CN101046678A - Safety cut-off method and device for output in three-mould redundancy safety computer - Google Patents
Safety cut-off method and device for output in three-mould redundancy safety computer Download PDFInfo
- Publication number
- CN101046678A CN101046678A CN 200710064305 CN200710064305A CN101046678A CN 101046678 A CN101046678 A CN 101046678A CN 200710064305 CN200710064305 CN 200710064305 CN 200710064305 A CN200710064305 A CN 200710064305A CN 101046678 A CN101046678 A CN 101046678A
- Authority
- CN
- China
- Prior art keywords
- safety
- output
- circuit
- triode
- signal
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 30
- 230000000630 rising effect Effects 0.000 claims description 8
- 238000006243 chemical reaction Methods 0.000 claims description 7
- 230000001143 conditioned effect Effects 0.000 claims description 6
- 238000010586 diagram Methods 0.000 description 5
- 238000009825 accumulation Methods 0.000 description 4
- 239000007787 solid Substances 0.000 description 4
- 231100001261 hazardous Toxicity 0.000 description 2
- 230000007246 mechanism Effects 0.000 description 2
- 230000005622 photoelectricity Effects 0.000 description 2
- 230000002159 abnormal effect Effects 0.000 description 1
- 230000003044 adaptive effect Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000003745 diagnosis Methods 0.000 description 1
- 230000007257 malfunction Effects 0.000 description 1
- 230000003278 mimic effect Effects 0.000 description 1
- 238000005096 rolling process Methods 0.000 description 1
- 238000004088 simulation Methods 0.000 description 1
- 239000000725 suspension Substances 0.000 description 1
- 238000010189 synthetic method Methods 0.000 description 1
- 230000001052 transient effect Effects 0.000 description 1
Images
Landscapes
- Safety Devices In Control Systems (AREA)
Abstract
The present invention discloses a safe turn-off method for output in triple modular redundancy safety computer. Said invention mainly utilizes the safe turn-off condition signal outputted by triple modular redundancy safety computer to make judgement, and utilizes several groups of safe turn-off condition signals to make decision and judge that it has need of making safe turn-off or not. It is characterized by that said invention utilizes a change-over circuit from dynamic signal to level signal to generate turn-off signal, and can directly control the power supply of modular output safe turn-off circuit so as to implement safe turn-off output.
Description
Technical field
The safety cut-off method that the present invention relates to export in the three-mould redundancy safety computer for fields such as the control system of fail-safe computer safety output, particularly train operation control, nuclear power station controls, also relates to the operation control of magnetic suspension train.
Background technology
Triplication redundancy system (Triple Modular Redundancy (TMR) claims that also three get two) is a kind of fault-tolerant technique the most frequently used in the present trusted computer system.Triplication redundancy is meant: three identical modules of function are carried out identical operations simultaneously, do big numerical table with the output of three modules and determine, the correct output of the identical output of majority as this triplication redundancy system.This system is also referred to as three usually and gets two system based on the error correction principles of " the minority is subordinate to the majority ".
Figure a is triplication redundancy (TMR) system principle diagram.M1 among the figure, M2, M3 are three operational modules that function is identical, and V is an output voting machine.
Under the normal condition, the result of three module outputs should be identical, and V will finally export this result, as the correct output of TMR system.Under the abnormal conditions, if a certain module is made mistakes, its output will be different from the output of other two modules, and according to " the minority is subordinate to the majority " principle, V will export correct result.Therefore, can write out the logical expression of output voting machine: F=M
1M
2+ M
2M
3+ M
1M
3, be not difficult to design a kind of logical circuit of this voting machine according to this expression formula, shown in figure b.
Can find out that from above-mentioned logical diagram in the triplication redundancy system, when having two modules to make mistakes simultaneously, and produce identical error condition, mistake output will appear in the output of voting machine V.Generally speaking, the reliability of each separate modular in the triplication redundancy system is all very high, and therefore, having two modules to occur the probability of transient error simultaneously in three modules can be very little.But, must consider the situation of error accumulation: promptly mistake appears in a module, if system is left intact, mistake also appears in another module after a while, at this moment the voting output that obtains of voting machine V will be wrong output, or system's cisco unity malfunction.If this explanation is in the three mould voting systems, after a module breaks down, if its output also keeps original value or other value, no matter its correctness all may cause system's output dangerous.In the safe class higher system, the mistake output under the system failure may cause dangerous operation, causes serious casualties or property loss.Therefore in the design of security system, the system that should guarantee as far as possible is failure to the safe side output under failure condition.
In view of above situation, the present invention proposes a kind of safety cut-off method of three-mould redundancy safety computer output, make trusted computer system its export orientation secure side under failure condition.
Summary of the invention
The objective of the invention is at fail-safe computer safety output problem, propose safety cut-off method and the device exported in a kind of three-mould redundancy safety computer, the hazardous side that also can not lead under the wrong situation occurs in module even guarantee the voting output of triplication redundancy system.Output when this method forces module to be made mistakes is set to the safety value of prior appointment, and this lock-on circuit itself also is safe simultaneously, and the Shi Buhui that promptly breaks down makes the export orientation hazardous side of system.
For achieving the above object, the present invention is achieved through the following technical solutions.
The safety cut-off method of exporting in a kind of three-mould redundancy safety computer may further comprise the steps;
Select the side step of fail-safe computer output safety rapid;
Set safe shutdown condition step;
The safe shutdown conditioned signal carries out determining step;
Control module output safety breaking circuit step.
The state that output should be in when determining the system failure.For control system, the secure side of output can be set at the state after energy discharges.This state relation is to the shutoff logic of output safety breaking circuit.
Utilize the safe shutdown conditioned signal of three-mould redundancy safety computer output to judge, whether turn-off output according to corresponding principle decision, and realize safe shutdown output by the power supply of direct control module output safety breaking circuit.
Each module of three-mould redundancy safety computer is exported the conditioned signal of 3 groups of safe shutdowns, judge whether safe shutdown adopt " self thinking makes mistakes then must turn-off, perhaps other two module think to make mistakes then must turn-off " principle.
Three-mould redundancy safety computer is by the power supply of direct control module output safety breaking circuit, realizes safe shutdown output, and adopt string and structure or and string structure, improve the security and the reliability of breaking circuit.
The Dynamic Signal of three-mould redundancy safety computer output is realized by the counter circuit of Digital Logic to the conversion of level signal.
The safe output circuit of safety cut-off method of exporting in the three-mould redundancy safety computer and device adopts the method shown in Fig. 6~9.
Beneficial effect of the present invention; Use the present invention, can under the situation that fail-safe computer breaks down, make the export orientation secure side of fail-safe computer, thereby improve the reliability and the security of fail-safe computer, avoid the life that the fail-safe computer fault may bring and the loss of property.Simultaneously, the present invention also has wider range of application, extends in other multi-mode redundant fail-safe computer, improves the security of output.
Description of drawings
Fig. 1 is the schematic diagram of the safety cut-off method of three-mould redundancy safety computer;
Fig. 1 a is triplication redundancy (TMR) system principle diagram;
Fig. 1 b three gets two voting logic figure;
Fig. 2 is safe shutdown circuit supply power supply control principle figure;
Fig. 3 is the synthetic method of a plurality of output safety turn-off criterion level signals;
Fig. 4 is the change-over circuit of the Dynamic Signal of numeral to level signal;
Fig. 5 arrives the change-over circuit of level signal for the Dynamic Signal of simulation;
Fig. 6 is safe output logic circuit one;
Fig. 7 is safe output logic circuit two;
Fig. 8 is safe output logic circuit three;
Fig. 9 is safe output logic circuit four.
Embodiment
The present invention is further illustrated below in conjunction with the drawings and specific embodiments.
Embodiment 1;
(1) secure side of selection output
The state that output should be in the time of at first will determining the system failure.For control system, the secure side of output can be set at the state after energy discharges.In the triplication redundancy system, selected ground connection (logical zero) is the output safety side.This selection is extremely important, and it is related to the shutoff logic of output safety breaking circuit.That is to say that output safety breaking circuit described later is that to be based upon logical zero be on this precondition of output safety side.
(2) condition of output safety shutoff
In three-mould redundancy safety computer, be that three modules all are provided with the conditioned signal that 3 groups of output safeties turn-off, wherein 1 group of judgement of representing this module to self duty, 2 groups of judgements of representing this module to other two pack modules duty respectively in addition.Like this, obtain 9 groups of output safety turn-off criterion signals, that is: module M altogether
1Export 3 groups of output safety turn-off criterion signal GD
AA, GD
AN, GD
ACModule M
2Export 3 groups of output safety turn-off criterion signal GD
BB, GD
BA, GD
BCModule M
3Export 3 groups of output safety turn-off criterion signal GD
CC, GD
CA, GD
CN
For each module, utilize the power supply of above-mentioned 3 groups of its safe shutdown circuit of output safety turn-off criterion signal controlling.When this module failure or other two modules when thinking that it breaks down, will disconnect the power supply of its safe shutdown circuit, the level "0" of its export orientation safety.Like this, can avoid when this module failure its output also to keep wrong state, thus the potential safety hazard of bringing.
The logical expression of control module safe shutdown circuit supply power supply is: GD
XX(GD
XY+ GD
XZ), X, Y, Z represent A, B, C respectively in the formula.The implication of this expression formula is: if this module thinks that self mistake occurs, then must turn-off output; If perhaps other two modules think that all mistake appears in this module, then also must turn-off output.
(3) structure of safe shutdown circuit supply power supply
When the power supply of each module output safety breaking circuit of control, adopt relay (photoelectricity, machinery) device to realize safe shutdown to power supply.This adaptive polarizing memory voltage time constant can adopt series connection or the string and the structure of combination, generally speaking, adopt string and structure or and string structure, the security of this safe shutdown circuit and reliability are all guaranteed like this.Certainly, can adopt simple series arrangement, this moment, the safety indexes of safe shutdown circuit can not descend yet, but reliability index can descend.
(4) selection of output safety turn-off criterion signal
9 groups of above-mentioned output safety turn-off criterion signals can be selected common level signal (TTL, CMOS etc.).Consider reliability and security, every group of output safety turn-off criterion signal comprises 2 level signals at least, in general, need to consider signal wire what to the influence of system complexity, so select every group of output safety turn-off criterion signal to comprise 2 or 3 level signals.When adopting a plurality of level signal, need to consider how a plurality of level signals are synthesized 1 module output safety breaking circuit power supply control signal.Generally speaking, when adopting 2 level signals, adopt two two the modes of getting to compare more, promptly have only when two-way level signal when all indication mechanism is working properly, module could output safety breaking circuit power supply; When adopting 3 level signals, adopt three two the modes of getting to put to the vote more, promptly working properly as most level signal indication mechanisms, module could output safety breaking circuit power supply.
In addition, when losing efficacy owing to digital circuit, can cause level signal that the mistake of solid " 0 " or solid " 1 " takes place, but specifically be that " 0 " or " 1 " is not fixed, probability of occurrence is roughly suitable.Therefore, don't work " 0 " or " 1 " represent that the trusted computer system fault all may bring potential safety hazard.But kept certain fixed level when losing efficacy the overwhelming majority, and therefore can use Dynamic Signal to replace above-mentioned level signal (TTL, CMOS etc.), as trusted computer system sign working properly owing to digital circuit.Here, Dynamic Signal is meant the alternately signal of upset of high-low level, can distinguish mutually with output signal solid " 0 " or solid " 1 " mistake that the digital circuit inefficacy brings, so Dynamic Signal itself is safe.
Certainly, Dynamic Signal itself is the element of pilot relay and so on directly, can't utilize Dynamic Signal directly to turn-off the power supply of safe shutdown signal.Therefore must carry out the conversion of Dynamic Signal to level signal.Dynamic Signal can adopt traditional analogy method to the conversion of level signal, also can adopt the digital circuit conversion method.Wherein, utilize digital circuit conversion, can set the time of overflowing flexibly, have higher dirigibility.
(5) safe output logic circuit
Safe output logic can adopt multiple mode to realize, but must guarantee: during the module operate as normal, output safety breaking circuit power supply is normal, module output normal logic.In case this module work is undesired, output safety breaking circuit power supply disconnects, and it exports certain failure to the safe side side: 0 level (ground connection).
Fig. 1 has exemplarily represented the principle of the safety cut-off method of three-mould redundancy safety computer, and the each several part block diagram will be in the follow-up embodiment of introducing in detail.
Control the output of each module the control of safe shutdown circuit supply power supply principle as Fig. 2 (a) (b) shown in, the exemplary face of land of this figure has shown the safe shutdown logic of output power supply.Be turned off part and use relay (photoelectricity, machinery).The safe shutdown logic can adopt the string and structure or and string structure, like this, the security of system and reliability are all guaranteed.Simultaneously, the safe shutdown logic also can be simplified to the circuit shown in Fig. 2 (c), and this moment, safety indexes can not descend, but reliability index can descend.
Fig. 3 has represented that a plurality of output safety turn-off criterion signals synthesize the method for an output safety breaking circuit power supply control signal.When every group of output safety turn-off criterion signal is 2 level signals, can adopt parallel way (" or " logic) to synthesize 1 module output safety breaking circuit power supply control signal, as long as promptly there is a travel permit spare signal effective, it is effective then to export control signal, shown in Fig. 3 (a); When every group of output safety turn-off criterion signal is 3 level signals, can adopt 3 to get 2 voting formulas and synthesize 1 module output safety breaking circuit power supply control signal, promptly have only when most conditioned signals are effective, the output control signal is just effective, shown in Fig. 3 (b).
The topmost characteristic of fail-safe computer is a fault-safety principle, so the fault diagnosis signal that provides in the fail-safe computer is the Dynamic Signal logic with secure side.Fig. 5 has provided the mimic channel implementation method that Dynamic Signal is converted to level signal.Wherein, Dynamic Signal is the alternately signal of upset of high-low level.Among the figure, DTOUTA1 is the Dynamic Signal input end, and TJA1 is the level signal output terminal.
When the fail-safe computer duty for just often, DTOUTA1 is the dynamic signal of upset.When DTOUTA1 was in this half cycle of low level, triode N7 emitter voltage was 0, and triode ends, so the TJ01 end is high level.This moment triode N1 emitter positively biased, triode N1 conducting, the emitter voltage of triode P1 is about 0, triode P1 ends.Triode N1 conducting and triode P1 make electric capacity E4 accumulation of energy by power supply is charged to electric capacity E4 by N1, E4, this loop of D29.Simultaneously, if be in energy accumulating state before the electric capacity E5, then this electric capacity E5 can release energy by the load of back level.
When DTOUTA1 is in this half cycle of high level, triode N7 emitter positively biased, triode N7 conducting, so the TJ01 end is low level.According to aforementioned, electric capacity E4 accumulation of energy this moment, TJ02 is a high level, so the emitter of triode N1 is anti-inclined to one side, triode N1 ends, the emitter positively biased of triode P1, triode P1 conducting.Triode N1 makes electric capacity E5 accumulation of energy by with triode P1 conducting meeting electric capacity E4 is charged to electric capacity E5 by P1, E5, this loop of D28, and electric capacity E4 releases energy simultaneously.
To sum up, when DTOUTA1 was the signal of dynamically upset, circuit was in the state that electric capacity E4 and E5 alternately discharge and recharge, thereby makes TJA1 keep negative voltage.And if the fail-safe computer operation irregularity when promptly input signal is the fixed level signal, perhaps in the circuit during certain element unusual (short circuit or open circuit), electric capacity E4 and E5 are are alternately discharged and recharged, thereby output level is fixed as 0 level.
Dynamic Signal also can adopt the method for Digital Logic to realize to the conversion of level signal, as shown in Figure 4.At first utilize a counter to count, utilize a rising edge and negative edge to extract circuit then, the pulse signal that each rising edge and the negative edge of Dynamic Signal all is converted to a weak point, and as the asynchronous reset signal of counter.In addition, utilize one simple with or logic and latch, make circuit output low level when counting down to certain numerical value, all the other export high level.Under the normal condition, Dynamic Signal keeps upset, and rising edge and negative edge extract circuit rising edge or negative edge unification are transformed to the pulse signal of a weak point, promptly unifiedly is transformed to a negative edge.This negative edge carries out asynchronous reset to counter, and counter will be reset at set intervals like this, and count value can not surpass overflowing the time of setting all the time.When fail-safe computer occurs when unusual, be that Dynamic Signal stops upset, the asynchronous reset of this hour counter is invalid all the time, the counter counting that will always make progress, after in case counter values reaches the numerical value of prior appointment, with or logical circuit will make the latch output low level to latch output latch signal.Like this, when Dynamic Signal is invalid, circuit export orientation secure side-zero level, thus output safety breaking circuit power supply is disconnected, reach the purpose of fault-safety principle.When Dynamic Signal recovers just often, can produce a negative edge latch is carried out set, circuit continues again to have worked under normal condition like this.
This circuit can be provided with the threshold value of Dynamic Signal upset flexibly, how long not upset can be set think that promptly this Dynamic Signal is invalid.By to or logic design, produce latch signal in the time of can determining how many rolling counters forwards arrives.In addition, utilize this circuit can produce the two-way output signal, and two paths of signals is got two principle with two compare, can improve the security of this circuit.When producing the two-way output signal, can be transformed in the circuit of level signal being input to identical Dynamic Signal after another road Dynamic Signal negate, also can make the counter counts downward on another road, make circuit possess the double track output function, the security that also further improves circuit simultaneously.
The logic of safety output adopts following four kinds of circuit to realize, as shown in Figure 6; Resistance R 1 connects triode N2 base stage, an end of triode N2 collector connecting resistance R2 and resistance R 3, another termination triode P2 base stage of resistance R 3, triode P2 emitter connecting resistance R2 and controlled source; Triode P2 collector connecting resistance R4 and output; The end of triode N2 emitter connecting resistance R4 and ground.
As shown in Figure 7; Input connects the end 1 of photoelectrical coupler UA, an end 2 connecting resistance R5 of photoelectrical coupler UA, and the other end 16 of photoelectrical coupler UA is accepted the control power supply; The other end 15 of photoelectrical coupler UA connects output and resistance R 6, the other end ground connection of resistance R 5 and resistance R 5.
As shown in Figure 8; Connect triode N3 base stage, triode N3 emitter connecting resistance R8 and output behind the input connecting resistance R7; Triode N3 collector is accepted the control power supply; The other end ground connection of resistance R 8.
As shown in Figure 9; Connect triode P3 base stage, triode P3 collector connecting resistance R10 and output behind the input connecting resistance R9; Triode P3 emitter is accepted the control power supply; The other end ground connection of resistance R 10.
Their common characteristic are: when the fail-safe computer operate as normal, output safety breaking circuit power supply is normal, module output normal logic.In case the fail-safe computer operation irregularity according to above-mentioned implementation method, can cause output safety breaking circuit power supply to disconnect, and at this moment exports certain failure to the safe side side-0 level (ground connection).In addition, because what the method that these four circuit output safeties turn-off all adopted is directly to cut off power supply, therefore even the element in the circuit breaks down (no matter the fault that short circuit occurs or open circuit), its output is all with failure to the safe side side-0 level, so these four circuit itself also are fail-safe.
Claims (9)
1. the safety cut-off method of exporting in the three-mould redundancy safety computer is characterized in that:
May further comprise the steps;
Select the side step of fail-safe computer output safety rapid;
Set safe shutdown condition step;
The safe shutdown conditioned signal carries out determining step;
Control module output safety breaking circuit step.
2. the safety cut-off method of a kind of three-mould redundancy safety computer output according to claim 1, it is characterized in that: safe shutdown condition step, judge whether safe shutdown adopt " self thinking makes mistakes then must turn-off, perhaps other two module think to make mistakes then must turn-off " method.
3. the safety cut-off method of a kind of three-mould redundancy safety computer output according to claim 1, it is characterized in that: the control module output safety breaking circuit of control module output safety breaking circuit step adopts string and structure or and string structure, the directly power supply of control module output safety breaking circuit.
4. the safety cut-off method of a kind of three-mould redundancy safety computer output according to claim 1 is characterized in that: the Dynamic Signal of control module output safety breaking circuit step is realized by the counter circuit of Digital Logic to the conversion of level signal.
5. the safety cut-off method of a kind of three-mould redundancy safety computer output according to claim 1, it is characterized in that: control module output safety breaking circuit step is; At first utilize a counter to count, utilize a rising edge and negative edge to extract circuit then, the pulse signal that each rising edge and the negative edge of Dynamic Signal all is converted to a weak point, and as the asynchronous reset signal of counter, in addition, utilize one simple with or logic and latch, make circuit output low level when counting down to certain numerical value, all the other export high level, under the normal condition, Dynamic Signal keeps upset, rising edge and negative edge extract the pulse signal that circuit is transformed to rising edge or negative edge unification a weak point, i.e. unification is transformed to a negative edge, this negative edge carries out asynchronous reset to counter, counter will be reset at set intervals like this, when fail-safe computer occurs when unusual, be that Dynamic Signal stops upset, the asynchronous reset of this hour counter is invalid all the time, the counter counting that will always make progress, after in case counter values reaches the numerical value of prior appointment, with or logical circuit will be to latch output latch signal, make the latch output low level, like this, when Dynamic Signal was invalid, circuit export orientation secure side-zero level was disconnected output safety breaking circuit power supply, when Dynamic Signal recovers just often, produce a negative edge latch is carried out set.
6. the safety cut-off method of a kind of three-mould redundancy safety computer output according to claim 1 is characterized in that: the circuit that control module output safety breaking circuit step adopts is; Resistance (R1) connects triode (N2) base stage, an end of triode (N2) collector connecting resistance (R2) and resistance (R3), another termination triode (P2) base stage of resistance (R3), triode (P2) emitter connecting resistance (R2) and controlled source; Triode (P2) collector connecting resistance (R4) and output; One end of triode (N2) emitter connecting resistance (R4) and ground.
7. the safety cut-off method of a kind of three-mould redundancy safety computer output according to claim 1 is characterized in that: the circuit that control module output safety breaking circuit step adopts is; Input connects an end (1) of photoelectrical coupler (UA), and an end (2) connecting resistance (R5) of photoelectrical coupler (UA), the other end (16) of photoelectrical coupler (UA) are accepted the control power supply; The other end (15) of photoelectrical coupler (UA) connects output and resistance (R6), the other end ground connection of resistance (R5) and resistance (R5).
8. the safety cut-off method of a kind of three-mould redundancy safety computer output according to claim 1 is characterized in that: the circuit that control module output safety breaking circuit step adopts is; Connect triode (N3) base stage behind the input connecting resistance (R7), triode (N3) emitter connecting resistance (R8) and output; Triode (N3) collector is accepted the control power supply; The other end ground connection of resistance (R8).
9. the safety cut-off method of a kind of three-mould redundancy safety computer output according to claim 1 is characterized in that: the circuit that control module output safety breaking circuit step adopts is; Connect triode (P3) base stage behind the input connecting resistance (R9), triode (P3) collector connecting resistance (R10) and output; Triode (P3) emitter is accepted the control power supply; The other end ground connection of resistance (R10).
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2007100643059A CN100570519C (en) | 2007-03-09 | 2007-03-09 | Safety cut-off method of exporting in the three-mould redundancy safety computer and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2007100643059A CN100570519C (en) | 2007-03-09 | 2007-03-09 | Safety cut-off method of exporting in the three-mould redundancy safety computer and device |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101046678A true CN101046678A (en) | 2007-10-03 |
| CN100570519C CN100570519C (en) | 2009-12-16 |
Family
ID=38771345
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNB2007100643059A Active CN100570519C (en) | 2007-03-09 | 2007-03-09 | Safety cut-off method of exporting in the three-mould redundancy safety computer and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN100570519C (en) |
Cited By (20)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101893848A (en) * | 2010-07-22 | 2010-11-24 | 北京交通大学 | Method for realizing failure safety by power cutoff |
| CN101931519A (en) * | 2010-08-26 | 2010-12-29 | 北京交通大学 | Triple-modular redundancy implementation method based on synchronous communication exchange |
| CN102096401A (en) * | 2010-12-22 | 2011-06-15 | 北京昊图科技有限公司 | Redundant and fault-tolerant safety instrument control system based on fieldbus and ARM (advanced RISC machines) |
| CN102606331A (en) * | 2012-03-20 | 2012-07-25 | 西安航天动力试验技术研究所 | Triple-redundancy voting control system and triple-redundancy voting control method |
| CN103092186A (en) * | 2012-12-28 | 2013-05-08 | 北京交控科技有限公司 | Voting structure of two out of three secure output and voting method thereof |
| CN103186100A (en) * | 2011-12-31 | 2013-07-03 | 北京圣涛平试验工程技术研究院有限责任公司 | Redundancy protection system and redundancy protection method |
| CN104866390A (en) * | 2015-04-15 | 2015-08-26 | 中国科学院高能物理研究所 | Triple modular redundancy controller for static random access memory |
| CN105204389A (en) * | 2015-10-08 | 2015-12-30 | 武汉聚鑫源机电工程设备有限公司 | Programmable rotating speed signal device based on software and hardware dual TMR type |
| CN105245426A (en) * | 2015-11-05 | 2016-01-13 | 株洲南车时代电气股份有限公司 | Platform plug-in having board position identification function |
| CN105278328A (en) * | 2015-11-24 | 2016-01-27 | 上海空间电源研究所 | Three-take-two redundancy switching control circuit for analog circuit and control method thereof |
| CN105398472A (en) * | 2015-11-06 | 2016-03-16 | 株洲南车时代电气股份有限公司 | Platform host plug-in |
| CN105026265B (en) * | 2012-12-11 | 2017-03-08 | 萨基姆防卫安全 | For the redundant circuit that the equipment of cutting off is powered |
| CN107291580A (en) * | 2017-05-04 | 2017-10-24 | 复旦大学 | MATLAB software system and method |
| CN107978108A (en) * | 2017-12-27 | 2018-05-01 | 上海欣能信息科技发展有限公司 | A kind of system and method for electric power terminal device instruction operation troubles |
| CN110347095A (en) * | 2019-08-07 | 2019-10-18 | 天津津航计算技术研究所 | A kind of triplex redundance switching circuit applied to aviation electric heating control system |
| CN110413456A (en) * | 2019-07-30 | 2019-11-05 | 上海航天计算机技术研究所 | Triple redundance data voting system and method step by step |
| CN111839573A (en) * | 2020-08-31 | 2020-10-30 | 上海大骋医疗科技有限公司 | CT heterogeneous redundant exposure control system and method |
| CN112230751A (en) * | 2020-10-13 | 2021-01-15 | 北京中科宇航技术有限公司 | High-reliability triple-modular redundancy computer power supply circuit |
| CN113219817A (en) * | 2021-04-07 | 2021-08-06 | 中国船舶重工集团公司第七一九研究所 | Pressure safety control system and control method for multiple redundancy voting |
| WO2022011801A1 (en) * | 2020-07-15 | 2022-01-20 | 南京科远智慧科技集团股份有限公司 | Circuit method for improving reliability of current output in triple redundancy |
-
2007
- 2007-03-09 CN CNB2007100643059A patent/CN100570519C/en active Active
Cited By (29)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101893848A (en) * | 2010-07-22 | 2010-11-24 | 北京交通大学 | Method for realizing failure safety by power cutoff |
| CN101931519A (en) * | 2010-08-26 | 2010-12-29 | 北京交通大学 | Triple-modular redundancy implementation method based on synchronous communication exchange |
| CN101931519B (en) * | 2010-08-26 | 2012-01-11 | 北京交大资产经营有限公司 | Triple-modular redundancy implementation method based on synchronous communication exchange |
| CN102096401A (en) * | 2010-12-22 | 2011-06-15 | 北京昊图科技有限公司 | Redundant and fault-tolerant safety instrument control system based on fieldbus and ARM (advanced RISC machines) |
| CN102096401B (en) * | 2010-12-22 | 2015-03-11 | 北京昊图科技有限公司 | Redundant and fault-tolerant safety instrument control system based on fieldbus and ARM (advanced RISC machines) |
| CN103186100B (en) * | 2011-12-31 | 2016-03-02 | 北京圣涛平试验工程技术研究院有限责任公司 | Redundancy guard system and method |
| CN103186100A (en) * | 2011-12-31 | 2013-07-03 | 北京圣涛平试验工程技术研究院有限责任公司 | Redundancy protection system and redundancy protection method |
| CN102606331A (en) * | 2012-03-20 | 2012-07-25 | 西安航天动力试验技术研究所 | Triple-redundancy voting control system and triple-redundancy voting control method |
| CN105026265B (en) * | 2012-12-11 | 2017-03-08 | 萨基姆防卫安全 | For the redundant circuit that the equipment of cutting off is powered |
| CN103092186A (en) * | 2012-12-28 | 2013-05-08 | 北京交控科技有限公司 | Voting structure of two out of three secure output and voting method thereof |
| CN104866390B (en) * | 2015-04-15 | 2018-07-20 | 中国科学院高能物理研究所 | Asynchronous static random access memory triplication redundancy controller |
| CN104866390A (en) * | 2015-04-15 | 2015-08-26 | 中国科学院高能物理研究所 | Triple modular redundancy controller for static random access memory |
| CN105204389A (en) * | 2015-10-08 | 2015-12-30 | 武汉聚鑫源机电工程设备有限公司 | Programmable rotating speed signal device based on software and hardware dual TMR type |
| CN105245426B (en) * | 2015-11-05 | 2018-07-17 | 湖南中车时代通信信号有限公司 | A kind of platform plug-in with plate position identification function |
| CN105245426A (en) * | 2015-11-05 | 2016-01-13 | 株洲南车时代电气股份有限公司 | Platform plug-in having board position identification function |
| CN105398472A (en) * | 2015-11-06 | 2016-03-16 | 株洲南车时代电气股份有限公司 | Platform host plug-in |
| CN105398472B (en) * | 2015-11-06 | 2017-08-11 | 湖南中车时代通信信号有限公司 | A kind of platform host plug-in unit |
| CN105278328A (en) * | 2015-11-24 | 2016-01-27 | 上海空间电源研究所 | Three-take-two redundancy switching control circuit for analog circuit and control method thereof |
| CN107291580A (en) * | 2017-05-04 | 2017-10-24 | 复旦大学 | MATLAB software system and method |
| CN107978108A (en) * | 2017-12-27 | 2018-05-01 | 上海欣能信息科技发展有限公司 | A kind of system and method for electric power terminal device instruction operation troubles |
| CN110413456B (en) * | 2019-07-30 | 2023-05-26 | 上海航天计算机技术研究所 | Triple redundant data step-by-step voting system and method |
| CN110413456A (en) * | 2019-07-30 | 2019-11-05 | 上海航天计算机技术研究所 | Triple redundance data voting system and method step by step |
| CN110347095A (en) * | 2019-08-07 | 2019-10-18 | 天津津航计算技术研究所 | A kind of triplex redundance switching circuit applied to aviation electric heating control system |
| CN110347095B (en) * | 2019-08-07 | 2022-02-11 | 天津津航计算技术研究所 | Three-redundancy switching circuit applied to aviation electric heating control system |
| WO2022011801A1 (en) * | 2020-07-15 | 2022-01-20 | 南京科远智慧科技集团股份有限公司 | Circuit method for improving reliability of current output in triple redundancy |
| CN111839573A (en) * | 2020-08-31 | 2020-10-30 | 上海大骋医疗科技有限公司 | CT heterogeneous redundant exposure control system and method |
| CN112230751A (en) * | 2020-10-13 | 2021-01-15 | 北京中科宇航技术有限公司 | High-reliability triple-modular redundancy computer power supply circuit |
| CN112230751B (en) * | 2020-10-13 | 2022-04-15 | 北京中科宇航技术有限公司 | High-reliability triple-modular redundancy computer power supply circuit |
| CN113219817A (en) * | 2021-04-07 | 2021-08-06 | 中国船舶重工集团公司第七一九研究所 | Pressure safety control system and control method for multiple redundancy voting |
Also Published As
| Publication number | Publication date |
|---|---|
| CN100570519C (en) | 2009-12-16 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101046678A (en) | Safety cut-off method and device for output in three-mould redundancy safety computer | |
| CN102935849B (en) | Redundancy input and output achievement system of vehicle-mounted signal equipment | |
| CN100555235C (en) | The N-modular redundancy voting system | |
| CN205484533U (en) | Battery voltage monitored control system | |
| CN209690872U (en) | Anti-back flow circuit and power supply | |
| CN1746695A (en) | Fuel cell monolithic voltage monitor of vehicle | |
| CN108418192A (en) | A kind of direct current limiter and its control method for coordinating with dc circuit breaker | |
| DE102011076757A1 (en) | Security architecture, battery and a motor vehicle with a corresponding battery | |
| CN103928910A (en) | Protection system of ultra-high-voltage direct-current transmission converter station | |
| CN1767306A (en) | Photoelectricity triggering and detecting system for static reactive-load compensation equipment based on multi-mode optical fibre | |
| CN102638048A (en) | Automatic bypass processing method of H-bridge cascaded chain type static synchronous compensator (STATCOM) | |
| CN103064322B (en) | Small size controller suitable for super multi-node modular multilevel converter (MMC) flexibility direct current test platform | |
| CN205706226U (en) | A kind of batteries of electric automobile group die set | |
| CN116095026A (en) | BYPASS device and method of switch and switch | |
| CN111694268A (en) | Two-out-of-three voting control system | |
| CN207977911U (en) | A kind of motor driver | |
| CN110854826B (en) | Fault diagnosis and processing method for two-out-of-three protection system of flexible direct converter valve | |
| CN2896292Y (en) | Circuit for detecting external voltage | |
| CN102692907A (en) | Super capacitor CAN (controller area network) electric modular integrated system | |
| CN1481061A (en) | Power supply module for communication equipment | |
| CN221862707U (en) | Safety torque turn-off control circuit and motor driver | |
| CN2869948Y (en) | Self protective voltage switch-over circuit | |
| CN221322799U (en) | Multipath fan control detection circuit and energy storage inverter | |
| CN219477870U (en) | Motor controller input/output system based on functional safety design | |
| CN211830564U (en) | Unit control plate structure based on high-voltage inverter dual-channel drive |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| ASS | Succession or assignment of patent right |
Owner name: BEIJING JIAOTONG UNIVERSITY ASSETS MANAGEMENT CO., Free format text: FORMER OWNER: BEIJING COMMUNICATION UNIV. Effective date: 20110902 |
|
| C41 | Transfer of patent application or patent right or utility model | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20110902 Address after: 100044 Beijing city Haidian District sorghum Bridge Street No. 44 Building Room 806 Patentee after: Beijing Jiaotong University Address before: 100044 Beijing Xizhimen Shangyuan Village No. 3 Patentee before: Beijing Jiaotong University |
|
| ASS | Succession or assignment of patent right |
Owner name: BEIJING TRAFFIC CONTROL TECHNOLOGY CO., LTD. Free format text: FORMER OWNER: BEIJING JIAOTONG UNIVERSITY ASSET MANAGEMENT CO., LTD. Effective date: 20120809 |
|
| C41 | Transfer of patent application or patent right or utility model | ||
| COR | Change of bibliographic data |
Free format text: CORRECT: ADDRESS; FROM: 100044 HAIDIAN, BEIJING TO: 100070 FENGTAI, BEIJING |
|
| TR01 | Transfer of patent right |
Effective date of registration: 20120809 Address after: 100070 Beijing science and Technology Park of Fengtai District Haiying Road No. 6 hospital of Beijing, the headquarters of the International 2 Building No. 3 Patentee after: Beijing Traffic Control Technology Co., Ltd. Address before: 100044, room 44, science building, 806 Jiao Feng street, Haidian District, Beijing Patentee before: Beijing Jiaotong University |
|
| C56 | Change in the name or address of the patentee | ||
| CP01 | Change in the name or title of a patent holder |
Address after: 100070 Beijing science and Technology Park of Fengtai District Haiying Road No. 6 hospital of Beijing, the headquarters of the International 2 Building No. 3 Patentee after: TRAFFIC CONTROL TECHNOLOGY Co.,Ltd. Address before: 100070 Beijing science and Technology Park of Fengtai District Haiying Road No. 6 hospital of Beijing, the headquarters of the International 2 Building No. 3 Patentee before: Beijing Traffic Control Technology Co., Ltd. |
|
| CP03 | Change of name, title or address | ||
| CP03 | Change of name, title or address |
Address after: 100070 Beijing science and Technology Park of Fengtai District Seahawks Hospital No. 6 2, No. 3 (Park) Patentee after: TRAFFIC CONTROL TECHNOLOGY Co.,Ltd. Address before: 100070 Beijing science and Technology Park of Fengtai District Haiying Road No. 6 hospital of Beijing, the headquarters of the International 2 Building No. 3 Patentee before: TRAFFIC CONTROL TECHNOLOGY Co.,Ltd. |