CN101710376B - Hardware platform of safe computer 2-out-of-3 voting method - Google Patents
Hardware platform of safe computer 2-out-of-3 voting method Download PDFInfo
- Publication number
- CN101710376B CN101710376B CN2009101556305A CN200910155630A CN101710376B CN 101710376 B CN101710376 B CN 101710376B CN 2009101556305 A CN2009101556305 A CN 2009101556305A CN 200910155630 A CN200910155630 A CN 200910155630A CN 101710376 B CN101710376 B CN 101710376B
- Authority
- CN
- China
- Prior art keywords
- module
- cpu
- communication
- bus
- modules
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Images
Abstract
The invention discloses a hardware platform of a safe computer 2-out-of-3 voting method, comprising three independent CPU modules, I/O modules and communication modules, wherein the interior of each I/O module comprises three mutually independent channels, the '2-out-of-3' hardware voting is completed in the interior, each I/O module and each communication module are combined into a thermal standby by a main module and a spare module, the communication of the three CPU modules adopts a high-speed serial bus based on LVDS, the communication of each CPU module and each I/O module adopts an independent CAN bus, the communication of each CPU module and each communication module adopts the Ethernet, the communication of the platform and the exterior is realized by two superfluous Ethernets of the communication modules, and all the modules have hot plug function. The hardware platform of the safe computer 2-out-of-3 voting method ensures 2-out-of-3 voting real-time high-speed data exchange, improves reliability, usability, maintainability and expandability under the condition of a compact structure and has wide popularization and application prospects.
Description
Technical field
The present invention relates to a kind of computer failure-safety method, relate in particular to the hardware platform of a kind of " 3 get 2 " fail-safe computing machine.
Background technology
The supervisory system of the important key equipments in field such as track traffic, aviation and electric power chemical industry has very high requirement to reliability, security and maintainability.The reliability assurance system of system non-fault for a long time moves reliably; Security guarantees any part failure to the safe side side under the situation of breaking down of system; Be that its consequence can not cause the Monitoring and Controlling object to produce danger or heavy losses, maintainable then under assurance system normal operation, the trouble unit of system is safeguarded and changed.This high reliability, high security and high maintainable its core of supervisory system are fault-fail-safe computers; And the hardware platform of the fail-safe computing machine most important basic content that is fault-fail-safe computer; It is the basic assurance that various fault-tolerant techniques, fault avoidance technology and redundancy realize; Because be directly connected to reliability, security and the maintainable performance of total system, the hardware platform of fail-safe computing machine is the key component of whole monitoring system.
At present the structure of fail-safe computer hardware platforms commonly used has two-node cluster hot backup, 2 to take advantage of 2 to get 2 and 3 and get 2 three kinds of forms.The two-node cluster hot backup structure is to improve a kind of more early stage redundancy structure that system reliability proposes; Because it is fault-tolerant relatively low with the fault avoidance ability; Reach same reliability and security requirement and need take more reliability and security measures to comprise the parts and the device of requirements at the higher level, it is not very high occasion that the two-node cluster hot backup structure is mainly used in reliability and security requirement at present.2 take advantage of 2 to get 2 structures and 3 and get 2 structures characteristics are respectively arranged, and 2 take advantage of 2, and to get 2 structures are a kind of combined fault Security Architectures that on the two-node cluster hot backup architecture basics, grow up, and promptly 2 get 2 structures and add two-node cluster hot backup.Improved security though 2 get 2 structure, reliabilty and availability is reduced, need reach reliability, security and maintainable integrated performance index through two-node cluster hot backup.Owing to be the structure of two-node cluster hot backup on the whole, 2 take advantage of 2, and to get the volume of 2 structures relatively large, and cost is also higher relatively.3 get a kind of fault masking structure that 2 structures are employing fault redundance technology.In this structure, three independently its operation result of module compare each other in twos, as long as when having the operation result of two modules consistent, just think safe and reliable.Since three independently in the module two probability that occur same error simultaneously be considered to lower, therefore 3 get 2 structures reliability (avoid system's failover out of service) when security (not producing dangerous output) is able to guarantee and also be improved.3 get 2 structures no matter on reliability, security and availability integrated performance index, still on the quantity of device and cost all are to belong to compact and efficiently, more and more are widely used in various occasions.
3 get 2 structures key content be 3 get 2 the voting, comprise the voting of CPU module result of calculation and the voting of input and output.3 of input and output are got 2 votings and are adopted special-purpose hardware voting circuit usually.Get 2 votings for 3 of CPU module, between three CPU synchronously, exchanges data and voting be a key of this structural system.Though the data volume of exchanges data is not very big between the CPU, must equally with voting accomplish in real time and high speed.At present most 3 get exchange data using Ethernet, common universal serial bus and special-purpose parallel bus between the CPU of 2 structures; Preceding two kinds of communication interfaces are difficult to accomplish in real time and high speed; A kind of highway width in back is often than broad, and 3 get 2 structure and need between three CPU mutual communication in twos, and this makes the non-constant width of whole communication bus; Make 3 to get 2 structures and become quite complicated; Also increased the possibility of fault, and parallel bus since sequential on bottleneck, speed also is restricted to a certain extent.Communicating by letter between CPU and the input/output module is also similar; Although the requirement that speed and real-time do not have to communicate by letter between the CPU is high like this; The data volume of communication is also little; But owing to be three independently communication ports, and input/output module need expand (a plurality of machine cage) easily, and parallel bus mode commonly used exists limitation and rationality problems such as communication distance, complicacy and configuration dirigibility.Although 3 get security, the reliabilty and availability that 2 structures have improved system simultaneously, maintainability is its weak link.Because the CPU module of this structure is no matter be modular form (module of a CPU) or the modular form of one (module of three CPU) all is installed in the same machine cage independently; And input/output module all is the modular form of one generally; If one of them fault is difficult to change timely and keep in repair under the prerequisite that does not influence system's operate as normal.
Summary of the invention
The present invention proposes a kind of fail-safe computer 3 and get 2 hardware platform structures, to satisfy the high performance requirements of supervisory system reliability, security, maintainability and the availability of safety computer platform.
The present invention realizes through following technical solution: a kind of fail-safe computer " 3 get 2 " hardware platform; Constitute by CPU module, communication module and I/O module; Wherein the CPU module is three independent CPUs modules; The version that the heat that communication module is made up of active and standby two modules is equipped with, the version that the heat that the I/O module is made up of active and standby two modules is equipped with; All CPU modules, communication module and I/O module are all supported the hot plug function, in the maintainability and the availability that guarantee to have improved on reliability and the security basis whole flat;
Adopt between the CPU module that cpu bus carries out synchronously, exchanges data and voting, adopt communication bus to carry out data transmission between described CPU module and the communication module, employing I/O bus is carried out data transmission between said CPU module and the I/O module.
Described I/O module by three independently passage constitute, each passage has a MPU and a CAN (controller area network, controller local area network) EBI; The CAN EBI of each passage is connected with a said CPU module through the CAN bus, and the MPU of each passage is responsible for the communication of this passage, signal Processing and decides by vote at the hardware of inside modules realization " 3 get 2 " with other two passages.
Described I/O bus is made up of three mutual independent CAN buses; Three mutual independent CAN buses connect three autonomous channels of CPU module and each I/O module respectively; Realize the data communication between I/O module and the CPU module, when guaranteeing communication reliability and reducing platform complex property, improved the extensibility of platform;
Described each CPU module has two cpu bus interfaces, a CAN EBI and two Ethernet interfaces, and two cpu bus interfaces link to each other with the cpu bus interface of two other CPU module respectively through cpu bus and intercom mutually in twos;
Described CAN EBI is connected to the CAN EBI of each I/O module through the independent CAN bus; The high-speed serial bus based on LVDS is adopted in communication between three CPU modules; The high-speed serial bus mode has guaranteed between the CPU module synchronously, the real time high-speed requirement of data transmission and voting; Simultaneously reduce highway width greatly, reduced the complicacy of platform, improved reliability;
Described two Ethernet interfaces are connected to two host-standby communication modules through communication bus respectively.
The two-way Redundant Ethernet is adopted in the PERCOM peripheral communication of platform; Communication module by platform realizes; The main backup module of communication module respectively has five Ethernet interfaces; Wherein three Ethernet interfaces are connected to form inner ethernet communication bus, the Dual-Ethernet redundancy structure of two other Ethernet interface implementation platform correspondence with foreign country with the Ethernet interface of three CPU modules respectively.
Described cpu bus is made up of two pairs of order wires of transmitting-receiving; For based on LVDS (Low-VoltageDifferential Signaling; Low-voltage differential signal) high-speed serial bus; Adopt FPGA (FieldProgrammable Gate Array, element programmable gate array) to realize that its message transmission rate is greater than 100Mbps.
Described CPU module, communication module and I/O module are equipped with hot connecting and disconnecting source controller, hot plug button and the hot plug indication of supporting hot plug.
Redundant double loop power supply is adopted in the power supply of described CPU module, communication module and I/O module.
Described CPU module, communication module and I/O module have corresponding fixing slot position in the machine cage; Described CPU module can be exchanged between the CPU slot; Described I/O module can be exchanged between the I/O slot, and each I/O slot has fixedly corresponding address at machine cage backboard.
Fail-safe computer provided by the invention " 3 get 2 " hardware platform; Can realize the hardware voting of " 3 get 2 " in inside modules; Simultaneously; All CPU modules, communication module and I/O module are all supported the hot plug function, in the maintainability and the availability that guarantee to have improved on reliability and the security basis whole flat; And the I/O bus is made up of three mutual independent CAN buses, when guaranteeing communication reliability and reducing platform complex property, has improved the extensibility of platform; The high-speed serial bus based on LVDS is adopted in communication between three CPU modules; This bus mode has guaranteed between the CPU module synchronously, the real time high-speed requirement of data transmission and voting; Simultaneously reduce highway width greatly, reduced the complicacy of platform, improved reliability.
Description of drawings
Fig. 1 gets 2 means of voting hardware platform theory diagrams for fail-safe computer 3 of the present invention.
Embodiment
Below in conjunction with accompanying drawing principle of the present invention and practical implementation method are further described.
As shown in Figure 1, whole 3 get the industrial standard machine cage that 2 hardware platforms are 6U, and all modules all assign in the machine cage.Module comprises that three independent CPUs modules, two formation heat are equipped with active and standby COM (Communication, communication) communication module, the hot I/O module and the machine cage backboard that is equipped with structure of several formations of structure.
Three kinds of different communication buss are adopted in communicating by letter between three CPU modules, between CPU module and the active and standby COM communication module, between CPU module and the I/O module respectively, are called cpu bus, communication bus and I/O bus.Three kinds of communication buss are serial communication bus, satisfy real time high-speed, reduction complicacy, the requirements such as raising reliability, compactedness and extensibility of platform.Cpu bus adopts the specialized high-speed universal serial bus based on LVDS; Exchanges data speed is greater than 100Mbps; Carry out between the CPU module synchronously to satisfy, the real time high-speed data communication requirement of exchanges data and voting, communication bus adopts Ethernet, speed is greater than 2Mbps; The I/O bus adopts the high CAN bus of reliability, and traffic rate is greater than 100kbps.
The cpu bus of each CPU module has two EBIs, connects the cpu bus interface of two other CPU module respectively, forms the structure of mutual communication in twos between three CPU.
Each cpu bus is made up of two pairs of order wires of transmitting-receiving, is realized based on the LVDS mode by FPGA.
Each CPU module has two Ethernet interfaces; Be connected respectively to two active and standby COM communication modules; Active and standby COM communication module respectively has five Ethernet interfaces; Wherein three interfaces are connected to form inner ethernet communication bus with three CPU modules respectively, and two other interface is as the external redundant Dual-Ethernet interface of platform.The I/O bus of each CPU module is made up of three mutual independent CAN buses, is connected respectively to three autonomous channels of each I/O module.
The CPU module adopts the embedded type CPU and the embedded real-time operating system of high-performance technical grade.Active and standby COM communication module adopts CPU and the operating system with CPU module same model, and high-performance Ethernet switch module, the Ethernet interface that implementation platform is inside and outside.The I/O module by three independently passage form, each passage has the universal MPU of technical grade to realize that communication, input and output logic control, computing function and input and output 3 get 2 hardware voting functions.
The slot of machine cage is made up of three fixing CPU slots of groove position, two communication slots and several I/O slots, and two communication slots have fixedly corresponding address with each I/O slot through machine cage backboard.Machine cage backboard is realized connection, the module for power supply of three kinds of buses between the module, the connection of input/output signal etc.; In any exchange that guarantees in the connection of various signal wires between all kinds of module slots; I.e. exchange, the exchange between the host-standby communication module and the exchange between the I/O module between three CPU modules; Active and standby slot has guaranteed the versatility of each module also through the active and standby address decision of machine cage backboard.
Each module requires design according to hot plug, and each module all has hot connecting and disconnecting source controller, hot plug button and the hot plug indication of supporting hot plug, and the maintainability of active and standby construction module is improved greatly, has also improved the availability of platform.Because 3 get the power supply that 2 voting functions do not relate to platform, the power supply of platform adopts the dual power supply redundancy mode, is connected to each module through machine cage backboard.The mode of this redundant power makes that the structure of platform has more simply, compactness and efficient under the reliability that ensures platform, security and availability performance require.
Claims (9)
1. a fail-safe computer 3 is got 2 hardware platforms, is made up of CPU module, communication module and I/O module, it is characterized in that:
(1) said CPU module is three independent CPUs modules, the version that the heat that said communication module is made up of active and standby two modules is equipped with, the version that the heat that said I/O module is made up of active and standby two modules is equipped with;
(2) adopt between the said CPU module that cpu bus carries out synchronously, exchanges data and voting, adopt communication bus to carry out data transmission between said CPU module and the communication module, employing I/O bus is carried out data transmission between said CPU module and the I/O module;
Described voting is that 3 of CPU module is got 2 votings.
2. hardware platform according to claim 1 is characterized in that: said I/O module by three independently passage constitute, each passage has a MPU and a CAN EBI; The CAN EBI of each passage is connected with a said CPU module through the CAN bus, and the MPU of each passage is responsible for the communication of this passage, signal Processing and decides by vote at the hardware of inside modules realization " 3 get 2 " with other two passages;
Described hardware voting is the voting of input and output.
3. hardware platform according to claim 2; It is characterized in that: described I/O bus is made up of three mutual independent CAN buses; Three mutual independent CAN buses connect three autonomous channels of CPU module and each I/O module respectively, realize the data communication between I/O module and the CPU module.
4. hardware platform according to claim 2; It is characterized in that: described each CPU module has two cpu bus interfaces, a CAN EBI and two Ethernet interfaces, and two cpu bus interfaces link to each other with the cpu bus interface of two other CPU module respectively through cpu bus and intercom mutually in twos; Described CAN EBI is connected to the CAN EBI of each I/O module through the independent CAN bus; Described two Ethernet interfaces are connected to the main backup module of communication module respectively through communication bus.
5. hardware platform according to claim 4; It is characterized in that: the main backup module of described communication module respectively has five Ethernet interfaces; Wherein three Ethernet interfaces are connected to form inner ethernet communication bus, the Dual-Ethernet redundancy structure of two other Ethernet interface implementation platform correspondence with foreign country with the Ethernet interface of three CPU modules respectively.
6. hardware platform according to claim 1 is characterized in that: described cpu bus is made up of two pairs of order wires of transmitting-receiving, is the high-speed serial bus based on LVDS, adopts FPGA to realize.
7. hardware platform according to claim 1 is characterized in that: described CPU module, communication module and I/O module are equipped with hot connecting and disconnecting source controller, hot plug button and the hot plug indicator of supporting hot plug.
8. hardware platform according to claim 1 is characterized in that: redundant double loop power supply is adopted in the power supply of described CPU module, communication module and I/O module.
9. hardware platform according to claim 1; It is characterized in that: described CPU module, communication module and I/O module have corresponding fixing slot position in the machine cage; Said CPU module can be exchanged between the CPU slot; Said I/O module can be exchanged between the I/O slot, and each I/O slot has fixedly corresponding address at machine cage backboard.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2009101556305A CN101710376B (en) | 2009-12-18 | 2009-12-18 | Hardware platform of safe computer 2-out-of-3 voting method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2009101556305A CN101710376B (en) | 2009-12-18 | 2009-12-18 | Hardware platform of safe computer 2-out-of-3 voting method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101710376A CN101710376A (en) | 2010-05-19 |
| CN101710376B true CN101710376B (en) | 2012-08-22 |
Family
ID=42403162
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2009101556305A Expired - Fee Related CN101710376B (en) | 2009-12-18 | 2009-12-18 | Hardware platform of safe computer 2-out-of-3 voting method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101710376B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP3699764A4 (en) * | 2017-10-19 | 2020-12-23 | CRSC Research & Design Institute Group Co., Ltd. | Redundant ethernet-based secure computer system |
Families Citing this family (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103391298A (en) * | 2012-05-08 | 2013-11-13 | 上海富欣智能交通控制有限公司 | Rail transit real-time data synchronization system based on network communication |
| CN103927285B (en) * | 2014-04-23 | 2017-01-25 | 上海乐耘电气技术有限公司 | High-reliability data transmission method for two-channel serial buses |
| CN103970705A (en) * | 2014-04-24 | 2014-08-06 | 浪潮电子信息产业股份有限公司 | Multi-path server architecture design with redundant and symmetrical hot-plugging IO boxes |
| CN104071166B (en) * | 2014-07-08 | 2016-04-06 | 上海自仪泰雷兹交通自动化系统有限公司 | 2 get 2 cab signal security of system interface subrack and container structures thereof |
| CN105323133A (en) * | 2015-11-12 | 2016-02-10 | 浙江大学 | CAN bus redundant communication method and system |
| CN105938356B (en) * | 2016-01-07 | 2018-12-07 | 杭州优稳自动化系统有限公司 | The hardware redundancy of control module and operation cadence synchronization system in DCS system |
| CN106201971B (en) * | 2016-07-01 | 2019-07-02 | 中国铁道科学研究院集团有限公司 | A kind of railway signal safety computer platform based on bus synchronous verification |
| CN110389871B (en) * | 2019-07-24 | 2023-08-01 | 北京交大思诺科技股份有限公司 | Safety computer platform with system integrity confirmation function |
| CN112181886A (en) * | 2020-10-16 | 2021-01-05 | 华东计算技术研究所(中国电子科技集团公司第三十二研究所) | Information interaction system, method and medium based on LVDS channel |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US4616312A (en) * | 1982-03-10 | 1986-10-07 | International Standard Electric Corporation | 2-out-of-3 Selecting facility in a 3-computer system |
| CN1321004A (en) * | 2000-04-25 | 2001-11-07 | 华为技术有限公司 | Method and equipment for swapping active with standby switches |
-
2009
- 2009-12-18 CN CN2009101556305A patent/CN101710376B/en not_active Expired - Fee Related
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US4616312A (en) * | 1982-03-10 | 1986-10-07 | International Standard Electric Corporation | 2-out-of-3 Selecting facility in a 3-computer system |
| CN1321004A (en) * | 2000-04-25 | 2001-11-07 | 华为技术有限公司 | Method and equipment for swapping active with standby switches |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP3699764A4 (en) * | 2017-10-19 | 2020-12-23 | CRSC Research & Design Institute Group Co., Ltd. | Redundant ethernet-based secure computer system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101710376A (en) | 2010-05-19 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101710376B (en) | Hardware platform of safe computer 2-out-of-3 voting method | |
| CN205068381U (en) | A secure computer platform for track traffic | |
| CN103455005B (en) | Controller redundancy and switching method | |
| CN103149907B (en) | Hot-redundancy CAN (Controller Area Network)-bus high-fault-tolerance control terminal and method based on dual DSPs (Digital Signal Processors) | |
| CN110351174A (en) | A kind of safety computer platform of module redundancy | |
| RU2674493C1 (en) | Method for exchanging smoke and fire alarm data of train based on combination of independent modules and 3u chassis design | |
| CN110361979A (en) | A kind of safety computer platform in railway signal field | |
| CN106740999A (en) | All-electronin computer interlock system based on performing module redundancy | |
| CN107967194B (en) | Safety computer system based on redundant Ethernet | |
| US11718331B2 (en) | Non-national standard turnout drive system based on double 2-vote-2 architecture | |
| CN104571040A (en) | Construction method of control system redundancy framework | |
| CN104669268B (en) | A kind of redundancy underwater robot self-control system based on Hot Spare and method | |
| CN103139060A (en) | High-fault-tolerance controller area network (CAN) bus digital gateway based on double digital signal processors (DSPs) | |
| CN110376876A (en) | A kind of safety computer platform that double systems are synchronous | |
| CN105045181A (en) | Overall redundant architecture of PAS 100 control system | |
| CN105334729A (en) | Method for redundancy switch of two independent PLC systems in railway locomotive depot signal control | |
| CN202617154U (en) | Train communication system | |
| CN106656625B (en) | Based on the train of ARM CAN communication switching control method and conversion module | |
| CN102156669B (en) | Arbitration system of vehicle-mounted train control equipment | |
| CN204883335U (en) | PAS100 control system's redundant framework of bus | |
| CN206440960U (en) | A kind of active power filter control system based on FPGA | |
| CN204904019U (en) | PAS100 control system's overall redundant framework | |
| CN204883339U (en) | PAS100 control system's communication module and redundant framework of bus | |
| CN203097556U (en) | Door controller beside platform | |
| CN104182307A (en) | Serial port redundancy switching method on basis of independent redundancy server |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20120822 Termination date: 20141218 |
|
| EXPY | Termination of patent right or utility model |