CN103019904B - On-board redundancy computer supports the harmless fault filling method of fault-tolerant checking - Google Patents
Landscapes
- Hardware Redundancy (AREA)
- Test And Diagnosis Of Digital Computers (AREA)
Abstract
The invention provides a non-destructive fault injection method by which an on-board redundancy computer supports fault-tolerance verification. The main program of an on-board redundancy computer channel is the target of the fault injection, and the method comprises: a process in which the fault injection interactive terminal edits the fault content and sends a fault injection command to the fault injection interrupt service routine; a process in which the fault injection interactive terminal sends a fault injection interrupt request, which enables the fault injection interrupt service routine through the interrupt interlock control; and a process of executing the fault injection interrupt service routine. The invention gives an on-board redundancy computer the ability to support fault-tolerance verification, and achieves in fault simulation tests a "non-destructive" fault injection that causes no physical damage and sacrifices neither product reliability nor safe-operation characteristics.
Description
Technical field
The present invention relates to a fault injection method by which an on-board redundancy computer supports fault-tolerance verification.
Background technology
Airborne control systems closely related to flight safety usually use a multi-channel redundancy computer to execute core functions reliably and with fault tolerance, in order to improve functional reliability; examples are a triple-channel redundancy computer with one-fault/operational capability and a quad-channel redundancy computer with two-fault/operational capability. The fault tolerance of a multi-channel redundancy computer platform must be verified by fault simulation tests: faults are injected into some of the computing channels of the redundancy computer to verify its ability to identify, suppress and isolate the fault and to switch over redundant components. How faults can be injected is the key to performing fault simulation tests. The general methods are: method 1, physically destructive injection; method 2, fault injection through a fault injection circuit designed into the redundancy computer itself; method 3, using the computer's interrupt service function to change internal data and thereby inject the fault. Method 1 is a destructive product test and its cost is high. Method 2 is not directly destructive, but because a fault injection circuit is designed into the product its calculated failure rate increases (directly lowering the product's basic reliability index, MTBF), and it consumes additional product system resources such as power, weight and space. Method 3 has advantages over the first two methods but carries a potential safety hazard: if the interrupt service routine is triggered by an exception during operation and destroys real-time valid data, the consequences are unimaginable. Therefore, considering the operating characteristics of airborne systems, fault injection on a redundancy computer should be a "non-destructive" fault injection mode that causes no physical damage and does not sacrifice product reliability and safe-operation characteristics.
Summary of the invention
The object of the present invention is to provide a non-destructive fault injection method for verifying the fault tolerance of a multi-channel redundancy computer in an airborne safety system. Building on method 3 of the background, it eliminates the safety risk by combining hardware and software design: the interrupt service routine uses command communication to realize "non-destructive" fault injection on the redundancy computer.
In this non-destructive fault injection method by which an on-board redundancy computer supports fault-tolerance verification, the main program of an on-board redundancy computer channel is the target of the fault injection, and the method comprises:
a process in which the fault injection interactive terminal edits the fault content and sends a fault injection command to the fault injection interrupt service routine;
a process in which the fault injection interactive terminal sends a fault injection interrupt request, which enables the fault injection interrupt service routine through the interrupt interlock control;
a process of executing the fault injection interrupt service routine, which mainly performs the following three steps:
first, determine whether the interlock hardware conditions that permit fault injection are met; if so, continue with the subsequent program, otherwise output status information through the communication interface and exit the interrupt service routine directly;
then, after the interrupt service routine has received through the communication interface the fault injection command sent by the fault injection interactive terminal, verify the command content; if the command check passes, continue with the subsequent program, otherwise output status information through the communication interface and exit the interrupt service routine directly;
finally, perform instruction recognition on the fault command that passed verification; if recognition succeeds, execute the fault injection; if the fault injection interactive terminal sent an "exit interrupt" command or an illegal command, output status information through the communication interface and then exit the interrupt service routine.
The above method can be further restricted as follows:
Whether the above interlock hardware conditions are met is determined by the interrupt interlock control, so that the subsequent program is only allowed to continue when all three of the following states hold together: the fault-interrupt enable is valid, the wheel-load signal indicates the on-ground state, and the ground enable signal is valid.
The present invention has the following advantages:
1. an on-board redundancy computer is given the ability to support fault-tolerance verification, and fault injection in fault simulation tests is "non-destructive", causing no physical damage and sacrificing neither product reliability nor safe-operation characteristics;
2. the design scheme is simple and clear, is realizable in engineering, and can be widely applied.
Description of the drawing
Fig. 1 is a schematic diagram of the principle of the present invention (for any one channel).
Embodiment
As shown in the figure, the technical scheme of the present invention consists of 4 parts: the redundancy computer channel main program, which is the target of the fault injection; the fault injection interrupt service routine with a safety mechanism, an embedded software tool residing in the redundancy computer channel that executes the fault injection; the fault injection simulation environment, formed by the fault injection interactive terminal that edits the fault content and the server that sends the fault injection commands and interrupt requests; and the fault injection interrupt interlock control.
This scheme mainly uses a double protection strategy combining hardware and software design to ensure that the fault injection interrupt routine runs safely and reliably.
On the hardware side, false triggering of the interrupt request is prevented. Inside the redundancy computer channel, an "enable/mask" mechanism controls the generation of the fault injection interrupt request: only when the fault-interrupt enable is valid, the wheel-load signal indicates the on-ground state, and the ground enable signal is valid, all three states holding together, is the fault injection interrupt request sent by the external fault simulation environment allowed to reach the interrupt controller inside the redundancy computer channel; otherwise the external interrupt request signal is masked. This effectively prevents the fault injection interrupt service routine from being started by an unexpected trigger at the hardware input stage.
On the software side, safe-operation characteristics are ensured mainly by hardening the flow of the fault injection interrupt service routine, which strengthens flow safety in three respects: suppressing false triggering, communication errors and illegal commands.
1. At the start of the interrupt service routine, it first determines whether the interlock hardware conditions that permit fault injection are met. If so, it continues with the fault injection program; otherwise it outputs status information through the communication interface (telling the server the reason the fault interrupt exited) and exits the interrupt service routine directly. This is a safety hardening measure added in software to prevent a fault in the hardware input-stage interlock control circuit from causing a false interrupt trigger.
2. After the interrupt service routine has received through the communication interface the fault injection command sent by the server, it verifies the command content. If the check passes, it continues with the subsequent program; otherwise it outputs status information through the communication interface (telling the server the reason the fault interrupt exited) and exits the interrupt service routine directly. This step avoids a fault command corrupted by an abnormal communication link causing the subsequent program to execute incorrectly.
3. Instruction recognition is then performed on the fault command that passed verification. If the server sent an "exit interrupt" command or an illegal command (a fault injection instruction list is defined inside the fault interrupt service routine, and any received command outside that list is treated as illegal), the routine outputs status information through the communication interface (telling the server the reason the fault interrupt exited) and then exits. This effectively prevents an illegal command from causing an out-of-bounds operation.
The interrupt service routine performs the fault injection operation only after the above 3 steps.
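The three guard steps of the interrupt service routine described above (interlock check, command check, instruction recognition against the defined command list, then injection), written out as an added C example that is not part of the patent. The frame layout, the XOR checksum, the opcode values and the bounds check on the target word are assumptions of this example, and the returned status stands in for the status information the routine would send back over the communication interface before exiting.

```c
#include <stdint.h>
#include <stddef.h>

/* The three discretes read by the interrupt interlock logic (field names assumed). */
typedef struct {
    int fault_irq_enable;   /* fault-interrupt enable */
    int weight_on_wheels;   /* wheel-load signal: aircraft is on the ground */
    int ground_enable;      /* ground enable */
} interlock_t;

/* Fault injection command frame on the command link (constructed layout). */
typedef struct {
    uint8_t  opcode;
    uint16_t addr;      /* index of the target word in the channel's data image */
    uint16_t value;     /* new value, or bit mask for OP_INVERT_WORD */
    uint8_t  checksum;  /* XOR over the preceding five bytes */
} fi_cmd_t;

/* The instruction list defined inside the ISR; any other opcode is illegal. */
enum { OP_EXIT = 0x00, OP_SET_WORD = 0x01, OP_INVERT_WORD = 0x02 };

typedef enum { FI_INJECTED, FI_EXIT_INTERLOCK, FI_EXIT_CHECKSUM,
               FI_EXIT_ILLEGAL, FI_EXIT_REQUESTED } fi_status_t;

static uint8_t fi_checksum(const fi_cmd_t *c) {
    return (uint8_t)(c->opcode ^ (c->addr & 0xFF) ^ (c->addr >> 8)
                     ^ (c->value & 0xFF) ^ (c->value >> 8));
}

/* Builds a well-formed frame, as the terminal/server side would. */
fi_cmd_t fi_make_cmd(uint8_t op, uint16_t addr, uint16_t value) {
    fi_cmd_t c = { op, addr, value, 0 };
    c.checksum = fi_checksum(&c);
    return c;
}

/* ISR body: image/nwords is the channel main program's data image being injected. */
fi_status_t fault_injection_isr(const interlock_t *il, const fi_cmd_t *cmd,
                                uint16_t *image, size_t nwords) {
    /* Step 1: re-check the hardware interlock in software. */
    if (!(il->fault_irq_enable && il->weight_on_wheels && il->ground_enable))
        return FI_EXIT_INTERLOCK;
    /* Step 2: verify the frame survived the communication link intact. */
    if (fi_checksum(cmd) != cmd->checksum)
        return FI_EXIT_CHECKSUM;
    /* Step 3: recognise the instruction; an out-of-range target is treated as illegal. */
    switch (cmd->opcode) {
    case OP_EXIT:        return FI_EXIT_REQUESTED;
    case OP_SET_WORD:    if (cmd->addr >= nwords) return FI_EXIT_ILLEGAL;
                         image[cmd->addr] = cmd->value;  return FI_INJECTED;
    case OP_INVERT_WORD: if (cmd->addr >= nwords) return FI_EXIT_ILLEGAL;
                         image[cmd->addr] ^= cmd->value; return FI_INJECTED;
    default:             return FI_EXIT_ILLEGAL;
    }
}
```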
The above technical means show that using the present invention does not degrade the safety of the injection target, the redundancy computer itself.
The hardware related to the redundancy computer in the present invention comprises: the interrupt input, the discrete inputs (interrupt enable, wheel load, ground enable), the interlock control logic circuit, and the fault injection command communication link. The discrete inputs and the interrupt input are intrinsic resources of the on-board redundancy computer channel itself; the interlock control logic can be implemented directly in the large-scale programmable logic circuit already inside the computer; and the command communication link can directly use the computer's own debug and development communication interface. Realizing this technique therefore requires no additional hardware circuit resources, does not increase the calculated failure rate of the redundancy computer, and does not degrade the redundancy computer's basic reliability index.
Claims (1)
1. A non-destructive fault injection method by which an on-board redundancy computer supports fault-tolerance verification, wherein the main program of an on-board redundancy computer channel is the target of the fault injection, and the method comprises:
a process in which the fault injection interactive terminal edits the fault content and sends a fault injection command to the fault injection interrupt service routine;
a process in which the fault injection interactive terminal sends a fault injection interrupt request, which enables the fault injection interrupt service routine through the interrupt interlock control;
a process of executing the fault injection interrupt service routine, which mainly performs the following three steps:
first, determine whether the interlock hardware conditions that permit fault injection are met; if so, continue with the subsequent program, otherwise output status information through the communication interface and exit the interrupt service routine directly;
then, after the interrupt service routine has received through the communication interface the fault injection command sent by the fault injection interactive terminal, verify the command content; if the command check passes, continue with the subsequent program, otherwise output status information through the communication interface and exit the interrupt service routine directly;
finally, perform instruction recognition on the fault command that passed verification; if recognition succeeds, execute the fault injection; if the fault injection interactive terminal sent an "exit interrupt" command or an illegal command, output status information through the communication interface and then exit the interrupt service routine;
wherein whether said interlock hardware conditions are met is determined by said interrupt interlock control, so that the subsequent program is only allowed to continue when all three of the following states hold together: the fault-interrupt enable is valid, the wheel-load signal indicates the on-ground state, and the ground enable signal is valid.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201210579484.0A (CN103019904B) | 2012-12-27 | 2012-12-27 | On-board redundancy computer supports the harmless fault filling method of fault-tolerant checking
Publications (2)
Publication Number | Publication Date
---|---
CN103019904A | 2013-04-03
CN103019904B | 2015-09-30
Family ID: 47968533