CN114284985A - Safe cutting and holding device and method based on two-out-of-two architecture - Google Patents
Safe cutting and holding device and method based on two-out-of-two architecture Download PDFInfo
- Publication number
- CN114284985A CN114284985A CN202111599534.7A CN202111599534A CN114284985A CN 114284985 A CN114284985 A CN 114284985A CN 202111599534 A CN202111599534 A CN 202111599534A CN 114284985 A CN114284985 A CN 114284985A
- Authority
- CN
- China
- Prior art keywords
- fuse
- state
- safety
- subunit
- control
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 43
- 238000007664 blowing Methods 0.000 claims abstract description 8
- 238000002955 isolation Methods 0.000 claims description 37
- 230000008569 process Effects 0.000 claims description 12
- 238000012360 testing method Methods 0.000 claims description 6
- 238000001514 detection method Methods 0.000 claims description 5
- 238000010998 test method Methods 0.000 claims description 2
- 230000014759 maintenance of location Effects 0.000 claims 1
- 238000002360 preparation method Methods 0.000 claims 1
- 238000013461 design Methods 0.000 abstract description 4
- 238000012423 maintenance Methods 0.000 abstract description 4
- 238000004891 communication Methods 0.000 description 7
- 230000009471 action Effects 0.000 description 3
- 230000000737 periodic effect Effects 0.000 description 3
- 238000012545 processing Methods 0.000 description 3
- 238000011084 recovery Methods 0.000 description 3
- 230000002159 abnormal effect Effects 0.000 description 2
- 229910002056 binary alloy Inorganic materials 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 230000005611 electricity Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 101000879673 Streptomyces coelicolor Subtilisin inhibitor-like protein 3 Proteins 0.000 description 1
- 101000879675 Streptomyces lavendulae Subtilisin inhibitor-like protein 4 Proteins 0.000 description 1
- 230000004075 alteration Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000012790 confirmation Methods 0.000 description 1
- 230000005669 field effect Effects 0.000 description 1
- 229910044991 metal oxide Inorganic materials 0.000 description 1
- 150000004706 metal oxides Chemical class 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 239000000126 substance Substances 0.000 description 1
Images
Landscapes
- Hardware Redundancy (AREA)
- Safety Devices In Control Systems (AREA)
Abstract
The invention provides a safety cut-off and hold device based on a two-out-of-two framework, which is used for forming a part of an output subsystem of a combined fail-safe system and can enable the combined fail-safe system to enter and hold a safe state by blowing a safety fuse, and comprises: the safety fuse wire has two states of unblown state and fused state, can be switched into the fused state from the unblown state after a certain time of high temperature and cannot be recovered; and the fuse management circuit is used for managing the safety fuse. The invention also provides a safe cutting and keeping method based on the two-out-of-two architecture, which comprises the following steps: t1: fusing the safety fuse; t2: it is detected whether the safety fuse has been blown. In addition, the invention also provides a safe cutting and keeping device self-checking method based on the two-out-of-two architecture. The invention has the advantages of high safety, simple circuit design, low failure rate, simple and easy maintenance method and the like.
Description
Technical Field
The invention relates to the technical field of combined failure safety architecture design, in particular to a safety cut-off and hold device and method based on a two-out-of-two architecture.
Background
The two-out-of-two architecture is a combined failure safety architecture, is generally adopted in the fields of railway signals and the like, and is used for improving the safety and reliability of train control. The term "two out of two" refers to that 2 CPUs (central processing units) are arranged in parallel to perform independent operation on input information, then processing results are compared and voted, if the results are consistent, the output is normal, and if the results are inconsistent, a fault is reported.
For SIL3(safety integrity level3, safety integrity level3 level) or SIL4 level systems, subsystems or devices, and using a combined fail-safe architecture, if a fault occurs, a safe state should be entered, and even if a new fault occurs later, the safe state cannot be exited, i.e., maintained, after the fault occurs. Controlled access is required to exit an enabled security state.
In the prior art, in order to realize safe disconnection and maintain a safe state, a complex circuit needs to be built, and complex steps are needed during maintenance, so that inconvenience is brought to practical use.
Disclosure of Invention
The invention aims to provide a safety cut-off and holding device and a method based on a two-out-of-two architecture, and the device can be applied to an output module of a combined fault safety system.
In order to achieve the purpose, the invention is realized by the following technical scheme:
a two-out-of-two architecture based safety disconnect and hold apparatus electrically connected to a power supply and a voting unit, respectively, and forming part of a combined failsafe system output subsystem for bringing said combined failsafe system into and holding a safe state by blowing a safety fuse, comprising:
the safety fuse wire has two states of unblown state and fused state, can be switched into the fused state from the unblown state after a certain time of high temperature and cannot be recovered; when the safety fuse is in an unblown state, the combined fail-safe system is maintained in a normal state by continuously supplying the output of a power supply; after the safety fuse is fused, the combined fault safety system enters and maintains a safety state by cutting off the output of a power supply;
and the fuse management circuit is electrically connected with the safety fuse and the voting unit respectively and is used for managing the safety fuse according to the command of the voting unit.
Preferably, the two-out-of-two architecture based safety cut-off and hold device is further electrically connected to an isolation unit and forms part of the combined failsafe system output subsystem,
the output of the continuous power supply means that when the safety fuse is in an unblown state, the isolation unit and the voting unit are continuously electrically driven;
and the output of the cut-off power supply means that after the safety fuse is fused, the electric drive of the isolation unit and the voting unit loses power.
Preferably, the managing of the security fuse includes blowing or self-checking operation of the security fuse, or reading a fuse state.
Preferably, the fuse management circuit includes:
fuse control circuit, including fuse control module 1 and fuse control module 2, fuse control module 1 and fuse control module 2 are the identical parallel module, and inside all is provided with fusing circuit, works as fusing circuit during operation can make safety fuse is at the high temperature, maintains for a certain time will after the time will safety fuse fuses.
Preferably, the fuse management circuit further includes:
the fuse state circuit is connected with the fuse control circuit in series and comprises a fuse state module 1 and a fuse state module 2, wherein the fuse state module 1 and the fuse state module 2 are completely the same parallel modules and can independently judge whether the safety fuse is in a fusing state or not and whether the fuse management circuit fails or not.
Preferably, the voting unit is a two-out-of-two architecture and is composed of 2 first subunits and 2 second subunits which have the same hardware structure and function, and each subunit is provided with 2 control ports; wherein, the control port of the first subunit is: fuse control 1_ a and fuse control 2_ a; the control port of the second subunit is: fuse control 1_ B and fuse control 2_ B;
the fuse control module 1 is electrically connected with the fuse control 1_ A of the first subunit of the voting unit and the fuse control 1_ B of the second subunit, and the fuse control module 1 can be independently controlled by the drive of the fuse control 1_ A or the fuse control 1_ B to enable the fusing circuit in the body to work; the fuse control module 2 is electrically connected with the fuse control 2_ a of the first subunit of the voting unit and the fuse control 2_ B of the second subunit, and the fuse control module 2 can be independently controlled by the drive of the fuse control 2_ a or the fuse control 2_ B to enable the fusing circuit in the body to work.
Preferably, each subunit of the voting unit is further provided with 2 read ports; wherein, the read port of the first subunit is: fuse state 1 readback _ a and fuse state 2 readback _ a; the read port of the second subunit is: fuse state 1 readback _ B and fuse state 2 readback _ B;
the fuse state module 1 is electrically connected with a fuse state 1 readback _ A of the first subunit of the voting unit and a fuse state 1 readback _ B of the second subunit, and the fuse state 1 readback _ A or the fuse state 1 readback _ B can both read back the state of the safety fuse through the fuse state module 1; the fuse state module 2 is electrically connected with a fuse state 2 readback _ a of the first subunit of the voting unit and a fuse state 2 readback _ B of the second subunit, and the fuse state 2 readback _ a or the fuse state 2 readback _ B can both read back the state of the safety fuse through the fuse state module 2.
A safety cut-off and holding method based on a two-out-of-two architecture is realized by the safety cut-off and holding device based on the two-out-of-two architecture, and comprises the following steps:
t1: the first subunit or the second subunit of the voting unit drives to blow the safety fuse;
t2: detecting, by a first subunit or a second subunit of the voting unit, whether the security fuse has blown:
if yes, quitting;
and if not, other safety measures are taken.
Preferably, step T1 includes:
the first subunit controls the fuse control module 1 and the fuse control module 2 respectively through the fuse control 1_ A and the fuse control 2_ A to enable the fusing circuit in the body to work, and maintains a certain time to fuse the safety fuse, and the execution redundancy is improved in the two-way parallel mode;
or the second subunit controls the fuse control module 1 and the fuse control module 2 through the fuse control 1_ B and the fuse control 2_ B respectively to enable the fusing circuit in the body to work, and maintains a certain time to fuse the safety fuse, so that the execution redundancy is improved in the two-way parallel mode.
Preferably, step T2 includes:
the first subunit reads back the states of the fuse state module 1 and the fuse state module 2 respectively through the fuse state 1 readback _ A and the fuse state 2 readback _ A, and the execution redundancy is improved in the two-way parallel mode;
or the second subunit reads back the states of the fuse state module 1 and the fuse state module 2 respectively through the fuse state 1 read-back _ B and the fuse state 2 read-back _ B, and the execution redundancy is improved in the two-way parallel mode.
A self-checking method of a safety cut-off and holding device based on a two-out-of-two architecture is realized by the safety cut-off and holding device based on the two-out-of-two architecture, and comprises the following steps:
s1: judging whether the fuse detection times in the self-checking sequence of the current round is more than 2:
if yes, go to step S4;
otherwise, go to step S2;
s2: detecting the state of the fuse management circuit and recording the error number of the execution result;
s3: judging whether the error number of the execution result is less than 2:
if yes, go to step S7;
otherwise, go to step S4;
s4: the first subunit or the second subunit of the voting unit drives to blow the safety fuse;
s5: detecting, by a first subunit or a second subunit of the voting unit, whether the security fuse has blown:
if yes, ending the self-checking process;
otherwise, go to step S6;
s6: adopting other safety measures, and finishing the self-checking process after finishing the other safety measures;
s7: judging whether the error number of the execution result is equal to 1:
if yes, go to step S8;
otherwise, returning to step S1;
s8: and exiting the self-checking process and not entering the self-checking process within a certain time length.
Preferably, the self-test method for a safety cut-off and hold device based on a two-out-of-two architecture includes a self-test logic table for self-test comparison, and step S2 includes:
according to the self-checking logic table, the control values of the fuse control 1_ A, the fuse control 1_ B, the fuse control 2_ A and the fuse control 2_ B of each fuse control port are combined into a fuse control combination value with 4 bits; the combination of the readback values of the fuse state 1 readback _ A, the fuse state 1 readback _ B, the fuse state 2 readback _ A and the fuse state 2 readback _ B of each fuse state reading port is a fuse state readback combination value with 4 bits;
and sequentially controlling each fuse control port to be a corresponding control value according to the fuse control combination value in each step according to 6 steps of the self-checking logic table, simultaneously reading the fuse state read-back combination value and comparing the fuse state read-back combination value with the self-checking logic table, if the fuse state read-back combination value is consistent with the self-checking logic table, detecting the fuse management circuit normally in the step, if the fuse state read-back combination value is inconsistent with the self-checking logic table, detecting the fuse management circuit abnormally in the step, and recording the error number of the execution result.
In summary, compared with the prior art, the secure cut-off and hold device and method based on the two-out-of-two architecture provided by the invention have the following beneficial effects:
1. after the fuse is fused, the system can not be powered on again to recover work, so that the system can be kept in a safe state, and the safety is ensured;
2. the circuit is simple in design, is mainly a resistor, a metal-oxide semiconductor field effect transistor (MOSFET) and other mature devices, and has low failure rate;
3. the recovery is carried out after manual confirmation, only the fuse needs to be replaced, and the maintenance method is simple and easy to implement.
Drawings
FIG. 1 is a system diagram of a combined fail-safe system output subsystem to which the present invention is applied;
FIG. 2 is a system diagram of a secure cut-off and hold device based on the binary architecture of the present invention;
FIG. 3 is a flow chart of a secure cut-off and hold device self-check method based on a two-out-of-two architecture according to the present invention;
FIG. 4 is a logic table of the security cut-off and hold device self-check based on the two-out-of-two architecture of the present invention.
Detailed Description
The following describes a secure cut-off and hold device and method based on a binary-two architecture in detail with reference to the accompanying drawings and the detailed description. The advantages and features of the present invention will become more apparent from the following description. It should be noted that the drawings are simplified in form and not to precise scale, and are only used for convenience and clarity to assist in describing the embodiments of the present invention, but not for limiting the conditions of the embodiments of the present invention, and therefore, the present invention is not limited by the technical spirit, and any structural modifications, changes in the proportional relationship, or adjustments in size, should fall within the scope of the technical content of the present invention without affecting the function and the achievable purpose of the present invention.
It is to be noted that, in the present invention, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
The working principle of the invention is as follows:
as shown in fig. 1, the safety cut-off and holding device based on the two-out-of-two architecture provided by the invention is applied to a combined fault safety system of the two-out-of-two architecture, and the device, a power supply, a communication unit, a voting unit, an isolation unit and an output unit form an output subsystem of the combined fault safety system; wherein the content of the first and second substances,
the communication unit is used for analyzing and outputting an external driving command from the superior subsystem;
the voting unit is a two-out-of-two framework and consists of 2 subunits A and B with completely same hardware structures and functions, the two subunits independently operate the external drive command input by the communication unit, the operation result of the subunit and the operation result of the subunit on the other side are independently compared, and the external drive command can be output only if the operation results are consistent, so that the safety control is realized. The voting unit is respectively and electrically connected with the power supply, the communication unit, the device, the isolation unit and the output unit, and has the main functions of: firstly, the device is driven (the driving is controlled by a control signal) to carry out periodic self-checking or safety fuse blowing operation, and the state of the device is read back; the A subunit and the B subunit cross and compare periodic self-checking results of the device, so as to judge whether the device has the capability of blowing out a safety fuse, and ensure the device to have the capability of entering a safety state; when the self-checking fails and meets a certain condition, the device is driven to fuse the safety fuse; secondly, the isolation unit is driven to work, so that the isolation unit can drive the output unit to work; thirdly, the self-communication unit receives an external driving command, the A subunit and the B subunit independently perform two-out-of-two judgment on the consistency of the external driving command respectively, and when the results are consistent, the voting unit drives the output unit to execute the external driving command; when the two are inconsistent, the voting unit drives the device to fuse the safety fuse; fourthly, the voting unit judges whether the output unit correctly executes the external driving command or not by reading back the state of the output unit, periodically detects the output unit, and stops driving the output unit to execute the external driving command when detecting that the external driving command is not correctly executed or the output unit is abnormal; fifthly, after the output unit is stopped to be driven, if the voting unit still detects that the output unit is not well cut off through the state of the output unit, the voting unit stops driving the isolation unit; and sixthly, after the voting unit stops driving the isolation unit, if the voting unit still detects that the isolation unit is not well cut off through reading back the state of the isolation unit, the device is driven to blow out the safety fuse.
This device includes safety fuse and fuse management circuit, is connected with power, voting unit and isolation unit electricity respectively, and the main function includes: firstly, when the safety fuse is not fused, the isolation unit and the voting unit are electrically driven (the electric drive means controlling power supply and generally controlling through a relay); secondly, feeding back the state of the safety fuse to the voting unit, and executing corresponding operation of fusing the safety fuse or self-checking operation according to the driving of the voting unit; and thirdly, after the safety fuse is fused, the electric drive of the isolation unit and the voting unit is powered off and cut off, the combined fault safety system enters a safety state after the power is lost, and the combined fault safety system cannot be automatically recovered after the safety fuse is fused, so that the combined fault safety system is kept in the safety state until manual treatment and recovery are carried out.
The isolation unit is electrically connected with the power supply, the voting unit, the device and the output unit respectively, and has the functions of: when the isolation unit is not cut off, the isolation unit electrically drives the output unit and drives the output unit; when the isolation unit is cut off, the electric drive of the output unit is powered off, the isolation unit also powers off the drive of the output unit, and the output unit does not output signals to the outside; and secondly, feeding back the body state to the voting unit.
The output unit is electrically connected with the voting unit and the isolation unit respectively, and has the functions of: firstly, when the electric drive with the isolation unit and the drive of the isolation unit and the voting unit are simultaneously provided, an external drive command is executed; and secondly, feeding back the body state to the voting unit.
The work flow of the output subsystem of the combined fault safety system is as follows:
(1) self-checking the system after power-on;
(2) the device keeps an electric drive voting unit and an isolation unit, and the isolation unit keeps an electric drive and a drive output unit;
(3) the voting unit periodically drives the device to perform self-checking, sends a self-checking result to the subunit A and the subunit B to perform cross comparison, and judges whether the device has fusing capability so as to ensure the capability of entering a safe state; if the self-checking failure meets a certain condition, the voting unit drives the device to fuse the safety fuse, and the safety fuse jumps to (8) after being fused;
(4) the A subunit and the B subunit independently perform two-out-of-command consistency judgment on the driving command to be voted output by the communication unit respectively:
when the results are consistent, the combined fault safety system maintains a normal state, and the output subsystem of the combined fault safety system outputs an external driving command;
when the results are inconsistent, the voting unit drives the device to blow out the safety fuse, and the safety fuse jumps to (8) after being blown out;
(5) the voting unit drives the output unit to perform periodic detection, judges whether the output unit correctly executes the driving command or not by reading back the state information of the output unit, and stops driving the output unit to execute the driving command when the detection condition is abnormal and the driving command is detected or not correctly executed;
(6) after the output unit is stopped being driven, if the voting unit still detects that the output unit is not well cut off, the voting unit stops driving the isolation unit, so that the isolation unit stops driving the voting unit to output actual output electricity;
(7) after the voting unit stops driving the isolation unit, if the voting unit still detects that the isolation unit is not well cut off, the device is driven to fuse the safety fuse;
(8) after the safety fuse is fused, the device loses power to the electric drive of the isolation unit and the voting unit, further, the isolation unit loses power to the electric drive and the drive of the output unit, the voting unit loses power to the drive of the output unit, so that the output subsystem of the combined fault safety system does not have any output to the outside, the combined fault safety system enters and keeps a safety state, and the safety fuse is always kept in a fused state until manual intervention processing.
Specifically, as shown in fig. 1 to 3, the present embodiment provides a safety cut-off and hold device based on a two-out-of-two architecture, which is electrically connected to a power supply, a voting unit, and an isolation unit, respectively, and forms a part of an output subsystem of a combined fail-safe system, and is used for enabling the combined fail-safe system to enter and hold a safe state by blowing a safety fuse.
The voting unit is a two-out-of-two architecture and consists of 2A subunits and B subunits which have the same hardware structure and function; each subunit comprises a CPU and an FPGA/CPLD (field programmable gate array/complex programmable logic device) electrically connected with the CPU, wherein the FPGA/CPLD is used for executing corresponding operation according to the instruction of the connected CPU; wherein, the FPGA/CPLD of the A subunit is provided with 4 GPIO ports (General-purpose input/output ports): fuse control 1_ a, fuse control 2_ a, fuse state 1 readback _ a, and fuse state 2 readback _ a; 4 GPIO ports are symmetrically arranged on the FPGA/CPLD of the B subunit: fuse control 1_ B, fuse control 2_ B, fuse state 1 readback _ B, and fuse state 2 readback _ B.
As shown in fig. 2, the secure cutting and holding device based on the binary architecture of the present embodiment includes a secure fuse and a fuse management circuit, and the circuit connection relationship is as follows: a power supply 12VDC (12V direct current power supply) is changed into 12VF (forward voltage) through a safety fuse, the 12VF electric drives an isolation unit and a voting unit, meanwhile, the 12VF is grounded through a fuse management circuit, and the voting unit is electrically connected with the fuse management circuit for data communication; wherein:
the safety fuse is an unrecoverable fuse and has two states of unblown and fused, and the unblown state is usually unblown and can be fused after a certain time of high temperature; when the safety fuse is in an unblown state, the isolation unit and the voting unit are continuously driven by 12VF power supply, so that the combined fault safety system is maintained in a normal state; when the safety fuse is fused, the 12VF electric drive of the isolation unit and the voting unit is powered off, so that the combined fault safety system enters and keeps a safety state, the safety fuse is always kept in a fused state, and the safety fuse cannot be restored to work through power-on again until manual intervention;
the fuse management circuit is used for executing the fusing or self-checking operation of the safety fuse according to the command of the voting unit or reading the state of the fuse; the method comprises the following steps:
the fuse state circuit comprises a fuse state module 1 and a fuse state module 2, wherein the fuse state module 1 and the fuse state module 2 are completely the same parallel modules and can independently judge whether the safety fuse is in a fusing state or not and whether the fuse management circuit fails or not; the fuse state module 1 is electrically connected with a fuse state 1 read-back _ A of the voting unit A subunit and a fuse state 1 read-back _ B of the B subunit, and the fuse state 1 read-back _ A or the fuse state 1 read-back _ B can read back the state of the safety fuse through the fuse state module 1; the fuse state module 2 is electrically connected with the fuse state 2 read-back _ A of the voting unit A subunit and the fuse state 2 read-back _ B of the B subunit, and the fuse state 2 read-back _ A or the fuse state 2 read-back _ B can read back the state of the safety fuse through the fuse state module 2;
the fuse control circuit comprises a fuse control module 1 and a fuse control module 2, wherein the fuse control module 1 and the fuse control module 2 are identical parallel modules, and the fuse control circuit is connected with the fuse state circuit in series; in the embodiment, the fuse control module 1 and the fuse control module 2 are both internally provided with fusing circuits, the fusing circuits adopt MOS transistors, the drain electrodes of the MOS transistors are communicated with a safety fuse, the source electrodes of the MOS transistors are grounded, and the grid electrodes of the MOS transistors are communicated with a voting unit; the fuse control module 1 is electrically connected with the fuse control 1_ A of the voting unit A subunit and the fuse control 1_ B of the voting unit B subunit, and the fuse control module 1 can be independently controlled by the drive of the fuse control 1_ A or the fuse control 1_ B to enable the fusing circuit in the body to work; the fuse control module 2 is electrically connected with the fuse control 2_ A of the voting unit A subunit and the fuse control 2_ B of the voting unit B subunit, and the fuse control module 2 can be independently controlled by the drive of the fuse control 2_ A or the fuse control 2_ B to enable the fusing circuit in the body to work.
The embodiment further provides a secure cutting and holding method based on a two-out-of-two architecture, which is implemented by the secure cutting and holding device based on a two-out-of-two architecture, and includes the steps of:
t1: the A subunit or the B subunit of the voting unit drives the fusing safety fuse, and the method specifically comprises the following steps:
the A subunit respectively controls the fuse control module 1 and the fuse control module 2 through the fuse control 1_ A and the fuse control 2_ A to enable the fusing circuit in the body to work, and maintains a certain time to fuse the safety fuse, and the execution redundancy is improved in the two-way parallel mode;
or the B subunit respectively controls the fuse control module 1 and the fuse control module 2 through the fuse control 1_ B and the fuse control 2_ B to enable the fusing circuit in the body to work, and maintains a certain time to fuse the safety fuse, and the execution redundancy is improved in the two-way parallel mode;
t2: whether the safety fuse is blown or not is detected by the A subunit or the B subunit, and the method specifically comprises the following steps:
the A subunit reads back the states of the fuse state module 1 and the fuse state module 2 respectively through the fuse state 1 read-back _ A and the fuse state 2 read-back _ A, and the execution redundancy is improved in the two-way parallel mode; or the B subunit reads back the states of the fuse state module 1 and the fuse state module 2 respectively through the fuse state 1 read-back _ B and the fuse state 2 read-back _ B, and the execution redundancy is improved in the two-way parallel mode; judging whether the safety fuse wire is blown or not through read-back:
if yes, quitting;
and if not, other safety measures are taken.
In addition, the present embodiment further provides a self-checking method of a safety cut-off and holding device based on a binary system, in which the safety cut-off and holding device based on a binary system operates periodically, as shown in fig. 3, and the method includes the steps of:
step 1: judging whether the fuse wire detection times in the self-checking sequence of the current round are more than 2 (if 2 errors are accumulated in the complete self-checking sequence of the first round, judging that the safety cutting and holding device based on the two-out-of-two framework has faults and the safety fuse wire is blown):
if yes, executing step 4;
if not, executing the step 2;
step 2: detecting the state of the fuse management circuit, and recording the error number of the execution result:
according to the self-checking logic table (fig. 4), the control values of the fuse control ports, namely the fuse control 1_ A, the fuse control 1_ B, the fuse control 2_ A and the fuse control 2_ B, are combined into a fuse control combination value with 4 bits; the read-back values of the fuse state 1 read-back _ A, the fuse state 1 read-back _ B, the fuse state 2 read-back _ A and the fuse state 2 read-back _ B of each fuse state read port are combined into a fuse state read-back combined value with 4 bits;
sequentially controlling each fuse control port to be a corresponding control value according to 6 steps of the self-checking logic table and the fuse control combination value in each step, simultaneously reading the fuse state read-back combination value and comparing the fuse state read-back combination value with the self-checking logic table, if the fuse state read-back combination value is consistent with the self-checking logic table, detecting the fuse management circuit normally in the step, if the fuse state read-back combination value is inconsistent with the self-checking logic table, detecting the fuse management circuit abnormally in the step, and recording the error number of an execution result;
and step 3: judging whether the error number of the execution result is less than 2:
if yes, executing step 7 (if only 1 execution result in a complete self-checking sequence is wrong, considering that the self-checking fails, and executing the self-checking again);
if not, executing step 4 (if more than 1 execution result in a complete self-checking sequence is wrong, judging that the fuse management circuit is in fault, and executing the operation of fusing the safety fuse);
and 4, step 4: the method for fusing the safety fuse specifically comprises the following steps:
the A subunit respectively controls the fuse control module 1 and the fuse control module 2 through the fuse control 1_ A and the fuse control 2_ A to enable the fusing circuit in the body to work, and maintains a certain time to fuse the safety fuse, and the execution redundancy is improved in the two-way parallel mode; or the B subunit respectively controls the fuse control module 1 and the fuse control module 2 through the fuse control 1_ B and the fuse control 2_ B to enable the fusing circuit in the body to work, and maintains a certain time to fuse the safety fuse, and the execution redundancy is improved in the two-way parallel mode;
and 5: whether the safety fuse is blown or not is detected by the A subunit or the B subunit, and the method specifically comprises the following steps:
the A subunit reads back the states of the fuse state module 1 and the fuse state module 2 respectively through the fuse state 1 read-back _ A and the fuse state 2 read-back _ A, and the execution redundancy is improved in the two-way parallel mode; or the B subunit reads back the states of the fuse state module 1 and the fuse state module 2 respectively through the fuse state 1 read-back _ B and the fuse state 2 read-back _ B, and the execution redundancy is improved in the two-way parallel mode; to distinguish whether the safety fuse has been blown:
if yes, ending the self-checking process;
if not, executing the step 6;
step 6: adopting other safety measures, and finishing the self-checking process after finishing the other safety measures;
and 7: judging whether the number of errors of the record execution result is equal to 1:
if yes, executing step 8;
if not, returning to the step 1;
and 8: the self-test flow is exited and no longer entered for a certain length of time (in order to cool the safety fuse before the next round of self-test is performed).
In summary, the secure cutting and retaining device and method based on the two-out-of-two architecture provided by the invention have the advantages that by adopting the unrecoverable fuse, the system can not be powered on again to recover work after the fuse is cut off, so that the system can be kept in a secure state, and the security is ensured; the circuit is simple in design, is mainly composed of resistors, MOSFETs and other mature devices, and is low in failure rate; the manual recovery only needs to replace the fuse, and the maintenance method is simple and easy to implement.
While the present invention has been described in detail with reference to the preferred embodiments, it should be understood that the above description should not be taken as limiting the invention. Various modifications and alterations to this invention will become apparent to those skilled in the art upon reading the foregoing description. Accordingly, the scope of the invention should be determined from the following claims.
Claims (12)
1. A two-out-of-two architecture based safety disconnect and hold apparatus electrically connected to a power supply and a voting unit, respectively, and forming part of a combined failsafe system output subsystem for bringing said combined failsafe system into and holding a safe state by blowing a safety fuse, comprising:
the safety fuse wire has two states of unblown state and fused state, can be switched into the fused state from the unblown state after a certain time of high temperature and cannot be recovered; when the safety fuse is in an unblown state, the combined fail-safe system is maintained in a normal state by continuously supplying the output of a power supply; after the safety fuse is fused, the combined fault safety system enters and maintains a safety state by cutting off the output of a power supply;
and the fuse management circuit is electrically connected with the safety fuse and the voting unit respectively and is used for managing the safety fuse according to the command of the voting unit.
2. The two-out-of-two architecture based safety disconnect and hold device of claim 1, further electrically connected to an isolation unit and forming part of the combined failsafe system output subsystem,
the output of the continuous power supply means that when the safety fuse is in an unblown state, the isolation unit and the voting unit are continuously electrically driven;
and the output of the cut-off power supply means that after the safety fuse is fused, the electric drive of the isolation unit and the voting unit loses power.
3. The binary architecture based secure cut-and-hold apparatus of claim 1, wherein the managing of the security fuse comprises blowing or self-checking operations on the security fuse, or reading a fuse state.
4. The secure cut-and-hold apparatus based on a binary architecture of claim 3, wherein the fuse management circuit comprises:
fuse control circuit, including fuse control module 1 and fuse control module 2, fuse control module 1 and fuse control module 2 are the identical parallel module, and inside all is provided with fusing circuit, works as fusing circuit during operation can make safety fuse is at the high temperature, maintains for a certain time will after the time will safety fuse fuses.
5. The secure cut-and-hold apparatus based on a two-out-of-two architecture of claim 4, wherein the fuse management circuit further comprises:
the fuse state circuit is connected with the fuse control circuit in series and comprises a fuse state module 1 and a fuse state module 2, wherein the fuse state module 1 and the fuse state module 2 are completely the same parallel modules and can independently judge whether the safety fuse is in a fusing state or not and whether the fuse management circuit fails or not.
6. The two-out-of-two architecture based security cut-off and hold device as claimed in claim 4, wherein the voting unit is a two-out-of-two architecture and is composed of 2 first sub-units and second sub-units with identical hardware structures and functions, and each sub-unit is provided with 2 control ports; wherein, the control port of the first subunit is: fuse control 1_ a and fuse control 2_ a; the control port of the second subunit is: fuse control 1_ B and fuse control 2_ B; it is characterized in that the preparation method is characterized in that,
the fuse control module 1 is electrically connected with the fuse control 1_ A of the first subunit of the voting unit and the fuse control 1_ B of the second subunit, and the fuse control module 1 can be independently controlled by the drive of the fuse control 1_ A or the fuse control 1_ B to enable the fusing circuit in the body to work; the fuse control module 2 is electrically connected with the fuse control 2_ a of the first subunit of the voting unit and the fuse control 2_ B of the second subunit, and the fuse control module 2 can be independently controlled by the drive of the fuse control 2_ a or the fuse control 2_ B to enable the fusing circuit in the body to work.
7. The two-out-of-two architecture based security cut-off and retention device of claim 6, each subunit of the voting unit further provided with 2 read ports; wherein, the read port of the first subunit is: fuse state 1 readback _ a and fuse state 2 readback _ a; the read port of the second subunit is: fuse state 1 readback _ B and fuse state 2 readback _ B; the voting unit is characterized in that the fuse state module 1 is electrically connected with a fuse state 1 readback _ A of a first subunit of the voting unit and a fuse state 1 readback _ B of a second subunit, and the fuse state 1 readback _ A or the fuse state 1 readback _ B can both read back the state of the safety fuse through the fuse state module 1; the fuse state module 2 is electrically connected with a fuse state 2 readback _ a of the first subunit of the voting unit and a fuse state 2 readback _ B of the second subunit, and the fuse state 2 readback _ a or the fuse state 2 readback _ B can both read back the state of the safety fuse through the fuse state module 2.
8. A method for safely disconnecting and holding a device based on a binary architecture, the method being implemented by the device based on the binary architecture according to any one of claims 1 to 7, and comprising the steps of:
t1: the first subunit or the second subunit of the voting unit drives to blow the safety fuse;
t2: detecting, by a first subunit or a second subunit of the voting unit, whether the security fuse has blown:
if yes, quitting;
and if not, other safety measures are taken.
9. The secure cut-off and hold method based on the binary architecture of claim 8, wherein step T1 comprises:
the first subunit controls the fuse control module 1 and the fuse control module 2 respectively through the fuse control 1_ A and the fuse control 2_ A to enable the fusing circuit in the body to work, and maintains a certain time to fuse the safety fuse, and the execution redundancy is improved in the two-way parallel mode;
or the second subunit controls the fuse control module 1 and the fuse control module 2 through the fuse control 1_ B and the fuse control 2_ B respectively to enable the fusing circuit in the body to work, and maintains a certain time to fuse the safety fuse, so that the execution redundancy is improved in the two-way parallel mode.
10. The secure cut-off and hold method based on the binary architecture of claim 8, wherein step T2 comprises:
the first subunit reads back the states of the fuse state module 1 and the fuse state module 2 respectively through the fuse state 1 readback _ A and the fuse state 2 readback _ A, and the execution redundancy is improved in the two-way parallel mode;
or the second subunit reads back the states of the fuse state module 1 and the fuse state module 2 respectively through the fuse state 1 read-back _ B and the fuse state 2 read-back _ B, and the execution redundancy is improved in the two-way parallel mode.
11. A self-checking method of a security cut-off and hold device based on a binary architecture, which is implemented by the security cut-off and hold device based on the binary architecture according to any one of claims 1 to 7, comprising the steps of:
s1: judging whether the fuse detection times in the self-checking sequence of the current round is more than 2:
if yes, go to step S4;
otherwise, go to step S2;
s2: detecting the state of the fuse management circuit and recording the error number of the execution result;
s3: judging whether the error number of the execution result is less than 2:
if yes, go to step S7;
otherwise, go to step S4;
s4: the first subunit or the second subunit of the voting unit drives to blow the safety fuse;
s5: detecting, by a first subunit or a second subunit of the voting unit, whether the security fuse has blown:
if yes, ending the self-checking process;
otherwise, go to step S6;
s6: adopting other safety measures, and finishing the self-checking process after finishing the other safety measures;
s7: judging whether the error number of the execution result is equal to 1:
if yes, go to step S8;
otherwise, returning to step S1;
s8: and exiting the self-checking process and not entering the self-checking process within a certain time length.
12. The method according to claim 11, wherein the self-test method comprises a self-test logic table for self-test comparison, and wherein the step S2 comprises:
according to the self-checking logic table, the control values of the fuse control 1_ A, the fuse control 1_ B, the fuse control 2_ A and the fuse control 2_ B of each fuse control port are combined into a fuse control combination value with 4 bits; the combination of the readback values of the fuse state 1 readback _ A, the fuse state 1 readback _ B, the fuse state 2 readback _ A and the fuse state 2 readback _ B of each fuse state reading port is a fuse state readback combination value with 4 bits;
and sequentially controlling each fuse control port to be a corresponding control value according to the fuse control combination value in each step according to 6 steps of the self-checking logic table, simultaneously reading the fuse state read-back combination value and comparing the fuse state read-back combination value with the self-checking logic table, if the fuse state read-back combination value is consistent with the self-checking logic table, detecting the fuse management circuit normally in the step, if the fuse state read-back combination value is inconsistent with the self-checking logic table, detecting the fuse management circuit abnormally in the step, and recording the error number of the execution result.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111599534.7A CN114284985B (en) | 2021-12-24 | 2021-12-24 | Safety cut-off and holding device and method based on two-in-two architecture |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111599534.7A CN114284985B (en) | 2021-12-24 | 2021-12-24 | Safety cut-off and holding device and method based on two-in-two architecture |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114284985A true CN114284985A (en) | 2022-04-05 |
| CN114284985B CN114284985B (en) | 2024-03-12 |
Family
ID=80875041
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111599534.7A Active CN114284985B (en) | 2021-12-24 | 2021-12-24 | Safety cut-off and holding device and method based on two-in-two architecture |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114284985B (en) |
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20090303650A1 (en) * | 2008-06-10 | 2009-12-10 | Hynix Semiconductor, Inc. | Monitoring circuit for semiconductor device |
| CN102749575A (en) * | 2011-04-18 | 2012-10-24 | 安凯(广州)微电子技术有限公司 | Electronic fuse state reader |
| CN104967438A (en) * | 2015-06-30 | 2015-10-07 | 中国电子科技集团公司第二十四研究所 | Current type fuse control circuit |
| WO2017159308A1 (en) * | 2016-03-15 | 2017-09-21 | 株式会社オートネットワーク技術研究所 | Power source device |
| CN110416968A (en) * | 2019-08-09 | 2019-11-05 | 无锡启腾电子科技有限公司 | A kind of electrical fuse and its working method |
| US10755799B1 (en) * | 2019-04-15 | 2020-08-25 | Micron Technology, Inc. | Apparatuses and methods for fuse latch redundancy |
| CN211720255U (en) * | 2020-01-08 | 2020-10-20 | 浙江众合科技股份有限公司 | Signal machine self-fusing circuit based on fault safety |
| CN112782966A (en) * | 2020-12-30 | 2021-05-11 | 卡斯柯信号有限公司 | Scattered equipment driving system for rail transit signal control |
| CN113690965A (en) * | 2021-07-09 | 2021-11-23 | 东莞新能安科技有限公司 | Protection circuit and circuit board, battery management system and battery package |
-
2021
- 2021-12-24 CN CN202111599534.7A patent/CN114284985B/en active Active
Patent Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20090303650A1 (en) * | 2008-06-10 | 2009-12-10 | Hynix Semiconductor, Inc. | Monitoring circuit for semiconductor device |
| CN102749575A (en) * | 2011-04-18 | 2012-10-24 | 安凯(广州)微电子技术有限公司 | Electronic fuse state reader |
| CN104967438A (en) * | 2015-06-30 | 2015-10-07 | 中国电子科技集团公司第二十四研究所 | Current type fuse control circuit |
| WO2017159308A1 (en) * | 2016-03-15 | 2017-09-21 | 株式会社オートネットワーク技術研究所 | Power source device |
| US10755799B1 (en) * | 2019-04-15 | 2020-08-25 | Micron Technology, Inc. | Apparatuses and methods for fuse latch redundancy |
| CN110416968A (en) * | 2019-08-09 | 2019-11-05 | 无锡启腾电子科技有限公司 | A kind of electrical fuse and its working method |
| CN211720255U (en) * | 2020-01-08 | 2020-10-20 | 浙江众合科技股份有限公司 | Signal machine self-fusing circuit based on fault safety |
| CN112782966A (en) * | 2020-12-30 | 2021-05-11 | 卡斯柯信号有限公司 | Scattered equipment driving system for rail transit signal control |
| CN113690965A (en) * | 2021-07-09 | 2021-11-23 | 东莞新能安科技有限公司 | Protection circuit and circuit board, battery management system and battery package |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114284985B (en) | 2024-03-12 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102431549B (en) | For the control electronics of vehicle | |
| US4926281A (en) | Fail-safe and fault-tolerant alternating current output circuit | |
| US10120772B2 (en) | Operation of I/O in a safe system | |
| JPH055121B2 (en) | ||
| WO2020143243A1 (en) | Dual-system hot backup switching method and system applied to automatic running system of train | |
| CN115195814B (en) | Station ground control system and code unit control method | |
| JP6983991B2 (en) | Battery control device | |
| CN105259863A (en) | PLC warm backup redundancy method and system | |
| CN107153591B (en) | Detection method and device for power supply architecture of memory | |
| CN114284985A (en) | Safe cutting and holding device and method based on two-out-of-two architecture | |
| CN115123339B (en) | Coding unit for station ground control system | |
| CN109491842B (en) | Signal pairing for module extension of fail-safe computing systems | |
| JP2012068907A (en) | Bus connection circuit and bus connection method | |
| JPH0798601A (en) | Fault-tolerant programmable controller | |
| CN113885392B (en) | Fuse-free discrete output safety state escape protection system for safety output | |
| CN111755763A (en) | BMS function safety control system and control method | |
| JPH03103044A (en) | Fault detecting system for diode in duplex power supply | |
| JP3497855B2 (en) | Double system equipment | |
| JP5040466B2 (en) | Data processing system | |
| CN117951069B (en) | Server system, communication method and server | |
| JP3392938B2 (en) | Double system equipment | |
| US20210216393A1 (en) | Protection Against Internal Faults In Burners | |
| KR0128198Y1 (en) | Trouble detecting circuit of distribution control system | |
| CN112532126A (en) | Door control unit motor loop containing independent motor drive authorization | |
| JP3570334B2 (en) | System switching device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |