CN100570519C - Safety cut-off method of exporting in the three-mould redundancy safety computer and device - Google Patents
Safety cut-off method of exporting in the three-mould redundancy safety computer and device Download PDFInfo
- Publication number
- CN100570519C CN100570519C CNB2007100643059A CN200710064305A CN100570519C CN 100570519 C CN100570519 C CN 100570519C CN B2007100643059 A CNB2007100643059 A CN B2007100643059A CN 200710064305 A CN200710064305 A CN 200710064305A CN 100570519 C CN100570519 C CN 100570519C
- Authority
- CN
- China
- Prior art keywords
- output
- safety
- circuit
- triode
- safe
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 30
- 230000001143 conditioned effect Effects 0.000 claims abstract description 7
- 230000000630 rising effect Effects 0.000 claims description 8
- 238000006243 chemical reaction Methods 0.000 claims description 7
- 238000010586 diagram Methods 0.000 description 5
- 238000009825 accumulation Methods 0.000 description 4
- 239000007787 solid Substances 0.000 description 4
- 231100001261 hazardous Toxicity 0.000 description 2
- 230000007246 mechanism Effects 0.000 description 2
- 230000005622 photoelectricity Effects 0.000 description 2
- 230000002159 abnormal effect Effects 0.000 description 1
- 230000003044 adaptive effect Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000003745 diagnosis Methods 0.000 description 1
- 230000007257 malfunction Effects 0.000 description 1
- 230000003278 mimic effect Effects 0.000 description 1
- 238000005096 rolling process Methods 0.000 description 1
- 238000004088 simulation Methods 0.000 description 1
- 239000000725 suspension Substances 0.000 description 1
- 238000010189 synthetic method Methods 0.000 description 1
- 230000001052 transient effect Effects 0.000 description 1
Images
Landscapes
- Safety Devices In Control Systems (AREA)
Abstract
The invention discloses the safety cut-off method of exporting in a kind of three-mould redundancy safety computer, the present invention mainly utilizes the safe shutdown conditioned signal of three-mould redundancy safety computer output to judge, by multigroup safety turn-off criterion signal is put to the vote, judge whether to carry out safe shutdown.By the change-over circuit of Dynamic Signal to level signal, generate cut-off signals, directly the power supply of control module output safety breaking circuit is realized safe shutdown output.The safety cut-off method of this three-mould redundancy safety computer output itself also is safe.
Description
Technical field
The safety cut-off method that the present invention relates to export in the three-mould redundancy safety computer for fields such as the control system of fail-safe computer safety output, particularly train operation control, nuclear power station controls, also relates to the operation control of magnetic suspension train.
Background technology
Triplication redundancy system (Triple Modular Redundancy (TMR) claims that also three get two) is a kind of fault-tolerant technique the most frequently used in the present trusted computer system.Triplication redundancy is meant: three identical modules of function are carried out identical operations simultaneously, do big numerical table with the output of three modules and determine, the correct output of the identical output of majority as this triplication redundancy system.This system is also referred to as three usually and gets two system based on the error correction principles of " the minority is subordinate to the majority ".
Figure a is triplication redundancy (TMR) system principle diagram.M1 among the figure, M2, M3 are three operational modules that function is identical, and V is an output voting machine.
Under the normal condition, the result of three module outputs should be identical, and V will finally export this result, as the correct output of TMR system.Under the abnormal conditions, if a certain module is made mistakes, its output will be different from the output of other two modules, and according to " the minority is subordinate to the majority " principle, V will export correct result.Therefore, can write out the logical expression of output voting machine: F=M
1M
2+ M
2M
3+ M
1M
3, be not difficult to design a kind of logical circuit of this voting machine according to this expression formula, shown in figure b.
Can find out that from above-mentioned logical diagram in the triplication redundancy system, when having two modules to make mistakes simultaneously, and produce identical error condition, mistake output will appear in the output of voting machine V.Generally speaking, the reliability of each separate modular in the triplication redundancy system is all very high, and therefore, having two modules to occur the probability of transient error simultaneously in three modules can be very little.But, must consider the situation of error accumulation: promptly mistake appears in a module, if system is left intact, mistake also appears in another module after a while, at this moment the voting output that obtains of voting machine V will be wrong output, or system's cisco unity malfunction.If this explanation is in the three mould voting systems, after a module breaks down, if its output also keeps original value or other value, no matter its correctness all may cause system's output dangerous.In the safe class higher system, the mistake output under the system failure may cause dangerous operation, causes serious casualties or property loss.Therefore in the design of security system, the system that should guarantee as far as possible is failure to the safe side output under failure condition.
In view of above situation, the present invention proposes a kind of safety cut-off method of three-mould redundancy safety computer output, make trusted computer system its export orientation secure side under failure condition.
Summary of the invention
The objective of the invention is at fail-safe computer safety output problem, propose safety cut-off method and the device exported in a kind of three-mould redundancy safety computer, the hazardous side that also can not lead under the wrong situation occurs in module even guarantee the voting output of triplication redundancy system.Output when this method forces module to be made mistakes is set to the safety value of prior appointment, and this lock-on circuit itself also is safe simultaneously, and the Shi Buhui that promptly breaks down makes the export orientation hazardous side of system.
For achieving the above object, the present invention is achieved through the following technical solutions.
The safety cut-off method of exporting in a kind of three-mould redundancy safety computer may further comprise the steps;
Select the side step of fail-safe computer output safety rapid;
Set safe shutdown condition step;
The safe shutdown conditioned signal carries out determining step;
Control module output safety breaking circuit step.
The state that output should be in when determining the system failure.For control system, the secure side of output can be set at the state after energy discharges.This state relation is to the shutoff logic of output safety breaking circuit.
Utilize the safe shutdown conditioned signal of three-mould redundancy safety computer output to judge, whether turn-off output according to corresponding principle decision, and realize safe shutdown output by the power supply of direct control module output safety breaking circuit.
Each module of three-mould redundancy safety computer is exported the conditioned signal of 3 groups of safe shutdowns, judge whether safe shutdown adopt " self thinking makes mistakes then must turn-off; perhaps other two module think to make mistakes then must turn-off " principle, it is safe shutdown condition step, judge whether that the step that safe shutdown adopts is: in the three-mould redundancy safety computer, a certain computer module thinks that by self check self makes mistakes, then necessary its output of safe shutdown, perhaps, other two computer modules consistently assert that mistake appears in this computer module by deciding by vote, then must this computer module output of safe shutdown.
Three-mould redundancy safety computer is by the power supply of direct control module output safety breaking circuit, realizes safe shutdown output, and adopt string and structure or and string structure, improve the security and the reliability of breaking circuit.
The Dynamic Signal of three-mould redundancy safety computer output is realized by the counter circuit of Digital Logic to the conversion of level signal.
The safe output circuit of safety cut-off method of exporting in the three-mould redundancy safety computer and device adopts the method shown in Fig. 6~9.
Beneficial effect of the present invention; Use the present invention, can under the situation that fail-safe computer breaks down, make the export orientation secure side of fail-safe computer, thereby improve the reliability and the security of fail-safe computer, avoid the life that the fail-safe computer fault may bring and the loss of property.Simultaneously, the present invention also has wider range of application, extends in other multi-mode redundant fail-safe computer, improves the security of output.
Description of drawings
Fig. 1 is the schematic diagram of the safety cut-off method of three-mould redundancy safety computer;
Figure a is triplication redundancy (TMR) system principle diagram;
Figure b three gets two voting logic figure;
Fig. 2 is safe shutdown circuit supply power supply control principle figure;
Fig. 3 is the synthetic method of a plurality of output safety turn-off criterion level signals;
Fig. 4 is the change-over circuit of the Dynamic Signal of numeral to level signal;
Fig. 5 arrives the change-over circuit of level signal for the Dynamic Signal of simulation;
Fig. 6 is safe output logic circuit one;
Fig. 7 is safe output logic circuit two;
Fig. 8 is safe output logic circuit three;
Fig. 9 is safe output logic circuit four.
Embodiment
The present invention is further illustrated below in conjunction with the drawings and specific embodiments.
(1) secure side of selection output
The state that output should be in the time of at first will determining the system failure.For control system, the secure side of output can be set at the state after energy discharges.In the triplication redundancy system, selected ground connection (logical zero) is the output safety side.This selection is extremely important, and it is related to the shutoff logic of output safety breaking circuit.That is to say that output safety breaking circuit described later is that to be based upon logical zero be on this precondition of output safety side.
(2) condition of output safety shutoff
In three-mould redundancy safety computer, be that three modules all are provided with the conditioned signal that 3 groups of output safeties turn-off, wherein 1 group of judgement of representing this module to self duty, 2 groups of judgements of representing this module to other two pack modules duty respectively in addition.Like this, obtain 9 groups of output safety turn-off criterion signals, that is: module M altogether
1Export 3 groups of output safety turn-off criterion signal GD
AA, GD
AN, GD
ACModule M
2Export 3 groups of output safety turn-off criterion signal GD
BB, GD
BA, GD
BCModule M
3Export 3 groups of output safety turn-off criterion signal GD
CC, GD
CA, GD
CN
For each module, utilize the power supply of above-mentioned 3 groups of its safe shutdown circuit of output safety turn-off criterion signal controlling.When this module failure or other two modules when thinking that it breaks down, will disconnect the power supply of its safe shutdown circuit, the level "0" of its export orientation safety.Like this, can avoid when this module failure its output also to keep wrong state, thus the potential safety hazard of bringing.
The logical expression of control module safe shutdown circuit supply power supply is: GD
XX(GD
XY+ GD
XZ), X, Y, Z represent A, B, C respectively in the formula.The implication of this expression formula is: if this module thinks that self mistake occurs, then must turn-off output; If perhaps other two modules think that all mistake appears in this module, then also must turn-off output.
(3) structure of safe shutdown circuit supply power supply
When the power supply of each module output safety breaking circuit of control, adopt relay (photoelectricity, machinery) device to realize safe shutdown to power supply.This adaptive polarizing memory voltage time constant can adopt series connection or the string and the structure of combination, generally speaking, adopt string and structure or and string structure, the security of this safe shutdown circuit and reliability are all guaranteed like this.Certainly, can adopt simple series arrangement, this moment, the safety indexes of safe shutdown circuit can not descend yet, but reliability index can descend.
(4) selection of output safety turn-off criterion signal
9 groups of above-mentioned output safety turn-off criterion signals can be selected common level signal (TTL, CMOS etc.).Consider reliability and security, every group of output safety turn-off criterion signal comprises 2 level signals at least, in general, need to consider signal wire what to the influence of system complexity, so select every group of output safety turn-off criterion signal to comprise 2 or 3 level signals.When adopting a plurality of level signal, need to consider how a plurality of level signals are synthesized 1 module output safety breaking circuit power supply control signal.Generally speaking, when adopting 2 level signals, adopt two two the modes of getting to compare more, promptly have only when two-way level signal when all indication mechanism is working properly, module could output safety breaking circuit power supply; When adopting 3 level signals, adopt three two the modes of getting to put to the vote more, promptly working properly as most level signal indication mechanisms, module could output safety breaking circuit power supply.
In addition, when losing efficacy owing to digital circuit, can cause level signal that the mistake of solid " 0 " or solid " 1 " takes place, but specifically be that " 0 " or " 1 " is not fixed, probability of occurrence is roughly suitable.Therefore, don't work " 0 " or " 1 " represent that the trusted computer system fault all may bring potential safety hazard.But kept certain fixed level when losing efficacy the overwhelming majority, and therefore can use Dynamic Signal to replace above-mentioned level signal (TTL, CMOS etc.), as trusted computer system sign working properly owing to digital circuit.Here, Dynamic Signal is meant the alternately signal of upset of high-low level, can distinguish mutually with output signal solid " 0 " or solid " 1 " mistake that the digital circuit inefficacy brings, so Dynamic Signal itself is safe.
Certainly, Dynamic Signal itself is the element of pilot relay and so on directly, can't utilize Dynamic Signal directly to turn-off the power supply of safe shutdown signal.Therefore must carry out the conversion of Dynamic Signal to level signal.Dynamic Signal can adopt traditional analogy method to the conversion of level signal, also can adopt the digital circuit conversion method.Wherein, utilize counter circuit conversion, can set the time of overflowing flexibly, have higher dirigibility.
(5) safe output logic circuit
Safe output logic can adopt multiple mode to realize, but must guarantee: during the module operate as normal, output safety breaking circuit power supply is normal, module output normal logic.In case this module work is undesired, output safety breaking circuit power supply disconnects, and it exports certain failure to the safe side side: 0 level (ground connection).
Fig. 1 has exemplarily represented the principle of the safety cut-off method of three-mould redundancy safety computer, and the each several part block diagram will be in the follow-up embodiment of introducing in detail.
Control the output of each module the control of safe shutdown circuit supply power supply principle as Fig. 2 (a) (b) shown in, the exemplary face of land of this figure has shown the safe shutdown logic of output power supply.Be turned off part and use relay (photoelectricity, machinery).The safe shutdown logic can adopt the string and structure or and string structure, like this, the security of system and reliability are all guaranteed.Simultaneously, the safe shutdown logic also can be simplified to the circuit shown in Fig. 2 (c), and this moment, safety indexes can not descend, but reliability index can descend.
Fig. 3 has represented that a plurality of output safety turn-off criterion signals synthesize the method for an output safety breaking circuit power supply control signal.When every group of output safety turn-off criterion signal is 2 level signals, can adopt parallel way (" or " logic) to synthesize 1 module output safety breaking circuit power supply control signal, as long as promptly there is a travel permit spare signal effective, it is effective then to export control signal, shown in Fig. 3 (a); When every group of output safety turn-off criterion signal is 3 level signals, can adopt 3 to get 2 voting formulas and synthesize 1 module output safety breaking circuit power supply control signal, promptly have only when most conditioned signals are effective, the output control signal is just effective, shown in Fig. 3 (b).
The topmost characteristic of fail-safe computer is a fault-safety principle, so the fault diagnosis signal that provides in the fail-safe computer is the Dynamic Signal logic with secure side.Fig. 5 has provided the mimic channel implementation method that Dynamic Signal is converted to level signal.Wherein, Dynamic Signal is the alternately signal of upset of high-low level.Among the figure, DTOUTA1 is the Dynamic Signal input end, and TJA1 is the level signal output terminal.
When the fail-safe computer duty for just often, DTOUTA1 is the dynamic signal of upset.When DTOUTA1 was in this half cycle of low level, triode N7 emitter voltage was 0, and triode N7 ends, so the TJ01 end is high level.This moment triode N1 emitter positively biased, triode N1 conducting, the emitter voltage of triode P1 is about 0, triode P1 ends.Triode N1 conducting and triode P1 make electric capacity E4 accumulation of energy by power supply is charged to electric capacity E4 by N1, E4, this loop of D29.Simultaneously, if be in energy accumulating state before the electric capacity E5, then this electric capacity E5 can release energy by the load of back level.
When DTOUTA1 is in this half cycle of high level, triode N7 emitter positively biased, triode N7 conducting, so the TJ01 end is low level.According to aforementioned, electric capacity E4 accumulation of energy this moment, TJ02 is a high level, so the emitter of triode N1 is anti-inclined to one side, triode N1 ends, the emitter positively biased of triode P1, triode P1 conducting.Triode N1 makes electric capacity E5 accumulation of energy by with triode P1 conducting meeting electric capacity E4 is charged to electric capacity E5 by P1, E5, this loop of D28, and electric capacity E4 releases energy simultaneously.
To sum up, when DTOUTA1 was the signal of dynamically upset, circuit was in the state that electric capacity E4 and E5 alternately discharge and recharge, thereby makes TJA1 keep negative voltage.And if the fail-safe computer operation irregularity when promptly input signal is the fixed level signal, perhaps in the circuit during certain element unusual (short circuit or open circuit), electric capacity E4 and E5 are are alternately discharged and recharged, thereby output level is fixed as 0 level.
Dynamic Signal also can adopt the method for Digital Logic to realize counter circuit as shown in Figure 4 to the conversion of level signal.At first utilize a counter to count, utilize a rising edge and negative edge to extract circuit then, the pulse signal that each rising edge and the negative edge of Dynamic Signal all is converted to a weak point, and as the asynchronous reset signal of counter.In addition, utilize one simple with or logic and latch, make circuit output low level when counting down to certain numerical value, all the other export high level.Under the normal condition, Dynamic Signal keeps upset, and rising edge and negative edge extract circuit rising edge or negative edge unification are transformed to the pulse signal of a weak point, promptly unifiedly is transformed to a negative edge.This negative edge carries out asynchronous reset to counter, and counter will be reset at set intervals like this, and count value can not surpass overflowing the time of setting all the time.When fail-safe computer occurs when unusual, be that Dynamic Signal stops upset, the asynchronous reset of this hour counter is invalid all the time, the counter counting that will always make progress, after in case counter values reaches the numerical value of prior appointment, with or logical circuit will make the latch output low level to latch output latch signal.Like this, when Dynamic Signal is invalid, circuit export orientation secure side-zero level, thus output safety breaking circuit power supply is disconnected, reach the purpose of fault-safety principle.When Dynamic Signal recovers just often, can produce a negative edge latch is carried out set, circuit continues again to have worked under normal condition like this.
This circuit can be provided with the threshold value of Dynamic Signal upset flexibly, how long not upset can be set think that promptly this Dynamic Signal is invalid.By to or logic design, produce latch signal in the time of can determining how many rolling counters forwards arrives.In addition, utilize this circuit can produce the two-way output signal, and two paths of signals is got two principle with two compare, can improve the security of this circuit.When producing the two-way output signal, can be transformed in the circuit of level signal being input to identical Dynamic Signal after another road Dynamic Signal negate, also can make the counter counts downward on another road, make circuit possess the double track output function, the security that also further improves circuit simultaneously.
The logic of safety output adopts following four kinds of circuit to realize, as shown in Figure 6; First resistance R 1 connects the first triode N2 base stage, and the first triode N2 collector connects an end of second resistance R 2 and the 3rd resistance R 3, another termination second triode P2 base stage of the 3rd resistance R 3, and the second triode P2 emitter connects second resistance R 2 and the controlled source; The second triode P2 collector connects the 4th resistance R 4 and output; The first triode N2 emitter connects an end and the ground of the 4th resistance R 4.
When the power supply of this circuit during not by safety cut-off, this circuit is in normal output state: when being input as high level, the first triode N2 conducting is pulled down to low level with the base stage of the second triode P2, and the second triode P2 conducting is output as high level; When being input as low level, the first triode N2 ends, and is high level with the base stage of the second triode P2, and the second triode P2 ends, and is output as low level;
When the power supply of this circuit during by safety cut-off, this circuit is in safe output state: though the low level of being input as or high level, no matter the first triode N2 conducting is whether, no matter the second triode P2 conducting is whether, because power supply is by safety cut-off, output all can be low level.
As shown in Figure 7; Input connects the end 1 of photoelectrical coupler UA, and the end 2 of photoelectrical coupler UA connects the 5th resistance R 5, and the other end 16 of photoelectrical coupler UA is accepted the control power supply; The other end 15 of photoelectrical coupler UA connects the other end ground connection of output and the 6th resistance R 6, the five resistance R 5 and the 6th resistance R 6.
When the power supply of this circuit during not by safety cut-off, this circuit is in normal output state: when being input as high level, the LED of photoelectrical coupler UA lights, and the triode conducting of photoelectrical coupler UA is output as high level; When being input as low level, the LED of photoelectrical coupler UA extinguishes, and the triode of photoelectrical coupler UA ends, and is output as low level;
When the power supply of this circuit during by safety cut-off, this circuit is in safe output state: though the low level of being input as or high level, no matter whether the LED of photoelectrical coupler UA lights, no matter the triode conducting of photoelectrical coupler UA is whether, because power supply is by safety cut-off, output all can be low level.
As shown in Figure 8; Connect the 3rd triode N3 base stage after input connects the 7th resistance R 7, the 3rd triode N3 emitter connects the 8th resistance R 8 and output; The 3rd triode N3 collector is accepted the control power supply; The other end ground connection of the 8th resistance R 8.
When the power supply of this circuit during not by safety cut-off, this circuit is in normal output state: when being input as high level, the 3rd triode N3 conducting is output as high level; When being input as low level, the 3rd triode N3 ends, and is output as low level;
When the power supply of this circuit during by safety cut-off, this circuit is in safe output state: no matter the low level of being input as or high level, whether the 3rd triode N3 conducting, because power supply is by safety cut-off, output all can be low level.
As shown in Figure 9; Connect the 4th triode P3 base stage after input connects the 9th resistance R 9, the 4th triode P3 collector connects the tenth resistance R 10 and output; The four or four triode P3 emitter is accepted the control power supply; The other end ground connection of the tenth resistance R 10.
When the power supply of this circuit during not by safety cut-off, this circuit is in normal output state: when being input as high level, the 4th triode P3 ends, and is output as low level; When being input as low level, the 4th triode P3 conducting is output as high level;
When the power supply of this circuit during by safety cut-off, this circuit is in safe output state: no matter the low level of being input as or high level, whether the 4th triode P3 conducting, because power supply is by safety cut-off, output all can be low level.
Their common characteristic are: when the fail-safe computer operate as normal, output safety breaking circuit power supply is normal, module output normal logic.In case the fail-safe computer operation irregularity according to above-mentioned implementation method, can cause output safety breaking circuit power supply to disconnect, and at this moment exports certain failure to the safe side side-0 level (ground connection).In addition, because what the method that these four circuit output safeties turn-off all adopted is directly to cut off power supply, therefore even the element in the circuit breaks down (no matter the fault that short circuit occurs or open circuit), its output is all with failure to the safe side side-0 level, so these four circuit itself also are fail-safe.
Claims (8)
1. the safety cut-off method of exporting in the three-mould redundancy safety computer is characterized in that may further comprise the steps:
Selected ground connection is as the step of fail-safe computer output safety side;
Set safe shutdown condition step;
The safe shutdown conditioned signal carries out determining step;
Control module output safety turn-off criterion step;
Judge whether that the step that meets the employing of safe shutdown condition is: in the three-mould redundancy safety computer, a certain computer module thinks that by self check self makes mistakes, then must export by this computer module of safe shutdown, perhaps, other two computer modules consistently assert that mistake appears in this computer module by deciding by vote, then must this computer module output of safe shutdown.
2. the safety cut-off method of exporting in a kind of three-mould redundancy safety computer according to claim 1, it is characterized in that: under the situation of the some computer module faults of supposition, no matter the fault of which kind of type appears in this computer module, all make the export orientation secure side of fail-safe computer, the export orientation secure side guarantees by cutting off the output circuit power supply; The circuit that cuts off the switch of output circuit power supply uses relay, by series parallel structure or parallel-series structure, guarantees the security and the reliability of fail-safe computer.
3. the safety cut-off method of exporting in a kind of three-mould redundancy safety computer according to claim 1, it is characterized in that: the level energizing signal of control module output safety turn-off criterion step is to the conversion of level signal, counter circuit by Digital Logic is realized, simultaneously, this implementation method itself is safe, this circuit middle part sub-unit breaks down, and the output of this circuit also can failure to the safe side.
4. the safety cut-off method of exporting in a kind of three-mould redundancy safety computer according to claim 3 is characterized in that counter circuit is as follows with the step that the level energizing signal is converted to level signal:
At first utilize a counter that the level energizing signal is counted, utilize a rising edge and negative edge to extract circuit then, the pulse signal that each rising edge and the negative edge of level energizing signal all is converted to a weak point, and as the asynchronous reset signal of counter, in addition, utilize one simple with or logical circuit and a latch, make counter circuit output low level when counting down to certain numerical value, all the other export high level, under the normal condition, the level energizing signal keeps upset, rising edge and negative edge extract the pulse signal that circuit is transformed to rising edge or negative edge unification a weak point, i.e. unification is transformed to a negative edge, this negative edge carries out asynchronous reset to counter, counter will be reset at set intervals like this, when fail-safe computer occurs when unusual, be that the level energizing signal stops upset, the asynchronous reset of this hour counter is invalid all the time, the counter counting that will always make progress, after in case counter values reaches the numerical value of prior appointment, with or logical circuit will be to latch output latch signal, make the latch output low level, like this, when the level energizing signal is invalid, counter circuit export orientation secure side, it is zero level, output safety breaking circuit power supply is disconnected,, produces a negative edge latch is carried out set when the level energizing signal recovers just often.
5. the safety cut-off method of exporting in a kind of three-mould redundancy safety computer according to claim 1, it is characterized in that: the safe output logic circuit that control module output safety turn-off criterion step adopts is: input signal links to each other with an end of first resistance (R1), another termination first triode (N2) base stage of first resistance (R1), first triode (N2) collector connects an end of second resistance (R2) and an end of the 3rd resistance (R3), another termination second triode (P2) base stage of the 3rd resistance (R3), second triode (P2) emitter connects the other end and the controlled source of second resistance (R2); Second triode (P2) collector connects an end and the output of the 4th resistance (R4); First triode (N2) emitter connects the other end and the ground of the 4th resistance (R4);
When the power supply of this circuit during not by safety cut-off, this circuit is in normal output state: when being input as high level, first triode (N2) conducting is pulled down to low level with the base stage of second triode (P2), second triode (P2) conducting is output as high level; When being input as low level, first triode (N2) ends, and is high level with the base stage of second triode (P2), and second triode (P2) ends, and is output as low level;
When the power supply of this circuit during by safety cut-off, this circuit is in safe output state: though the low level of being input as or high level, no matter first triode (N2) conducting is whether, no matter second triode (P2) conducting is whether, because power supply is by safety cut-off, output all can be low level.
6. the safety cut-off method of exporting in a kind of three-mould redundancy safety computer according to claim 1, it is characterized in that: the safe output logic circuit that control module output safety turn-off criterion step adopts is: input connects first end (1) of photoelectrical coupler (UA), second end (2) of photoelectrical coupler (UA) connects an end of the 5th resistance (R5), and the 3rd end (16) of photoelectrical coupler (UA) is accepted the control power supply; The 4th end (15) of photoelectrical coupler (UA) connects an end of output and the 6th resistance (R6), the other end ground connection of the other end of the 6th resistance (R6) and the 5th resistance (R5);
When the power supply of this circuit during not by safety cut-off, this circuit is in normal output state: when being input as high level, the LED of photoelectrical coupler (UA) lights, and the triode conducting of photoelectrical coupler (UA) is output as high level; When being input as low level, the LED of photoelectrical coupler (UA) extinguishes, and the triode of photoelectrical coupler (UA) ends, and is output as low level;
When the power supply of this circuit during by safety cut-off, this circuit is in safe output state: no matter the low level of being input as or high level, no matter whether the LED of photoelectrical coupler (UA) lights, no matter whether the triode conducting of photoelectrical coupler (UA), because power supply is by safety cut-off, output all can be low level.
7. the safety cut-off method of exporting in a kind of three-mould redundancy safety computer according to claim 1, it is characterized in that: the safe output logic circuit that control module output safety turn-off criterion step adopts is: connect the 3rd triode (N3) base stage after input connects the 7th resistance (R7), the 3rd triode (N3) emitter connects an end and the output of the 8th resistance (R8); The 3rd triode (N3) collector is accepted the control power supply; The other end ground connection of the 8th resistance (R8);
When the power supply of this circuit during not by safety cut-off, this circuit is in normal output state: when being input as high level, the 3rd triode (N3) conducting is output as high level; When being input as low level, the 3rd triode (N3) ends, and is output as low level;
When the power supply of this circuit during by safety cut-off, this circuit is in safe output state: no matter the low level of being input as or high level, whether the 3rd triode (N3) conducting, because power supply is by safety cut-off, output all can be low level.
8. the safety cut-off method of exporting in a kind of three-mould redundancy safety computer according to claim 1, it is characterized in that: the safe output logic circuit that control module output safety turn-off criterion step adopts is: connect the 4th triode (P3) base stage after input connects the 9th resistance (R9), the 4th triode (P3) collector connects an end and the output of the tenth resistance (R10); The 4th triode (P3) emitter is accepted the control power supply; The other end ground connection of the tenth resistance (R10);
When the power supply of this circuit during not by safety cut-off, this circuit is in normal output state: when being input as high level, the 4th triode (P3) ends, and is output as low level; When being input as low level, the 4th triode (P3) conducting is output as high level;
When the power supply of this circuit during by safety cut-off, this circuit is in safe output state: no matter the low level of being input as or high level, whether the 4th triode (P3) conducting, because power supply is by safety cut-off, output all can be low level.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2007100643059A CN100570519C (en) | 2007-03-09 | 2007-03-09 | Safety cut-off method of exporting in the three-mould redundancy safety computer and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2007100643059A CN100570519C (en) | 2007-03-09 | 2007-03-09 | Safety cut-off method of exporting in the three-mould redundancy safety computer and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101046678A CN101046678A (en) | 2007-10-03 |
| CN100570519C true CN100570519C (en) | 2009-12-16 |
Family
ID=38771345
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNB2007100643059A Active CN100570519C (en) | 2007-03-09 | 2007-03-09 | Safety cut-off method of exporting in the three-mould redundancy safety computer and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN100570519C (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101893848A (en) * | 2010-07-22 | 2010-11-24 | 北京交通大学 | Method for realizing failure safety by power cutoff |
Families Citing this family (19)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101931519B (en) * | 2010-08-26 | 2012-01-11 | 北京交大资产经营有限公司 | Triple-modular redundancy implementation method based on synchronous communication exchange |
| CN102096401B (en) * | 2010-12-22 | 2015-03-11 | 北京昊图科技有限公司 | Redundant and fault-tolerant safety instrument control system based on fieldbus and ARM (advanced RISC machines) |
| CN103186100B (en) * | 2011-12-31 | 2016-03-02 | 北京圣涛平试验工程技术研究院有限责任公司 | Redundancy guard system and method |
| CN102606331A (en) * | 2012-03-20 | 2012-07-25 | 西安航天动力试验技术研究所 | Triple-redundancy voting control system and triple-redundancy voting control method |
| FR2999352A1 (en) * | 2012-12-11 | 2014-06-13 | Sagem Defense Securite | REDUNDANCED ELECTRIC CIRCUIT FOR THE ELECTRONIC POWER SUPPLY OF AN EQUIPMENT |
| CN103092186B (en) * | 2012-12-28 | 2014-12-31 | 北京交控科技有限公司 | Voting structure of two out of three secure output and voting method thereof |
| CN104866390B (en) * | 2015-04-15 | 2018-07-20 | 中国科学院高能物理研究所 | Asynchronous static random access memory triplication redundancy controller |
| CN105204389A (en) * | 2015-10-08 | 2015-12-30 | 武汉聚鑫源机电工程设备有限公司 | Programmable rotating speed signal device based on software and hardware dual TMR type |
| CN105245426B (en) * | 2015-11-05 | 2018-07-17 | 湖南中车时代通信信号有限公司 | A kind of platform plug-in with plate position identification function |
| CN105398472B (en) * | 2015-11-06 | 2017-08-11 | 湖南中车时代通信信号有限公司 | A kind of platform host plug-in unit |
| CN105278328A (en) * | 2015-11-24 | 2016-01-27 | 上海空间电源研究所 | Three-take-two redundancy switching control circuit for analog circuit and control method thereof |
| CN107291580A (en) * | 2017-05-04 | 2017-10-24 | 复旦大学 | MATLAB software system and method |
| CN107978108A (en) * | 2017-12-27 | 2018-05-01 | 上海欣能信息科技发展有限公司 | A kind of system and method for electric power terminal device instruction operation troubles |
| CN110413456B (en) * | 2019-07-30 | 2023-05-26 | 上海航天计算机技术研究所 | Triple redundant data step-by-step voting system and method |
| CN110347095B (en) * | 2019-08-07 | 2022-02-11 | 天津津航计算技术研究所 | Three-redundancy switching circuit applied to aviation electric heating control system |
| CN111679621B (en) * | 2020-07-15 | 2020-12-08 | 南京科远智慧科技集团股份有限公司 | Circuit method for improving current output reliability in triple redundancy |
| CN111839573A (en) * | 2020-08-31 | 2020-10-30 | 上海大骋医疗科技有限公司 | CT heterogeneous redundant exposure control system and method |
| CN112230751B (en) * | 2020-10-13 | 2022-04-15 | 北京中科宇航技术有限公司 | High-reliability triple-modular redundancy computer power supply circuit |
| CN113219817A (en) * | 2021-04-07 | 2021-08-06 | 中国船舶重工集团公司第七一九研究所 | Pressure safety control system and control method for multiple redundancy voting |
-
2007
- 2007-03-09 CN CNB2007100643059A patent/CN100570519C/en active Active
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101893848A (en) * | 2010-07-22 | 2010-11-24 | 北京交通大学 | Method for realizing failure safety by power cutoff |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101046678A (en) | 2007-10-03 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN100570519C (en) | Safety cut-off method of exporting in the three-mould redundancy safety computer and device | |
| CN102935849B (en) | Redundancy input and output achievement system of vehicle-mounted signal equipment | |
| CN104503272A (en) | Automatic train driving system based on double-system hot standby redundancy | |
| CN111007713A (en) | Heterogeneous redundant vehicle control unit conforming to functional safety | |
| CN105187248A (en) | Redundancy switching system | |
| CN102497002B (en) | Fully-duplicated protective redundancy system for direct-current transmission project | |
| CN110007663A (en) | The output switch parameter dynamic diagnostics system and method for nuclear safe level DCS | |
| CN202218041U (en) | Dual-redundancy aero power supply | |
| CN106877291A (en) | A kind of safe torque breaking circuit and system | |
| CN109450064B (en) | Intelligent solid-state power distribution controller based on dual redundant circuits and control method | |
| CN106154145A (en) | A kind of fault test set being applied to high-tension battery contactor and fault detection method | |
| CN102969693B (en) | Electronic control valve driving protective circuit of railway vehicles | |
| CN105938356B (en) | The hardware redundancy of control module and operation cadence synchronization system in DCS system | |
| CN107492684A (en) | The battery management system and vehicle of electrokinetic cell | |
| CN103557116B (en) | The safety device for wind generating set that a kind of hardwire is built | |
| CN203027126U (en) | Protection circuit for preventing output end alternating-current voltage misconnection, and alternating-current/direct-current conversion apparatus | |
| CN201319498Y (en) | Signal output module for selecting two from three in direct current power transmission system | |
| CN201315486Y (en) | Module for redundancy logical switch in direct current power transmission system | |
| CN201315470Y (en) | Module for either-or signal output in direct current power transmission system | |
| CN111694268A (en) | Two-out-of-three voting control system | |
| CN103051045A (en) | Distributed triple redundant power supply circuit of triple redundant control system | |
| CN104442923A (en) | Urban rail vehicle electric control method based on logic control unit | |
| CN211374997U (en) | Parallel circuit for fault detection of high-voltage battery management system | |
| CN2896292Y (en) | Circuit for detecting external voltage | |
| CN102306116A (en) | Voting structure for two-out-of-three safety output in static mode and voting method thereof |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| ASS | Succession or assignment of patent right |
Owner name: BEIJING JIAOTONG UNIVERSITY ASSETS MANAGEMENT CO., Free format text: FORMER OWNER: BEIJING COMMUNICATION UNIV. Effective date: 20110902 |
|
| C41 | Transfer of patent application or patent right or utility model | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20110902 Address after: 100044 Beijing city Haidian District sorghum Bridge Street No. 44 Building Room 806 Patentee after: Beijing Jiaotong University Address before: 100044 Beijing Xizhimen Shangyuan Village No. 3 Patentee before: Beijing Jiaotong University |
|
| ASS | Succession or assignment of patent right |
Owner name: BEIJING TRAFFIC CONTROL TECHNOLOGY CO., LTD. Free format text: FORMER OWNER: BEIJING JIAOTONG UNIVERSITY ASSET MANAGEMENT CO., LTD. Effective date: 20120809 |
|
| C41 | Transfer of patent application or patent right or utility model | ||
| COR | Change of bibliographic data |
Free format text: CORRECT: ADDRESS; FROM: 100044 HAIDIAN, BEIJING TO: 100070 FENGTAI, BEIJING |
|
| TR01 | Transfer of patent right |
Effective date of registration: 20120809 Address after: 100070 Beijing science and Technology Park of Fengtai District Haiying Road No. 6 hospital of Beijing, the headquarters of the International 2 Building No. 3 Patentee after: Beijing Traffic Control Technology Co., Ltd. Address before: 100044, room 44, science building, 806 Jiao Feng street, Haidian District, Beijing Patentee before: Beijing Jiaotong University |
|
| C56 | Change in the name or address of the patentee | ||
| CP01 | Change in the name or title of a patent holder |
Address after: 100070 Beijing science and Technology Park of Fengtai District Haiying Road No. 6 hospital of Beijing, the headquarters of the International 2 Building No. 3 Patentee after: TRAFFIC CONTROL TECHNOLOGY Co.,Ltd. Address before: 100070 Beijing science and Technology Park of Fengtai District Haiying Road No. 6 hospital of Beijing, the headquarters of the International 2 Building No. 3 Patentee before: Beijing Traffic Control Technology Co., Ltd. |
|
| CP03 | Change of name, title or address |
Address after: 100070 Beijing science and Technology Park of Fengtai District Seahawks Hospital No. 6 2, No. 3 (Park) Patentee after: TRAFFIC CONTROL TECHNOLOGY Co.,Ltd. Address before: 100070 Beijing science and Technology Park of Fengtai District Haiying Road No. 6 hospital of Beijing, the headquarters of the International 2 Building No. 3 Patentee before: TRAFFIC CONTROL TECHNOLOGY Co.,Ltd. |
|
| CP03 | Change of name, title or address |