CN110837233B - Safety control system for improving functional safety - Google Patents
Safety control system for improving functional safety
- Publication number: CN110837233B (application CN201810936309.XA)
- Authority: CN (China)
- Prior art keywords: chip, control system, channel, cores, core
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Active
Classifications
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B19/00—Programme-control systems
- G05B19/02—Programme-control systems electric
- G05B19/04—Programme control other than numerical control, i.e. in sequence controllers or logic controllers
- G05B19/042—Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
- G05B19/0421—Multiprocessor system
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B2219/00—Program-control systems
- G05B2219/20—Pc systems
- G05B2219/24—Pc safety
- G05B2219/24182—Redundancy
Landscapes
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Engineering & Computer Science (AREA)
- Automation & Control Theory (AREA)
- Safety Devices In Control Systems (AREA)
Abstract
The invention relates to a safety control system for improving functional safety, comprising two sets of subsystems, wherein the two sets of subsystems form a redundant relation, each subsystem forms a 1oo2D structure and is provided with a first channel and a second channel respectively, each channel is provided with a signal processing unit and a diagnosis unit, wherein the safety control system comprises two dual-core first chips and a four-core second chip, each subsystem comprises two cores of the second chip and one first chip, and each channel of the subsystems comprises one of the two cores of the one first chip and one of the two cores of the second chip, wherein the two cores of the one first chip in the subsystem respectively serve as a signal processing unit of the first channel and a diagnosis unit of the second channel, and the two cores of the second chip respectively serve as a diagnosis unit of the first channel and a signal processing unit of the second channel.
Description
Technical Field
The present invention relates to a safety control system for improving functional safety.
Background
The IEC 61508 standard, "Functional safety of electrical/electronic/programmable electronic safety-related systems", establishes a basic evaluation method for the overall safety lifecycle of an electrical/electronic/programmable electronic (E/E/PE) system that performs a safety function. The standard defines the Safety Integrity Level (SIL) as the grading of functional safety. IEC 61508 divides SIL into four levels, SIL1, SIL2, SIL3 and SIL4. The SIL that a safety-related device or system must reach is determined by risk analysis, with higher levels requiring a lower probability of dangerous failure. In the field of rail transit in particular, for example in automatic signalling control systems, which play a decisive role in ensuring traffic safety and improving operating efficiency, a failure is likely to result in significant casualties and property losses, and safety-related devices or systems in that field are therefore required to reach SIL4.
In the prior art, architectural measures can be introduced to improve the safety or reliability of safety-related devices or systems, reduce the probability of dangerous failure, and, if necessary, force the safety-related device or system into a safe failure state. Examples are hardware fault tolerance, system redundancy, and diagnostic and monitoring techniques. In general, voting mechanisms can be used, written "MooN" for "M out of N". Taking "1oo2D" as an example, the subsystem contains two separate devices connected such that any one of the two channels operating correctly is sufficient to perform the safety function, which allows a higher SIL to be reached, and "D" means that the one-out-of-two voting structure has diagnostic capability. For example, a 1oo2 architecture functional safety controller is disclosed in CN 106094629 A. As another example, CN 201941780U discloses a TMS570-based vehicle-mounted ATP subsystem in a two-by-two-out-of-two (2×2oo2) arrangement, i.e. two sets of identical two-out-of-two subsystems that are independent of each other and interconnected by a high-speed reliable channel. In addition, a 1oo2 redundancy control system and a multiple voting method for it are disclosed in CN 106527115 A.
In a system with a redundant structure, more than one identical module is provided simultaneously, so that the failure of one module through an ordinary random hardware fault does not bring the system down. However, the system can still suffer common cause failures. A common cause failure is the failure of more than one identical component, module, unit or system from the same cause. Common cause failures significantly compromise the ability of the various redundancy methods to reduce the probability of dangerous failure of safety-related devices or systems and to enhance their reliability.
In addition, existing redundant systems generally use identical components to realise the redundant structure, which on the one hand does not help reduce the risk of common cause failure and on the other hand often wastes some duplicated functional modules within those components. Furthermore, since the redundant components are arranged on different PCBs, the safety control system of the safety-related device or system is large in size.
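Why diversity matters more than simply adding identical channels can be shown with the beta-factor model of IEC 61508-6, carried through here as an added worked equation; it is not part of the patent text, and the numerical values are constructed for illustration. Let $p$ be the probability that a single channel suffers a dangerous undetected failure over the proof-test interval and $\beta$ the fraction of such failures that are common cause, i.e. that hit both channels at once. For a 1oo2 pair the probability that both channels fail dangerously is approximately

$$
P_{\text{both}} \approx \beta p + \big((1-\beta)\,p\big)^2 ,
$$

the first term being the common cause contribution and the second the coincidence of two independent failures. With $p = 10^{-3}$ and $\beta = 0.02$ for two identical components, $P_{\text{both}} \approx 2.0\times10^{-5} + 9.6\times10^{-7} \approx 2.1\times10^{-5}$; with diverse components and $\beta = 0.002$, $P_{\text{both}} \approx 2.0\times10^{-6} + 1.0\times10^{-6} \approx 3.0\times10^{-6}$. The common cause term dominates in both cases, which is why reducing $\beta$ through diverse hardware gains more than adding further identical channels, whose independent-failure term is already negligible.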
Disclosure of Invention
The object of the present invention is therefore to develop a safety control system with a redundant design that has high functional safety, in particular one that can reach the IEC 61508 SIL4 level, and that has a compact design.
The above-mentioned technical problem is solved in particular by a safety control system for the field of rail transit, comprising two sets of subsystems, which constitute a redundant relationship and each constitute a 1oo2D structure and have two channels, a first channel and a second channel, respectively, each channel having a signal processing unit and a diagnostic unit. According to the invention, the safety control system comprises two first chips with two cores and one second chip with four cores, respectively, wherein each set of the subsystems comprises two cores of one first chip and two cores of the second chip, and each channel of the subsystem comprises one of the two cores of the one first chip and one of the two cores of the second chip, wherein the two cores of the one first chip in the subsystem serve as a signal processing unit of the first channel and a diagnostic unit of the second channel, respectively, and the two cores of the second chip serve as a diagnostic unit of the first channel and a signal processing unit of the second channel, respectively.
In the present invention, the safety control system is used for safety-related devices or systems, for example in the field of rail transit. The safety control system is a real-time control system and consists mainly of two subsystems with a 1oo2D structure, which form a redundant pair, and a system voter. Each of the two subsystems has two channels and a subsystem voter, so that there are four channels in total, each channel having an arithmetic processing unit for processing the field signal and a diagnostic unit for diagnosing the result of that processing. The field signal is, for example, a signal detected by a sensor that carries safety-critical information about the safety-related device or system. The sensor can sample several points of one module of the device or system, or points of different modules, and several sensors can also be used to sample several points, giving sensor redundancy. The arithmetic processing units process the field signal and produce output signals, each converting the field signal in the same manner so that field signal and output signal map one to one. The voter of each subsystem compares the output signals of the arithmetic processing units of its two channels: if they agree, it outputs the corresponding voter output signal; if they differ, the safety-related device or system can be forced into a safe failure state, or the voter output signal of the other subsystem can be used.
In addition, the diagnostic unit of each channel performs a self-diagnosis function within that channel, for example by processing the field signal with a different operating method; the output signal of the arithmetic processing unit is forwarded to the subsystem voter only after the diagnostic unit has judged it. If both channels of one subsystem are diagnosed as faulty, the safety-related device or system can be forced into the safe failure state, or the voter output signal of the other subsystem is used. Finally, the system voter compares the voter output signals of the two subsystem voters: if they agree, a control signal corresponding to normal operation is output to the execution unit of the safety-related device or system; if they differ, the device or system can be forced into the safe failure state. The redundant structure thus reduces the risk of dangerous failure. Only when all four channels suffer a common cause dangerous failure, and that common cause failure leads every link to produce the same wrong output signal, can the safety-related device or system fail dangerously.
According to the invention, two dual-core first chips and one four-core second chip are provided in the safety control system, together with the necessary communication module and power module. For example, one of the two first chips comprises a first core and a second core, the other comprises a third core and a fourth core, and the second chip comprises a fifth, sixth, seventh and eighth core that are independent of each other. In one channel of the first subsystem of the safety control system, the first core is used for signal processing and the fifth core for diagnosis; in the other channel of the first subsystem, the sixth core is used for signal processing and the second core for diagnosis; in one channel of the second subsystem, the third core is used for signal processing and the seventh core for diagnosis; and in the other channel of the second subsystem, the eighth core is used for signal processing and the fourth core for diagnosis. The components making up the redundant structure are therefore diverse, so that common cause failures arising, for example, from the same physical structure or the same manufacturing process of identical components can be avoided. In each of the two dual-core first chips, one core implements an arithmetic processing unit for processing the field signal and the other core implements a diagnostic unit for diagnosing the result of that processing. In the second chip, two cores implement arithmetic processing units and the other two implement diagnostic units.
Furthermore, the cores of the first chips and the cores of the second chip are assigned crosswise across the four channels of the two subsystems, so that every channel pairs a core of a first chip with a core of the second chip. Diversity is thereby achieved to the greatest extent, a dangerous failure of the whole safety-related device or system due to a common cause failure is avoided as far as possible, and functional safety is improved.
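The voting and diagnosis behaviour described above, including the cross-assignment of cores and the one residual dangerous case, can be exercised in a small simulation. The following is an added example written for this page; it is not code from the patent or its applicant. It assumes a hypothetical field signal (a speed reading mapped to a brake level), a hypothetical stuck-at fault model in which a faulty core returns a fixed wrong value regardless of its input, and the conventional reading of 1oo2D in which a subsystem whose one channel is diagnosed faulty continues on the other channel; the description only says that the other subsystem's output may be used, so that degraded mode is an assumption. The core numbers follow the reference numerals used in the detailed description (11, 12 on the first MCU, 21, 22 on the second MCU, 51 to 54 on the FPGA). A second, non-crossed layout is included only for comparison and is not proposed by the patent.

```python
"""Simulation of the cross-core 1oo2D safety control architecture.

Added example for this page, not code from the patent. The field signal,
the two algorithms, the fault model and the layouts are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

SAFE = "SAFE_STATE"  # forced safe failure state of the description

# Chip membership of each core, following the reference numerals of the
# detailed description: 11/12 on MCU 1, 21/22 on MCU 2, 51-54 on FPGA 5.
CHIP_OF: Dict[int, str] = {11: "MCU1", 12: "MCU1", 21: "MCU2", 22: "MCU2",
                           51: "FPGA5", 52: "FPGA5", 53: "FPGA5", 54: "FPGA5"}

Layout = Dict[int, List[Tuple[int, int]]]  # subsystem -> [(processing core, diagnosis core)]

# Layout of the patent: every channel pairs one MCU core with one FPGA core.
CROSSED_LAYOUT: Layout = {
    1: [(11, 51), (52, 12)],  # channels 1 and 2
    2: [(21, 53), (54, 22)],  # channels 3 and 4
}
# Comparison layout (assumption, not from the patent): processing and
# diagnosis of a channel on the same chip, one subsystem per technology.
SAME_CHIP_LAYOUT: Layout = {
    1: [(11, 12), (21, 22)],
    2: [(51, 52), (53, 54)],
}

BRAKE_THRESHOLDS = (10, 20, 30, 40, 50, 60, 70)  # hypothetical speed steps


def primary_algorithm(speed: int) -> int:
    """Signal processing: brake level 0..7 obtained by integer division."""
    return min(max(speed, 0) // 10, 7)


def diverse_algorithm(speed: int) -> int:
    """Diagnosis: the same mapping computed by a different method (counting
    exceeded thresholds), i.e. the 'other operation method' of the text."""
    return sum(1 for t in BRAKE_THRESHOLDS if speed >= t)


def run_core(core: int, algorithm: Callable[[int], int], speed: int,
             faults: Dict[int, int]) -> int:
    """Hypothetical fault model: a faulty core returns its stuck value."""
    if core in faults:
        return faults[core]
    return algorithm(speed)


@dataclass
class ChannelResult:
    processing_core: int
    diagnosis_core: int
    output: int
    diagnosed_ok: bool  # processing result confirmed by the diagnosis unit


def run_channel(proc_core: int, diag_core: int, speed: int,
                faults: Dict[int, int]) -> ChannelResult:
    output = run_core(proc_core, primary_algorithm, speed, faults)
    check = run_core(diag_core, diverse_algorithm, speed, faults)
    return ChannelResult(proc_core, diag_core, output, output == check)


def subsystem_vote(channels: List[ChannelResult]) -> Optional[int]:
    """1oo2D subsystem voter: only diagnosed-healthy outputs reach the voter.
    Returns the agreed value, or None when the subsystem has no valid output."""
    healthy = [c for c in channels if c.diagnosed_ok]
    if not healthy:
        return None                 # both channels diagnosed faulty
    values = {c.output for c in healthy}
    if len(values) != 1:
        return None                 # healthy channels disagree
    return values.pop()             # assumption: one healthy channel suffices


def system_vote(sub1: Optional[int], sub2: Optional[int]):
    """System voter: agreement, fall back to the other subsystem, else safe state."""
    if sub1 is None and sub2 is None:
        return SAFE
    if sub1 is None or sub2 is None:
        return sub1 if sub2 is None else sub2
    return sub1 if sub1 == sub2 else SAFE


def evaluate(speed: int, faults: Optional[Dict[int, int]] = None,
             layout: Layout = CROSSED_LAYOUT) -> dict:
    """Run all four channels, both subsystem voters and the system voter."""
    faults = faults or {}
    subsystems: Dict[int, Optional[int]] = {}
    channels: Dict[Tuple[int, int], bool] = {}
    for sub_id, layout_channels in layout.items():
        results = [run_channel(p, d, speed, faults) for p, d in layout_channels]
        subsystems[sub_id] = subsystem_vote(results)
        for index, result in enumerate(results, start=1):
            channels[(sub_id, index)] = result.diagnosed_ok
    return {"subsystems": subsystems, "channels": channels,
            "output": system_vote(subsystems[1], subsystems[2])}


def chip_failure(chip: str, stuck_value: int) -> Dict[int, int]:
    """Common cause fault: every core of one chip stuck at the same wrong value."""
    return {core: stuck_value for core, owner in CHIP_OF.items() if owner == chip}


if __name__ == "__main__":
    speed = 35  # constructed field signal; the correct brake level is 3
    scenarios = {
        "no fault": {},
        "core 11 stuck": {11: 0},
        "MCU1 lost": chip_failure("MCU1", 0),
        "FPGA5 lost": chip_failure("FPGA5", 9),
        "all cores same wrong value": {core: 9 for core in CHIP_OF},
    }
    for name, faults in scenarios.items():
        crossed = evaluate(speed, faults)
        same = evaluate(speed, faults, layout=SAME_CHIP_LAYOUT)
        print(f"{name:28s} crossed={crossed['subsystems']}->{crossed['output']}"
              f"  same-chip={same['subsystems']}->{same['output']}")
```

Running the module shows that in the crossed layout the loss of any whole chip is caught inside every affected channel, because each channel pairs a core of a first chip with a core of the second chip: losing one MCU leaves the other subsystem operating, and losing the FPGA takes the system to the safe state. In the same-chip comparison layout, an FPGA with all cores stuck at the same wrong value yields a subsystem that confidently votes the wrong value, and only the system voter stops it. The one case that no voter detects is all eight cores producing the same wrong value, which is exactly the residual common cause failure the description acknowledges.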
In a preferred embodiment, the safety control system is arranged on a PCB board. Thereby reducing the structural size of the safety control system and facilitating deployment in a safety-related device or system.
Advantageously, the two first chips are arranged parallel to each other and the second chip is arranged obliquely to them. In each subsystem the core processing the field signal and the core performing diagnosis then sit on chips with different orientations, so that under an impact the component of the impact force along each core's structurally weaker direction differs, which reduces the risk of mechanical common cause failure or at least makes its degree differ between the chips.
It is particularly advantageous if the angle between the second chip and the two first chips is in the range of 30° to 60°, most preferably 45°. The components of the impact force in the two mutually perpendicular directions are then kept as small as possible, which reduces the risk of mechanical common cause failure.
Advantageously, the second chip is arranged between the two first chips. The distance between the two first chips is thereby increased, which reduces the risk of mechanical common cause failure.
In another preferred embodiment, the two cores of each of the two first chips and the four cores of the second chip each have an independent power supply. This reduces the risk of common cause failure in the power electronics; for example, a common cause failure due to a short circuit can be avoided.
In another preferred embodiment, each subsystem has a subsystem voter, each subsystem voter being implemented in a first chip of the corresponding subsystem, respectively. For example, a first voter of a first subsystem is implemented in one first chip and a second voter of a second subsystem is implemented in another first chip. The first voter and the second voter can be logic gates with voting logic, and the arrangement of the first voter and the second voter in two corresponding first chips can reduce the complexity of wiring and save space and cost. Alternatively, the first voter and the second voter can also be implemented by the second chip.
In another preferred embodiment, the system voter of the safety control system is implemented in the second chip. Implementing the system voter, i.e. the third voter, for example a logic gate, in the second chip advantageously reuses existing components, saving space and cost. Alternatively, the third voter can also be implemented in one of the two first chips.
In another preferred embodiment, the first chip is an MCU (microcontroller unit, also called a single-chip microcomputer) and the second chip is an FPGA (field programmable gate array). To reach the IEC 61508 SIL4 level, the FPGA chip and the two MCU chips are devices certified to IEC 61508 SIL3, or achieve a functional safety level equivalent to SIL3; the certification process itself is not part of this disclosure. For example, the dual-core MCU chips are TMS570 series devices and the FPGA chip is a Xilinx Virtex-5 series device. Under the definitions of IEC 61508, a 1oo2D redundant structure built from SIL3 components can achieve safety integrity level SIL3, and a SIL4 system can in theory be obtained by arranging two SIL3 systems redundantly. The invention concerns only the hardware redundancy structure; SIL4 certification also depends on the sensing modules, execution modules and so on of the safety-related device or system, and on complex questions such as software redundancy design, so a comprehensive conclusion must combine all these factors.
Drawings
Preferred embodiments of the present invention are schematically illustrated below with reference to the accompanying drawings. The attached drawings are as follows:
fig. 1 is a schematic diagram of a safety control system according to a preferred embodiment of the present invention.
Detailed Description
Fig. 1 schematically shows a safety control system according to a preferred embodiment of the invention. The safety control system can be used in the field of rail traffic, such as emergency driving systems for trains.
Two dual-core first chips and one four-core second chip are arranged in the safety control system. The two first chips are MCU chips, namely a first MCU chip 1 and a second MCU chip 2, and the second chip is a four-core FPGA chip 5. The safety control system also comprises the necessary communication module and power supply module. For example, the dual-core MCU chips 1 and 2 are TMS570 series devices and the FPGA chip 5 is a Xilinx Virtex-5 series device, so that device diversity is achieved and common cause failure is avoided as far as possible. The first MCU chip 1 comprises a first core 11 and a second core 12, the second MCU chip 2 comprises a third core 21 and a fourth core 22, and the FPGA chip 5 comprises a fifth core 51, a sixth core 52, a seventh core 53 and an eighth core 54. All eight cores have independent power supplies, reducing the risk of common cause failure in the power electronics, for example a common cause failure caused by a short circuit.
The safety control system is arranged on a single PCB, which reduces its structural size. The FPGA chip 5 is arranged between the first MCU chip 1 and the second MCU chip 2. Furthermore, the FPGA chip 5 is arranged obliquely to the first and second MCU chips 1, 2, the angle α between the FPGA chip 5 and the MCU chips 1, 2 being in the range of 30° to 60°, most preferably 45°. The risk of mechanical common cause failure is thereby reduced, or at least the degree of mechanical common cause failure is made to differ.
The safety control system is a real-time control system and is mainly composed of two subsystems with a 1oo2D structure and a system voter, namely a third voter 6 in the system architecture. Thus, the two subsystems each have two channels, so that there are a total of four channels in the safety control system, wherein each channel has an arithmetic processing unit for processing the field signal and a diagnostic unit for diagnosing the result of the field signal processing. The field signal is a signal collected by the sensor that includes safety critical information.
In the first channel, the first core 11 of the first MCU chip 1 processes the field signal and produces the output signal, and the fifth core 51 of the FPGA chip 5 diagnoses the result of that processing. In the second channel, the sixth core 52 of the FPGA chip 5 processes the field signal, and the second core 12 of the first MCU chip 1 diagnoses the result of that processing. The first voter 3 is implemented in the first MCU chip 1 and compares the output signals of the first core 11 and the sixth core 52; if they agree it outputs the corresponding first voter output signal, and if not, the safety-related device or system can be forced into a safe failure state or the second voter output signal can be used. In addition, the fifth core 51 and the second core 12 process the field signal with a different operating method to diagnose the output signals of the first core 11 and the sixth core 52; if both the first and the second channel are diagnosed as faulty, the safety-related device or system can be forced into the safe failure state or the second voter output signal is used.
In the third channel, the third core 21 of the second MCU chip 2 processes the field signal and produces the output signal, and the seventh core 53 of the FPGA chip 5 diagnoses the result of that processing. In the fourth channel, the eighth core 54 of the FPGA chip 5 processes the field signal, and the fourth core 22 of the second MCU chip 2 diagnoses the result of that processing. The second voter 4 is implemented in the second MCU chip 2 and compares the output signals of the third core 21 and the eighth core 54; if they agree it outputs the corresponding second voter output signal, and if not, the safety-related device or system can be forced into a safe failure state or the first voter output signal can be used. In addition, the seventh core 53 and the fourth core 22 process the field signal with a different operating method to diagnose the output signals of the third core 21 and the eighth core 54; if both the third and the fourth channel are diagnosed as faulty, the safety-related device or system can be forced into the safe failure state or the first voter output signal is used.
The third voter 6, for example a logic gate, is implemented in the FPGA chip 5 and compares the first voter output signal with the second voter output signal, outputting a control signal to the execution unit. The safety-related device or system therefore fails dangerously only if a common cause dangerous failure occurs in all four channels and that common cause failure leads every link to produce the same wrong output signal. The safety control system of this embodiment thus advantageously reduces the probability of common cause failure.
While possible embodiments have been described above by way of example, it should be understood that numerous variations of the embodiments can be formed by the skilled person through all known and readily conceivable combinations of the technical features and embodiments. It should also be appreciated that the exemplary embodiment or embodiments are only examples and are not intended to limit the scope, applicability or configuration of the invention in any way. The foregoing description gives the skilled person the technical teaching for implementing at least one exemplary embodiment, in which various changes may be made, in particular to the function and structure of the components, without departing from the scope of the claims.
List of reference numerals
1. First MCU chip
11. A first core
12. A second core
2. Second MCU chip
21. A third core
22. Fourth core
3. Subsystem voter, first voter
4. Subsystem voter, second voter
5. FPGA chip
51. Fifth core
52. Sixth core
53. Seventh core
54. Eighth core
6. System voter, third voter
Alpha included angle
Claims (9)
1. A safety control system comprising two sets of subsystems, said sets of subsystems constituting a redundant relationship and each constituting a 1oo2D structure and having two channels, a first channel and a second channel, respectively, each channel having a signal processing unit and a diagnostic unit, characterized in that,
the safety control system comprises two first chips (1, 2) each having two cores and one second chip (5) having four cores, wherein each set of the subsystems comprises two cores of the second chip and one first chip, and each channel of the subsystem comprises one of the two cores of the one first chip and one of the two cores of the second chip, wherein the two cores of the one first chip in the subsystem serve as signal processing unit of the first channel and diagnostic unit of the second channel, respectively, and the two cores of the second chip serve as diagnostic unit of the first channel and signal processing unit of the second channel, respectively.
2. The safety control system of claim 1, wherein the safety control system is disposed on a PCB board.
3. Safety control system according to claim 2, characterized in that two first chips (1, 2) are arranged in parallel and the second chip (5) is arranged obliquely to the two first chips (1, 2).
4. A safety control system according to claim 3, characterized in that the angle of the second chip (5) with respect to the two first chips (1, 2) is in the range of 30 ° to 60 °.
5. Safety control system according to claim 2, characterized in that the second chip (5) is arranged between the two first chips (1, 2).
6. The safety control system according to claim 1, characterized in that the respective two cores (11, 12, 21, 22) of the two first chips (1, 2) and the four cores (51, 52, 53, 54) of the second chip (5) each have an independent power supply.
7. A safety control system according to claim 1, characterized in that each subsystem has a subsystem voter (3, 4), each subsystem voter being implemented in the first chip (1, 2) of the corresponding subsystem, respectively.
8. The safety control system according to claim 1, characterized in that the safety control system further comprises a system voter (6), the system voter (6) being implemented in the second chip (5).
9. Safety control system according to claim 1, characterized in that the first chip (1, 2) is an MCU chip and the second chip (5) is an FPGA chip.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810936309.XA CN110837233B (en) | 2018-08-16 | 2018-08-16 | Safety control system for improving functional safety |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810936309.XA CN110837233B (en) | 2018-08-16 | 2018-08-16 | Safety control system for improving functional safety |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110837233A CN110837233A (en) | 2020-02-25 |
CN110837233B true CN110837233B (en) | 2024-03-05 |
Family
ID=69573332
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810936309.XA Active CN110837233B (en) | 2018-08-16 | 2018-08-16 | Safety control system for improving functional safety |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110837233B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112147988A (en) * | 2020-10-15 | 2020-12-29 | 济宁科力光电产业有限责任公司 | Synchronous logic diagnosis method for dangerous failure |
CN112526979B (en) * | 2020-12-16 | 2023-06-09 | 中国兵器装备集团自动化研究所 | Serial communication interface diagnosis system and method with multiple redundancy architecture |
CN114280919B (en) * | 2022-03-08 | 2022-05-31 | 浙江中控技术股份有限公司 | Redundancy control device |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102096401A (en) * | 2010-12-22 | 2011-06-15 | 北京昊图科技有限公司 | Redundant and fault-tolerant safety instrument control system based on fieldbus and ARM (advanced RISC machines) |
KR20120136955A (en) * | 2011-06-10 | 2012-12-20 | 김봉택 | Train contol system for obtain safty integrity |
CN102938014A (en) * | 2012-09-03 | 2013-02-20 | 北京广利核系统工程有限公司 | Method for calculating probability of dangerous failure on demand (PFD) and probability of dangerous failure per hour (PFH) in two out of four channel logic structure system |
CN102968109A (en) * | 2012-12-03 | 2013-03-13 | 西南大学 | Safety instrument system based on D-S (Dempster/Shafer) evidence theory |
CN105550074A (en) * | 2015-12-08 | 2016-05-04 | 中国计量学院 | Aerospace computer |
CN105683919A (en) * | 2013-06-11 | 2016-06-15 | Abb 技术有限公司 | Multicore processor fault detection for safety critical software applications |
CN106130537A (en) * | 2016-06-20 | 2016-11-16 | 北京安控科技股份有限公司 | A kind of 1OO2D functional safety digital quantity output circuit |
CN107942808A (en) * | 2017-12-08 | 2018-04-20 | 中国核动力研究设计院 | A kind of DCS capacity extensions device |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104798046A (en) * | 2012-10-01 | 2015-07-22 | Abb技术有限公司 | Symmetric multi-processor arrangement, safety critical system, and method therefor |
US20170090999A1 (en) * | 2015-09-25 | 2017-03-30 | Netapp, Inc. | Storage System Multiprocessing and Mutual Exclusion in a Non-Preemptive Tasking Environment |
- 2018-08-16 CN CN201810936309.XA patent/CN110837233B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN110837233A (en) | 2020-02-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN110837233B (en) | Safety control system for improving functional safety | |
CN109976141B (en) | UAV sensor signal redundancy voting system | |
US20100100259A1 (en) | Fault diagnosis device and method for optimizing maintenance measures in technical systems | |
US8612920B2 (en) | Field device for determining or monitoring a physical or chemical variable | |
CN110955571B (en) | Fault management system for functional safety of vehicle-specification-level chip | |
CN102472769A (en) | Sensing device | |
US5630046A (en) | Fault-tolerant computer architecture | |
D'Angelo et al. | Fault-tolerant voting mechanism and recovery scheme for TMR FPGA-based systems | |
CN108255123B (en) | Train LCU control equipment based on two software and hardware voting | |
Dobias et al. | FPGA based design of the railway's interlocking equipments | |
JP5089693B2 (en) | Control device and function control method | |
Durmus et al. | Modular fault diagnosis in fixed-block railway signaling systems | |
CN103135460A (en) | Systems, circuits and a method for generating a configurable feedback | |
CN103092186A (en) | Voting structure of two out of three secure output and voting method thereof | |
US7237653B2 (en) | Elevator controller | |
JP5517432B2 (en) | Elevator safety system | |
CN117425881A | (title not recoverable from the extracted page) | |
Chen et al. | A newly developed safety-critical computer system for China metro | |
CN101943910A (en) | Self-checking method for fault-tolerant control | |
CN115562233B (en) | Safety control device of track traffic vehicle-mounted control system | |
US7337020B2 (en) | Open-loop and closed-loop control unit | |
CN114630783B (en) | Analysis device and motor vehicle steering device | |
US20090307551A1 (en) | Mixed Signal Circuit for an Electronic Protected Control or Regulation System | |
CN1289345C (en) | Method for controlling safety-critical railway operating process and device for carrying out said method | |
Ban et al. | Design guideline of the EMB controller based on ISO26262 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |