DE4407867C1 - Dual computer system - Google Patents

Abstract

The dual computer system contains an operational active computer (WR) and an operationally available backup computer (ER), which each contain a preprocessing unit (VE1, VE2), a preliminary memory (VS1, VS2), a further-processing unit (WV1, WV2) and a main memory (HS1, HS2). The further-processing unit (WV2) of the active computer (WR) additionally writes its final results (END2) to the main memory (HS1), too, of the backup computer (ER) at least when the contents of the main memory (HS2) are altered. <IMAGE>

Description

The invention relates to a double computer system, in particular one for controlling the operation of a railway system Railway control system, with two parallel, communicating Computer channels.

From the article Fault Tolerant Computers in Use "by H. Kirrmann, Bull. SEV / VSE 80 (1989), pp. 639-648 Dual computer systems with two parallel computer channels known. Each computer channel contains at least one zen central processing unit and a memory. The talk dante computer channel (replacement computer) can, if necessary Function of the failed operational computer Take over nals (active computer). The intended Er Set hardware must be used for a bumpless function takeover kept as current as possible. To This update will be two alternative updates principles, namely tracking or synchronous operation, described. With both principles only there is one Knitting computer its final results in the form of commands a system to be controlled, while the replacement computer is ineffective.

The real computer performs the substitute rake during the tracking ner in regular, through reset points of the operation programs (software) according to defined intervals. The Use of reset points is related to Tandem computer systems for processing financial transactions actions from "Design and Analysis of Fault-Tolerant Digital Systems ", B.W. Johnson, ISBN 0-201-07570-9, 1989,  Pages 346 to 348, also under the term "checkpoin ting ". A processor receives the replacement computer regularly at critical program points status descriptive messages ("checkpoint messages") of the im Real computer running program. For tracking exchange the two computer channels for rescue or Restoration of a state of necessary data indirectly from each other and must accordingly be coordinated. The necessary regular  Adequate data transfer can be particularly large amount of data processed per unit of time (high data an case) relatively complex and time-consuming his. In the event of a fault, the replacement computer can only do the work resume at the last reset point; the shawl tion is therefore not seamless.

In synchronous operation, the host computer and substitute computer run the same programs in parallel. Because an absolute Synchronization of the two computer channels due to the computer individual delay and tax times are not guaranteed is, their situation-related calculation results un turn out differently and for different dishes content. Since both computers for subsequent Decisions and processing routines on ih their individual - possibly different - memory just fall back on current events under different reactions occur, some of which are different can speak. That is why a bumpless takeover do not guarantee this update principle either continuous To be largely seamless when synchronized Acquisition must be proportionate to agile precautionary measures are taken. From the DE-OS In this context, 26 12 100 is a comparative one elaborate monitoring device has become known.

The object of the present invention is that Creation of a double computer system that is possible with a minimal update effort and data transfer an almost bumpless function between the computer channels ons takeover by the replacement computer, especially at a high level of input data.  

This object is achieved by a double computer system with two parallel, communicating computer channels, each containing at least the following components:
a preprocessing unit that can be loaded with status data of a system, a downstream pre-memory for storing the pre-results of the preprocessing unit; a further processing unit to generate final results from the preliminary results; a main memory for storing the final results and an output unit which, based on the final results, generates commands as required for controlling the system,
wherein the one computer channel forms an operational active computer which issues the commands generated from the status data to the system,
and the other computer channel forms an operational He set computer and
the further processing unit of the host computer also at least additionally writes its final results into the main memory of the backup computer when the content of the host computer main memory changes.

An essential aspect of the present invention be is that the processing unit of the Host computer also their event-driven results in writes the main memory of the replacement computer. Out of it results in a significant advantage of the invention Computer system that is in an operational, only at Change the main memory content necessary Data transfer from the host computer to the replacement computer consists. In contrast to through an operating program (Software) defined reset times are thus carried out a considerably easier computer communication, company-dependent data transfer. The invention  Dual computer system does not synchronize the Computer channels ("hot stand by") and the required elaborate coordination and monitoring directions. Nevertheless, there is always an extensive To status correspondence without that in an autonomous syn deviations occurring in chronological order and the result guaranteed competency problem. The calculator channels can be accessed via a common network (Local Area Net communicate work (LAN <).

Another significant advantage of the invention Dual computer system is that during the loading operational readiness of the replacement computer only when necessary the - preprocessed and in its information content considerably compressed - transfer the main memory content becomes; this also makes the one to be transmitted regularly Data volume significantly reduced. The previous replacement In the event of a takeover, the computer relies on the one provided Status data of the system and the content of its main menu chers on.

An advantageous further development of the inventions in this regard dual computer system according to the invention provides that the Zu status data also the preprocessing unit of the Er act on the rate calculator and that its preprocessing unit their preliminary results in the pre-memory of the Substitute computer. In this configuration of the dop pel computer systems process both computer channels status data and present the preliminary results in their respective temporary memory. However, are ready for use Replacement calculator the further processing and an effect of Final results on the plant - e.g. B. by interruption the processing unit's access to the pre memory - prevented. The replacement computer has so  already during the operational readiness over a ver equally complete status information about the Plant without the preliminary results - that of a plant with a large amount of data represents very large amounts of data can place - regularly from the active computer to Replacement computers must be transferred.

An advantageous further development of the Erfin for test purposes tion is that the com components of the replacement computer together like a computer act, the preprocessing unit from the Zu status data is applied and the effect of the replacement computer on the system is prevented. In the free The replacement computer carries the same running status Functions like the knitting computer, but its Expenses have no effect on the system. Outdoors run the function of the replacement computer check without impairing the operation of the system.

After one for the resumption of the effect redundants Function of the double computer system particularly advantageous The active computer rewrites the embodiment of the invention End of the freewheeling state in the pre-memory and the main memory of the replacement computer the contents of its Memory or its main memory.

An embodiment of the invention is described below in Relation to a particularly preferred use in a railway system explained in more detail using a drawing; show it:

FIG. 1 shows various situations on the railway system and the resulting states,

Fig. 2 shows a cooperation of a double computer system with an interlocking of the railway system and

Fig. 3 is a schematic representation of the double computer system.

Fig. 1 shows a system to be monitored and controlled ge in the form of a railway system BA, the area limits GR are indicated. Track response devices GAG are installed at area boundaries GL of the BA railway system that report the entry or exit of vehicles. A vehicle F be initially found on a section A1 of a route ST with a plurality of sections A1, A2, which issues a corresponding occupancy message to an interlocking STW of the railway installation BA. The vehicle F then moves (shown in dashed lines) into section A2, so that section A2 is reported to the signal box STW as occupied (cf. vertical time axis t in FIG. 1). A signal SIG positioned on section ST in front of section A2 and securing section A2 and subsequent sections then goes into the "stop" position, and section A1 is then released to the signal box STW. A sequence of these messages or events in their chronological order results in a sequence SEQ. The rail system-side messages such. B. this sequence SEQ are as status data from the signal box in the form of sequential bit streams D1, D2 with a period of z. B. 1.75 s cyclically transmitted to a (train) control system LA.

Referring to FIG. 2, the (train) comprises guide arrangement LA next not shown in detail, operating computers and display elements including two computer channels in the form of Zuglenkrechnern ZLR1, ZLR2, which are connected via direct data lines V1, V2 with a Fernkoppelkonzentrator FKK of the interlocking STW in connection. The train control computers ZLR1, ZLR2 communicate via a common local area network (LAN). The FKK remote coupling concentrator controls the connections V1, V2 to the train steering computers ZLR1, ZLR2 by monitoring the arrival of acknowledgments for messages from the signal box STW. In addition, the train steering computers ZLR1, ZLR2 can monitor the cyclical arrival of interlocking messages.

The computer channels ZLR1, ZLR2 shown in Fig. 3 are equipped identically in terms of their hardware and software and each contain a preprocessing unit VE1, VE2, which, via the connections V1, V2 from the signal box STW with the status data D1, D2 of the system BA can be opened. The preprocessing units VE1, VE2 are each connected on the output side to a preliminary memory VS1, VS2, in which their preliminary results VQR1, VOR2 can be stored. A further processing unit WV1, WV2 can be connected via a (software) switch S1, S1 'to the respective preliminary memory VS1, VS2. The output-side end results END1, END2 of the further processing units WV1, WV2 can thus be written into the main memory HS1 or HS2. From an output unit AU1 or AU2, commands generated from the final results (e.g. for route-configuring switch movements) can be transmitted to the signal box STW as needed and thus act on the railway system BA. The further processing units WV1, WV2 can additionally be supplied with additional data ZD which, for. B. from a track response device GAG to the control center LA if a vehicle F enters the railroad station BA via the limit GR and the corresponding track response device GAG ( FIG. 1) in order to record its train number for the first time and thus to enable a train route tracking . The further processing units WV1, WV2 can each be connected to the main memory HS2 or HS1 of the other computer channel ZLR1, ZLR2 via switches S2, S2 '.

In the present example, the computer channel ZLR2 is operated as an operational active computer WR ( FIG. 2), while the other computer channel ZLR1 functions as an operational replacement computer ER. For this purpose, the components of the host computer WR, namely the preprocessing unit VE2, the pre-memory VS2 via the switch S1 ', the further processing unit WV2, the main memory HS2 and the switch S3' the output unit AU2 connected to each other. The preprocessing unit VE2 of the host computer WR processes the status data D2 supplied by the remote coupling concentrator FKK to the extent that a process image PA2 of the rail system BA is stored in the pre-memory VS2. The process image PA2 reproduces the current occupancy image of the rail system BA obtained from the route-specific messages (cf. FIG. 1). From the contents of the preliminary memory VS2, the further processing unit WV2 determines the positions and travel movements of the trains or vehicles (train run) as the final results END2. The further processing unit WV2 recognizes, for example, a movement of the vehicle F from the sequence SEQ shown in FIG. 1 with respect to the sections A1, A2 and generates corresponding data for updating the main memory (train memory) HS2 on the basis of this sequence. The train run or the current train positions can be called up by the output unit AUS2 from the main memory HS2.

Via the closed switch S2 'the final result END2 of the processing unit WV2 additionally also in the main memory HS1 of the replacement computer ER written. The from the final results END2 from the Output unit AU2 generated commands are via the Ver  Connection cable V2 to the STW signal box for execution (e.g. route settings = signal and turnouts positions).

The ready-to-use replacement computer ER also becomes one of the State data D2 applied to identical data D1 and generated by processing in the preprocessing unit VE1 a process corresponding to the condition of the railway system image PA1. Through the open switch S1, the Processing unit WV1 not on the pre-memory VS1 fall back, so the memory content of the main memory HS1 from the final results END2 of further processing work unit WV2 of the host computer WR. There also that between the main memory HS1 and the output Unit AU1 provided switch S3 is open, the Replacement computer via the connecting line V1 none We on the STW interlocking or the BA railway system.

Only then will a new entry be made in the main menu cher HS1 when the processing unit WV2 des End computer has generated new end results END2 by from the previous memory content of the main memory HS2 give way. This is event-driven - when there is a change the final results END2 (or the main memory HS2) - an update of the content of the main memory HS1 performed. The data exchange between the host computer and the replacement computer is significantly restricted. The active computer and the lo used for data exchange This greatly relieves the strain on LAN networks.

Nevertheless, the replacement computer is always functional takeover ready because on the one hand its pre-storage VS1 due to the computer-specific preprocessing contains current process image PA1 and the main memory  HS1 always up to date with the main memory HS2 of the real computer WR. This makes comparative low data transfer between the computer channels seamless transition in the event of a malfunction of the Guaranteed computer. The initially described with an autonomous synchronous operation of both computer channels problem of deviations in the contents of the memory does not occur.

For test purposes, the replacement computer ER can be used in a free run state in which both switches S2 and S2 ′ open and both switches S1, S1 'are closed. Further the switch S3 is open and the switch S3 'ge closed. The replacement computer then carries out the same radio tions like the knitting computer, whereby through the open Switch S3 the effect of its final results END1 on that Signal box STW is prevented.

Claims (4)

1. Double computer system with two parallel, communicating computer channels (ZLR1, ZLR2), each containing at least the following components:
a preprocessing unit (VE1, VE2) which can be loaded with status data (D1, D2) of a system (BA);
a downstream pre-memory (VS1, VS2) for storing the pre-results (VOR1, VOR2) of the pre-processing unit (VE1, VE2);
a further processing unit (WV1, WV2) in order to generate final results (END1, END2) from the preliminary results (VOR1, VOR2);
a main memory (HS1, HS2) for storing the final results (END1, END2) and
an output unit (AU1, AU2) which, based on the final results (END1, END2), generates commands for controlling the system (BA) as required,
one computer channel (ZLR2) forms an operational management of the active computer (WR), which transmits the commands generated from the status data (D2) to the system (BA),
and the other computer channel (ZLR1) forms an operational replacement computer (ER) and
wherein the further processing unit (WV2) of the host computer (WR) at least additionally also writes its final results (END2) into the main memory (HS1) of the substitute computer (ER) when the content of the main computer main memory (HS2) changes. 2. double computer system according to claim 1, characterized in that the status data (D1) also the preprocessing unit (VE1) of the replacement computer (ER) and that the their preprocessing unit (VE1) their preliminary results (VOR1) in the preliminary memory (VS1) of the replacement computer (ER) discards.   3. double computer system according to claim 1, characterized in that the components (VE1, VS1, WV1, HS1) of the substitute computer (ER) work together like an effective computer process, the preprocessing unit (VE1) from the Condition data (D1) is applied and the effect of Substitute computer (ER) on the system (BA) is prevented. 4. double computer system according to claim 3, characterized in that the active computer (WR) after the freewheeling state has ended in the pre-memory (VS1) and the main memory (HS1) of the Substitute computer (ER) the contents of its pre-memory (VS2) or its main memory (HS2).