CN114675583A - System for double-system main/standby state judgment according with SIL4 safety level - Google Patents
System for double-system main/standby state judgment according with SIL4 safety level Download PDFInfo
- Publication number
- CN114675583A CN114675583A CN202210463311.6A CN202210463311A CN114675583A CN 114675583 A CN114675583 A CN 114675583A CN 202210463311 A CN202210463311 A CN 202210463311A CN 114675583 A CN114675583 A CN 114675583A
- Authority
- CN
- China
- Prior art keywords
- fpga module
- mode channel
- cpu
- interface
- dual
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B19/00—Programme-control systems
- G05B19/02—Programme-control systems electric
- G05B19/04—Programme control other than numerical control, i.e. in sequence controllers or logic controllers
- G05B19/042—Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
- G05B19/0423—Input/output
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B2219/00—Program-control systems
- G05B2219/20—Pc systems
- G05B2219/25—Pc structure of the system
- G05B2219/25257—Microcontroller
Abstract
The invention discloses a system for judging the main and standby states of a dual system, which accords with the SIL4 safety level, and relates to the technical field of dual-system hot standby systems; the single-mode power supply comprises a first single-mode channel and a second single-mode channel which are connected to a back plate and have the same structure; the first single-mode channel comprises a first CPU, a second CPU, a first FPGA module, a second FPGA module and a back plate interface, the first FPGA module and the second FPGA module are both connected to the back plate interface, and a master-slave state output circuit and a master-slave state acquisition circuit are arranged between the first FPGA module and the back plate interface and between the second FPGA module and the back plate interface; the first single-mode channel and the second single-mode channel are respectively connected to a backboard through respective backboard interfaces, and the first single-mode channel and the second single-mode channel respectively output two groups of SP I signals through SP I communication interface circuits between the first single-mode channel and the backboard interfaces; the invention has the beneficial effects that: the method can effectively judge the main and standby states of the dual systems and ensure the data exchange between the dual systems.
Description
Technical Field
The invention relates to the technical field of dual-system hot standby systems, in particular to a system which accords with the SIL4 safety level and is used for judging the dual-system main and standby states.
Background
The dual-computer hot standby system has higher availability and reliability, has certain fault-tolerant capability and is convenient for operators to maintain, so the dual-computer hot standby system is widely applied to various control systems.
In the dual-computer hot-standby system, the presetting and switching of the main system and the standby system are the key for realizing the functions of the dual-computer hot-standby system. In the dual-computer hot standby system, the interlocking logic realized by hardware or software is used between the two systems to confirm the 'master' or 'standby' state of the two systems. The two systems exchange information mutually through a specific communication mode to realize interlocking logic between the two systems.
In the prior art, since information exchange depends on mutual communication between two systems, the communication is necessarily affected by various interferences. In an extreme case, once the communication between the two systems is cut off, the interlocking logic between the two systems cannot exchange information with each other, and cannot judge whether the opposite system of the dual-system hot-standby system exists, which will cause the original main system to keep the main state, and the original standby system to raise the main system by mistake, thereby generating the dual-main state. The dual-master state may affect the control logic of the dual-master hot-standby system, and may bring a greater risk to the normal operation of the dual-master hot-standby system to enter an unsafe state.
Disclosure of Invention
In order to overcome the defects of the prior art, the invention provides a system for judging the active/standby state of a dual system, which accords with the SIL4 safety level.
The technical scheme adopted by the invention for solving the technical problems is as follows: the system for judging the main and standby states of the dual system, which accords with the safety level of SIL4, is improved in that the system comprises a first single-mode channel and a second single-mode channel which are connected to a back plate and have the same structure;
the first single-mode channel comprises a first CPU, a second CPU, a first FPGA module, a second FPGA module and a backboard interface, the first FPGA module and the first CPU as well as the second FPGA module and the second CPU exchange data through an external bus EMIF, and GPIO signals between the first FPGA module and the first CPU and between the second FPGA module and the second CPU are used for hard line synchronization between the first CPU and the second CPU and current main state output;
the first FPGA module and the second FPGA module are both connected to the back plate interface, and a master-slave state output circuit and a master-slave state acquisition circuit are arranged between the first FPGA module and the back plate interface and between the second FPGA module and the back plate interface;
first single mode channel and second single mode channel are respectively through respective backplate interface connection on the backplate, first single mode channel and second single mode channel respectively through with the backplate interface between the SPI communication interface circuit output two sets of SPI signals, through keeping apart after export to the backplate to be used for the data transmission between first single mode channel and the second single mode channel.
Further, the first CPU and the second CPU are TI safety MCU chips which meet ISO26262 ASIL D and IEC 61508 SIL 3 certification and are a high-performance vehicle-scale series microcontroller for a safety system.
Furthermore, a synchronization line and a communication line are arranged between the first FPGA module and the second FPGA module, and the first FPGA module and the second FPGA module are isolated to realize data synchronization and exchange between the first single-mode channel and the second single-mode channel.
Further, the master-slave state output circuit between the first FPGA module and the backplane interface comprises a field effect transistor relay RL6, a signal input pin of the field effect transistor relay RL6 is connected to the first FPGA module, and an output pin of the field effect transistor relay RL6 is connected to the backplane interface.
Further, the model of the field effect transistor relay RL6 is G3VM-201G 1.
Furthermore, the master-slave state acquisition circuit between the first FPGA module and the backboard interface comprises a photoelectric coupler U64, the input end of the photoelectric coupler U64 is connected to the backboard interface, and the output end of the photoelectric coupler U64 is connected to the first FPGA module;
and the master-slave state acquisition circuit between the second FPGA module and the backboard interface comprises a photoelectric coupler U68, the input end of the photoelectric coupler U68 is connected to the backboard interface, and the output end of the photoelectric coupler U68 is connected to the second FPGA module.
Further, the model of the photocoupler U64 and U68 is TLP 281.
Further, the SPI communication interface circuit includes a chip U35, and a signal of the chip U35 is admm 7643.
The invention has the beneficial effects that: the system for judging the main and standby states of the double systems, which accords with the SIL4 safety level, can effectively judge the main and standby states of the double systems and ensure the data exchange between the double systems; and the occurrence of a dual master state can be effectively prevented.
Drawings
Fig. 1 is a schematic diagram of a system for dual system active/standby state determination according to SIL4 security level according to the present invention.
FIG. 2 is a schematic diagram of a master-slave state output circuit according to the present invention.
Fig. 3 and 4 are schematic structural diagrams of the master-slave state acquisition circuit in the invention.
FIG. 5 is a schematic diagram of an SPI communication interface circuit according to the present invention.
FIG. 6 is a diagram illustrating a process of determining redundancy status in initialization phase according to the present invention.
FIG. 7 is a diagram illustrating a cyclic redundancy control flow according to the present invention.
Fig. 8 is a schematic diagram of a communication-based redundancy flow in the present invention.
Detailed Description
The invention is further illustrated with reference to the following figures and examples.
The conception, the specific structure, and the technical effects produced by the present invention will be clearly and completely described below in conjunction with the embodiments and the accompanying drawings to fully understand the objects, the features, and the effects of the present invention. It is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all embodiments, and those skilled in the art can obtain other embodiments without inventive effort based on the embodiments of the present invention, and all embodiments are within the protection scope of the present invention. In addition, all the connection/connection relations referred to in the patent do not mean that the components are directly connected, but mean that a better connection structure can be formed by adding or reducing connection auxiliary components according to specific implementation conditions. All technical characteristics in the invention can be interactively combined on the premise of not conflicting with each other.
Referring to fig. 1, the present invention discloses a system for dual system active/standby state determination conforming to the SIL4 safety class, specifically, the system includes a first single mode channel and a second single mode channel both connected to a backplane and having the same structure, and since the first single mode channel and the second single mode channel have the same structure, only the structure of the first single mode channel will be described in detail below. The system adopts a 2 x 2oo2 system architecture, and a single board main control circuit is designed for the 2oo2 architecture.
In this embodiment, the first single-mode channel includes a first CPU, a second CPU, a first FPGA module, a second FPGA module, and a backplane interface, where the first CPU and the second CPU are TI safety MCU chips that meet ISO26262 ASIL D and IEC 61508 SIL 3 certification, and are a high-performance vehicle-scale series microcontroller for a safety system. The first FPGA module and the first CPU as well as the second FPGA module and the second CPU carry out data exchange through an external bus EMIF, and GPIO signals between the first FPGA module and the first CPU and between the second FPGA module and the second CPU are used for hard wire synchronization and current main state output between the first CPU and the second CPU;
furthermore, the first FPGA module and the second FPGA module are both connected to the back plate interface, and a master-slave state output circuit and a master-slave state acquisition circuit are arranged between the first FPGA module and the back plate interface and between the second FPGA module and the back plate interface; first single mode channel and second single mode channel are respectively through respective backplate interface connection on the backplate, first single mode channel and second single mode channel respectively through with the backplate interface between two sets of SPI signals of SPI communication interface circuit output, through keeping apart after exporting to the backplate to be used for the data transmission between first single mode channel and the second single mode channel. In addition, a synchronization line and a communication line are arranged between the first FPGA module and the second FPGA module, and the first FPGA module and the second FPGA module are used for realizing data synchronization and exchange between the first single-mode channel and the second single-mode channel after being isolated.
Therefore, the first CPU and the second CPU of the first single-mode channel are respectively communicated with the first FPGA module and the second FPGA module through the EMIF, the first FPGA module and the second FPGA module are isolated and then communicated with the FPGA module of the other channel through the serial port, and the FPGA module is transparent transmission.
Referring to fig. 2, for the master-slave state output circuit, according to a specific embodiment of the present invention, the master-slave state output circuit between the first FPGA module and the backplane interface includes a fet relay RL6, a signal input pin of the fet relay RL6 is connected to the first FPGA module, and an output pin of the fet relay RL6 is connected to the backplane interface. In the embodiment, the model of the field-effect transistor relay RL6 is G3VM-201G 1. The main state instruction is sent by the CPU, is driven by a field effect transistor (RL 6) after passing through the FPGA module, is isolated and output, and is output to the alignment system through the backboard to acquire the state.
Referring to fig. 3, for the master-slave state acquisition circuit, a specific embodiment is provided in the present invention, the master-slave state acquisition circuit between the first FPGA module and the backplane interface includes a photoelectric coupler U64, an input end of the photoelectric coupler U64 is connected to the backplane interface, and an output end is connected to the first FPGA module; referring to fig. 4, the master-slave state collecting circuit between the second FPGA module and the backplane interface includes a photoelectric coupler U68, an input end of the photoelectric coupler U68 is connected to the backplane interface, and an output end of the photoelectric coupler U68 is connected to the second FPGA module. In this embodiment, the models of the photocoupler U64 and U68 are TLP 281. One path of the master-slave state acquisition circuit acquires the master state output of the system single-mode channel, and the other path of the master-slave state acquisition circuit acquires the master state output of the system single-mode channel.
For the two-way SPI communication interface circuit, referring to fig. 5, the SPI communication interface circuit includes a chip U35, and the signal of the chip U35 is admm 7643. The SPI communication interface circuit is mainly used for synchronization of communication between double systems and transmission of a main state between a main system and a standby system so as to prevent the double main state from occurring and dangerous output to a VIO (video on demand) board, the communication between the systems adopts CRC (cyclic redundancy check) of 32Bit, and a CPU (Central processing Unit) only uses and analyzes correct communication data to ensure the safety of the communication data. The two paths of SPI interfaces are respectively in a master-slave mode, the communication master module is used as a data sending end, and the communication slave module is used as a data receiving end.
With the above structure, the system for determining the active/standby states of the dual system according to the SIL4 security level of the present invention includes two states: a main mode (ACTIVE state) and a STANDBY mode (STANDBY state). The redundancy control management is divided into an initialization stage redundancy management and a periodic operation stage redundancy management according to different operation stages. Dual-system redundancy employs defensive programming: and judging the validity of all parameters influencing the judgment of the switching logic, and if any parameter is illegal, considering that the adjustment fails and quitting the software. The main and standby state modes returned by the module can be continuously used only after passing the 2oo2 verification.
Fig. 6 is a schematic diagram of the redundancy status determination process in the initialization stage. The dual-system redundancy adopts a redundancy control method based on communication, an independent hardware channel is used between the dual systems for redundant information interaction, and 32-bit CRC (cyclic redundancy check) is adopted for the interactive information; after the redundancy control is started, firstly, the redundancy control information of the peer-to-peer CPU is waited to be received, the time-out threshold value is set as 2 seconds, if the redundancy information sent by the opposite side is not received in 2 seconds, the hardware channel is read to obtain the master-to-backup state of the opposite side, and the master-to-backup state mode of the local side is set according to the master-to-backup state of the opposite side. And if the pairing system state information cannot be received after 2s overtime, judging the current main/standby state according to the RTC time, interacting redundant state information with a pairing system CPU, and judging the current main/standby state through the main/standby information of the hardware channel if the pairing system redundant control information cannot be received. If the redundant state information of the opposite system is received, whether the redundant state information conflicts with the state of the opposite system is judged, if not, the current main/standby state mode is kept, and if so, the current main/standby state (namely the main/standby state of the first single-mode channel and the second single-mode channel) is judged according to the A/B system.
Fig. 7 is a schematic diagram of the cyclic redundancy control process. And the periodic redundancy management is based on the software communication redundancy, judges whether the redundant state is double-main conflict or not through a hardware channel according to a communication result returned by the software communication redundancy, and finally obtains a system redundancy mode.
The communication-based redundancy flow is part of the cyclic redundancy management, and the detailed flow is shown in fig. 8. And based on the dual-system redundancy control of communication, current state information is interacted through the communication channel between systems. The dual CPUs synchronously receive the pairing redundant message, and when the dual CPUs receive the pairing redundant message, the redundant message received by the machine A is adopted by default; if the opposite terminal information is received, after the consistency judgment is carried out through 2oo2, but the channel disconnection count is clear 0, whether the state of the system is consistent with the opposite system or not is judged, and corresponding processing is carried out. Furthermore, the VIO board has a double-master-prevention design, when receiving the output data frame of the AB double system at the same time, the VIO board does not execute the output instruction, and will immediately lead to the safety side (safety shutdown), and report the fault at the same time.
In summary, the system for determining the main/standby state of the dual system, which meets the safety level of SIL4, according to the present invention can effectively determine the main/standby state of the dual system, thereby ensuring data exchange between the dual systems; and the occurrence of a dual master state can be effectively prevented.
While the preferred embodiments of the present invention have been illustrated and described, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.
Claims (8)
1. A system for judging the main and standby states of a dual system, which accords with the safety class SIL4, is characterized by comprising a first single-mode channel and a second single-mode channel which are connected to a back plate and have the same structure;
the first single-mode channel comprises a first CPU, a second CPU, a first FPGA module, a second FPGA module and a backboard interface, the first FPGA module and the first CPU as well as the second FPGA module and the second CPU exchange data through an external bus EMIF, GPIO signals between the first FPGA module and the first CPU and between the second FPGA module and the second CPU are used for hard wire synchronization between the first CPU and the second CPU and current main state output;
the first FPGA module and the second FPGA module are both connected to the back plate interface, and a master-slave state output circuit and a master-slave state acquisition circuit are arranged between the first FPGA module and the back plate interface and between the second FPGA module and the back plate interface;
first single mode channel and second single mode channel are respectively through respective backplate interface connection on the backplate, first single mode channel and second single mode channel respectively through with the backplate interface between the SPI communication interface circuit output two sets of SPI signals, through keeping apart after export to the backplate to be used for the data transmission between first single mode channel and the second single mode channel.
2. The system for dual system active-standby state judgment according to the SIL4 security level of claim 1, wherein the first CPU and the second CPU are TI safety MCU chips meeting ISO26262 ASIL D and IEC 61508 SIL 3 certification as a high performance vehicle-scale microcontroller for safety systems.
3. The system for dual system active/standby state determination according to SIL4 security level of claim 1, wherein the first FPGA module and the second FPGA module have a synchronization line and a communication line therebetween, and are isolated to implement data synchronization and exchange between the first single mode channel and the second single mode channel.
4. The system for dual system active/standby state judgment according to the SIL4 safety class of claim 1, wherein the master/slave state output circuit between the first FPGA module and the backplane interface comprises a fet relay RL6, a signal input pin of the fet relay RL6 is connected to the first FPGA module, and an output pin of the fet relay RL6 is connected to the backplane interface.
5. The system for dual system active/standby state judgment according to the SIL4 safety level, wherein the model of the FET relay RL6 is G3VM-201G 1.
6. The system for judging the active/standby state of a dual system according with the safety class SIL4 of claim 1, wherein the master/slave state acquisition circuit between the first FPGA module and the backplane interface comprises a photocoupler U64, an input terminal of the photocoupler U64 is connected to the backplane interface, and an output terminal thereof is connected to the first FPGA module;
and the master-slave state acquisition circuit between the second FPGA module and the backboard interface comprises a photoelectric coupler U68, the input end of the photoelectric coupler U68 is connected to the backboard interface, and the output end of the photoelectric coupler U68 is connected to the second FPGA module.
7. The system for judging the active/standby state of a dual system according to the safety level of SIL4 of claim 6, wherein the model of the photocoupler U64 and photocoupler U68 is TLP 281.
8. The system for dual-system active-standby state judgment according to the SIL4 security level of claim 1, wherein the SPI communication interface circuit comprises a chip U35, and a signal of the chip U35 is ADUM 7643.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210344497 | 2022-03-31 | ||
| CN2022103444973 | 2022-03-31 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN114675583A true CN114675583A (en) | 2022-06-28 |
Family
ID=82080245
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210463311.6A Pending CN114675583A (en) | 2022-03-31 | 2022-04-28 | System for double-system main/standby state judgment according with SIL4 safety level |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114675583A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116203888A (en) * | 2023-05-06 | 2023-06-02 | 常州今创电工有限公司 | Dual-system redundancy real-time synchronous complementary system and method based on FPGA |
-
2022
- 2022-04-28 CN CN202210463311.6A patent/CN114675583A/en active Pending
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116203888A (en) * | 2023-05-06 | 2023-06-02 | 常州今创电工有限公司 | Dual-system redundancy real-time synchronous complementary system and method based on FPGA |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Barranco et al. | An active star topology for improving fault confinement in CAN networks | |
| CN101625568B (en) | Synchronous data controller based hot standby system of main control unit and method thereof | |
| CN102984059B (en) | Gigabit Ethernet redundancy network interface card and link switching condition criterion output control method thereof | |
| CN110445533B (en) | Dual-redundancy optical fiber Ethernet transmission system | |
| CN104407556B (en) | Hot standby redundancy module switching device | |
| CN112511394B (en) | Management and maintenance method of RapidIO bus system | |
| CN114675583A (en) | System for double-system main/standby state judgment according with SIL4 safety level | |
| CN102763087B (en) | Method and system for realizing interconnection fault-tolerance between CPUs | |
| CN210608666U (en) | Control device of redundant power supply and power supply system | |
| CN106452668B (en) | FPGA-based IED dual-channel data transmission and dual-logic verification system and method | |
| CN218772141U (en) | Dual-processor circuit and control mainboard of distributed control system | |
| CN113050475A (en) | CAN and 1553b dual-redundancy architecture design method based on VPX | |
| CN112422175B (en) | Cascade device | |
| CN101299205A (en) | Priority queuing arbitration system bus control method based on voting | |
| US11928074B2 (en) | USB active optical cable and plug capable of managing power consumption and status | |
| CN102880583A (en) | Device and method for configuring dynamic link of multi-way server | |
| CN104541479A (en) | Communication controller | |
| CN103840956A (en) | Backup method for gateway device of Internet of Things | |
| CN210927649U (en) | Gigabit dual-redundancy network card based on Compact PCI bus | |
| CN115168253A (en) | USB working mode switching method and electronic equipment | |
| CN112000613A (en) | Multi-unit server management unit and multi-unit server | |
| CN220254490U (en) | Low-power-consumption power-on reset circuit and main board | |
| CN215267628U (en) | Overcurrent protection system based on inverter circuit | |
| CN202906941U (en) | Ethernet switch chip port loopback detection device | |
| CN216146323U (en) | 5G broadband power line communication safety dual-mode communication terminal |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |