System and method for supporting automatic protection switching between multiple node pairs using common agent architecture

Abstract

An apparatus and method for a computer system is used for implementing an extended distributed recovery block fault tolerance scheme. The computer system includes a supervisory node, an active node and a standby node. Each of the nodes has a primary routine, an alternate routine and an acceptance test for testing the output of the routines. Each node also includes a device driver, a monitor and a node manager for determining the operational configuration of the node as well as a common agent, the common agent being a hybrid software agent comprising both the characteristics of an EDRB model and a virtual circuit state machine, wherein the attachment objects of the agent are identical regardless of where instances of the agent are located. The supervisory node acts as an arbitrator and coordinates the operation of the active and standby nodes. A reliable data link extends between the monitors of the active and standby nodes.

Description

BACKGROUND OF THE DISCLOSED SUBJECT MATTER

A distributed recovery block integrates hardware and software fault tolerance in a single structure without having to resort to N-version programming. In N-version programming, the goal is to design and code the software module n times and vote on the n results produced by these modules. The recovery block structure represents a dynamic redundancy approach to software fault tolerance. In dynamic redundancy, a single program or module is executed and the result is subject to an acceptance test. Alternate versions are invoked only if the acceptance test fails. The selection of the routine is made during program execution. In its simplest form, as shown in FIG. 1, a standard recovery block structure 100 consists of: a primary routine 110 which executes critical software function; an acceptance test 120 which tests the output of the primary routine after each execution; and at least one alternate routine 115 that performs the same function as the primary routine and is invoked by the acceptance test 120 upon detection of a failure.

In a distributed recovery block 101 the primary and alternate routines are both replicated and are resident on two or more nodes interconnected by a network. This technique enables standby sparing fault tolerance where one node 105a (the active node) is designated primary and another node 105b (the standby node) is a backup. Under fault-free circumstances, the primary node 105a runs the primary routine 110 whereas the backup node 105b runs the alternate routine 115 concurrently.

In case of a failure, the primary node 105a attempts to inform the backup node 105b through the monitor 108 via a heartbeat thread 107. When the backup node 105b receives notification, it assumes the role of the primary node 105a. Since the backup node 105b has been processing the alternate routine 115 concurrently, a result is available immediately for output. Subsequently, recovery time for this type of failure should be much shorter than if both blocks were running on the same node. If the primary node 105a stops processing entirely, no update message will be passed to the backup. The backup detects the crash by means of a local timer in which timer expiry constitutes the time acceptance test. The failed primary node thus transitions to a backup node and through employment of a recovery block reconfiguration strategy, both nodes do not execute the same routine.

A distributed recovery block with real time process control may be referred to as an extended distributed recovery block (EDRB) 102. The EDRB 102 includes a supervisor node 103 connected to the network to verify failure indications and arbitrate inconsistencies and regular, periodic heartbeat status messages.

In the EDRB 102, nodes responsible for control of the process and of related systems are called operational nodes and are considered critical. The operational nodes perform real time control and store unrecoverable state information. A set of dual redundant operational nodes is called a node pair. Multiple redundant operational nodes are node sets.

Regular, periodic status messages are exchanged between node pairs in a node set. The messages are typically referred to as heartbeats. A node is capable of recovering from failures in its companion in standalone fashion if the malfunction has been declared as part of the heartbeat message. If a node detects the absence of a companion's heartbeat, the node requests confirmation of the failure from a secondary node called a supervisor node 103. Although the supervisor node 103 is important to EDRB 102 operation, the supervisor node 103 is typically not crucial because the node's failure only impacts the ability of the system to recover from failures requiring its confirmation or arbitration. The EDRB system can continue to operate without a supervisor node 103 if no other failures occur.

A software structure in a node pair is shown in FIG. 1. Operational nodes employ active redundancy. One node pair member is always active and the other node pair is always in standby if it is functional. The active node 105a executes a primary version of a control process in parallel with an alternate version executed in the standby node 105b. Both nodes check the correctness of the control outputs with the acceptance test 120.

Within an operational node, the EDRB 102 is implemented as a set of processes communicating between node pairs and the supervisor node 103 to control fault detection and recovery. The two processes responsible for node-level fault decision making are the node manager 106 and the monitor 108. The node manager 106 determines the role of the local node (active or standby) and subsequently triggers the use of either the primary routine 110 or the alternate routine 115. If the primary routine 110 acceptance test is passed, the node manager 106 permits a control signal to be passed to device drivers 130 under its control. If the acceptance test 120 is not passed, the active node manager 106a requests the standby node manager 106b to promote to active and immediately send out a result to thereby minimize recovery time.

The monitor 108 associated with the node manager 106 is concerned primarily with generating the heartbeat and determining the state of the companion node. The heartbeat is generally a ping or other rudimentary signal indicating functionality of the respective node. When an operational node fails to issue a heartbeat, the monitor 108 requests permission from the supervisor node 103 to assume control if not already in an active role. If the supervisor node 103 concurs that a heartbeat is absent, consent is transmitted and the standby node 105b is promoted to an active node.

If an active node spuriously decides to become a standby node or a standby node makes an incorrect decision to assume control, the supervisor node 103 will detect the problem from periodic status reports. The supervisor node 103 will then send an arbitration message to the operational nodes to restore consistency.

In many computer networks, particularly in communication systems, the supervisor node 103 is critical and provides frame synchronization and connection routes between the network and users. Thus, the loss of a supervisor node 103 results in loss of the node function. Thus, there is a need for a multiple redundant architecture in which the nodes replicated and the network is replicated. In addition, there is a need for implementation of agent oriented software to facilitate the functionality of such an architecture.

SUMMARY OF THE DISCLOSED SUBJECT MATTER

It is therefore an object of the disclosed subject matter to prove a novel improvement of a computer system implementing an extended distributed recovery block fault tolerance scheme comprising a supervisory node, an active node and a standby node. The active and standby node have a primary routine for executing a software function; an alternate routine for executing the software function; and an acceptance test routine for testing the output of the primary routine and providing a control signal in response thereto. The active and standby nodes also having a device driver for receiving the control signal, a monitor for communicating state information with one or more active or standby nodes, and are operationally connected to a node manager for determining the operational configuration of the node. The primary routine is executed in response to a determination that the node is in an active state and the alternate routine is executed in response to a determination that the node is in a standby state. The supervisory node coordinates the operation of the active node and the standby node. The improvement being the primary and alternate routines of one of the active or standby node are implemented with an application task comprising a plurality of agent objects each operating as a finite state machine operating in either a primary mode executing the primary routine or in an alternate mode executing the alternate routine.

Another object of the disclosed subject matter is an improvement of a computer system, for example an SONET, system implementing an extended distributed recovery block fault tolerance scheme comprising a supervisory node, an active node, and a standby node. The improvement being the primary and alternate routines of the active and standby nodes are each implemented with a plurality of dedicated application tasks each with a plurality of agent objects operating as a finite state machine in either a primary mode executing the primary routine or in an alternate mode executing the alternate routine. The determination of the mode of operation of the agents in a one of the plural dedicated application tasks is determined independently of the mode of operation of the agents in the other of the plural dedicated application tasks.

Still another object of the disclosed subject matter is an improvement of a computer system implementing an extended distributed recovery block fault tolerance scheme having a supervisory node, an active node, and a standby node. The improvement being a primary and alternate routines of the active and standby nodes are each implemented with a plurality of dedicated application tasks each with a plurality of agent objects operating as a finite state machine operating in either a primary mode executing the primary routine or in an alternate mode executing the alternate routine. Each of the agents is implemented with an attachment list comprising data common to the attachment list of at least one other agent.

Yet another object of the disclosed subject matter is an improvement of a single bus software architecture for supporting hardware hot standby redundancy with a supervisor processing node. The improvement of adding a second supervisor processor node, alternatively in an active state, connected to the bus to provide for a redundant supervisory node set.

Another object of the disclosed subject matter is an improvement of a communication system with an active node and a standby node that form a node pair or node set, each node with a node agent. The improvement of using a reliable datalink between the heartbeat monitors of the node pair or set.

Another object of the disclosed subject matter is an improvement of a communication system with an active node and a standby node that form a node pair or node set, each node with a node agent. The improvement involving supporting automatic protection switching between multiple node sets or pairs using common agent architecture.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is an illustration of an extended distributed recovery block EDRB.

FIG. 2 is a representation of an exemplary state transition diagram for Agent Objects.

FIG. 3 is a common agent relationship diagram.

FIG. 4 is a representation of an exemplary node employing agent architecture.

FIG. 5 is a representation of an exemplary heartbeat message cell.

FIG. 6 is a representation of exemplary node sets employing a reliable data link.

FIG. 7 is a representation of an exemplary dual redundancy protection scheme employing a redundant supervisor node and a second data bus.

FIG. 8 is a representation of M:N redundacy for the prior art and the disclosed subject matter.

FIG. 9 is a representation of M:N redundancy for the disclosed subject matter.

DETAILED DESCRIPTION

The implementation of EDRB of the disclosed subject matter employs a hybrid solution, as it blends agent objects (agents) with the structure and control of the EDRB. Application tasks are implemented by agents that are instances of C++ programming. The agents are implemented as finite state machines (circuit state machines) that recognized two distinct modes of operation. One mode executes a primary routine block, and the other executes an alternate routine block. An application task performs the acceptance test block and outputs the results for use by the node manager in that processor node. The present disclosed subject matter is particularly applicable to SONET networks.

As illustrated in FIG. 2, a circuit state machine 200, implementing the agent objects is comprised of 5 states including NOT PRESENT 201, RESTORE 202, STAND-BY 203, ACTIVE 204, and OUT OF SERVICE 205. Circuit state machines are not limited to these states and more or less states are envisioned as required by the requisite application.

The circuit state machine 200 begins in the NOT PRESENT state 201 and stays in this state until a detected event is received. Once detected, the RESTORE state 202 is entered whereby the circuit is reset and circuit initialization is performed. This transition can include successful diagnostic test execution as part of the initialization sequence. If a problem arises during the transition, the state machine may be transitioned to the OUT OF SERVICE state 205 to await further instructions. The OUT OF SERVICE state 205 is a holding state for situations where fatal or unrecoverable errors have occurred. It is also a deliberate state to enter when conducting diagnostic test or when attempting to restore normal operation.

The circuit state machine 200 will stay in the RESTORE state 202 until a ready event is received. Further time may be provided to allow adequate time for concurrent activity that may be required to initialize a circuit. Upon expiration, the state machine automatically transitions to the OUT OF SERVICE state 205.

Upon receipt of a ready event, the circuit state machine 200 transitions to the STAND-BY state 203. In the STAND-BY state 203, the circuit is identified as operational, but not in service for normal use. The circuit state machine 200 stays in the STAND BY state 203 until an enable event is received, whereby it transitions to the ACTIVE state 204. In the ACTIVE state 204, the circuit is operational, i.e. routing traffic, monitoring defects, counting errors, and so on.

Software implements the circuit state machine state event matrix, event procedures and generic methods to provide a virtual behavior mechanism. A common agent is a hybrid software agent comprising both the characteristics of an EDRB model and a virtual circuit state machine, where the attachment objects are identical regardless of where instances of the agent are located or the task the agent is required to perform, and therefore share common behaviors. The common agent uses this generic behavior for software circuits, where blocks of executable code 250 perform as though they are hot-swappable components. In each of the state transitions depicted in FIG. 2, a chain of executable blocks of code are attached. These executable blocks of code are attachments which together form an attachment list 251. When a state transition occurs, each attachment in the attachment list 251 for that transition is executed in order. After each attachment run, a status code is returned. If the status code is anything other than a success, execution of the chain is aborted.

Two additional execution chains are provided for handling the receipt of messages through the corresponding task service queue. One execution chain is provided for messages received when in the ACTIVE state, the other execution chain is provided for messages received while in the STAND-BY state. These chains, as discussed earlier, are the primary and alternate routines, respectively.

When a message is received in the ACTIVE state, it is passed along to each attachment in the primary execution chain 253 until the end is reached or a routine returns unsuccessfully. Likewise, when a message is received while in the STAND-BY state, it is passed along to each attachment in the alternate execution chain 252. If a message is received while the state machine is in any other state, it is ignored. This supports the desired behavior where the agent object is operational when it is either active or stand-by.

The common agent object 300 relationship with neighboring external entities is illustrated in FIG. 3. The Application Support Package (ASP) subsystem 301 (an operating system utility to provide state machines) acts upon the agent object by invoking its operation during task initialization and processing registered state events at startup. The ASP provides a generic task library used by application tasks. The library provides for a standardized internal task architecture and facilitates common software test hooks. The generic task interfaces with the implementation of the application by means of specified user supplied hooks. The task library also uses all of the task level runtime library services to which the application subscribes. These services may include Finite State Machine dispatch and a guaranteed FSM timer service.

As state machine event transitions occur and as service queue task messages are received, the common agent object 300 acts on the executable blocks of code 302 attached at startup or at any point after startup. The circuit state machine behavior can be directed by a redundancy node manager 303 during conditions when system reconfiguration is required and resources in stand by become active for those resources that may have failed. The redundancy node manager 303 can issue commands to groups of agent objects instead of requiring software for each explicit function and procedure to thereby invoke the reconfiguration process.

Common agent objects contain list of common attachment objects which, as discussed above, are blocks of executable code. Agent objects may contain similar or application-specific attachments added in such a fashion as to perform their intended roles and inherently support the redundant system architecture. The attachment lists may also be dynamically modifiable.

FIG. 4 shows an example of an active or standby node 400 having a plurality of dedicated application tasks 404a-c implemented with a plurality of agents 450. The application tasks implement the primary 410 and alternate 415 routines of the active or standby node via the agents 450. The agents 450 execute an attachment list for a primary 410 or alternate 415 routine within the application task each subject to an acceptance test. A plurality of agents within an application task may run the primary or alternate routines, which may or may not have different attachment lists. As illustrated in FIG. 4, the operation of the agents 450 in application task 404a are independent of the operation of the agents 450 in the other application tasks 404b, 404c.

A first set of agents within an application task operate in the primary mode while the remainder of agents operate in the alternate mode. The agents are configured such that a number of agents in a second set backup a number of agents in the first set of agents. The number of agents in each set may or may not be equal; furthermore, each agent of the second set of agents may back up each of the agents in the first set. Such a system allows for M to N protection of the computer system at the application task level.

During system initialization, agents register data ownership and subscribe to data required for accomplishing assigned roles and processes. The data is common to all the agents. Blocks of the same executable code shared by the agents are contained in common attachment lists. The attachment lists are dynamically modifiable as a function of the status of the computer system.

One or more agent objects can implement each of the application tasks. The application tasks perform the acceptance test block 420 and output the results for use by the node manager in that processor node. The acceptance test block 420 is a test dedicated and contained within the application task. The node manager, upon acceptance, sends the data to the respective one or more device drivers 430.

Each node in the node pair or set is connected to a companion node, as discussed above, via a heartbeat thread to a monitor and the node agent of each companion node. The heartbeat thread carries a heartbeat signal. The heartbeat signal contains the node roles, version and frame number incremented at the beginning of each new heartbeat frame. Preferably the heartbeat thread is a reliable datalink between the monitors of the node pair. For example, applying high-level data link control (HDLC) procedures would be a desirable implementation for the heartbeat thread, where the datalink message retransmission queues can be tuned to the needs of the system in a deterministic fashion. Such an implementation is illustrated in the heartbeat message cell of FIG. 5.

As illustrated in FIG. 5, the content of the heartbeat message cell 500 is in octet format. The contents form either unnumbered 510, supervisory 520, or heartbeat 530 information message frames, depending upon the state of the monitors in each participating node pair and address frame 501. The message format enforces a level of integrity between node pairs to manage standby activation and signaling between field replacement units (FRU). An FRU is a unit that service personnel replace in the field. The message is terminated with a frame check sequence (FCS) field 540. In this instance, the FCS field 540 is an 8 bit sequence and invalid frames are frames which have fewer than 3 octets, contains a frame check sequence error, or contain an address that is not supported.

The address field 501 consists of a command/response bit (C/R) 502, a service access point identifier (SAPI) subfield 503 and a terminal endpoint identifier (TEI) subfield 504. The C/R bit identifies a frame as either a command or a response. The backup node sends commands with the C/R bit set to 0 and responses with the C/R bit set to 1. The primary node does the opposite, commands are sent with the C/R bit set to 1 and responses are sent with the C/R bit set to 0. In conformance with HDLC high-level data link control rules, both node pair entities use the same datalink connection identifier composed of the SAPI-TEI pair. The SAPI is used to correspond the processor node slot with the computer system connection. The TEI is used to map the connection to a specific network interface.

An unnumbered (U) format 510 is used to provide data link control function which is primarily utilized in establishing and relinquishing link control. A supervisory (S) format 520 is used to perform data link supervisory control function such as acknowledging heartbeat information format (I-frames), requesting transmissions of I-frames, and requesting temporary suspension of the transmission of I-frames. Each supervisory frame has an N(R) sequence number which may or may not acknowledge additional I-frames. The I-frames 530 are used to perform normal information transfer between node pairs or node sets regarding automatic protection switching and operational status. Each I-frame has an N(S) sequence number, an N(R) sequence number which may or may not acknowledge additional I-frames, and a P bit that may be set to 0 or 1. K1 and K2 are signaling byte information maintained between node pairs and sets of node pairs. A poll/final (P/F) bit is incorporated in all frames. The P/F bit serves a function in both command frames and response frames. In command frames the P/F bit may be referred to as the P bit (poll), in response frames it is referred to as the F bit (final). The P bit is set to 1 by a node pair to solicit a response frame from the peer node. The F bit is set to 1 by a node pair to a response frame transmitted as a result of a soliciting command. The function of N(S), N(R), P and P/F are independent.

The receive sequence number N(R) is the expected send sequence number of the next received I-frame. At the time that an I or S frame is designated for transmission, the value of N(R) is equal to the number of I frames acknowledged by the node entity. N(R) indicates that the node entity transmitting the N(R) has correctly received all the I-frames numbered up to and including N(R)−1. The send sequence number N(S) is the send sequence number of transmitted I-frames. It is only used in I-frames. At the time that an in-sequence I-frame is designated for transmission, the value of N(S) is set equal to the current sequence number for the I-frame to be transmitted.

The supervisory command sequence comprises receive ready, reject and receive not ready commands. The unnumbered control function includes expand mode, disconnected mode, disconnect unnumbered acknowledgment and frame reject.

The expand mode command is used to place the addressed backup or primary node into multiple frame acknowledged operation. A node pair confirms acceptance of any expand mode command by the transmission at the first opportunity of an unnumbered acknowledgement response. Upon acceptance of this command, the node pair entity sequence and transmission counter are set to 0. The transmission of an expand mode command indicates the clearance of all exception conditions. Exception conditions are delays, retransmit counters, erred messages of other conditions outside of normal messages. Previously transmitted I-frames that are unacknowledged when the expand mode command is processed remain unacknowledged and are discarded.

The disconnected command terminates the multiple frame operation, such as when the network operator decides to take a node pair out of service or change the backup node. The node pair entity receiving the disconnect command confirms the acceptance by the transmission of an unnumbered acknowledgement response. The node pair entity sending the disconnect command terminates the multiple frame operation upon receipt of the unnumbered acknowledgment response or the disconnected mode response.

The receive ready command indicates when a node set is ready to receive an I-frame, acknowledge previously received I-frames or clear a busy condition indicated by an earlier transmission of a receive not ready command by the same node set. The reject command is used by a node pair entity to request retransmission of I-frames starting with the frame numbered N(R). The value of N(R) in the reject frame acknowledges I-frames numbered up to and including N(R)−1. Only one rejection exception condition for a given direction of information transfer is established at a time. The rejection condition is cleared upon the receipt of an I frame with an N(S) equal to the N(R) of the reject frame.

The receive not ready command indicates a busy condition, that is, a temporary inability to accept additional incoming I-frames. The value N(R) in the receive not ready command acknowledges I-frames numbered up to and including N(R)−1. The unnumbered response acknowledges the receipt and acceptance of mode setting commands expand and disconnected. The disconnected mode response reports to its peer that the heartbeat link is in a state such that multiple frame operation cannot be performed. The frame reject response reports an error condition not recoverable by retransmission of the identical frame.

A configuration of nodes employing a reliable data link is shown in FIG. 6. Node pair 601 includes processor nodes 605a and 605b connected by a reliable data link 680. Similarly, node set 602 includes multiple processor nodes 605c-e which are connected by the reliable data link 680. Each node contains a node agent 650 and a monitor. Again the node agent 650 is preferable an instance of C++ programming and resides on the node. The device or line interfaces relay data messages to the node agent 650 which can include externally generated SONET automatic protection switching commands and line interface status. The node pairs or node sets may also include a recovery agent.

The node agent though the monitor accepts and filters line interface statuses and SONET external automatic protection switching commands though the reliable data link and provide a more sophisticated communication between node agents in a node pair or set. As a result, if a card failure occurs, i.e. the node goes down, the reliable data link will break, and thus as discussed earlier, the standby node will attempt to go on line unless preempted by the supervisor node or the recovery agent. However, in case of a line failure, the data link stays up and the active processor node signals standby processor node of failure and the standby node becomes active unless preempted.

FIG. 7 illustrates an exemplary node pair 701 and node set 702 with dual redundant supervisor nodes. Each node 705a-e containing a monitor 708 are attached to other node sets via a heartbeat thread 707. The nodes execute application tasks 704 implemented by agents 750 which run a primary 710 or alternate 715 routine. For each node set, one node is active while the remainder are in standby mode. The first supervisor node 730 is active and connected to the node sets via a first bus 732. The second supervisor node 731 is connected to node sets via a second bus 733. The first and the second buses are operationally connected to the processor nodes. The supervisor nodes abstractly operate much like a node pair, in that when one is active the other is in standby mode. Likewise, the supervisor nodes 730 and 731 may employ the use of a heartbeat signal between their respective monitors 708. Each of the supervisor nodes is connected to the processor nodes via a different bus or buses. A multitude of additional supervisor nodes may be used, along with additional buses configured much in the same manner as described above. Implementation of more than two supervisor nodes allows for multiple redundancies in which multiple stand by supervisor nodes backup multiple active supervisor nodes.

A plurality of agents may reside upon the supervisor nodes including, as previously discussed, a recovery agent which is an instance of C++ programming. The recovery agent directs or overrides the transition of nodes between active and standby. The recovery agent fulfills one or more of the supervisory roles.

The processor and agent architecture described herein is particularly suited for use in a point-to-multipoint wireless communication system used to communicate from a central location to each of a plurality of remotes sites where reliable connections are required such as a SONET system. Such a system that provides high speed bridging of a physical gap between a plurality of processor based systems is ultimately dependent on the fault tolerance and recovery capability of the processors which comprise its structure.

A feature of automatic protection switching between multiple node pairs using common agent architecture as eluded to previously is M:N redundancy which has many benefits over the prior art.

As shown in FIG. 8, a specific node set 800 is illustrated where 2 nodes are active 801, 802 and 3 nodes are in standby 803, 804, 805. The prior art solution requires 6 heartbeat links as shown: A-C 851; A-D 852; A-E 853; B-C 861; B-D 862; and B-E 863.

This, of course, assumes that the prior art solution can be shown to arbitrate as to which of the 3 standby nodes (C, D, or E) will take over if A, B, or both A and B fail. However, the prior art solution does not reveal such capability directly or indirectly. As a result, the prior art solution results in an inefficient use of resource in an M:N situation such that as each subsequent node is added or removed (active or standby) and a number of links equal to the number of opposing nodes (standby or active, respectively) must be added or removed.

Applying the present subject matter to the above example, the common agent solution requires only 2 heartbeat links 881, 882 between each active node and a corresponding standby node from the available pool of standby nodes in the node set: A-C 881; B-D 882; E (standby, available to replace C or D at any time) as shown in FIG. 9.

Multiple instances of shared behavior, which is characteristic of common agents, permit any number of standby nodes to participate and establish a new heartbeat link if the current standby for any of the active nodes becomes inactive or inoperable. The supervisory node acts as arbitrator as to which of the available standby nodes replaces the previous standby node in a real-time environment where agents can respond more quickly. No such mechanism is directly or indirectly expressed in the prior art.

Using the above example further, an additional standby node (F) 806 is installed in the running system and added to the node set 800 as shown in FIG. 8. In the common agent solution, the addition is recognized by all agents, and F 806 seeing all active nodes is protected and does nothing. In the prior art, two additional heartbeat links are established 854, 864 as part of the manual installation provisioning.

If another active node (G) 807 is installed and added to this node set as shown in FIG. 10b, the prior art solution requires four more heartbeat line to be established 871, 872, 873, 874 as part of the manual installation provisioning; whereas, in the common agent solution, the addition is recognized by all agents, E 805 and F 806 and upon identifying that G 807 is unprotected, both agents respond. The arbitration node elects E (not shown) 805 to establish the heartbeat link 883. F 806 stops responding and does nothing. The arbitration node equally may have selected F; however, this example is meant to be illustrative only and not exhaustive.

Assuming, for illustration purposes, standby node D fails: in the common agent solution as before, the change is recognized by all agents, and F 806, being the only unassigned standby node in the node set, responds by establishing a new heartbeat link 884 with B 802. In the prior art solution, heartbeat links are lost with A, B, and G.

FIG. 9 illustrates an example where active node A fails: in the common agent solution, C is immediately promoted as an active node and A is moved to standby. There are not any standby nodes that are unassigned, thus the other standby nodes do not respond. The arbitration node then elects F (which is also protecting B) to establish another heartbeat link 885 with C. All active nodes remain protected. In the prior art solution as noted, it is unclear which of the three standby nodes (C, E, F) will replace A. No arbitration mechanism or method is expressed or implied to take corrective action in 1:N or even M:N redundancy. For the sake of making a comparison, it was broadly assumed earlier in this scenario that there was some means to use the prior art solution in a layered fashion with multiple 1:1 links to standby nodes. Further assumptions were made to say that these links were prioritized by which links were established first.

By broadly continuing in this fashion for the prior art solution, C is still a subordinate to the nodes it protected (A, B, and G). Even if another standby node was added, the prior art solution does not provide a mechanism or method to allow C to automatically pair with anything other than what is was paired with originally.

If standby node D is restored: in the common agent solution using the same identical behavior as noted previously, the failure is recognized by all agents, and D, seeing all active nodes are protected does nothing. The arbitration node elects D to establish another heartbeat link with C and instructs F to break its heartbeat link with C, thus automatically taking advantage of the additional standby asset. No such facility exists in the prior art, other than manually re-provisioning the system which may or may not induce traffic loss.

The scenario described previously is a simple description of the differences between both solutions. A more involved scenario can be described where the arbitration node is involved during race conditions between multiple node failures and node activations. In absence of such an arbitration node in the McKnight specification, the common agent approach ensures full continuity in 1:1, 1:N, and M:N redundancy configurations. This continuity is extended throughout a system where, typically, multiple node sets would be used.

The prior art solution could be used in an M:N configuration as the scenario illustrates. But as the scenario also illustrates, those skilled in the art would likely exclude such a solution due to the unnecessary communication overhead, additional processing requirements, and provisioning complexity to maintain the equivalent functionality found in the common agent approach.

Although the disclosed subject matter has been described in a preferred form with a certain degree of particularity, it is understood that the present disclosure of the preferred form has been made only by way of example, and that numerous changes in the details of construction and combination and arrangement of parts may be made without departing from the spirit and scope of the disclosed subject matter as hereinafter claimed. It is intended that the patent shall cover by suitable expression in the appended claims, those features of patentable novelty that exists in the disclosed subject matter disclosed.

Claims

1. A communication system with an active node and a standby node forming a node pair, each node with a node agent and a heartbeat monitor, the improvement comprising a reliable datalink between heartbeat monitors of the node pair and wherein the node agent is a common agent.

2. The system of claim 1 wherein the common node agents include line interface status and external SONET automatic protection switching commands filters.

3. The method of claim 2 wherein the active node initiates the SONET automatic protection switching commands.

4. The system of claim 1, wherein the reliable datalink transmits a heartbeat message.

5. The system of claim 4, wherein the heartbeat message comprises an address field.

6. The system of claim 5, wherein the heart beat message further comprises a data link control field establishing and relinquishing link control.

7. The system of claim 5, wherein the heart beat message further comprises supervisory fields to perform data link supervisory control functions.

8. The system of claim 7, wherein the supervisory control functions comprises acknowledge I frames, request retransmission of I frames, or request temporary suspension of transmission of I frames.

9. The system of claim 5, wherein the heartbeat message further comprises heartbeat information fields to perform information transfer between the node pair.

10. The system of claim 1, wherein the communication system is for broadband short distance radio communication of bursty data from one computer network to another computer network and wherein the communication system is an adaptive Time Division duplex system.

11. A communication system with at least one active node and at least one standby node, forming a node set, each node with a node agent and a heartbeat monitor, the improvement comprising a reliable data link between the heartbeat monitor of each active node and the heartbeat monitor of a corresponding standby node selected from the node set by an arbitration node.

12. The system of claim 11, wherein the node agents include SONET Automatic protection switching command filters.

13. The method of claim 12, wherein the at least one active node initiates the SONET Automatic protection switching commands.

14. The system of claim 11, wherein the reliable datalink transmits a heartbeat message.

15. The system of claim 14, wherein the heartbeat message comprises an address field.

16. The system of claim 15, wherein the heart beat message further comprises a data link control field establishing and relinquishing link control.

17. The system of claim 15, wherein the heart beat message further comprises supervisory fields to perform data link supervisory control functions.

18. The system of claim 17, wherein the supervisory control functions comprises acknowledge I frames, request retransmission of I frames, or request temporary suspension of transmission of I frames.

19. The system of claim 15, wherein the heartbeat message further comprises heartbeat information fields to perform information transfer between the nodes in the node set.

20. The system of claim 11, wherein the communication system is a time division duplex communication system for broadband short distance radio communication of bursty data from one computer network to another computer network and the communication system is an adaptive Time Division duplex system.

21. In a communication system with at least one active node and at least one standby node forming a node set, each node with a node agent, the improvement of supporting automatic protection switching between the at least one active node and a corresponding one of the at least one standby node of the node set-using common Agent architecture wherein the node agent is a common agent.

22. The system of claim 21, wherein the node agents filter line interface status and external SONET APS commands.

23. The method of claim 22, wherein the SONET APS commands are initiated from the active node.

24. The method of claim 21, wherein the corresponding one of the at least one standby node is selected from the node set by an arbitration node.

25. The method of claim 24, wherein the arbitration node comprises a recovery agent, the recovery agent capable of directing or overriding transition of nodes between active and standby.

26. The method of claim 25, wherein upon failure of a card forming the active node, the reliable data link breaks and the standby node transitions to active.

27. The method of claim 25, wherein upon failure of a line of the active node the active node signals the standby node to transition to active.

28. The system of claim 11, wherein the agent is a hybrid software agent comprising both the characteristics of an EDRB model and a virtual circuit state machine, wherein the attachment objects of the agent are identical regardless of where instances of the agent are located.