CN1099075C - Redundant electronic device with certified and non-certified channels - Google Patents
Redundant electronic device with certified and non-certified channels Download PDFInfo
- Publication number
- CN1099075C CN1099075C CN98802340A CN98802340A CN1099075C CN 1099075 C CN1099075 C CN 1099075C CN 98802340 A CN98802340 A CN 98802340A CN 98802340 A CN98802340 A CN 98802340A CN 1099075 C CN1099075 C CN 1099075C
- Authority
- CN
- China
- Prior art keywords
- channel
- identification
- electronic device
- authenticated
- certified
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
- 238000000034 method Methods 0.000 claims description 8
- 238000006243 chemical reaction Methods 0.000 claims 2
- 230000009897 systematic effect Effects 0.000 abstract description 10
- 230000000712 assembly Effects 0.000 description 9
- 238000000429 assembly Methods 0.000 description 9
- 238000004519 manufacturing process Methods 0.000 description 4
- 239000004065 semiconductor Substances 0.000 description 4
- 230000000704 physical effect Effects 0.000 description 2
- 238000004458 analytical method Methods 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 238000010586 diagram Methods 0.000 description 1
- 230000009977 dual effect Effects 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 230000007257 malfunction Effects 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B19/00—Programme-control systems
- G05B19/02—Programme-control systems electric
- G05B19/04—Programme control other than numerical control, i.e. in sequence controllers or logic controllers
- G05B19/042—Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
- G05B19/0428—Safety, monitoring
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B9/00—Safety arrangements
- G05B9/02—Safety arrangements electric
- G05B9/03—Safety arrangements electric with multiple-channel loop, i.e. redundant control systems
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B2219/00—Program-control systems
- G05B2219/20—Pc systems
- G05B2219/24—Pc safety
- G05B2219/24191—Redundant processors are different in structure
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/16—Error detection or correction of the data by redundancy in hardware
- G06F11/1629—Error detection by comparing the output of redundant processing systems
- G06F11/1641—Error detection by comparing the output of redundant processing systems where the comparison is not performed by the redundant processing components
Landscapes
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Engineering & Computer Science (AREA)
- Automation & Control Theory (AREA)
- Programmable Controllers (AREA)
- Signal Processing For Digital Recording And Reproducing (AREA)
- Measurement Of Resistance Or Impedance (AREA)
Abstract
一种具有至少两个通道的均匀冗余结构的电子设备(EG),特别是一个存储器可编程控制器的双通道均匀冗余结构的中央单元,其具有至少一个认证通道(A)和至少一个非认证通道(B),其中认证通道(A)是一个系统错误足够少的通道,而在非认证通道(B)中可以使用尚未明确证明系统错误足够少的那些部件。
An electronic device (EG) with a homogeneously redundant structure of at least two channels, in particular a dual-channel homogeneously redundant central unit of a memory programmable controller, which has at least one authentication channel (A) and at least one A non-certified channel (B), where a certified channel (A) is a channel with sufficiently few systematic errors and in which those components that have not been explicitly proven to have sufficiently few systematic errors can be used.
Description
本发明涉及一种至少两个通道结构的电子设备,特别是一个双通道结构的可编程逻辑电路,其中该可编程逻辑电路例如是一个存储器可编程控制器的中央单元。The invention relates to an electronic device with at least two channels, especially a programmable logic circuit with a dual channel structure, wherein the programmable logic circuit is, for example, a central unit of a memory programmable controller.
对于涉及安全的任务来说,需要性能高度可靠的电子设备,这里的术语“性能可靠”是根据国际文件草案IEC 1508的“功能安全性”选取的。For safety-related tasks, highly reliable electronic equipment is required. The term "reliable performance" here is chosen according to the draft international document IEC 1508 "Functional safety".
性能可靠的电子设备的出色之处在于为其提供专门措施以便避免、识别和控制错误和故障。The great thing about reliable electronic equipment is that it provides special measures to avoid, identify and control errors and malfunctions.
避免、识别和控制错误和故障的一种常用方法是电子设备的多通道冗余结构,其中在各通道内并行执行同样的操作。通过比较结果或者输出值来识别在一个通道中是否出现错误。A common approach to avoiding, identifying and controlling errors and failures is the multi-channel redundant structure of electronic equipment, where the same operation is performed in parallel within each channel. Identify whether an error has occurred in a channel by comparing the results or output values.
与保障设备性能可靠地运行特别相关的某组错误可能是一个通道的组件、元件或者部件的所谓系统错误。这种错误例如可以通过逻辑结构或者其物理特性引起。所谓物理结构是指单个部件和组件的彼此错接,而物理特性取决于每次使用的制造过程。对于所计划的应用,通过多种认证措施来证明足够少的系统错误。A certain group of errors that is particularly relevant to ensure the reliable operation of equipment performance may be the so-called systematic errors of components, elements or parts of a channel. Such errors can be caused, for example, by the logical structure or its physical properties. By physical construction is meant the interconnection of individual parts and assemblies, while the physical characteristics depend on the manufacturing process for each use. For the intended application, a sufficiently low number of system errors has been demonstrated by various certification measures.
在当今迅速发展的半导体技术中,制造方法在很短时间后即改变。其结果是,对所涉及的部件或组件必须重新证明其没有系统错误,因为在一个作为性能可靠地分级的系统中,这样的部件和组件的操作只有通过多种认证措施才允许。In today's rapidly advancing semiconductor technology, manufacturing methods change after a short period of time. As a result, the components or assemblies involved must be re-certified as being free from system errors, since the operation of such components and assemblies in a system classified as reliable in performance is only permitted by means of various certification measures.
半导体领域内快速的技术革新周期要求必须为例如每一代新型微处理器或者新型存储器组件重新执行这一认证,其中,由于为认证过程需提供测试和/或证明运行可靠性,预计花费在这上面的时间导致新型组件只有在相当延迟之后才能应用在与安全有关的某些用途上。The rapid technological innovation cycle in the semiconductor field requires that this certification must be re-executed for, for example, each new generation of microprocessors or new memory components, where costs are expected due to the need to provide tests and/or prove operational reliability for the certification process The timing of new types of components has resulted in certain safety-related uses only after considerable delay.
因此,本发明的目的在于提供一种电子设备,通过该设备可以在涉及安全的、带有均匀冗余通道的系统中使用尚未被证明系统错误足够少的组件、元件或部件。It is therefore the object of the present invention to provide an electronic device by means of which components, elements or parts which have not yet been proven to have a sufficiently low system error rate can be used in a safety-relevant system with uniformly redundant channels.
本发明的目的是通过这样一种至少双通道均匀冗余结构的电子设备来实现的,该至少两个通道的均匀冗余结构的电子设备尤其可以是一个双通道均匀冗余结构的可编程逻辑电路,它具有至少一个认证通道和至少一个非认证通道,其中认证通道是一个系统错误足够少的通道。The object of the present invention is achieved by such an electronic device with at least two channels of uniform redundant structure, the electronic device of at least two channels with uniform redundant structure can be a programmable logic with dual-channel uniform redundant structure A circuit having at least one authenticated channel and at least one non-authenticated channel, wherein the authenticated channel is a channel with sufficiently few system errors.
作为系统错误足够少的通道相应地可理解为在一个规定时间期间的故障概率不超过一个规定的受当时应用影响的阈值,它例如是按照国际文件草案IEC 1508的一个阈值。Correspondingly, a channel with a sufficiently low number of systematic errors is understood to mean that the failure probability during a defined period of time does not exceed a defined threshold value depending on the application at the time, which is, for example, a threshold value according to the draft international document IEC 1508.
当为每一个通道提供一个可询问的标识符,例如一个专门的存储器单元或者一个机械开关或者电子开关时,此时在询问认证通道的该标识符时可得到一个第一标识,在询问非认证通道的该标识符时,可得到一个第二标识,该电子设备仅当在询问各个通道的标识时第一标识出现至少一次的情况下才开始其运行,这样对该电子设备实现自检,它保证该电子设备仅在确认至少双通道结构的电子设备的至少一个通道是一个系统错误足够少的通道,亦即是一个认证通道时才开始其运行。When each channel is provided with an interrogable identifier, such as a dedicated memory unit or a mechanical or electronic switch, a first identification can be obtained when interrogating the identifier of an authenticated channel, and when interrogating a non-authenticated When this identifier of the channel, a second identification can be obtained, the electronic device only starts its operation when the first identification appears at least once when the identification of each channel is inquired, so that the electronic device realizes self-test, it It is guaranteed that the electronic device starts its operation only when it is confirmed that at least one channel of the electronic device with at least a dual-channel structure is a channel with sufficiently few system errors, that is, an authentication channel.
当顺序询问各个通道的标识时,可以确定地获知哪一个通道是一个系统错误足够少的通道,亦即认证通道,哪一个通道是系统错误不足够少的通道,亦即非认证通道。When the identifications of each channel are inquired in sequence, it can be determined which channel is a channel with sufficiently few system errors, that is, an authentication channel, and which channel is a channel with insufficient system errors, that is, a non-authentication channel.
在该电子设备运行时,非认证通道的标识在一个可预先给定的没有识别错误的时间段之后可从表征非认证通道的第二标识向表征认证通道的第一标识转换,此时在足够的运行期间和在对迄今尚未认证的通道的工作性能作足够的分析之后,可将该通道本身作为参考通道使用,使得利用该电子设备可以使用例如尚未认证的下一代的元件、部件或组件,而不必事先证明其不存在错误。When the electronic device is running, the identification of the non-authentication channel can be converted from the second identification representing the non-authentication channel to the first identification representing the authentication channel after a pre-determinable period of time without identification errors. during operation and after a sufficient analysis of the performance of a hitherto uncertified channel, the channel itself may be used as a reference channel, so that with this electronic equipment it is possible to use, for example, next-generation components, components or assemblies which have not yet been certified, It is not necessary to prove in advance that there is no error.
从下面参考附图对一个实施例的说明中可以了解本发明的其它优点和发明细节。Further advantages and inventive details of the invention emerge from the following description of an exemplary embodiment with reference to the drawing.
图1是一个存储器可编程控制器的双通道均匀冗余结构的中央单元的方框图。Fig. 1 is a block diagram of the central unit of a dual-channel uniform redundant structure of a memory programmable controller.
根据图1,电子设备EG是一个存储器可编程控制器的双通道均匀冗余结构的中央单元。这里的均匀冗余表示各个通道是用具有至少同样功能的元件、部件或者组件对称构造的。According to FIG. 1, the electronic device EG is the central unit of a two-channel homogeneously redundant structure of a memory-programmable controller. Uniform redundancy here means that the individual channels are constructed symmetrically with elements, parts or assemblies which have at least the same function.
在图1所示的实施例中,通道A具有一个微处理器P、一个程序存储器I和一个数据存储器R。微处理器P的操作通过监视单元W,即所谓的看门狗来监视。通道B对于通道A来说是均匀冗余结构,这从分别具有相同附图标记的同样的部件P、I、R来看,特别明确。In the exemplary embodiment shown in FIG. 1, channel A has a microprocessor P, a program memory I and a data memory R. The operation of the microprocessor P is monitored by a monitoring unit W, a so-called watchdog. Channel B is uniformly redundant with respect to channel A, which is particularly clear from the fact that identical components P, I, R each bear the same reference numerals.
通道A必须由证明为系统错误足够少的部件P、I、R、W构造,因此各部件、元件和组件是经过认证的。因而通道A整体看起来为系统错误足够少的通道。Channel A must be constructed from parts P, I, R, W that have proven to be systematically error-free enough so that the individual parts, elements and assemblies are certified. Therefore, channel A as a whole appears to be a channel with sufficiently few system errors.
在通道B中使用一个或者多个各种变型的部件P、I、R、W,它们曾经以某种方式例如由于新的或者修改过的制造方法被改动过,且在无系统故障方面未做足够证明。In channel B use one or more components P, I, R, W of various variants which have been altered in some way, e.g. due to new or modified manufacturing methods, without systematic failure Proof enough.
如果在通道B中所涉及的元件、部件或者组件中可能存在的系统错误显现其作用,则这一点通过与通道A的结果比较被识别并因此得以控制。所述结果比较可以通过存在于通道A和B之间的连接K实现。If a possible systematic error in the element, component or assembly involved in channel B manifests its effect, this is identified by comparison with the results of channel A and thus controlled. The comparison of the results can be effected via the connection K existing between the channels A and B.
由此可以在不恶化冗余电子设备EG的通道A、B内的安全特性的情况下使用尚未充分证明无错误性的亦即尚未认证的元件、部件或组件。It is thus possible to use elements, components or assemblies which have not yet been sufficiently proven to be error-free, ie not yet certified, without compromising the safety properties in the channels A, B of the redundant electronics EG.
通过结果比较,可以识别例如由于各电子元件、部件或者组件的物理特性或者由于改变了的制造或者安装过程引起的系统错误。By comparing the results, systematic errors can be identified, for example due to the physical properties of the individual electronic components, components or assemblies or due to altered manufacturing or assembly processes.
本发明的电子设备EG允许一个此种设备的供货商直接对例如半导体工业的技术革新周期作出反应,在性能可靠的系统中总是供给相应于当前发展水平的元件、部件或组件,即使在对这些元件就其系统错误足够少这一点迄今尚未通过认证而明确证明的场合。The electronic equipment EG of the present invention allows a supplier of such equipment to respond directly to technological innovation cycles of, for example, the semiconductor industry, always supplying elements, components or assemblies corresponding to the current state of the art in reliable systems, even in Where such components have not been clearly demonstrated by certification that they have sufficiently low systematic errors so far.
就这一点而言,能够利用本发明的方法或者本发明的电子设备EG隐含地实现这一认证想必是特别有利的。In this regard, it must be particularly advantageous to be able to implement this authentication implicitly with the method of the invention or with the electronic device EG of the invention.
为此目的,为电子设备EG的每一通道A、B管理一个标识,该标识说明各通道A、B是否可被看作是系统错误足够少的通道。在一定的特别是由用户自由选择的时间段之后,如果在该段时间期间在电子设备的运行中在迄今未认证的通道A、B中未识别到任何系统错误,则该标识可从“未认证”向“已认证”转换。这样,迄今未明确认证的但其没有系统错误这一点在具体操作中被充分证明的通道,也可以象一个明确认证的通道一样使用。For this purpose, an identifier is administered for each channel A, B of the electronic device EG, which indicates whether the respective channel A, B can be regarded as a channel with sufficiently few systematic errors. After a certain period of time, in particular freely chosen by the user, if no system errors have been detected during the operation of the electronic equipment in the hitherto uncertified channels A, B during this period, the identification can be changed from "not Authenticated" to "Authenticated". In this way, a hitherto unambiguously authenticated channel, which has been sufficiently proven in practice to be free from system errors, can also be used like an explicitly authenticated channel.
这点特别能在结合有现在的“在线-认证通道”的电子设备EG中在另一个冗余通道A、B内使用由下一代半导体元件制造的构件、组件或部件,然后根据上述过程也对这些部件证明其系统错误足够少的可能性。This enables, in particular, components, components or components produced from next-generation semiconductor components to be used in an electronic device EG combined with the present "online-authentication channel" in another redundant channel A, B, which are then also The likelihood that these components demonstrate a sufficiently low level of systematic error.
由此,通过使用本发明的电子设备或者采用本发明的方法,可以在任何时候自由采用最新元件,组件或部件,而不必在相当耗时的认证过程后才将它们应用到涉及安全的系统中。Thus, by using the electronic device according to the invention or using the method according to the invention, the latest elements, components or parts can be used freely at any time without having to implement them into safety-relevant systems after a rather time-consuming certification process .
Claims (6)
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| EP97103151.3 | 1997-02-26 | ||
| EP97103151 | 1997-02-26 |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1246938A CN1246938A (en) | 2000-03-08 |
| CN1099075C true CN1099075C (en) | 2003-01-15 |
Family
ID=8226528
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN98802340A Expired - Fee Related CN1099075C (en) | 1997-02-26 | 1998-02-13 | Redundant electronic device with certified and non-certified channels |
Country Status (3)
| Country | Link |
|---|---|
| CN (1) | CN1099075C (en) |
| DE (1) | DE59800963D1 (en) |
| ES (1) | ES2160407T3 (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| DE102018121885A1 (en) * | 2018-09-07 | 2020-03-12 | Phoenix Contact Gmbh & Co. Kg | Electronic device for use in an automation system and an automation system |
| CN114253124A (en) * | 2021-12-22 | 2022-03-29 | 浙江中控技术股份有限公司 | High-availability hot standby redundancy system and method |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| DE3718582A1 (en) * | 1986-06-05 | 1987-12-10 | Zf Herion Systemtechnik Gmbh | Electronic security device |
| US5136704A (en) * | 1989-06-28 | 1992-08-04 | Motorola, Inc. | Redundant microprocessor control system using locks and keys |
| DE19504404C1 (en) * | 1995-02-10 | 1996-06-20 | Pilz Gmbh & Co | System architecture |
| EP0742507A1 (en) * | 1995-05-12 | 1996-11-13 | The Boeing Company | Method and apparatus for synchronizing flight management computers |
-
1998
- 1998-02-13 ES ES98910662T patent/ES2160407T3/en not_active Expired - Lifetime
- 1998-02-13 DE DE59800963T patent/DE59800963D1/en not_active Expired - Lifetime
- 1998-02-13 CN CN98802340A patent/CN1099075C/en not_active Expired - Fee Related
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| DE3718582A1 (en) * | 1986-06-05 | 1987-12-10 | Zf Herion Systemtechnik Gmbh | Electronic security device |
| US5136704A (en) * | 1989-06-28 | 1992-08-04 | Motorola, Inc. | Redundant microprocessor control system using locks and keys |
| DE19504404C1 (en) * | 1995-02-10 | 1996-06-20 | Pilz Gmbh & Co | System architecture |
| EP0742507A1 (en) * | 1995-05-12 | 1996-11-13 | The Boeing Company | Method and apparatus for synchronizing flight management computers |
Also Published As
| Publication number | Publication date |
|---|---|
| DE59800963D1 (en) | 2001-08-09 |
| CN1246938A (en) | 2000-03-08 |
| ES2160407T3 (en) | 2001-11-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102446125B (en) | The method of the application program of access control device and the control device of execution the method | |
| US10165043B2 (en) | Multi-core device with separate redundancy schemes in a process control system | |
| US20100123987A1 (en) | Apparatus for Fault Tolerant Digital Outputs | |
| CN103168292A (en) | A method for monitoring at least two microcontrollers | |
| CN107957692B (en) | Controller redundancy method, device and system | |
| CN108347432B (en) | Communication system, mobile object, and communication method | |
| CN110780590B (en) | Technology for providing safe control parameters for multi-channel control of machines | |
| JP2008530626A (en) | Method for monitoring program execution in a microcomputer | |
| JP2004227575A (en) | Single signal transmission of safety-related process information | |
| CN100382474C (en) | Systems and methods for securely transmitting data | |
| CN100476642C (en) | Diagnostics for parallel redundant signal output channels | |
| CN1099075C (en) | Redundant electronic device with certified and non-certified channels | |
| JP2010529530A (en) | Machine tool recognition using Profinet | |
| JP3486747B2 (en) | Vehicle control device and single processor system incorporated therein | |
| US11720090B2 (en) | Fault tolerant backplane slot assignment | |
| US20100259862A1 (en) | Safety switching device and modular failsafe control system | |
| US11290881B2 (en) | Method for functionally secure connection identification | |
| US8321495B2 (en) | Byzantine fault-tolerance in distributed computing networks | |
| US7284152B1 (en) | Redundancy-based electronic device having certified and non-certified channels | |
| CN108693813B (en) | Safety-oriented automation systems | |
| US6832331B1 (en) | Fault tolerant mastership system and method | |
| EP3532931B1 (en) | Multi-core device with separate redundancy schemes in a process control system | |
| JP7267400B2 (en) | Automated system for monitoring safety-critical processes | |
| CN110262215B (en) | Control method, device and system based on dissimilar redundancy technology | |
| CN107430539A (en) | Safety-related computer system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20030115 Termination date: 20150213 |
|
| EXPY | Termination of patent right or utility model |