE 802.1AS and/or the SAE AS6802 protocol.
     
    16. Computer system according to one of claims 10 to 15, wherein the local clocks of the switches are synchronized by means of the IEEE 1588 and/or the IEEE 802.1AS and/or the SAE AS6802 protocol.
     
    17. Computer system according to one of claims 10 to 16, wherein one, several or preferably all communication links (110) are Ethernet links.
     
    18. Computer system according to one of claims 10 to 17, wherein the temporal distance, CON, is a function of the precision of the communication network, wherein CON > FACTOR · precision, where FACTOR is a natural number greater than 0.
     


    Claims (French text)

    1. Method for establishing an interactive consistency property between receivers (RCV1, RCV2, RCV3) of messages (MSGA, MSGB) in a computer system, in particular a distributed computer system, wherein said messages (MSGA, MSGB) are transmitted to said receivers (RCV1, RCV2, RCV3) by a sender (SND) of said computer system over a communication network connecting the receivers (RCV1, RCV2, RCV3) and the sender (SND), wherein said communication network comprises communication paths for connecting the receivers (RCV1, RCV2, RCV3) to the sender (SND), wherein each of the receivers (RCV1, RCV2, RCV3) is connected to the sender (SND) with at least two disjoint communication paths, wherein each of said disjoint communication paths comprises at least one switch (SWA, SWB, SWA1, SWA2, SWB1, SWB2) and communication links (110, 210; 111, 112, 113, 211, 212, 213), wherein a communication link (111, 112, 113, 211, 212, 213) connects a receiver (RCV1, RCV2, RCV3) to a switch (SWA, SWB; SWA1, SWB1) of a disjoint communication path and a communication link (110, 210) connects the sender (SND) to a switch of said disjoint communication path, and wherein

    (a) the switches (SWA, SWA1, SWB, SWB1) are equipped with local clocks, wherein the local clocks of the non-faulty switches of said switches (SWA, SWB, SWA1, SWB1) are synchronized to each other with a maximum error (precision), and the sender (SND) and all receivers (RCV1, RCV2, RCV3) are equipped with local clocks, wherein the local clocks of a non-faulty sender and of the non-faulty receivers are synchronized to the local clocks of the switches with a known error (precision), and the sender (SND) sends the redundant copies (MSGA, MSGB) of a message according to a communication schedule and the receivers know when to expect a message according to said communication schedule, and wherein

    (b) the receivers (RCV1, RCV2, RCV3) are configured to detect failures of the switches (SWA, SWA1, SWB, SWB1), and wherein

    (c) redundant copies (MSGA, MSGB) of a message are transmitted by the sender (SND) to each of the receivers (RCV1, RCV2, RCV3), wherein each of the redundant copies (MSGA, MSGB) designated for a receiver (RCV1, RCV2, RCV3) is routed over a different disjoint communication path connecting the sender (SND) to said receiver (RCV1, RCV2, RCV3), and wherein

    (d) at least one switch of each disjoint communication path from the sender (SND) to the receivers (RCV1, RCV2, RCV3) is configured such that the redundant copies (MSGA, MSGB) of the message are transmitted to each receiver (RCV1, RCV2, RCV3) with a temporal distance, CON, between the disjoint communication paths, wherein the temporal distance, CON, is selected such that all non-faulty receivers of the receivers (RCV1, RCV2, RCV3) receive the redundant copies (MSGA, MSGB) in the same receive order when the switches and the communication links of the disjoint paths do not exhibit a failure, and wherein

    (e) each receiver (RCV1, RCV2, RCV3) concludes at least from the receive order of the redundant copies (MSGA, MSGB) of the message whether and which redundant copy (MSGA, MSGB) to accept to satisfy the interactive consistency property, and if the conclusion leads to accepting a specific copy (MSGA, MSGB) of the received redundant copies of the message, said specific message is accepted by the receiver, and if the conclusion leads to accepting no copy of the received redundant messages, no copy is accepted by the receiver (RCV1, RCV2, RCV3).


     
    2. Method according to claim 1, wherein in (e), in addition, the validity of the received redundant copies (MSGA, MSGB) of the message is taken into account to conclude whether and which redundant copy (MSGA, MSGB) to accept to satisfy the interactive consistency property, wherein the validity criteria of a message are a valid checksum of the message, or a valid timestamp, or a valid sequence number, or a cryptographic signature.
     
    3. Method according to claim 1 or 2, wherein according to (e):

    (i) all non-faulty receivers (RCV1, RCV2, RCV3) which receive two or more redundant copies (MSGA, MSGB) of the message are configured to accept the first valid copy of the redundant copies (MSGA, MSGB) that they receive;

    (ii) all non-faulty receivers (RCV1, RCV2, RCV3) which receive only one valid copy (MSGA, MSGB) of the redundant copies (MSGA, MSGB) of the message are configured to accept this copy;

    (iii) all non-faulty receivers (RCV1, RCV2, RCV3) which do not receive any redundant copy (MSGA, MSGB) of the redundant copies of the message do not accept a message.


     
    4. Method according to claim 1 or 2, wherein according to (e):

    (i) all non-faulty receivers (RCV1, RCV2, RCV3) which receive two or more redundant copies (MSGA, MSGB) of the message are configured to accept the last valid copy of the redundant copies (MSGA, MSGB) that they receive;

    (ii) all non-faulty receivers (RCV1, RCV2, RCV3) which receive only one valid copy (MSGA, MSGB) of the redundant copies (MSGA, MSGB) of the message are configured to accept this copy;

    (iii) all non-faulty receivers (RCV1, RCV2, RCV3) which do not receive any redundant copy (MSGA, MSGB) of the redundant copies of the message do not accept a message.


     
    5. Method according to claim 3 or 4, wherein in item (i) a receiver rejects the respective other redundant copy or copies of the received redundant copies (MSGA, MSGB) of the message.
     
    6. Method according to one of claims 1 to 5, wherein the local clocks of the sender (SND) and/or the local clocks of the receivers (RCV1, RCV2, RCV3) are synchronized by means of the IEEE 1588 and/or the IEEE 802.1AS protocol and/or the SAE AS6802 protocol.
     
    7. Method according to one of claims 1 to 6, wherein the local clocks of the switches are synchronized by means of the IEEE 1588, and/or the IEEE 802.1AS, and/or the SAE AS6802 protocol.
     
    8. Method according to one of claims 1 to 7, wherein one, several or preferably all communication links (110) are Ethernet links.
     
    9. Method according to one of claims 1 to 8, wherein the distance (duration), CON, is a function of the precision of the communication network, where CON > FACTOR · precision, where FACTOR is a natural number greater than 0.
     
    10. Computer system, in particular distributed computer system, comprising at least one sender (SND) and receivers (RCV1, RCV2, RCV3), wherein for the exchange of messages a sender (SND) is connected to the receivers (RCV1, RCV2, RCV3) over a communication network, wherein said communication network comprises communication paths for connecting the receivers (RCV1, RCV2, RCV3) to the sender (SND), and wherein for establishing an interactive consistency property between the receivers (RCV1, RCV2, RCV3) of messages (MSGA, MSGB), each of the receivers (RCV1, RCV2, RCV3) is connected to the sender (SND) with at least two disjoint communication paths, each of said disjoint communication paths comprising at least one switch (SWA, SWB; SWA1, SWB1) and communication links (110, 210; 111, 112, 113, 211, 212, 213), wherein a communication link (111, 112, 113, 211, 212, 213) connects a receiver (RCV1, RCV2, RCV3) to a switch (SWA, SWB; SWA1, SWB1) of a disjoint communication path and a communication link (110, 210) connects the sender (SND) to a switch of said disjoint communication path, and wherein

    (a) the switches (SWA, SWA1, SWB, SWB1) are equipped with local clocks, wherein the local clocks of the non-faulty switches of said switches (SWA, SWB, SWA1, SWB1) are synchronized to each other with a maximum error (precision), and the sender (SND) and all receivers (RCV1, RCV2, RCV3) are equipped with local clocks, wherein the local clocks of a non-faulty sender and of the non-faulty receivers are synchronized to the local clocks of the switches with a known error (precision), and the sender (SND) sends the redundant copies (MSGA, MSGB) of a message according to a communication schedule and the receivers know when to expect a message according to said communication schedule, and wherein

    (b) the receivers (RCV1, RCV2, RCV3) are configured to detect failures of the switches (SWA, SWA1, SWA2, SWB, SWB1, SWB2), and wherein

    (c) the sender (SND) is configured to transmit redundant copies (MSGA, MSGB) of a message to each of the receivers (RCV1, RCV2, RCV3), wherein each of the redundant copies (MSGA, MSGB) designated for a receiver (RCV1, RCV2, RCV3) is transmitted over a different disjoint communication path connecting the sender (SND) to said receiver (RCV1, RCV2, RCV3), and wherein

    (d) at least one switch of each disjoint communication path from the sender (SND) to the receivers (RCV1, RCV2, RCV3) is configured such that the redundant copies (MSGA, MSGB) of the message are transmitted to each receiver (RCV1, RCV2, RCV3) with a temporal distance, CON, between the disjoint communication paths, where the temporal distance, CON, is selected such that all non-faulty receivers of the receivers (RCV1, RCV2, RCV3) receive the redundant copies (MSGA, MSGB) in the same receive order when the switches and the communication links of the disjoint paths do not exhibit a failure, and wherein

    (e) each receiver (RCV1, RCV2, RCV3) is configured to conclude at least from the receive order of the redundant copies (MSGA, MSGB) of the message whether and which redundant copy (MSGA, MSGB) to accept to satisfy the interactive consistency property, and if the conclusion of the receiver (RCV1, RCV2, RCV3) leads to accepting a specific copy (MSGA, MSGB) of the received redundant copies of the message, to accept said specific message, and if the conclusion leads to accepting no copy of the received redundant messages, not to accept any copy.


     
    11. Computer system according to claim 10, wherein in (e), in addition, the validity of the received redundant copies (MSGA, MSGB) of the message is taken into account to conclude whether and which redundant copy (MSGA, MSGB) to accept to satisfy the interactive consistency property, wherein the validity criteria of a message are a valid checksum of the message, or a valid timestamp, or a valid sequence number, or a cryptographic signature.
     
    12. Computer system according to claim 10 or 11, wherein according to (e):

    (i) all non-faulty receivers (RCV1, RCV2, RCV3) which receive two or more redundant copies (MSGA, MSGB) of the message are configured to accept the first valid copy of the redundant copies (MSGA, MSGB) that they receive;

    (ii) all non-faulty receivers (RCV1, RCV2, RCV3) which receive only one valid copy (MSGA, MSGB) of the redundant copies (MSGA, MSGB) of the message are configured to accept this copy;

    (iii) all non-faulty receivers (RCV1, RCV2, RCV3) which do not receive any redundant copy (MSGA, MSGB) of the redundant copies of the message do not accept a message.


     
    13. Computer system according to claim 10 or 11, wherein according to (e):

    (i) all non-faulty receivers (RCV1, RCV2, RCV3) which receive two or more redundant copies (MSGA, MSGB) of the message are configured to accept the last valid copy of the redundant copies (MSGA, MSGB) that they receive;

    (ii) all non-faulty receivers (RCV1, RCV2, RCV3) which receive only one valid copy (MSGA, MSGB) of the redundant copies (MSGA, MSGB) of the message are configured to accept this copy;

    (iii) all non-faulty receivers (RCV1, RCV2, RCV3) which do not receive any redundant copy (MSGA, MSGB) of the redundant copies of the message do not accept a message.


     
    14. Computer system according to claim 12 or 13, wherein, in item (i), a receiver rejects the respective other redundant copy or copies of the received redundant copies (MSGA, MSGB) of the message.
     
    15. Computer system according to one of claims 10 to 14, wherein the local clocks of the sender (SND) and/or the local clocks of the receivers (RCV1, RCV2, RCV3) are synchronized by means of the IEEE 1588, and/or the IEEE 802.1AS, and/or the SAE AS6802 protocol.
     
    16. Computer system according to one of claims 10 to 15, wherein the local clocks of the switches are synchronized by means of the IEEE 1588 and/or the IEEE 802.1AS and/or the SAE AS6802 protocol.
     
    17. Computer system according to one of claims 10 to 16, wherein several or, preferably, all communication links (110) are Ethernet links.
     
    18. Computer system according to one of claims 10 to 17, wherein the temporal distance, CON, is a function of the precision of the communication network, where CON > FACTOR · precision, where FACTOR is a natural number greater than 0.
     




    Drawing