GB2313678A - Preventing discontinuities in electronically-interlocked parallel-multiplexed control system - Google Patents

Preventing discontinuities in electronically-interlocked parallel-multiplexed control system Download PDF

Info

Publication number
GB2313678A
GB2313678A GB9700644A GB9700644A GB2313678A GB 2313678 A GB2313678 A GB 2313678A GB 9700644 A GB9700644 A GB 9700644A GB 9700644 A GB9700644 A GB 9700644A GB 2313678 A GB2313678 A GB 2313678A
Authority
GB
United Kingdom
Prior art keywords
standby
standby system
service
interlocked
service system
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
GB9700644A
Other versions
GB9700644D0 (en
GB2313678B (en
Inventor
Mukai Atsushi
Okajima Toshio
Sekimoto Hajime
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Mitsubishi Electric Corp
Original Assignee
Mitsubishi Electric Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Mitsubishi Electric Corp filed Critical Mitsubishi Electric Corp
Publication of GB9700644D0 publication Critical patent/GB9700644D0/en
Publication of GB2313678A publication Critical patent/GB2313678A/en
Application granted granted Critical
Publication of GB2313678B publication Critical patent/GB2313678B/en
Anticipated expiration legal-status Critical
Expired - Fee Related legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0796Safety measures, i.e. ensuring safe condition in the event of error, e.g. for controlling element
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B7/00Arrangements for obtaining smooth engagement or disengagement of automatic control
    • G05B7/02Arrangements for obtaining smooth engagement or disengagement of automatic control electric
    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B9/00Safety arrangements
    • G05B9/02Safety arrangements electric
    • G05B9/03Safety arrangements electric with multiple-channel loop, i.e. redundant control systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16Error detection or correction of the data by redundancy in hardware
    • G06F11/1629Error detection by comparing the output of redundant processing systems
    • G06F11/1637Error detection by comparing the output of redundant processing systems using additional compare functionality in one or some but not all of the redundant processing components
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16Error detection or correction of the data by redundancy in hardware
    • G06F11/1629Error detection by comparing the output of redundant processing systems
    • G06F11/1654Error detection by comparing the output of redundant processing systems where the output of only one of the redundant processing components can drive the attached hardware, e.g. memory or I/O
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16Error detection or correction of the data by redundancy in hardware
    • G06F11/1695Error detection or correction of the data by redundancy in hardware which are operating with time diversity
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16Error detection or correction of the data by redundancy in hardware
    • G06F11/1675Temporal synchronisation or re-synchronisation of redundant processing components

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Quality & Reliability (AREA)
  • General Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Hardware Redundancy (AREA)
  • Safety Devices In Control Systems (AREA)

Abstract

An electronically-interlocked parallel-duplexed control system includes an inservice system l and a standby system 2. Both systems are operated constantly in a parallel duplexed manner and interlocked electronically so that upon occurrence of a fault in the in-service system, the standby system is put into operation to serve as the in-service system by change-over unit 3. The system is imparted with facility for ensuring continuity in the output control data to be supplied to a device under control 6 upon changing-over of the standby system to the service operation mode. The inservice system l transfers output control data and a CRC (cyclic redundancy code) value calculated on the basis of that data to the standby system 2 by way of mirror memories 7a, 7b serving as interface. The standby system compares the received CRC value with one calculated on the basis of output control data in the standby system. When the comparison results in discrepancy, a fault signal is generated for preventing unit 3 from changing over the in-service system to the standby system even when abnormality occurs in the in-service system. The control output may thus be prevented from becoming discontinuous.

Description

ELECTRONICALLY- INTERLOCKED PARALLEL-MULTIPLEXED CONTROL SYSTEM BACKGROUND OF THE INVENTION Field of the Invention The present invention relates generally to an electronically-interlocked parallel-multiplexed control system which includes an in-service system ordinarily put into service or operation and at least one standby system ordinarily placed in a standby state for preparation to cope with occurrence of a fault in the in-service system, wherein both of the in-service system and the standby system are operated constantly in a parallel multiplexed or duplexed manner and interlocked electronically so that upon occurrence of a fault in the in-service system, the standby system is changed over to a service operation mode to serve as the in-service system. More particularly, the invention is concerned with the electronically-interlocked parallelmultiplexed control system of the type mentioned above in which a facility is provided for inhibiting or disabling the change-over of the standby system to the service operation mode in place of the in-service system when a fault or abnormality is detected in the standby system.
Description of Related Art In the conventional electronically-interlocked parallel-duplexed system known heretofore, same data are inputted in parallel to both an in-service system and a standby system while establishing synchronism in operation between both the systems so that same output data are generated as the results of arithmetic operations performed in both the systems for realizing function such as a control function imposed on the electronically-interlocked parallelduplexed system.
For having better understanding of the invention, technical background thereof will first be reviewed by reference to Fig. 15 which shows in a block diagram an arrangement of a major portion of an hitherto known electronically-interlocked parallel-duplexed control system, as disclosed, for example, in Japanese Unexamined Patent Application Publication No. 292257/1991 (JP-A-3-292257).
In Fig. 15, reference character 1 denotes a first interlocked system (i.e., a so-called in-service system), la denotes a control unit constituted by a central processing unit or CPU for executing a program or programs for realizing, for example, a control function(s) imposed on the electronically-interlocked parallel-duplexed control system.
Further, reference character 1b denotes an external interface for interconnecting the control unit la and a controlled device 6 (e.g. apparatus, unit, machine or the like, i.e., an object placed under the control of the electronicallyinterlocked parallel-duplexed control system), lc denotes a control output signal line for transmitting a control signal outputted from the control unit la to the controlled device 6 by way of a local area network or LAN and an interfaces therefor, ld denotes a line for sending back data or information from the controlled device 6 to the control unit la, and reference character le denotes an operation cycle timer for establishing synchronism between the control units of first interlocked system (in-service system) 1 and the second interlocked system (standby system) 2 for executions of respective programs.
Further, reference numeral 2 denotes a second interlocked system (standby system) which is comprised of a control unit 2a, an external interface 2b, a control output signal line 2c, a supervisory signal line 2d and an operation cycle timer 2e. These components serve for the same functions as those of the corresponding components of the first interlocked system mentioned above.
Furthermore, reference numeral 3 denotes a changeover unit. In dependence on the state which the change-over unit 3 assumes, either one of the external interfaces lb and 2b of the first interlocked system 1 and the second interlocked system 2 can function while the output of the other system is disabled or inhibited. Reference character 4a denotes a system status signal line interconnecting the change-over unit 3 and the control unit la to each other for sending a system status to the control unit la, and 4b denotes a system fault signal line connected between the control unit la and the change-over unit 3 for indicating a fault state of the first interlocked system (in-service system) 1 upon occurrence thereof. Similarly, reference character 5a designates a system status signal line and 5b designates a system fault signal line provided in associated with the second interlocked system (standby system) 2.
In the electronically-interlocked parallel-duplexed control system of the configuration described above, the supervisory signal carrying information concerning the controlled device 6 (object under control) is inputted to both the first interlocked system (in-service system) 1 and the second interlocked system (standby system) 2 in parallel by way of the local area network or LAN for short, the respective LAN interfaces and the supervisory signal lines ld and 2d, respectively, wherein the control units la and 2a perform respective data processings in synchronism on the input information or data, as a result of which command or control information is sent to the controlled device 6 by way of one of the control output data lines ic and 2c and the LAN system.
In this conjunction, it should be appreciated that the output of the second interlocked system (standby system) 2 is ordinarily disabled. Accordingly, what is effective ordinarily is only the output of the first interlocked system (in-service system) 1. In other words, the second interlocked system (standby system) 2 receives the information or data from the controlled device 6 and operates in a manner same as or equivalent to the first interlocked system (in-service system) 1 so that the second interlocked system is always ready for dealing with abnormality possibly occurring in the first interlocked system (in-service system) 1 by replacing the latter.
In conjunction with synchronization for the processings executed in the first interlocked system (inservice system) 1 and the second interlocked system (standby system) 2, it is noted that so long as the in-service system operates normally, the operation cycle or timing at which the in-service system operates is regarded to be correct, whereby the operation cycle timer 2e of the standby system is so set as to conform with the timer le of the in-service system, In this way, synchronism is established between the in-service system and the standby system.
Next, description will be directed to a procedure for changing over the standby system to the service operation mode (e.g. mode for controlling/monitoring or supervising the controlled device 6).
In both the first interlocked system (in-service system) 1 and the second interlocked system (standby system) 2, occurrence of abnormality in these systems are constantly monitored by the control units la and 2a, respectively. When a fault or abnormality is detected, a system fault signal 4b or 5b is issued from the control unit la or 2a. Thus, in response to the system fault signal 4b, the change-over unit 3 disables or invalidates the control output of the first interlocked system (in-service system) 1 and at the same time sets to the service operation mode the second interlocked system (standby system) 2. Thus, the second interlocked system 2 can now serve as the in-service system in place of the first interlocked system.
In the case of the conventional electronicallyinterlocked parallel-duplexed control system described above, the in-service system and the standby system perform the arithmetic operations for the control purpose on the basis of supervisory data sent back from the controlled device (object under control) and inputted in parallel to the in-service system and the standby system, respectively, on the assumption that the input data are identical for both the in-service system and the standby system. Thus, both the systems can generate the respective control data which must be identical with each other. However, the conventional electronically-interlocked parallel-duplexed control system is not imparted with any facility to confirm whether or not contents of the control data outputted from the in-service system and the standby system are identical with each other.
As a consequence, there may arise such situation that the standby system is changed over to the service operation mode upon occurrence of a fault in the in-service system even when the output control data generated by the standby system differs from that of the standby system, incurring a problem that continuity of the control can not be maintained before and after the change-over of the standby system to the service operation mode, which of course involves disturbance or inconvenience for the controlled device 6.
SUMMARY OF THE INVENTION In the light of the state of the art described above, it is an object of the present invention to provide an electronically-interlocked parallel-multiplexed control system which can ensure continuity of control output before and after change-over of a standby system to the service operation mode, to thereby protect the controlled device against disturbance which may otherwise be brought about upon change-over of the control operation from the in-service system to the standby system.
In view of the above and other objects which will become apparent as the description proceeds, there is provided according to an aspect of the present invention an electronically-interlocked parallel-multiplexed control system which includes an in-service system ordinarily put into operation in a service operation mode for controlling/ supervising an object of concern, and at least one standby system ordinarily placed in a standby mode for preparation to cope with occurrence of a fault in the in-service system, wherein both of the in-service system and the standby system are operated constantly in a parallel duplexed or multiplexed manner and interlocked electronically so that upon occurrence of a fault in the in-service system, the standby system is changed over to the service operation mode by replacing the in-service system. The system is comprised of an input means for receiving data from the object of concern as input data in the in-service system, a first processing means provided in the in-service system for processing the input data to thereby generate output control data to be sent to the object of concern on the basis of the input data, a memory means provided in association with the in-service system and the standby system, respectively, for transferring the input data received in the in-service system to the standby system, a second processing means provided in the standby system for processing the input data transferred from the in-service system to thereby generate output control data, a calculating means provided in the in-service system and the standby system for calculating check values of the output control data generated by the first and second processing means, respectively, a comparison means provided in the standby system for comparing the check values with each other, a fault signal means for generating a fault signal indicating occurrence of abnormality in the standby system unless result of the comparison indicates coincidence between the check values outputted from the calculating means, respectively, and a change-over means responsive to the fault signal for thereby preventing the standby system from being changed over to the service operation mode even when abnormality occurs in the in-service system.
By virtue of such arrangement that both the in-service system and the standby system are constantly operated and that check values of the output control data of both the systems are calculated to be compared with each other, wherein change-over of the standby system to the service operation mode is inhibited when the above-mentioned comparison results in discrepancy, it is possible to protect the control output against becoming discontinuous, which may otherwise occur around the change-over time point.
In a preferred mode for carrying out the invention, the check value may be calculated in terms of a cyclic redundancy code.
By checking the output control data by calculating the CRC values as mentioned above, the output control data check can be realized with high reliability.
In another preferred mode for carrying out the invention, the check value may be calculated in terms of a check-sum value.
By using the check sum value for checking the validity of the output control data, the check processing can be executed at a high speed.
In yet another preferred mode for carrying out the invention, the electronically-interlocked parallelmultiplexed control system may further include a means for adding a counter value of an operation cycle timer to the input data to be transferred from the in-service system to the standby system, the counter value being incremented upon every transfer of the input data. The comparison means is then arranged so as to compare the check values each added with the counter value.
By adding the counter value to the data upon transferring thereof from the in-service system to the standby system through the medium of the mirror memories and checking the count value in addition to the output control data, as described above, it is possible to detect discrepancy of the data due to deviation in the operation cycle between the in-service system'and the standby system, to another advantage.
In a further preferred mode for carrying out the invention, the electronically-interlocked parallelmultiplexed control system may further include a means for adding a check value of the input data upon transferring of the check value of the output control data from the in-service system to the standby system. The comparison means provided in the standby system may then compare the check value of the input data for the in-service system with that of the input data transferred to the standby system with each other in addition to the comparison between the counter values of the output data.
Owing to the arrangement that upon transferring of the check value for the output control data from the in-service system to the standby system by way of the mirror memories, the check value of the input data on the basis of which the output control data have been derived is added so that not only the output control data but also the input data can be checked, it is possible to make decision as to occurrence of a fault or abnormality in the standby system with further enhanced reliability, to an advantage.
In a still further preferred mode for carrying out the invention, a queue may be provided in each of the mirror memory means for data transfer from the in-service system to the standby system, whereby the queue is enqueued in the in-service system, while the queue is dequeued in the standby system.
By employing the queues in the mirror memories, respectively, as described above, discrepancy between the data written by the in-service system and the data read out by the standby system can positively be excluded.
In yet further preferred mode for carrying out the invention, such arrangement may be adopted that an interrupt is issued from the in-service system to the standby system after having written the input data when the data is transferred from the in-service system to the standby system, wherein the interrupt is utilized as a timing for allowing the input data to be read out in the standby system.
Owing to the arrangement for informing the standby system of the mirror memory write timing from the in-service system by issuing the interrupt, as described above, synchronization can be realized in the data transfer between both the systems.
In still further preferred mode for carrying out the invention, such arrangement may be equally be adopted that when data is transferred from the in-service system to the standby system, memory status is updated in the in-service system after having written the input data therein. On the other hand, in the standby system, the memory status is monitored periodically at every predetermined interval for thereby determining the timing for reading out the input data.
Owing to the arrangement for informing the standby system of the mirror memory write timing from the in-service system by updating the status information, as described above, synchronization can be realized in the data transfer between both the systems.
The above and other objects, features and attendant advantages of the present invention will more easily be understood by reading the following description of the preferred embodiments thereof taken, only by way of example, in conjunction with the accompanying drawings.
BRIEF DESCRIPTION OF THE DRAWINGS In the course of the description which follows, reference is made to the drawings, in which: Fig. 1 is a block diagram showing a major portion of an electronically-interlocked parallel-duplexed control system according to a first embodiment of the present invention; Fig. 2 is a flow chart for illustrating operation of a first interlocked system operating as an in-service system (i.e., in an in-service mode) in the electronicallyinterlocked parallel-duplexed control system according to the first embodiment of the invention; Fig. 3 is a flow chart for illustrating operation of a second interlocked system operating as a standby system (i.e., in a standby mode) according to the first embodiment of the invention; Fig. 4 is a flow chart for illustrating a processing procedure executed by a first interlocked system (in-service system) in the electronically-interlocked parallel-duplexed control system according to a second embodiment of the invention; Fig. 5 is a flow chart for illustrating a processing procedure executed by a second interlocked system (standby system) according to a second embodiment of the invention; Fig. 6 is a flow chart for illustrating a processing procedure executed by a first interlocked system (in-service system) in the electronically-interlocked parallel-duplexed control system according to a third embodiment of the invention; Fig. 7 is a flow chart for illustrating a processing procedure executed by a second interlocked system (standby system) according to the third embodiment of the invention; Fig. 8 is a flow chart for illustrating a processing procedure executed by a first interlocked system (in-service system) in the electronically-interlocked parallel-duplexed control system according to a fourth embodiment of the invention; Fig. 9 is a flow chart for illustrating a processing procedure executed by a second interlocked system (standby system) according to the fourth embodiment of the invention; Fig. 10 is a block diagram showing a major portion of an electronically-interlocked parallel-duplexed control system according to a fifth embodiment of the present invention; Fig. 11 is a flow chart for illustrating a processing procedure executed by a first interlocked system (in-service system) in the electronically-interlocked parallel-duplexed control system according to the fifth embodiment of the invention; Fig. 12 is a flow chart for illustrating a processing procedure executed by a second interlocked system (standby system) according to the fifth embodiment of the invention; Fig. 13 is a flow chart for illustrating operation of an in-service system in the electronically-interlocked parallel-duplexed control system according to a sixth embodiment of the invention; Fig. 14 is a flow chart for illustrating a processing procedure executed by a second interlocked system (standby system) according to the sixth embodiment of the invention; and Fig. 15 is a block diagram showing a major portion of a hitherto known electronically-interlocked parallelduplexed control system.
DESCRIPTION OF THE PREFERRED EMBODIMENTS Now, the present invention will be described in detail in conjunction with what is presently considered as preferred or typical embodiments thereof by reference to the drawings. In the following description, like reference characters designate like or equivalent parts throughout the several views. Further, in the description which follows, it is assumed that the invention is applied to an electronically-interlocked parallel-duplexed control system including one in-service system and one standby system.
However, it should be appreciated that the invention can find application in general to an electronically interlocked parallel-multiplexed control system including one in-service system and one or more standby system(s).
Embodiment 1 Figure 1 is a block diagram showing a major portion of an electronically-interlocked parallel-duplexed control system according to a first embodiment of the present invention.
In the figure, reference numerals 1 to 6 denote components same as or equivalent to those of the conventional electronically-interlocked parallel-duplexed control system mentioned hereinbefore by reference to Fig. 15 and using like reference characters. Further, reference character 7a denotes a mirror memory incorporated in a first interlocked system (in-service system) generally designated by 1, while 7b denotes a mirror memory incorporated in a second interlocked system (standby system) generally designated by 2. Furthermore, reference characters 8a and 8b denote interconnecting cables for connecting the mirror memories 7a and 7b to each other.
Each of the mirror memories 7a and 7b may be realized in a same structure as a memory board which can be written or read by the associated control unit la or 2a in an essentially same fashion as a conventional RAM (random access memory). With the arrangement shown in Fig. 1, data written in the mirror memory 7a by the control unit la is simultaneously copied to the mirror memory 7b by way of the connecting cable 8a to be thereby written in a predetermined area of the mirror memory 7b so that the data can be read out by the control unit 2a. Similarly, data written in the mirror memory 7b by the control unit 2a is simultaneously copied to the mirror memory 7a by way of the connecting cable 8b to be written in a predetermined area of the mirror memory 7a so that the data can be read out by the control unit la.
In this connection, such memory area allocation is adapted that the predetermined area of the mirror memory 7b to which the data is copied from the mirror memory 7a upon writing thereof by the control unit la does not overlap a memory area of the mirror memory 7b into which data is written by the control unit 2a and that the predetermined area of the mirror memory 7a to which the data is copied from the mirror memory 7b upon writing thereof by the control unit 2a does not overlap a memory area of the mirror memory 7a into which data is written by the control unit la, so that the predetermined areas can be utilized as facility for interfacing the first interlocked system (in-service system) 1 and the second interlocked system (standby system) 2 to each other.
Here,it is be noted that the CPU(la) performs the functions of a first processing means and a calculating means of the present invention,and that the CPU(2a) performs the functions of a second processing means,a calculating means and a fault signal means of the present invention.
Figure 2 is a flow chart for illustrating operation of the first interlocked system 1 operating in the service operation mode in the electronically-interlocked parallelduplexed control system implemented in the configuration described above, while Fig. 3 is a flow chart for illustrating operation of the second interlocked system (standby system) 2 operating in the standby mode.
At first, operation of the first interlocked system (in-service system) 1 will be elucidated by reference to the flow chart of Fig. 2. In succession to an initialization step Si, supervisory data or information is supplied from the controlled device 6 (i.e., object under control) by way of the LAN system and the supervisory signal line id to be stored in an internal RAM (random access memory) incorporated in the first interlocked system 1 (step S2). The RAM mentioned just above is omitted from illustration in Fig. l.
The information or data as inputted is written into the mirror memory 7a and copied to the other mirror memory 7b.
Thus, the data inputted to the electronically-interlocked parallel-duplexed control system is transferred to the second interlocked system (standby system) 2 as well (step S3).
Subsequently, in the first interlocked system (inservice system) 1, arithmetic operation for the control purpose is performed on the basis of the input data or information (step S4), whereon a value of a cyclic redundancy code (hereinafter referred to as the CRC value) of output control data to be supplied to the controlled device 6 is calculated (step S5). Parenthetically, the CRC value can be determined by multiplying the output control data by a term of highest order of a given generating polynomial and then dividing the product resulting from the multiplication by the generating polynomial. The remainder of the division then represents the CRC value of the output control data. By way of example, let's assume that the output control data is represented by P(X) with the generating polynomial being given by G(X) = X16 + X12 + X5 + 1. Then, the CRC value is determined as the remainder resulting from the division expressed by X'6 P(X)/G(X). Incidentally, calculation of the CRC value for checking the output control data is widely adopted in the art because the error check can be realized with high reliability. In reality, with the CRC check, it is possible to detect even the bit suffering error. The CRC value as calculated is written in the mirror memory 7a, being simultaneously copied to the mirror memory 7b (step S6).
Thus, the CRC value is made available by the standby system as well.
Finally, in a step S7, the control data is supplied to the controlled device 6 via the control output signal line ic.
Subsequently, the processing routine comprised of the steps S2 to S7 is repetitively executed periodically at a predetermined cycle or period set at the operation cycle timer le.
Next, description will be directed to operation of the second interlocked system (standby system) 2 by reference to Fig. 3. After the initialization step T1, the input or data information written by the in-service system 1 is read out from the mirror memory 7b to be stored in an internal RAM (random access memory) incorporated in the second interlocked system (standby system) 2 (step T2). The internal RAM mentioned just above is omitted from illustration in Fig. 1.
Subsequently, arithmetic operation for the control purpose is performed on the basis of the input information or data (step T3) and the CRC value of the output control data is calculated (step T4) in a same manner as described above in conjunction with the in-service system. Then, the CRC value written by the in-service system is read out from the mirror memory 7b (step T5), whereupon the CRC value calculated in the step T4 by the second interlocked system (standby system) 2 is compared with the CRC value read out from the mirror memory 7b (step T6). When the comparison results in discrepancy between both the CRC values (i.e., when the answer of the comparison step T6 is negative "NO"), this means that continuity in the control for the object under control can not be sustained when the second interlocked system (standby system) 2 operating currently as the standby system is changed over to the service operation mode. Accordingly, when the comparison step T6 results in negation (NO), it is decided that the standby system (second interlocked system) suffers abnormality or a fault. Thus, the system fault signal Sb is supplied to the change-over unit 3 (step T7). As a consequence, execution of the program by the standby system is stopped (step T8), whereby discontinuity in the control which may otherwise be brought about by changing over the standby system to the service operation mode can be prevented.
On the other hand, when coincidence is found between both the CRC values in the step T6 (i.e., when the answer of the comparison step T6 is affirmative "YES"), the processing routine comprised of the steps T2 to T6 is repetitively executed periodically at a cycle set at the operation cycle timer 2e which operates in synchronism with the operation cycle timer le.
As will now be appreciated from the foregoing, when some fault or abnormality occurs in the first interlocked system (in-service system) 1 operating in service mode, the second interlocked system (standby system) 2 operating in the standby mode is prevented from being changed over to the service mode so long as no coincidence is detected in the output control data between the first interlocked system (inservice system) 1 and the second interlocked system (standby system) 2, whereby discontinuity in the control can positively be prevented.
Embodiment 2 In the electronically-interlocked parallel-duplexed control system according to the first embodiment of the invention described above, the in-service system and t giving rise to a problem. With a second embodiment of the invention, it is contemplated to tackle solution of this inconvenience. Thus, according to the teachings of the invention incarnated in the instant embodiment, it is proposed to detect difference or deviation in the operation cycle for the arithmetic operation between both the inservice system and the standby system, to thereby inhibit the change-over of the standby system to the in-service system when deviation in the operation cycle is detected between both the systems even when coincidence is found in the control data as outputted.
Figure 4 is a flow chart for illustrating a processing procedure executed by the first interlocked system operating as the in-service system 1 according to the second embodiment of the invention, while Fig. 5 is a flow chart for illustrating a processing procedure executed by the second interlocked system operating as the standby system 2.
Description will first be made of the processings executed in the in-service system by reference to Fig. 4.
After the initialization step S1, information or data supplied from the controlled device 6 is written into the mirror memory 7a, being concurrently copied to the mirror memory 7b of the standby system, as is in the case of the first embodiment. Thus, the information is transferred to the second interlocked system (standby system) 2 as well (steps S1 to S3).
Simultaneously, the operation cycle timer counter le is incremented, whereupon the updated counter value is transferred to the standby system by writing the counter value in the mirror memories 7a and 7b (step Ul).
Subsequently, in the first interlocked system operating as the in-service system 1, arithmetic operation for generating the control data is performed on the basis of the input data, whereon the cyclic redundancy code (CRC) for the output control data is calculated and written in the mirror memories 7a and 7b. Thus, the CRC value is transferred to the standby system as well (steps S4 to S6).
In that case, same counter value as the one transferred to the standby system in the aforementioned step U1 is written in the mirror memories 7a and 7b as the output counter value (step U2).
Finally, the control data is delivered to the controlled device (object under control) 6 via the control output signal line ic and the LAN system (step S7).
Next, description will turn to operation of the second interlocked system functioning as the standby system 2 by reference to Fig. 5. After the initialization step T1, the input data copied to the mirror memory 7b from the memory 7a of the in-service system is read out from the former 7b (steps T1 and T2). Simultaneously, the counter value transferred from the in-service system in the step U2 (Fig. 4) is read out from the mirror memory 7b in a step U3.
Subsequently, arithmetic operation for generating the control data is performed on the basis of the input data to thereby calculate the CRC value of the control data (step T4) in the same manner as described above in conjunction with the first embodiment of the invention, whereupon the CRC value calculated by the second interlocked system (standby system) 2 is compared with the CRC value read out from the mirror memory 7b (steps T3 to T6).
When the comparison results in discrepancy between both the CRC values (i.e., when the answer of the comparison step T6 is negative "NO"), a system fault signal 5b is issued. As a consequence, execution of the program by the standby system is stopped (steps T7 and T8).
On the other hand, when coincidence is found between both the CRC value calculated and the one read out (i.e., when the comparison step T6 results in "YES"), the counter value written in the mirror memory 7b by the in-service system in the step U2 (Fig. 4) is read out by the standby system in a step U4, whereon decision is made in a step U5 as to whether the counter value as read out from the mirror memory 7b coincides with the counter value fetched in the aforementioned step U3. When no coincidence is found between both the counter values (i.e., when the decision step U5 results in negation "NO"), then it is determined that the operation cycles of both the system are deviated from each other. Thus, the standby system outputs a fault signal 5b and stops execution of the program (steps T7 and T8).
On the other hand, when coincidence is detected between the input counter value read out from the mirror memory 7b and the output counter value (i.e., when the decision step U5 results in affirmation "YES"), the processing routine including the steps T2 to U5 is executed repetitively under the timing of the operation cycle timer 2e which operates in synchronism with the operation cycle timer le incorporated in the in-service system.
In this manner, discrepancy between the outputs of both the systems due to deviation in the operation cycle or timing can be detected.
Embodiment 3 In the case of the electronically-interlocked parallel-duplexed control system according to the first embodiment of the invention described above, the standby system can be changed over to the service operation mode so long as the control outputs of both the systems coincide with each other. With the teachings of the invention incarnated in a third embodiment thereof, it is contemplated to check the input data for both the systems as to coincide with a view to ensuring higher security.
Figure 6 is a flow chart for illustrating operation of the first interlocked system (in-service system) 1 according to the third embodiment of the invention, while Fig. 7 is a flow chart for illustrating operation of the second interlocked system 2 operating as the standby system.
Description will first be directed to the operation of the in-service system by reference to Fig. 6. After the initialization step S1, information or data received from the controlled device 6 is written into the mirror memory 7a, being simultaneously copied to the mirror memory 7b, as described hereinbefore in conjunction with the first and second embodiments. Thus, the received or input data is transferred to the second interlocked system (standby system) 2 (steps S1 to S3). Then, arithmetic operation for generating the control data is performed on the basis of the input data, whereon the cyclic redundancy code (CRC) of the control data is calculated and written in the mirror memory 7a and hence in the memory 7b as well. Thus, the CRC value is transferred to the standby system (steps S4 to S6).
Subsequently, the CRC of the input data received from the controlled device 6 is calculated, whereon the CRC value as obtained is written in the mirror memory 7a, being simultaneously coped to the mirror memory 7b (step V2). In this manner, the CRC value of the input data received from the controlled device 6 is transferred to the standby system.
Finally, the control data is delivered to the controlled device 6 via the control output signal line ic (step S7) and the LAN.
Next, description will turn to operation of the second interlocked system (standby system) 2 by reference to Fig. 7. After the initialization step T1, arithmetic operation for generating the control data is performed on the basis of the input data read out from the mirror memory 7b to thereby calculate the CRC value of the control data, as described above in conjunction with the first embodiment, whereupon the CRC value calculated by the second interlocked system (standby system) 2 is compared with the CC value read out from the mirror memory 7b (steps T3 to T6).
When the comparison results in discrepancy between both the CRC values (i.e., when the answer of the comparison step T6 is negative "NO"), a system fault signal 5b is issued (step T7), and execution of the program by the standby system is stopped (step T8).
On the other hand, when coincidence is found between both the CRC values mentioned above (i.e., when the comparison step T6 results in "YES"), the CRC value of the input data read out from the mirror memory 7b is calculated in a step V3, and the corresponding CRC value transferred from the in-service system is read out from the mirror memory 7b in a step V4. Thereafter, -the CRC value of the input data as calculated in the aforementioned step V3 is compared with the CRC value of the input data transferred from the in-service system and held in the mirror memory 7b. When no coincidence is found between both the CRC values (i.e., when the decision step V5 results in negation "NO"), the standby system outputs a fault signal 5b and stops execution of the program (steps T7 and T8). By contrast, when coincidence is found between the CRC values (i.e., when the answer of the decision step V5 is affirmative "YES"), then the processing routine including the steps T2 to V5 is executed repetitionally under the timing of the operation cycle timer 2e which operates in synchronism with the operation cycle timer le of the in-service system.
In this manner, by checking coincidence of the input data received from the controlled device 6 in addition to the output control data to be supplied to the controlled device, high security or fail-safe operation of the electronically-interlocked parallel-duplexed control system can be ensured.
Embodiment 4 As mentioned previously, there may arise such situation due to difference in hardware characteristics between the in-service system and the standby system that before the input data received from the controlled device 6 has been written in the associated mirror memory 7a of the in-service system and copied simultaneously to the mirror memory 7b of the standby system, the later reads out the same data, incurring possibly a problem that the data written does not coincide with the data read out. With the invention incarnated in a fourth embodiment thereof, it is contemplated to deal with such inconvenience. More specifically, it is taught to provide queues in both the mirror memories, wherein data writing in the mirror memory is realized by enqueuing the queue while data reading from the mirror memory is realized by dequeuing the queue.
Figure 8 is a flow chart for illustrating operation of the first interlocked system (in-service system) 1 according to the fourth embodiment of the invention, while Fig. 9 is a flow chart for illustrating operation of the second interlocked system (standby system) 2.
At first, description directed to the processings executed by the in-service system by reference to Fig. 8.
After the initialization step S1, information or data received from the controlled device 6 via the LAN is queued or registered in a queue provided in the mirror memory 7a, being simultaneously mapped to the mirror memory 7b. Thus, the input data as received is transferred to the second interlocked system (standby system) 2 (steps S1 to Wl).
Then, arithmetic operation for the control is performed on the basis of the input information, whereon the cyclic redundancy code (CRC) for the output control data is calculated and enqueued in the mirror memories 7a and 7b.
Thus, the CRC value is transferred to the standby system as well (steps S4 to W2).
Finally, the control data is outputted to the controlled device 6 via the control output signal line ic and the LAN (step S7).
Next, description will turn to operation of the second interlocked system (standby system) 2 by reference to Fig. 9. After the initialization step T1, the input data transferred from the in-service system is dequeued from the mirror memory 7b in a step W3. Subsequently, arithmetic operation for the control is performed on the basis of the input data to thereby calculate the CRC value of the control data (steps T3 and T4), whereupon the control output CRC value in the in-service system is dequeued from the mirror memory 7b (step W4) and compared with the CRC value of the standby system calculated in the aforementioned step T4 (step T6).
When the comparison results in discrepancy between both the CRC values (i.e., when the answer of the comparison step T6 is negative "NO"), a system fault signal 5b is issued. As a consequence, execution of the program by the standby system is stopped (steps T7 and T8).
On the other hand, when coincidence is found between both the CRC values (i.e., when the comparison step T6 results in "YES"), the processing routine including the steps W3 to T6 is executed repetitively under the timing of the operation cycle timer 2e which operates in synchronism with the operation cycle timer le incorporated in the in-service system.
By virtue of the arrangement described above, the input data written in the mirror memory from the in-service system and the data read out by the standby system can match without fail, whereby discrepancy in the output data which is ascribable to mismatching in the input data can positively be excluded.
Embodiment 5 As described hereinbefore, there may arise such situation that in the course of writing the data transferred from the in-service system, the standby system reads out the data, which makes it impossible to establish correctly synchronism between both the systems. To evade such situation, it is contemplated with the invention incarnated in a fifth embodiment thereof to arrange the control system such that the in-service system issues an interrupt upon completion of the data writing in the mirror memories while the standby system can read out the data from the mirror memory only upon occurrence of the interrupt, to thereby establish synchronism between both the systems.
Figure 10 is a block diagram showing schematically a general system configuration of the electronicallyinterlocked parallel-duplexed control system according to the fifth embodiment of the invention, in which components same as or functionally equivalent to those shown in Fig. 1 are denoted by like reference characters. It should however be mentioned that each of the mirror memories 7a and 7b is imparted with a function for generating an interrupt signal.
Further, in Fig. 10, reference character 9a denotes an interrupt line extending from the mirror memory 7a to the control unit la and 9b denotes an interrupt line extending from the mirror memory 7b to the control unit 2a. When the control unit la writes data in the mirror memory 7a at a predetermined area thereof, the control unit la concurrently makes access to an interrupt area of the mirror memory 7b, as a result of which the mirror memory 7b issues an interrupt signal to the control unit 2a via the interrupt line 9b. The interrupt signal for the control unit la is issued from the mirror memory 7a through the similar procedure.
Figure 11 is a flow chart for illustrating operation of the in-service system of the electronicallyinterlocked parallel-duplexed control system according to the fifth embodiment of the invention, and Fig. 12 is a flow chart for illustrating operation of the standby system. As can be seen in the figure, both the processing flows in general are similar to the processing routine comprised of the steps S1 to S7 shown in Fig. 2 and the processing flow including the steps T1 to T8 shown in Fig. 3, respectively.
However, in the processing performed by the in-service system, there are additionally provided steps X1 and X2 for generating interrupts for the standby system following immediately the mirror memory write processing steps S3 and S6, respectively, for messaging the ends of the write processing steps to the standby system. On the other hand, the standby system waits for the interrupt from the standby system in steps X3 and X4, respectively, and reads out the data and the CRC value from the mirror memory 7b at time points when the interrupts for mess aging the end of the write operations are issued, respectively, from the in-service system (steps T2 and T5).
Through the procedure described above, it is possible to establish synchronism between the in-service system and the standby system with further enhanced reliability.
Embodiment 6 A sixth embodiment of the invention is directed to an electronically- interlocked parallel-duplexed control system in which synchronism in the data transfer between the in-service system and the standby system is established by detecting updated status of the in-service system by the standby system through a polling procedure. In that case, at the time point when the in-service system updates status information stored in the mirror memories 7a and 7b, the standby system performs processing for establishing synchronism in the data transfer with the in-service system by monitoring the updating of the status information in the associated mirror memory 7b.
Figure 13 is a flow chart for illustrating operation of the in-service system of the electronicallyinterlocked parallel-duplexed control system according to the sixth embodiment of the invention, and Fig. 14 is a flow chart for illustrating operation of the standby system. As can be seen in these figures, the processing flows in general are similar to the processing routine comprised of the steps S1 to S7 shown in Fig. 2 and the processing flow including the steps T1 to T8 shown in Fig. 3, respectively. However, in the processing performed by the in-service system, there are additionally provided steps Y1 and Y2 for waiting for updatings of the statuses of the mirror memories 7a and 7b, following immediately the mirror memory write processing steps S3 and S6, respectively, for messaging the end of the write processing to the standby system. On the other hand, the standby system waits for the updating of the mirror memory 7a (steps Y3 and Y4) and reads out the data from the mirror memory 7b at a time point when information of the updated status of the mirror memory 7a indicating the end of the write operation is received from the in-service system.
Through the procedure described above, it is possible to establish synchronism in operation between the in-service system and the standby system, as is in the case of the fifth embodiment of the invention.
Embodiment 7 In the case of the electronically-interlocked parallel-duplexed control system described above in conjunction with the first to sixth embodiments, the CRC value is calculated as the check value for confirming coincidence of theoutput data from both the systems.
However, in place of determining the CRC value, a check sum value may be made use of, substantially to the same effect.
The method of calculating the check sum value for checking output the error is adopted conventionally, as with the case of the CRC value. Generally, the check sum value can be obtained simply by resorting to addition of the output data.
Consequently, when compared with calculation of the CRC value which includes multiplication, the output data can be checked at a higher speed by using the check sum value, which is favorable for maintaining continuity in the control output notwithstanding of change-over of the in-service system and the standby system.
Many features and advantages of the present invention are apparent from the detailed description and thus it is intended by the appended claims to cover all such features and advantages of the system which fall within the true spirit and scope of the invention. Further, since numerous modifications and combinations will readily occur to those skilled in the art, it is not intended to limit the invention to the exact construction and operation illustrated and described.
By way of example, although the invention has been described in conjunction with the electronically-interlocked parallel-duplexed control system in which a pair of systems of a same configuration operate in synchronism in parallel with output of one system being enabled, it should be understood that the present invention can equally find application to a control system in which three or more systems are arranged to operate in parallel and so electronically interlocked that when abnormality occurs in the in-service system, one of other standby system is put into operation. Furthermore, it is contemplated that storage or recording media on which the teachings of the invention are recorded in the form of programs executable by computers inclusive of microprocessor are to be covered by the invention.
Accordingly, all suitable modifications and equivalents may be resorted to, falling within the spirit and scope of the invention.

Claims (9)

WHAT IS CLAIMED IS:
1. An electronically-interlocked parallel-multiplexed control system, including an in-service system ordinarily put into operation in a service operation mode for controlling/supervising an object of concern, and at least one standby system ordinarily placed in a standby mode for preparation to cope with occurrence of a fault in said in-service system, wherein both of said in-service system and said standby system are operated constantly in a parallel multiplexed manner and interlocked electronically so that upon occurrence of a fault in said in-service system, said standby system is changed over to said service operation mode by replacing said in-service system, comprising: input means for receiving data from said object of concern as input data in said in-service system; first processing means provided in said in-service system for processing said input data to thereby generate output control data to be sent to said object of concern on the basis of said input data; memory means provided in association with said in-service system and said standby system, respectively, for transferring said input data received in said in-service system to said standby system; second processing means provided in said standby system for processing said input data transferred from said in-service system to thereby generate output control data; calculating means provided in said in-service system and said standby system for calculating check values of said output control data generated by said first and second processing means, respectively; comparison means provided in said standby system for comparing said check values with each other; fault signal means for generating a fault signal indicating occurrence of abnormality in said standby system unless result of said comparison indicates coincidence between said check values outputted from said calculating means, respectively; and change-over means responsive to said fault signal for thereby preventing said standby system from being changed over to said service operation mode even when abnormality occurs in said in-service system.
2. An electronically-interlocked parallel-multiplexed control system according to claim 1, wherein said check value is calculated in terms of a cyclic redundancy code.
3. An electronically-interlocked parallel-multiplexed control system according to claim 1, wherein said check value is calculated in terms of a check-sum value.
4. An electronically-interlocked parallel-multiplexed control system according to any one of claims 1 to 3, further comprising: means for adding a counter value of an operation cycle timer to the input data to be transferred from said in-service system to said standby system, said counter value being incremented upon every transfer of said input data; wherein said comparison means compares said check values each added with said counter value.
5. An electronically-interlocked parallel-multiplexed control system according to any one of claims 1 to 4, further comprising: means for adding a check value of said input data upon transferring of said check value of said output control data from said in-service system to said standby system; wherein said comparison means provided in said standby system compares the check value of the input data for said in-service system with that of the input data transferred to said standby system with each other in addition to the comparison between the counter values of said output data.
6. An electronically-interlocked parallel-multiplexed control system according to any one of claims 1 to 5, wherein a queue is provided in each of said memory means for data transfer from said in-service system to said standby system, said queue being enqueued in said in-service system, while said queue is dequeued in said standby system.
7. An electronically-interlocked parallel-multiplexed control system according to any one of claims 1 to 5, wherein an interrupt is issued from said in-service system to said standby system after having written the input data when said data is transferred from said in-service system to said standby system, said interrupt being utilized as a timing for allowing said input data to be read out in said standby system.
8. An electronically-interlocked parallel-multiplexed control system according to any one of claims 1 to 5, wherein upon data transfer from said in-service system to said standby system, memory status is updated in said in-service system after having written the input data therein, while in said standby system, said memory status is monitored periodically at every predetermined interval in said standby system for determining the timing for reading out said input data.
9. An electronically-interlocked parallel-multiplexed control system substantially as herein described with reference to Figures 1 to 14 of the accompanying drawings.
GB9700644A 1996-05-27 1997-01-14 Electronically-interlocked parallel-multiplexed control system Expired - Fee Related GB2313678B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
JP13201496A JP3208060B2 (en) 1996-05-27 1996-05-27 Parallel dual electronic interlocking device

Publications (3)

Publication Number Publication Date
GB9700644D0 GB9700644D0 (en) 1997-03-05
GB2313678A true GB2313678A (en) 1997-12-03
GB2313678B GB2313678B (en) 1998-09-09

Family

ID=15071521

Family Applications (1)

Application Number Title Priority Date Filing Date
GB9700644A Expired - Fee Related GB2313678B (en) 1996-05-27 1997-01-14 Electronically-interlocked parallel-multiplexed control system

Country Status (3)

Country Link
JP (1) JP3208060B2 (en)
FR (1) FR2749097B1 (en)
GB (1) GB2313678B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2345153A (en) * 1998-12-23 2000-06-28 Motorola Ltd Fault-tolerant microcontroller arrangement, eg for a vehicle braking system
DE10057782C1 (en) * 2000-11-22 2002-06-20 Siemens Ag Operating mode switching method for process control switches between solo operating mode and redundant control mode employing back-up central processing unit
GB2393000A (en) * 2002-07-19 2004-03-17 Hewlett Packard Development Co Mirrored memory used to assist communication between processors in RAID devices
EP1857936A1 (en) * 2005-01-28 2007-11-21 Yokogawa Electric Corporation Information processing apparatus and information processing method
US9098074B2 (en) 2009-04-20 2015-08-04 Pilz Gmbh & Co. Kg Safety-related control unit and method for controlling an automated installation

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5067965B2 (en) * 2007-07-06 2012-11-07 日本信号株式会社 Ground unit, writing device and ground device
JP2010102565A (en) * 2008-10-24 2010-05-06 Mitsubishi Electric Corp Duplex controller
JP4954249B2 (en) * 2009-07-22 2012-06-13 株式会社京三製作所 Electronic terminal device and electronic interlocking device
JP2015194971A (en) 2014-03-31 2015-11-05 日本信号株式会社 redundant system control device
JP7023726B2 (en) * 2018-01-25 2022-02-22 株式会社日立ハイテクソリューションズ Duplex control system
KR102171638B1 (en) * 2018-10-05 2020-10-30 현대로템 주식회사 Tcms and method of data distributed processing

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0041701A2 (en) * 1980-06-09 1981-12-16 Hitachi, Ltd. Multiple digital controller system
GB2235791A (en) * 1989-07-21 1991-03-13 Hitachi Ltd Escalator or travelator control

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0518630A3 (en) * 1991-06-12 1993-10-20 Aeci Ltd Redundant control system

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0041701A2 (en) * 1980-06-09 1981-12-16 Hitachi, Ltd. Multiple digital controller system
GB2235791A (en) * 1989-07-21 1991-03-13 Hitachi Ltd Escalator or travelator control

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Japanese Abstract JP030292257 A,(KYOSAN ELECTRIC MFG CO LTD)24.12.1991 *

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2345153A (en) * 1998-12-23 2000-06-28 Motorola Ltd Fault-tolerant microcontroller arrangement, eg for a vehicle braking system
DE10057782C1 (en) * 2000-11-22 2002-06-20 Siemens Ag Operating mode switching method for process control switches between solo operating mode and redundant control mode employing back-up central processing unit
GB2393000A (en) * 2002-07-19 2004-03-17 Hewlett Packard Development Co Mirrored memory used to assist communication between processors in RAID devices
US6938124B2 (en) 2002-07-19 2005-08-30 Hewlett-Packard Development Company, L.P. Hardware assisted communication between processors
GB2393000B (en) * 2002-07-19 2005-10-12 Hewlett Packard Development Co Hardware assisted communication between processors
US7318120B2 (en) 2002-07-19 2008-01-08 Hewlett-Packard Development Company, L.P. Hardware assisted communication between processors
EP1857936A1 (en) * 2005-01-28 2007-11-21 Yokogawa Electric Corporation Information processing apparatus and information processing method
EP1857936A4 (en) * 2005-01-28 2011-03-09 Yokogawa Electric Corp Information processing apparatus and information processing method
US8359529B2 (en) 2005-01-28 2013-01-22 Yokogawa Electric Corporation Information processing apparatus and information processing method
US9098074B2 (en) 2009-04-20 2015-08-04 Pilz Gmbh & Co. Kg Safety-related control unit and method for controlling an automated installation

Also Published As

Publication number Publication date
FR2749097A1 (en) 1997-11-28
JP3208060B2 (en) 2001-09-10
GB9700644D0 (en) 1997-03-05
GB2313678B (en) 1998-09-09
JPH09319401A (en) 1997-12-12
FR2749097B1 (en) 1998-07-24

Similar Documents

Publication Publication Date Title
EP1760559B1 (en) Method and apparatus for synchronizing an industrial controller with a redundant controller
US4366535A (en) Modular signal-processing system
US5596716A (en) Method and apparatus for indicating the severity of a fault within a computer system
US5890010A (en) Data processing apparatus with a coprocessor which asynchronously executes commands stored in a coprocessor command storage section
GB2313678A (en) Preventing discontinuities in electronically-interlocked parallel-multiplexed control system
US5742851A (en) Information processing system having function to detect fault in external bus
EP0598471A1 (en) Method and apparatus for verifying the orderly processing of data
US5226151A (en) Emergency resumption processing apparatus for an information processing system
JPH0341522A (en) Message missing detecting and processing system
EP0602770B1 (en) Abnormal packet processing system
JPH11282515A (en) Programmable controller and storage medium
JPH113295A (en) Data transmitter-receiver
JPH0281158A (en) Inter-computer program on-line reallocation system
KR970002883B1 (en) Method for requiring the right of possession of common bus in a multi-processor
JP2946541B2 (en) Redundant control system
JPH07250121A (en) Communication channel selection control unit
JPS59119451A (en) Diagnosing system of electronic computer system
JPS6349804B2 (en)
JPH07230432A (en) Calculating device
JPH0237458A (en) Bus control system for redundant bus constitution
JPH05289896A (en) Fault tolerant computer
JPH05127937A (en) Multiprocessor system
JPH05224969A (en) Fault information processing system
JPH0589022A (en) Information processor
JPH05250300A (en) Information processor

Legal Events

Date Code Title Description
746 Register noted 'licences of right' (sect. 46/1977)

Effective date: 20000128

PCNP Patent ceased through non-payment of renewal fee

Effective date: 20130114