Tandem Computers


Tandem Computers, Inc. was the dominant manufacturer of fault-tolerant computer systems for ATM networks, banks, stock exchanges, telephone switching centers, and other similar commercial transaction processing applications requiring maximum uptime and zero data loss. The company was founded by Jimmy Treybig in 1974 in Cupertino, California. It remained independent until 1997, when it became a server division within Compaq. It is now a server division within Hewlett Packard Enterprise, following Hewlett-Packard's acquisition of Compaq and the split of Hewlett Packard into HP Inc. and Hewlett Packard Enterprise.
Tandem's NonStop systems use a number of independent identical processors and redundant storage devices and controllers to provide automatic high-speed "failover" in the case of a hardware or software failure. To contain the scope of failures and of corrupted data, these multi-computer systems have no shared central components, not even main memory. Conventional multi-computer systems all use shared memories and work directly on shared data objects. Instead, NonStop processors cooperate by exchanging messages across a reliable fabric, and software takes periodic snapshots for possible rollback of program memory state.
Besides handling failures well, this "shared-nothing" messaging system design also scales extremely well to the largest commercial workloads. Each doubling of the total number of processors would double system throughput, up to the maximum configuration of 4000 processors. In contrast, the performance of conventional multiprocessor systems is limited by the speed of some shared memory, bus, or switch. Adding more than 4–8 processors in that manner gives no further system speedup. NonStop systems have more often been bought to meet scaling requirements than for extreme fault tolerance. They compete well against IBM's largest mainframes, despite being built from simpler minicomputer technology.

Founding

Tandem Computers was founded in 1974 by James Treybig. Treybig first saw the market need for fault tolerance in OLTP systems while running a marketing team for Hewlett Packard's HP 3000 computer division, but HP was not interested in developing for this niche. He then joined the venture capital firm Kleiner & Perkins and developed the Tandem business plan there. Treybig pulled together a core engineering team hired away from the HP 3000 division: Mike Green, Jim Katzman, Dave Mackie and Jack Loustaunou. Their business plan called for ultra-reliable systems that never had outages and never lost or corrupted data. These were modular in a new way that was safe from all "single-point failures", yet would be only marginally more expensive than conventional non-fault-tolerant systems. They would be less expensive and support more throughput than some existing ad-hoc toughened systems that used redundant but usually required "hot spares".
Each engineer was confident they could quickly pull off their own part of this tricky new design, but doubted that others' areas could be worked out. The parts of the hardware and software design that did not have to be different were largely based on incremental improvements to the familiar hardware and software designs of the HP 3000. Many subsequent engineers and programmers also came from HP. Tandem headquarters in Cupertino, California, were a quarter mile away from the HP offices. Initial venture capital investment in Tandem Computers came from Tom Perkins, who was formerly a general manager of the HP 3000 division.
The business plan included detailed ideas for building a unique corporate culture reflecting Treybig's values.
The design of the initial Tandem/16 hardware was completed in 1975 and the first system shipped to Citibank in May 1976.
The company enjoyed uninterrupted exponential growth up through 1983. Inc. magazine ranked Tandem as the fastest-growing public company in America.

Tandem NonStop (TNS) stack machines

Over 40 years, Tandem's main NonStop product line has grown and evolved in an upward-compatible way from the initial T/16 fault-tolerant system, with three major changes to date to its top-level modular architecture or its programming-level instruction set architecture. Within each series, there have been several major re-implementations as chip technology progressed.
While conventional systems of the era, including large mainframes, had mean-time-between-failures on the order of a few days, the NonStop system was designed to failure intervals 100 times longer, with uptimes measured in years. Nevertheless, the NonStop was designed to be price-competitive with conventional systems, with a simple 2-CPU system priced at just over twice that of a competing single-processor mainframe, as opposed to four or more times of other fault-tolerant solutions.

Nonstop I

The first system was the Tandem/16 or T/16, later re-branded NonStop I. The machine consisted of between two and 16 CPUs, organized as a fault-tolerant computer cluster packaged in a single rack. Each CPU had its own private, unshared memory, its own I/O processor, its own private I/O bus to connect to I/O controllers, and dual connections to all the other CPUs over a custom inter-CPU backplane bus called Dynabus. Each disk controller or network controller was duplicated and had dual connections to both CPUs and devices. Each disk was mirrored, with separate connections to two independent disk controllers. If a disk failed, its data was still available from its mirrored copy. If a CPU or controller or bus failed, the disk was still reachable through alternative CPU, controller, and/or bus. Each disk or network controller was connected to two independent CPUs. Power supplies were each wired to only one side of some pair of CPUs, controllers, or buses, so that the system would keep running well without loss of connections if one power supply failed. The careful complex arrangement of parts and connections in customers' larger configurations were documented in a Mackie diagram, named after lead salesman David Mackie who invented the notation.
None of these duplicated parts were wasted "hot spares"; everything added to system throughput during normal operations.
Besides recovering well from failed parts, the T/16 was also designed to detect as many kinds of intermittent failures as possible, as soon as possible. This prompt detection is called "fail fast". The point was to find and isolate corrupted data before it was permanently written into databases and other disk files. In the T/16, error detection was by some added custom circuits that added little cost to the total design; no major parts were duplicated just to get error detection.
The T/16 CPU was a proprietary design. It was greatly influenced by the HP 3000 minicomputer. They were both microprogrammed, 16-bit, stack-based machines with segmented, 16-bit virtual addressing. Both were intended to be programmed exclusively in high-level languages, with no use of assembler. Both were initially implemented via standard low-density TTL chips, each holding a 4-bit slice of the 16-bit ALU. Both had a small number of top-of-stack, 16-bit data registers plus some extra address registers for accessing the memory stack. Both used Huffman encoding of operand address offsets, to fit a large variety of address modes and offset sizes into the 16-bit instruction format with very good code density. Both relied heavily on pools of indirect addresses to overcome the short instruction format. Both supported larger 32- and 64-bit operands via multiple ALU cycles, and memory-to-memory string operations. Both used "big-endian" addressing of long versus short memory operands. These features had all been inspired by Burroughs B5500-B6800 mainframe stack machines.
The T/16 instruction set changed several features from the HP 3000 design. The T/16 supported paged virtual memory from the beginning. The HP 3000 series did not add paging until the PA-RISC generation, 10 years later. Tandem added support for 32-bit addressing in its second machine; HP 3000 lacked this until its PA-RISC generation. Paging and long addresses was critical for supporting complex system software and large applications. The T/16 treated its top-of-stack registers in a novel way; the compiler, not the microcode, was responsible for deciding when full registers were spilled to the memory stack and when empty registers were re-filled from the memory stack. On the HP 3000, this decision took extra microcode cycles in every instruction. The HP 3000 supported COBOL with several instructions for calculating directly on arbitrary-length BCD strings of digits. The T/16 simplified this to single instructions for converting between BCD strings and 64-bit binary integers.
In the T/16, each CPU consisted of two boards of TTL logic and SRAMs, and ran at about 0.7 MIPS. At any instant, it could access only four virtual memory segments, each limited to 128 kB in size. The 16-bit address spaces were already too small for major applications when it shipped.
The first release of T/16 had only a single programming language, Transaction Application Language. This was an efficient machine-dependent systems programming language but could also be used for non-portable applications. It was derived from HP 3000's System Programming Language. Both had semantics similar to C but a syntax based on Burroughs' ALGOL. Subsequent releases added support for Cobol74, Fortran, and MUMPS.
The Tandem NonStop series ran a custom operating system which was significantly different from Unix or HP 3000's MPE. It was initially called T/TOS but soon named Guardian for its ability to protect all data from machine faults or software faults. In contrast to all other commercial operating systems, Guardian was based on message passing as the basic way for all processes to interact, without shared memory, regardless of where the processes were running. This approach easily scaled to multiple-computer clusters and helped isolate corrupted data before it propagated.
All file system processes and all transactional application processes were structured as master/slave pairs of processes running in separate CPUs. The slave process periodically took snapshots of the master's memory state, and took over the workload if and when the master process ran into trouble. This allowed the application to survive failures in any CPU or its associated devices, without data loss. It further allowed recovery from some intermittent-style software failures. Between failures, the monitoring by the slave process added some performance overhead but this was far less than the 100% duplication in other system designs. Some major early applications were directly coded in this checkpoint style, but most instead used various Tandem software layers which hid the details of this in a semi-portable way.

NonStop II

In 1981, all T/16 CPUs were replaced by the NonStop II. Its main difference from the T/16 was support for occasional 32-bit addressing via a user-switchable "extended data segment". This supported the next ten years of growth in software and was a huge advantage over the T/16 or HP 3000. Unfortunately, visible registers remained 16-bit, and this unplanned addition to the instruction set required executing many instructions per memory reference compared to most 32-bit minicomputers. All subsequent TNS computers were hampered by this instruction set inefficiency. Also, the NonStop II lacked wider internal data paths and so required additional microcode steps for 32-bit addresses. A NonStop II CPU had three boards, using chips and design similar to the T/16. The NonStop II also replaced core memory with battery-backed DRAM memory.

NonStop TXP

In 1983, the NonStop TXP CPU was the first entirely new implementation of the TNS instruction set architecture. It was built from standard TTL chips and Programmed Array Logic chips, with four boards per CPU module. It had Tandem's first use of cache memory. It had a more direct implementation of 32-bit addressing, but still sent them through 16-bit adders. A wider microcode store allowed a major reduction in the cycles executed per instruction; speed increased to 2.0 MIPS. It used the same rack packaging, controllers, backplane, and buses as before. The Dynabus and I/O buses has been overdesigned in the T/16 so they would work for several generations of upgrades.

FOX

Up to 14 TXP and NonStop II systems could now be combined via FOX, a long-distance fault-tolerant fibre optic bus for connecting TNS clusters across a business campus; a cluster of clusters with a total of 224 CPUs. This allowed further scale-up for taking on the largest mainframe applications. Like the CPU modules within the computers, Guardian could failover entire task sets to other machines in the network. Worldwide clusters of 4000 CPUs could also be built via conventional long-haul network links.

NonStop VLX

In 1986, Tandem introduced a third generation CPU, the NonStop VLX. It had 32-bit datapaths, wider microcode, 12 MHz cycle time, and a peak rate of one instruction per microcycle. It was built from three boards of ECL gate array chips. It had a revised Dynabus with speed raised to 20 Mbytes/sec per link, 40 Mbytes/sec total. FOX II increased the physical diameter of TNS clusters to 4 kilometers.
Tandem's initial database support was only for hierarchical, non-relational databases via the ENSCRIBE file system. This was extended into a relational database called ENCOMPASS. In 1986 Tandem introduced the first fault-tolerant SQL database, NonStop SQL. Developed totally in-house, NonStop SQL includes a number of features based on Guardian to ensure data validity across nodes. NonStop SQL is famous for scaling linearly in performance with the number of nodes added to the system, whereas most databases had performance that plateaued quite quickly, often after just two CPUs. A later version released in 1989 added transactions that could be spread over nodes, a feature that remained unique for some time. NonStop SQL continued to evolve, first as SQL/MP and then SQL/MX, which transitioned from Tandem to Compaq to HP. The code remains in use in both HP's SQL/MX and the Apache Trafodion project.

NonStop CLX

In 1987 Tandem introduced the NonStop CLX, a low-cost less-expandable minicomputer system. Its role was for growing the low end of the fault-tolerant market, and for deploying on the remote edges of large Tandem networks. Its initial performance was roughly similar to the TXP; later versions were about 20% slower than a VLX. Its small cabinet could be installed into any "copier room" office environment. A CLX CPU was one board, containing six "compiled silicon" ASIC CMOS chips. The CPU core chip was duplicated and lock stepped for maximal error detection. Pinout was a main limitation of this chip technology. Microcode, cache, and TLB were all external to the CPU core and shared a single bus and single SRAM memory bank. As a result, CLX required at least two machine cycles per instruction.

NonStop Cyclone

In 1989 Tandem introduced the NonStop Cyclone, a fast but expensive system for the mainframe end of the market. Each self-checking CPU took three boards full of hot-running ECL gate array chips, plus memory boards. Despite being microprogrammed, the CPU was superscalar, often completing two instructions per cache cycle. This was accomplished by having a separate microcode routine for every common pair of instructions. That fused pair of stack instructions generally accomplished the same work as a single instruction of normal 32-bit minicomputers. Cyclone processors were packaged as sections of four CPUs each, and the sections joined by a fiber optic version of Dynabus.
Like Tandem's prior high end machines, Cyclone cabinets were styled with lots of angular black to suggest strength and power. Advertising videos directly compared Cyclone to the Lockheed SR-71 Blackbird Mach 3 spy plane. Cyclone's name was supposed to represent its unstoppable speed in roaring through OLTP workloads. Announcement day was October 17 and the press came to town. That afternoon, the region was struck by the magnitude 6.9 Loma Prieta earthquake, causing freeway collapses in Oakland and major fires in San Francisco. Tandem offices were shaken, but no one was badly hurt on site. This was the first and last time that Tandem named its products after a natural disaster.

Other product lines

Rainbow

In 1980–1983, Tandem attempted to re-design its entire hardware and software stack to put its NonStop methods on a stronger foundation than its inherited HP 3000 traits. Rainbow's hardware was a 32-bit register-file machine that aimed to be better than a VAX. For reliable programming, the main programming language was "TPL", a subset of Ada. At that time, people barely understood how to compile Ada to unoptimized code. There was no migration path for existing NonStop system software coded in TAL. The OS and database and Cobol compilers were entirely redesigned. Customers would see it as a totally disjoint product line requiring all-new software from them. The software side of this ambitious project took much longer than planned. The hardware was already obsolete and out-performed by TXP before its software was ready, so the Rainbow project was abandoned. All subsequent efforts emphasized upward compatibility and easy migration paths.
Development of Rainbow's advanced client/server application development framework called "Crystal" continued awhile longer and was spun off as the "Ellipse" product of Cooperative Systems Inc.

Dynamite PC

In 1985, Tandem attempted to grab a piece of the rapidly growing personal computer market with its introduction of the MS-DOS based Dynamite PC/workstation. Sadly, numerous design compromises relegated the Dynamite to serving primarily as a smart terminal. It was quietly and quickly withdrawn from the market.

Integrity

Tandem's message-based NonStop operating system had advantages for scaling, extreme reliability, and efficiently using expensive "spare" resources. But many potential customers wanted just good-enough reliability in a small system, using a familiar Unix operating system and industry-standard programs. Tandem's various fault-tolerant competitors all adopted a simpler hardware-only memory-centric design where all recovery was done by switching between hot spares. The most successful competitor was Stratus Technologies, whose machines were re-marketed by IBM as "IBM System/88".
In such systems, the spare processors do not contribute to system throughput between failures, but merely redundantly execute exactly the same data thread as the active processor at the same instant, in "lock step". Faults are detected by seeing when the cloned processors' outputs diverged. To detect failures, the system must have two physical processors for each logical, active processor. To also implement automatic failover recovery, the system must have three or four physical processors for each logical processor. The triple or quadruple cost of this sparing is practical when the duplicated parts are commodity single-chip microprocessors.
Tandem's products for this market began with the Integrity line in 1989, using MIPS processors and a "NonStop UX" variant of Unix. It was developed in Austin TX. In 1991, the Integrity S2 used TMR, Triple Modular Redundancy, where each logical CPU used three MIPS R2000 microprocessors to execute the same data thread, with voting to find and lock out a failed part. Their fast clocks could not be synchronized as in strict lock stepping, so voting instead happened at each interrupt. Some other version of Integrity used 4x "pair and spares" redundancy. Pairs of processors ran in lock-step to check each other. When they disagreed, both processors were marked untrusted and their workload was taken over by a hot-spare pair of processors whose state was already current. In 1995, the Integrity S4000 was the first to use ServerNet and moved toward sharing peripherals with the NonStop line.

Wolfpack

In 1995–1997, Tandem partnered with Microsoft to implement high-availability features and advanced SQL configurations in clusters of commodity Windows NT machines. This project was called "Wolfpack" and first shipped as Microsoft Cluster Server in 1997. Microsoft benefited greatly from this partnership; Tandem did not.

TNS/R NonStop migration to MIPS

When Tandem was formed in 1974, every computer company had to design and build its CPUs from basic circuits, using its own proprietary instruction set and own compilers etc. With each year of semiconductor progress with Moore's Law, more of a CPU's core circuits could fit into single chips, and run faster and much cheaper as a result. But it became increasingly expensive for a computer company to design those advanced custom chips, or build the plants to fabricate the chips. Facing the challenges of this rapidly changing marketplace and manufacturing landscape, Tandem chose to partner with MIPS and adopted its R3000 and successor chipsets and their advanced optimizing compiler. Subsequent NonStop Guardian machines using the MIPS architecture were known to programmers as TNS/R machines, but had a variety of marketing names.

Cyclone/R

In 1991, Tandem released the Cyclone/R, also known as CLX/R. This was a low cost mid-range system based on CLX components, but used R3000 microprocessors instead of the much slower CLX stack machine board. To minimize time to market, this machine was initially shipped without any MIPS native-mode software. Everything, including its NSK operating system and SQL database, was compiled to TNS stack machine code. That object code was then translated to equivalent partially optimized MIPS instruction sequences at kernel install time by a tool called the Accelerator. Less-important programs could also be executed directly without pre-translation, via a TNS code interpreter. These migration techniques were very successful and are still in use today. Everyone's software was brought over without extra work, and the performance was good enough for mid-range machines, and programmers could ignore the instruction differences, even when debugging at machine code level. These Cyclone/R machines were updated with a faster native-mode NSK in a follow-up release.
The R3000 and later microprocessors had only a typical amount of internal error checking, insufficient for Tandem's needs. So the Cyclone/R ran pairs of R3000 processors in lock step, running the same data thread. It used a curious variation of lock stepping. The checker processor ran 1 cycle behind the primary processor. This allowed them to share a single copy of external code and data caches without putting excessive pinout load on the sysbus and lowering the system clock rate. To successfully run microprocessors in lock step, the chips must be designed to be fully deterministic. Any hidden internal state must be cleared by the chip's reset mechanism. Otherwise, the matched chips will sometimes get out of sync for no visible reason and without any faults, long after the chips are restarted. All chip designers agree that these are good principles because it helps them test chips at manufacturing time. But all new microprocessor chips seemed to have bugs in this area, and required months of shared work between MIPS and Tandem to eliminate or work around the final subtle bugs.

NonStop Himalaya K-series

In 1993, Tandem released the NonStop Himalaya K-series with the faster MIPS R4400, a native mode NSK, and fully expandable Cyclone system components. These were still connected by Dynabus, Dynabus+, and the original I/O bus, which by now were all running out of performance headroom.

Open System Services

In 1994, the NonStop Kernel was extended with a Unix-like POSIX environment called Open System Services. The original Guardian shell and ABI remained available.

NonStop Himalaya S-Series

In 1997 Tandem introduced the NonStop Himalaya S-Series with a new top-level system architecture based on ServerNet connections. ServerNet replaced the obsolete Dynabus, FOX, and I/O buses. It was much faster, more general, and could be extended to more than just two-way redundancy via an arbitrary fabric of point-to-point connections. Tandem designed ServerNet for its own needs but then promoted its use by others; it evolved into the InfiniBand industry standard.
All S-Series machines used MIPS processors, including the R4400, R10000, R12000, and R14000.
The design of the later, faster MIPS cores was primarily funded by Silicon Graphics Inc. But Intel's Pentium Pro overtook the performance of RISC designs and also SGI's graphics business shrunk. After the R10000, there was no investment in significant new MIPS core designs for high-end servers. So Tandem needed to eventually move its NonStop product line yet again onto some other microprocessor architecture with competitive fast chips.

Acquisition by Compaq, attempted migration to Alpha

Jimmy Treybig remained CEO of the company he founded until a downturn in 1996. The next CEO was Roel Pieper, who joined the company in 1996 as president and CEO. Re-branding to promote itself as a true Wintel platform was conducted by their in-house brand and creative team led by Ronald May, who later went on to co-found the Silicon Valley Brand Forum in 1999. The concept worked, and shortly thereafter the company was acquired by Compaq.
Compaq's x86-based server division was an early outside adopter of Tandem's ServerNet/Infiniband interconnect technology. In 1997, Compaq acquired the Tandem Computers company and NonStop customer base to balance Compaq's heavy focus on low-end PCs. In 1998, Compaq also acquired the much larger Digital Equipment Corporation and inherited its DEC Alpha RISC servers with OpenVMS and Tru64 Unix customer bases. Tandem was then midway in porting its NonStop product line from MIPS R12000 microprocessors to Intel's new Itanium Merced microprocessors. This project was restarted with Alpha as the new target to align NonStop with Compaq's other large server lines. But in 2001, Compaq terminated all Alpha engineering investments in favor of the Itanium microprocessors.

Acquisition by Hewlett Packard, TNS/E migration to Itanium

In 2001, Hewlett Packard similarly made the choice to abdicate its successful PA-RISC product lines in favor of Intel's Itanium microprocessors that HP helped to design. Shortly thereafter, Compaq and HP announced their plan to merge and consolidate their similar product lines. This contentious merger became official in May 2002. The consolidations were painful and destroyed the DEC and "HP Way" engineer-oriented cultures, but the combined company did know how to sell complex systems to enterprises and profit, so it was an improvement for the surviving NonStop division and its customers.
In some ways, Tandem's journey from HP-inspired start-up, to an HP-inspired competitor, then to an HP division was "bringing Tandem back to its original roots", but this was definitely not the same HP.
The re-port of the NSK-based NonStop product line from MIPS processors to Itanium-based processors was finally completed and is branded as "HP Integrity NonStop Servers".
Because it was not possible to run Itanium McKinley chips with clock-level lock stepping, the Integrity NonStop machines instead use comparisons between chip states at longer time scales, at interrupt points and at various software sync points in between interrupts. The intermediate sync points are automatically triggered at every n'th taken branch instruction, and are also explicitly inserted into long loop bodies by all NonStop compilers. The machine design supports both dual and triple redundancy, with either two or three physical microprocessors per logical Itanium processor. The triple version is sold to customers needing the utmost reliability. This new checking approach is called NSAA, NonStop Advanced Architecture.
As in the earlier migration from stack machines to MIPS microprocessors, all customer software was carried forward without source changes. "Native mode" source code compiled directly to MIPS machine code was simply recompiled for Itanium. Some older "non native" software was still in TNS stack machine form. These were automatically ported onto Itanium via object code translation techniques.

Itanium migration to Intel X86

The people working for Tandem/HP have a long history of porting the kernel onto new hardware. The latest endeavor was to move from Itanium to the Intel x86 architecture. It was completed in 2014 with the first systems already being commercially available.
The inclusion of the fault-tolerant 4X FDR InfiniBand double-wide switches provides more than a 25 times increase in system interconnect capacity for responding to business growth.

Outlook, other

NSK Guardian also became the base for the HP Neoview OS, the operating system used in the HP Neoview systems that were tailored for use in Business Intelligence and Enterprise Data Warehouse use. NonStop SQL/MX was also the starting point for Neoview SQL, which was tailored to Business Intelligence use. The code was also ported to Linux and served as the basis for the Apache Trafodion project.

User groups