DK170451B1 - Multiple microcomputer security sequence circuit which processes the same data - Google Patents

Multiple microcomputer security sequence circuit which processes the same data Download PDF

Info

Publication number
DK170451B1
Authority
DK
Denmark
Prior art keywords
output
signal
microcomputer
comparator
coupling
Prior art date
Application number
DK133188A
Other languages
Danish (da)
Other versions
DK133188A (en)
DK133188D0 (en)
Inventor
Michael Gronemeyer
Original Assignee
Siemens Ag
Priority date
Filing date
Publication date
Application filed by Siemens Ag
Publication of DK133188D0
Publication of DK133188A
Application granted
Publication of DK170451B1


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16 Error detection or correction of the data by redundancy in hardware
    • G06F11/1629 Error detection by comparing the output of redundant processing systems
    • G06F11/1641 Error detection by comparing the output of redundant processing systems where the comparison is not performed by the redundant processing components
    • G06F11/1645 Error detection by comparing the output of redundant processing systems where the comparison is not performed by the redundant processing components and the comparison itself uses redundant hardware
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/22 Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing
    • G06F11/2205 Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing using arrangements specific to the hardware being tested
    • G06F11/2215 Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing using arrangements specific to the hardware being tested to test error correction or detection circuits
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0796 Safety measures, i.e. ensuring safe condition in the event of error, e.g. for controlling element

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Safety Devices In Control Systems (AREA)
  • Hardware Redundancy (AREA)
  • Electric Propulsion And Braking For Vehicles (AREA)
  • Train Traffic Observation, Control, And Security (AREA)
  • Air Bags (AREA)

Abstract

Multi-channel safety switching devices require comparators for data to be output to the process so that a signal divergence can be recognised in time and possibly false information items can be kept away from the process. This requires a data-flow-independent checking of the comparators. A release signal (FG1) to be output by the comparator (VG1) when the microcomputer (MR1, MR2) to be monitored is operating correctly is output indirectly via an AND gate (UD1) to output signal converters (AR). A test circuit (TSG1) which has a bistable characteristic is connected to the AND gate (UD1). The test circuit evaluates a key information item (SN1) output by the microcomputer (MR1), which counts as acknowledgement of a predetermined computer routine of the microcomputer (MR1). In dependence on this, an enable code is output for the AND gate (UD1). The abovementioned safety switching devices can be used, in particular, in the case of process controls with safety responsibility, for example in the case of railway signalling.

Description

DK 170451 B1

The invention relates to a safety sequence circuit with several microcomputers which process the same data and to which at least one comparator is connected for checking the agreement between items of information that the microcomputers are to deliver, via output signal converters, to a process that is to be controlled; on detecting a divergence of information, the comparator switches off a release signal which, via an AND gate, enables the output signal converters only during regular operation.

In many modern technical processes, for example the control of nuclear reactors or railway signalling installations, a recognised safety engineering principle has been followed for many years: in the event of technical faults, which must be expected when non-fail-safe data processing equipment is used, the process to be controlled is brought into a state that is harmless to people and equipment. This can be achieved, for example, by associating a high signal level with all process-activating signals and switching that level off on all output channels in the event of a technical disturbance in the data processing equipment.

A safety sequence circuit with microcomputers of the kind referred to at the outset, which follows the safety philosophy explained above, is described in more detail in, for example, German patent specification no. 30 03 291, and in particular in the journal "Elektronische Rechenanlagen", volume 22, 1980, issue 5, pages 229-236. These known safety sequence circuits are built with two microcomputers which process the same information in parallel, and they are operated so that the activity of the microcomputers is suppressed directly once an inequality between the two channels has been detected. This is realised by withholding the clock pulses that drive the two microprocessors. The known two-channel 2v2 safety sequence circuit also already meets the requirement of a short fault detection time: on the one hand the states of the two computer branches, i.e. of both channels, are compared with each other in the sequence circuit after every clock step, and on the other hand special check programs provide short fault detection that is independent of the process data stream. In the event of a fault it is thus possible to switch the output signal converters for all microcomputer signals to a non-transmitting state, because the microcomputers' clock signals then stop and/or the supply voltages are switched off. Setting circuits which could endanger people and equipment as a result of faulty control signals are thereby de-energised.

In the two-channel data processing arrangement known from German patent specification no. 30 03 291, a release signal output by the comparator is switched off in the event of a fault. As a consequence, an AND gate connected after the comparator also blocks further, information-free clock pulses supplied to that gate.

The known safety sequence circuits have so far lived up to expectations in practice. A precondition for their use, however, is that the individual comparators which check the agreement between the items of information output by the microcomputers remain operational at all times. The operability of the comparators is checked by deliberately feeding them, from time to time, data that differ from each other. The comparators respond by blocking the release signal for the downstream AND gates. Their response is detected by the microcomputers by reading back and evaluating the output signals of the AND gates; in the event of a fault, the computer system must be switched off.

How this is to be done in detail is not apparent from German patent specification no. 30 03 291. Sometimes it is not even necessary to switch off the entire computer system; on the contrary, it may be sufficient merely to prevent the output of safety-relevant information in the event of a fault while still permitting the output of non-safety-relevant information, since the latter cannot put the safety of the process at risk.

Checking the functional state of the comparators is, however, not in all cases sufficient to guarantee a safe influence on the course of the process; it must additionally be ensured that in the event of a fault the sequence circuit is in a state in which it acts on the process to be controlled and/or monitored in a predetermined manner, and thus responds to the fault that has occurred in a predetermined manner. This is only possible if it is ensured that the evaluating microcomputer can reliably detect the absence of the comparator release signals, and that it can also act on the output signal converter to the process in a fail-safe manner.

The object of the invention is to improve a safety sequence circuit such that the data-flow-independent functional check of the comparator or comparators is at least accompanied by a functional check of the corresponding parts of the microcomputer and of the switching means used to control those output signal converters which are directly used to block the output of information in the event of a fault.

According to the invention, this object is achieved in that each AND gate is connected on its input side not only to the associated comparator but also to the output of a test circuit which has a bistable function. Upon a set signal, which is output by the microcomputer and which also re-triggers the release signal in the comparator, the test circuit outputs a disconnect signal for the associated output signal converter; after successfully evaluating a key information item, which acknowledges that a predetermined computer routine has run in the microcomputer and which the test circuit has found to be correct, it outputs a connect signal for the associated output signal converter.

A particular advantage of such a measure is that the comparators can, as desired, be checked for a possible fault independently of the data stream, and that the microcomputer, by virtue of the introduced computer routine, is also at least partly included in the checking process. For if an incorrect key information item is output, the test circuit continues to output the disconnect signal to the AND gate connected after it, so that a release signal impermissibly supplied to the AND gate is suppressed.

In a further development of the safety sequence circuit according to the invention, which preferably consists of a 2v2 system, the computer routine is advantageously a computer check program in which the comparator is presented with at least one information divergence that it must detect, and the test circuit with at least one incorrect and then one correct key information item. The key information may consist of a bit sequence fixed in advance by the microcomputer. This requires a test circuit containing a decoder circuit for recognising the specially coded key information items. The test circuit thus outputs the connect signal to the AND gate connected after it only if a correct coding could be detected.

Independently of the aforementioned measure, or in addition to it, it is advantageous in a further development of the safety sequence circuit according to the invention for the test circuit to contain a gate circuit which can be started by each set signal and serves to check whether the key information arrives at the correct time.

Exemplary embodiments of the invention are explained in more detail below with reference to the drawing, in which fig. 1 shows a safety sequence circuit with two microcomputers which process the same data, together with comparators that can be monitored; fig. 2 shows a preferred embodiment of the test circuit assigned to each of the comparators for checking the timing of the key information items; and figs. 3-5 each show, in several diagram lines, signal configurations at measurement points in the circuit shown in fig. 2.

The block diagram in fig. 1 shows a safety sequence circuit with two microcomputers MR1 and MR2 which process the same data and operate according to the known 2v2 system. Since the explanation of the safety sequence circuit according to the invention is independent of any particular process, only what is essential is highlighted in the explanation and what is inessential is omitted. This includes, for example, the lines or bus systems that supply the data to be processed by the microcomputers MR1 and MR2. In the exemplary embodiment it is assumed that only those data in the two microcomputers MR1 and MR2 are compared with each other which are to be delivered, via output signal converters AR, to a process (not shown) that is to be controlled. Two comparators VG1 and VG2 are therefore connected to the buses B1 and B2 leaving the microcomputers MR1 and MR2 in order to check agreement. In principle it would of course be possible to use further comparators which could serve to check the agreement between control signals issued by the two microcomputers MR1 and MR2. The buses B1 and B2 are in principle connected to the output signal converters AR. The comparators VG1 and VG2 are constructed so that, via their respective outputs VG10 and VG20, they can output a release signal FG1 or FG2 to a downstream AND gate UD1 or UD2.

As long as the AND gates receive a connect signal at their respective second input, the release signal FG1 or FG2 is passed on to the output signal converters AR.

These are constructed in a known manner so that they output the data supplied over the buses B1 and B2 only if the two AND gates UD1 and UD2 pass the supplied release signals FG1 and FG2. As soon as one of the two comparators VG1 or VG2 responds to a detected divergence between the information supplied over the two buses B1 and B2, at least one of the two release signals FG1 or FG2 drops out. As a rule, however, both release signals FG1 and FG2 are switched off, since the fault in question is reliably detected by both comparators VG1 and VG2. The output signal converters AR are then blocked from delivering any data to the process to be controlled.

In order to be able to check the comparators VG1 and VG2 for possible failures independently of the data stream, the following measures are taken: the output VG10 or VG20 of the comparator VG1 or VG2 is connected via a line L1 or L2 to the associated microcomputer MR1 or MR2. The microcomputers can thereby establish whether the respective comparator VG1 outputs the release signal FG1, or whether the other comparator VG2 outputs the release signal FG2. In addition, the AND gate UD1 or UD2 is connected on its output side via a line L3 or L4 to the associated microcomputer MR1 or MR2. As a result of this measure, the respective microcomputer MR1 or MR2 can establish whether or not the output signal converters AR are being supplied with the release signal FG1 or FG2.

Furthermore, for activating the AND gate UD1 or UD2 there is a test circuit TSG1 or TSG2 whose output is connected via a line L5 or L6 to one input of the AND gate UD1 or UD2.


The test circuits TSG1 and TSG2 have, as their final stage, a bistable function: in one switching state they output a disconnect signal and in the other a connect signal over the line L5 or L6.

Each of the test circuits TSG1 and TSG2 has the task of checking a key information item SN1 or SN2 output over the line L7 or L8 by the microcomputer MR1 or MR2, for example with regard to its correct timing. If the timing of the respective key information item SN1 or SN2 is confirmed as correct, the checking test circuit TSG1 or TSG2 outputs the connect signal over the line L5 or L6 to the AND gate UD1 or UD2 concerned. The test circuit TSG1 or TSG2 is switched over to outputting the disconnect signal by means of a set signal SL1 or SL2, which the microcomputer MR1 or MR2 outputs over a branching output line L9 or L10. These set signals also reach the comparator VG1 or VG2 and thereby cause the release signal FG1 or FG2 to be output again, in particular after a preceding disconnection process.

To trigger checking processes for the comparators VG1 and VG2, the microcomputers MR1 and MR2 have special computer routines which contain a comparator check program. These, and all the associated computer routines, are so short in duration that the process to be controlled is not affected by them in any way. This is connected, for example, with relays (not shown in detail) which, together with the output signal converters AR, serve to deliver control data to the process. With regard to their drop-out behaviour such relays are so sluggish that they do not drop out during the brief interruptions of their energisation that occur while the aforementioned computer routines run. As soon as the computer routines with the comparator check program run in the microcomputers MR1 and MR2, the comparators VG1 and VG2 receive over the buses B1 and B2 data telegrams that differ in at least one bit position.

As a result of such an information divergence, both comparators VG1 and VG2 must switch off their release signals FG1 and FG2. Since the subsequent switching processes proceed identically in both channels of the safety sequence circuit, for simplicity they are explained in more detail only for the microcomputer MR1, the comparator VG1 and the test circuit TSG1 together with the AND gate UD1. The microcomputer MR1 detects the loss of the release signal FG1 and can conclude from this that the comparator VG1 is still operational. The microcomputers MR1 and MR2 now again output matching data telegrams over their buses B1 and B2. The microcomputer MR1 then triggers, over the output line L9, the set signal SL1, which causes the comparator VG1 to output the release signal FG1.

The same set signal SL1 brings the test circuit TSG1 into a switching state in which the disconnect signal is emitted over line L5; in other words, the signal on line L5 changes from H to L. As a result, the release signal FG1, which is now present again, is blocked by the AND gate UD1 and is not passed on to the output signal converters AR. This state is reported to the microcomputer MR1 over line L3. The presence of the release signal FG1 is also reported over line L1.

Next, in the comparator check program of the microcomputer MR1, a deliberately incorrect coding information SN1 is emitted to the test circuit TSG1. The test circuit recognises that the coding information SN1 is incorrect and therefore remains in the prevailing switching state, in which the disconnect signal is emitted over line L5. The microcomputer MR1 then interrogates the information on line L3 and, in correct operation, expects there to still be no release signal FG1. A further set signal SL1 is nevertheless emitted; had there been a malfunction beforehand, this would again have brought the test circuit TSG1 into the switching state in which the disconnect signal is emitted over line L5. Continuing the running comparator check program, the microcomputer MR1 then emits over line L7 a correct coding information SN1 which, after being evaluated in the test circuit TSG1 with respect to its coding and/or its position in time, switches the test circuit into the other switching state, in which the enable signal is emitted over line L5. Only then does the still-present release signal FG1 reach the output signal converters AR via the AND gate UD1. The comparator check program is thereby completed, and the normal operation that was interrupted in the meantime can be resumed.

The circuit in fig. 2 shows further details of a test circuit as designated TSG1 in the block diagram of fig. 1. The input lines and the output line carry the reference designations L7, L9 and L5 used so far. The test circuit shown in fig. 2 has the task of checking whether a coding information SN1 supplied over line L7 has the correct position in time within a comparator check program of the microcomputer MR1.

The test circuit TSG1 shown in fig. 2 has two monostable flip-flops MK1 and MK2. The recovery time T2 from the unstable state of the flip-flop MK2 is considerably shorter than the recovery time T1 of the flip-flop MK1. The monostable flip-flop MK2 can be reset before the recovery time T2 has elapsed by means of a bistable flip-flop BK1. There is also a second bistable flip-flop BK2, whose output side is connected to line L5. Both bistable switching elements BK1 and BK2 are switched from the existing to the other switching state by a set signal SL1 supplied over line L9. Further details are shown by the various diagram lines in fig. 3. The reference designations of the individual diagram lines are the same in all three figures 3, 4 and 5 and agree with the reference designations of the various input and output lines of the test circuit TSG1 shown in fig. 2.

As explained with reference to the circuit shown in fig. 1, the microcomputer MR1 emits the set signal SL1 in the course of a comparator check program; this may happen, for instance, at time t1. After this time the monostable flip-flop MK1 is in the unstable state and the monostable flip-flop MK2 is still in the stable state. The flip-flop BK1 emits a high potential over line F, and line L5 of the flip-flop BK2 carries a low potential and thus the disconnect signal. When the recovery time of the monostable flip-flop MK1 has elapsed, the potential change on line A sets the monostable flip-flop MK2 to the unstable state. By its duration, the recovery time T2 of this flip-flop MK2 (see diagram line B) defines a time window within which the next coding information SN1 must arrive in correct operation of the microcomputer MR1. It appears on line L7 at time t2, in a correct position in time (T2 has not yet elapsed), and sets the bistable flip-flop BK2 to the other stable state, so that the enable signal is again emitted over line L5. At the same time the bistable flip-flop BK1 is switched over, so that the monostable flip-flop MK2 is returned to the stable state over line F before its recovery time has elapsed.

The diagram lines in fig. 4 show a working example for the test circuit shown in fig. 2 in which the coding information SN1 does not appear within the time window set by the monostable flip-flop MK2, but later
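The self-test sequence described above for channel 1 (divergent telegrams, SL1, an incorrect SN1, a further SL1, then a correct SN1) and the time window that MK1 and MK2 define in the test circuit TSG1 are modelled below in Python. This is an added example, not code from the patent or from Siemens. The recovery times (t1 = 10 and t2 = 4 ticks), the bit patterns SN1_OK and SN1_BAD that the decoder in TSG1 accepts or rejects, the `stuck_high` fault injected into the comparator, and all class and function names are assumptions made for the illustration. The model shows a healthy channel passing the check, a comparator that no longer drops FG1 being caught at the very first step, and a correct SN1 that arrives before MK1 has timed out or after MK2 has (the fig. 4 case) leaving the disconnect signal on L5.

```python
# Added example, not from the patent: a discrete-time model of one channel of the
# safety sequence circuit (comparator VG1, test circuit TSG1, AND gate UD1) and of
# the comparator check program microcomputer MR1 runs against them. Code values,
# recovery times and the injected fault are assumptions made for illustration.

LOW, HIGH = 0, 1
SN1_OK = 0x5A    # assumed bit pattern that the decoder in TSG1 accepts as correct SN1
SN1_BAD = 0xA5   # assumed pattern for the deliberately incorrect SN1


class Comparator:
    """VG1: FG1 is dropped and latched low when the telegrams on B1 and B2 differ;
    a set signal SL1 restores it (assumed: only while the last telegrams agreed)."""

    def __init__(self, stuck_high=False):
        self.stuck_high = stuck_high  # injected fault: comparator never drops FG1
        self.agree = True
        self.fg = HIGH

    def compare(self, telegram_b1, telegram_b2):
        self.agree = telegram_b1 == telegram_b2
        if not self.agree and not self.stuck_high:
            self.fg = LOW
        return self.fg

    def set_signal(self):  # SL1 on L9
        if self.agree:
            self.fg = HIGH
        return self.fg


class TestCircuit:
    """TSG1 (fig. 2): SL1 triggers one-shot MK1 (recovery time t1); when MK1 returns
    to rest, the edge on line A triggers one-shot MK2 (recovery time t2). While MK2 is
    unstable a correct SN1 must arrive on L7; it then sets BK2 (enable on L5) and flips
    BK1, which resets MK2 early over line F. Time is counted in abstract ticks."""

    def __init__(self, t1, t2):
        self.t1, self.t2 = t1, t2
        self.window = None  # (start, end) of MK2's unstable state while armed
        self.l5 = LOW       # output to UD1: LOW = disconnect, HIGH = enable

    def set_signal(self, now):  # SL1 on L9
        self.window = (now + self.t1, now + self.t1 + self.t2)
        self.l5 = LOW       # BK2 to the disconnect state
        return self.l5

    def coding_info(self, now, sn1):  # SN1 on L7
        in_window = self.window is not None and self.window[0] <= now < self.window[1]
        if sn1 == SN1_OK and in_window:
            self.l5 = HIGH      # BK2 to the enable state
            self.window = None  # BK1 flips: MK2 back to rest before t2 has elapsed
        return self.l5


def and_gate(fg, l5):
    """UD1: the converters AR are driven only if VG1 releases and TSG1 does not block."""
    return HIGH if fg == HIGH and l5 == HIGH else LOW


def comparator_check_program(vg, tsg, sn1_delay, t0=0):
    """The self-test MR1 runs on channel 1. sn1_delay is the time from the second SL1
    to the correct SN1. Returns (passed, reason)."""
    # 1. Telegrams on B1/B2 that differ in at least one bit: FG1 must drop.
    if vg.compare(b"\x01", b"\x00") != LOW:
        return False, "VG1 did not drop FG1 on divergent telegrams"
    # 2. Agreeing telegrams again, then SL1: FG1 returns (seen on L1) but UD1 stays
    #    blocked (seen on L3) because TSG1 now holds the disconnect signal on L5.
    vg.compare(b"\x01", b"\x01")
    now = t0
    vg.set_signal()
    tsg.set_signal(now)
    if vg.fg != HIGH:
        return False, "FG1 not restored by SL1"
    if and_gate(vg.fg, tsg.l5) != LOW:
        return False, "TSG1 did not block UD1 after SL1"
    # 3. Deliberately wrong SN1, sent inside the window: TSG1 must keep blocking.
    now += tsg.t1 + 1
    tsg.coding_info(now, SN1_BAD)
    if and_gate(vg.fg, tsg.l5) != LOW:
        return False, "TSG1 accepted an incorrect SN1"
    # 4. A further SL1 re-arms the window (and would re-block a misbehaving TSG1).
    vg.set_signal()
    tsg.set_signal(now)
    # 5. Correct SN1: accepted only inside MK2's window (fig. 3), not before MK1 has
    #    timed out and not after MK2 has (fig. 4).
    tsg.coding_info(now + sn1_delay, SN1_OK)
    if and_gate(vg.fg, tsg.l5) != HIGH:
        return False, "correct SN1 not accepted (outside the time window?)"
    return True, "ok"


def run(stuck_comparator=False, sn1_delay=None, t1=10, t2=4):
    """Run the check on a fresh channel; SN1 one tick after MK1 times out by default."""
    if sn1_delay is None:
        sn1_delay = t1 + 1
    return comparator_check_program(Comparator(stuck_comparator), TestCircuit(t1, t2), sn1_delay)


if __name__ == "__main__":
    print("healthy channel:", run())
    print("VG1 stuck high: ", run(stuck_comparator=True))
    print("SN1 too early:  ", run(sn1_delay=1))
    print("SN1 too late:   ", run(sn1_delay=10 + 4 + 5))
```

The check program reads UD1 after every step rather than trusting the comparator or the test circuit on their own: a comparator whose release signal is stuck high fails step 1, a test circuit that lets an incorrect SN1 through fails step 3, and a microcomputer that emits the correct SN1 outside the MK2 window never gets the enable signal back, which is exactly what stops a runaway or delayed routine from re-enabling the outputs.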

Claims (4)

1. Safety sequence circuit with several microcomputers (MR1, MR2) which process the same data and to which at least one comparator (VG1, VG2) is connected for checking the agreement of information that the microcomputers are to deliver, via output signal converters (AR), to a process to be controlled, wherein the comparator (VG1, VG2), on detecting an information divergence, switches off a release signal (FG1, FG2) which, via an associated AND gate (UD1, UD2), activates the output signal converters (AR) only in correct operation, and wherein the comparators can be checked for faults independently of the data stream by supplying them with deliberately differing data and having their reactions to it detected and evaluated by the microcomputer (MR1, MR2), characterised in that each AND gate (e.g. UD1) is connected on its input side, in addition to the associated comparator (VG1), to the output of a test circuit (TSG1) which has a bistable function and which, on a set signal (SL1) that is emitted by the microcomputer (MR1) and in the comparator (VG1) again triggers the release signal (FG1), emits a disconnect signal to the associated output signal converter, and which, after a successful evaluation of a coding information (SN1) that acknowledges a predetermined computer routine executed in the microcomputer (MR1) and has been found correct in the test circuit, emits an enable signal to the associated output signal converter.

2. Circuit according to claim 1, characterised in that a computer check program is provided as the computer routine, in which at least one information divergence to be detected is prescribed for the comparator (VG1), and at least one incorrect and then one correct coding information (SN1) is prescribed for the test circuit (TSG1).

3. Circuit according to claim 2, characterised in that the test circuit (TSG1) contains a decoder circuit for detecting the coding information.

4. Circuit according to claim 2 or 3, characterised in that the test circuit (TSG1) contains a gate circuit (MK1, MK2, BK1, BK2 in fig. 2) which can be started by each set signal (SL1) and serves to check whether the coding information (SN1) is correct in time.
DK133188A 1987-03-12 1988-03-11 Multiple microcomputer security sequence circuit which processes the same data DK170451B1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE19873708055 DE3708055A1 (en) 1987-03-12 1987-03-12 SAFETY SWITCHGEAR WITH MULTIPLE MICROCOMPUERS PROCESSING THE SAME DATA
DE3708055 1987-03-12

Publications (3)

Publication Number Publication Date
DK133188D0 DK133188D0 (en) 1988-03-11
DK133188A DK133188A (en) 1988-09-13
DK170451B1 true DK170451B1 (en) 1995-09-04

Family

ID=6322923

Family Applications (1)

Application Number Title Priority Date Filing Date
DK133188A DK170451B1 (en) 1987-03-12 1988-03-11 Multiple microcomputer security sequence circuit which processes the same data

Country Status (6)

Country Link
EP (1) EP0281890B1 (en)
AT (1) ATE108570T1 (en)
DE (2) DE3708055A1 (en)
DK (1) DK170451B1 (en)
ES (1) ES2056070T3 (en)
ZA (1) ZA881754B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE10332557A1 (en) 2003-07-11 2005-02-17 Siemens Ag Method and computer system for operating a security system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE2217634C3 (en) * 1972-04-12 1974-08-29 Siemens Ag, 1000 Berlin Und 8000 Muenchen Safety circuit for counting pulses according to the binary number system in digital data processing systems, especially in railway systems
DE3003291C2 (en) * 1980-01-30 1983-02-24 Siemens AG, 1000 Berlin und 8000 München Two-channel data processing arrangement for railway safety purposes
DE3137450C2 (en) * 1981-09-21 1984-03-22 Siemens AG, 1000 Berlin und 8000 München Safety output circuit for a data processing system
DE3332802A1 (en) * 1983-09-12 1985-03-28 Siemens AG, 1000 Berlin und 8000 München CIRCUIT ARRANGEMENT FOR CHECKING THE CORRECT STARTING OF A TWO-CHANNEL FAIL-SAFE MICROCOMPUTER SWITCHGEAR, ESPECIALLY FOR RAILWAY LOCKING SYSTEMS

Also Published As

Publication number Publication date
DK133188A (en) 1988-09-13
ZA881754B (en) 1988-08-31
EP0281890B1 (en) 1994-07-13
EP0281890A3 (en) 1990-08-01
EP0281890A2 (en) 1988-09-14
ES2056070T3 (en) 1994-10-01
ATE108570T1 (en) 1994-07-15
DK133188D0 (en) 1988-03-11
DE3708055A1 (en) 1988-09-22
DE3850591D1 (en) 1994-08-18

Similar Documents

Publication Publication Date Title
US4198678A (en) Vehicle control unit
US5086499A (en) Computer network for real time control with automatic fault identification and by-pass
JPS626263B2 (en)
EP0006309A1 (en) Railway control signal dynamic input interlocking systems
US11823759B2 (en) Testing of fault detection circuit
DK170451B1 (en) Multiple microcomputer security sequence circuit which processes the same data
CN117785614A (en) Fault monitoring and switching method for dual-redundancy computer
US20120078575A1 (en) Checking of functions of a control system having components
JP2505386B2 (en) Signal light control system
KR20220084148A (en) safety test equipment
US6412016B1 (en) Network link bypass device
JPH07146802A (en) Railroad safety system
CA2467972A1 (en) Method for controlling a safety-critical railroad operating process and device for carrying out said method
JP2778691B2 (en) Bus monitoring circuit
JP3395288B2 (en) Information processing apparatus and information processing method
JPS60214048A (en) Data processor quaranteed in signal technology
JP2006146320A (en) Duplex system
JP3392938B2 (en) Double system equipment
JP2008021264A (en) Digital output holding device
JP4413442B2 (en) Interlocking device
JP5278267B2 (en) END COVER, PROGRAMMABLE LOGIC CONTROLLER DEVICE EQUIPPED WITH THE SAME, END COVER INSTALLATION CHECK METHOD, AND PROGRAMMABLE LOGIC CONTROLLER FAILURE DIAGNOSIS METHOD
JP2006344023A (en) Control unit
EP1684157A1 (en) Circuit for controlling power supply to electronic processing circuits, and especially electronic processing circuits having a redundant architecture
WO2014118985A1 (en) Bus module and bus system
JP2003216451A (en) Duplex system device

Legal Events

Date Code Title Description
B1 Patent granted (law 1993)
PBP Patent lapsed