GB2558750A - Processing device - Google Patents


Info

Publication number
GB2558750A
Authority
GB
United Kingdom
Prior art keywords
output
signal
input
internal logic
output signals
Legal status
Granted
Application number
GB1718872.3A
Other versions
GB201718872D0 (en)
GB2558750B (en)
Inventor
Imazawa Takao
Shiraishi Masahiro
Nishikawa Satoshi
Doken Tomohiko
Current Assignee
Hitachi Ltd
Original Assignee
Hitachi Ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00: Error detection; Error correction; Monitoring
    • G06F11/07: Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16: Error detection or correction of the data by redundancy in hardware
    • G06F11/1629: Error detection by comparing the output of redundant processing systems
    • G06F11/1641: Error detection by comparing the output of redundant processing systems where the comparison is not performed by the redundant processing components
    • G06F11/18: Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits
    • G06F11/183: Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits by voting, the voting not being performed by the redundant components
    • G06F11/184: Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits by voting, the voting not being performed by the redundant components where the redundant components implement processing functionality

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Hardware Redundancy (AREA)
  • Safety Devices In Control Systems (AREA)
  • Logic Circuits (AREA)

Abstract

A processing device 3 has processing circuits 1, 2 with different hardware configurations from each other. Each circuit performs identical processing to identical input signals 4, 5, to generate identical output signals 6, 7. An output signal collation unit 8 collates the output signals of the processing circuits to output a collation result. The processing device also has a controller 30 that receives the output signals when the output signals match in the collation unit, and receives an abnormality signal when the outputs do not match from the collation unit. The controller executes an abnormality process when it receives the abnormality signal, otherwise it executes a control based on the output signals. The circuits may be integrated circuits configured for a specific application, such as a field programmable gate array (FPGA).

Description

(54) Title of the Invention: Processing device
Abstract Title: Processing device with differently configured circuits and a collation unit
[FIG. 1 (sheet 1/4): FPGA module with system A (FPGA1) and system B (FPGA2), sensor, output signal collation unit, and controller]
[FIG. 2 (sheet 2/4): FPGA module, system A and system B, internal logic A and internal logic B, output signal collation unit]
[FIG. 3 (sheet 3/4): system A (FPGA1), system B (FPGA2), and system C (FPGA3), internal logic C, D, and E]
[FIG. 4 (sheet 4/4): FPGA module, system A and system B, output signal collation unit]
TITLE OF THE INVENTION
PROCESSING DEVICE
BACKGROUND OF THE INVENTION
1. Field of the Invention [0001]
The present invention relates to a system to which high reliability is required.
2. Description of the Related Art [0002]
In a system where high reliability is required, such as a system that controls a process in a nuclear power plant and a factory plant, functional safety is adopted.
The functional safety reduces a risk of a system failure by adding a monitoring device or a protection device to the system.
[0003]
For the functional safety, for example, hardware constituting a part of the system may be multiplexed or diversified. Multiplexing is to provide a plurality of pieces of hardware having an identical function, to prepare for a failure such as a failure of the hardware.
Diversification is to configure multiplexed pieces of hardware respectively with hardware components different from each other. For example, a field programmable gate array (FPGA) may be adopted for a process control system (see JP-2012-103866-A, JP-2010-177881-A, and JP-2009212230-A). In that case, for a component that performs a key function in each module, such as the FPGA mounted in an input/output device or a calculation device, multiplexing and diversification may be required. For example, by providing two systems of hardware circuits that respectively perform identical processing to identical input signals and generate identical output signals, and confirming that the signals match each other, normal operation of the hardware circuit can be confirmed. When an abnormality occurs in any one of the hardware circuits, the output signals of the two hardware circuits do not match each other, so that the abnormality can be easily detected.
SUMMARY OF THE INVENTION [0005]
However, a common cause failure (CCF) may occur in two systems of hardware circuits multiplexed. The CCF is a failure in which the same places in a plurality of pieces of hardware fail in the same way due to a common cause.
When the CCF occurs simultaneously in two systems, output signals of the two systems show abnormal values in the same way. In that case, the abnormality cannot be detected by monitoring whether or not the output signals match each other. Causes of the CCF include a lot defect in a component commonly used in the plurality of pieces of hardware, for example.
[0006]
An object of the present invention is to provide a technology that enables detection even when the abnormality is caused by the CCF.
[0007]
A processing device according to an aspect of the present invention includes: a plurality of systems of processing circuits that respectively have hardware configurations different from each other, perform identical processing to identical input signals, and generate identical output signals; and an output signal collation unit that collates the output signals of the plurality of systems of processing circuits to output a collation result.
[0008]
According to the present invention, since the plurality of systems of processing circuits respectively have hardware configurations different from each other, even when the CCF occurs, different signals appear respectively in the output signals, and the abnormality can be detected by comparing those output signals with each other.
BRIEF DESCRIPTION OF THE DRAWINGS [0009]
Fig. 1 is a diagram illustrating a configuration of an FPGA module according to a first embodiment;
Fig. 2 is a diagram for explaining a case where a CCF occurs in the first embodiment;
Fig. 3 is a diagram illustrating a configuration of an FPGA module according to a second embodiment; and
Fig. 4 is a diagram illustrating a configuration of an FPGA module according to a third embodiment.
DESCRIPTION OF THE EMBODIMENTS [0010]
Embodiments of the present invention will be described with reference to the drawings.
First Embodiment [0011]
Fig. 1 is a diagram illustrating a configuration of an FPGA module according to a first embodiment.
[0012]
In an FPGA module 3, a system A circuit and a system B circuit exist. In the system A circuit, an FPGA1 is provided including an input terminal unit 101, an output terminal unit 102, an internal logic A 103, and an internal logic B 104. The internal logic A 103 and the internal logic B 104 of the FPGA1 can be externally programmed.
Similarly, in the system B circuit, an FPGA2 is provided including an input terminal unit 201 and an output terminal unit 202 identical to those of the FPGA1, and an internal logic A 203 and an internal logic B 204 identical to those of the FPGA1. The internal logic A 203 and the internal logic B 204 of the FPGA2 can be externally programmed.
[0013]
The internal logic A 103 of the system A and the internal logic A 203 of the system B are functional units that perform identical processing. In addition, the internal logic B 104 of the system A and the internal logic B 204 of the system B are functional units that perform identical processing.
[0014]
The FPGA module 3 includes an output signal collation unit 8 as a common part apart from the system A circuit and the system B circuit. The output signal collation unit 8 collates output signals A, B, and C of the FPGA1 with output signals A, B, and C of the FPGA2, respectively. When the output signals A, B, and C from the system A circuit all match the respective output signals A, B, and C from the system B circuit, it can be estimated that the FPGA module 3 normally operates. In that case, the output signal collation unit 8 outputs the output signals A, B, and C to a controller 30. When mismatch occurs in any one of the output signals A, B, and C, the output signal collation unit 8 outputs a predetermined abnormality signal for notification of occurrence of an abnormality.
[0015]
As described above, the internal logic A 103 of the FPGA1 and the internal logic A 203 of the FPGA2 perform the same calculation. In addition, the internal logic B 104 of the FPGA1 and the internal logic B 204 of the FPGA2 perform the same calculation. Also as the FPGA as a whole, the FPGA1 and the FPGA2 perform identical operation.
[0016]
In the present embodiment, as an input signal group to the FPGA1 and an input signal group 5 to the FPGA2, the same signals output from one sensor 40 are used, so that, when there is no abnormality such as a failure, an output signal group 6 from the FPGA1 and an output signal group 7 from the FPGA2 match each other completely.
[0017]
The FPGA1 and the FPGA2 are functional units that perform an identical function, as described above, and respectively have hardware configurations different from each other. Specifically, combinations of input signals and input terminals, and combinations of output signals and output terminals vary for each system. For example, in the FPGA1, an input terminal PN1 is assigned to an input signal A, an input terminal PN2 is assigned to an input signal B, and an input terminal PN3 is assigned to an input signal C. Meanwhile, in the FPGA2, an input terminal PN2 is assigned to the input signal A, an input terminal PN3 is assigned to the input signal B, and an input terminal PN1 is assigned to the input signal C. In addition, in the FPGA1, an output terminal PN4 is assigned to the output signal A, an output terminal PN5 is assigned to the output signal B, and an output terminal PN6 is assigned to the output signal C. Meanwhile, in the FPGA2, an output terminal PN6 is assigned to the output signal A, an output terminal PN4 is assigned to the output signal B, and an output terminal PN5 is assigned to the output signal C.
[0018]
Fig. 2 is a diagram for explaining a case where a CCF occurs in the first embodiment. Here, the internal logic A 103 and the internal logic A 203 are circuits each of which inputs the input signal A and the input signal B to perform predetermined processing and outputs the output signal A. The internal logic B 104 and the internal logic B 204 are circuits each of which inputs the input signal C to perform predetermined processing and outputs the output signal B and the output signal C.
[0019]
As illustrated in Fig. 2, it is assumed that the input terminal PN3 has a failure as the CCF in the FPGA1 and the FPGA2, for example. In that case, in the system A circuit, input of the internal logic B 104 is abnormal, so that the output signals B and C output from the internal logic B 104 are abnormal. Meanwhile, in the system B circuit, input of the internal logic A 203 is abnormal, so that the output signal A output from the internal logic A 203 is abnormal. As a result, in the output signal collation unit 8, mismatch of the output signal is detected between the system A circuit and the system B circuit. In that case, the output signal collation unit 8 outputs, to the controller 30, the predetermined abnormality signal instead of the output signals A, B, and C. The controller 30, when not receiving the abnormality signal, executes predetermined process control on the basis of the output signals A, B, and C; however, when receiving the abnormality signal as described above, the controller 30 executes predetermined abnormality processing instead of performing the process control.
[0020]
As described above, in the present embodiment, a process control system includes: the plurality of systems of processing circuits (FPGA1 and FPGA2) that respectively have hardware configurations different from each other, perform identical processing to identical input signals, and generate identical output signals; and the output signal collation unit 8 that collates the output signals of the plurality of systems of processing circuits to output a collation result. Since the plurality of systems of processing circuits respectively have hardware configurations different from each other, even when the CCF occurs, different signals appear respectively in the output signals, and the abnormality can be detected by comparing those output signals with each other.
[0021]
The output signal collation unit 8, when the output signals A, B, and C respectively match each other, transmits the output signals A, B, and C to the controller 30, and when mismatch occurs in any of the output signals A, B, and C, transmits the abnormality signal indicating abnormality to the controller 30. The controller 30, when not receiving the abnormality signal, since the output signals A, B, and C are received, executes process control on the basis of the output signals A, B, and C; however, when receiving the abnormality signal, the controller 30 executes the predetermined abnormality processing instead of performing the process control. In a case where output signals of a plurality of processing circuits match each other, the process control is executed, and in a case where the output signals do not match each other, the abnormality processing is executed, so that highly reliable process control can be realized.
[0022]
In the present embodiment, the processing circuits each are an integrated circuit (FPGA) configured for a specific application, and the processing circuits and the output signal collation unit 8 are configured in one module (the FPGA module 3). For that reason, the module including the plurality of processing circuits multiplexed can be configured such that the abnormality can be detected by collation of the output signals when the CCF occurs in the component of those processing circuits. In addition, the processing circuits are FPGAs, so that the plurality of processing circuits that perform identical processing can be easily configured as circuits that respectively have different configurations.
[0023]
The FPGAs respectively have combinations of input/output signals and input/output terminals different from each other. The combinations of the input/output signals and the input/output terminals are made different from each other, whereby the hardware configurations of the FPGAs can be easily made different from each other.
Second Embodiment [0024]
In the first embodiment, the module mounting two systems of processing circuits has been exemplified; however, the present invention is not limited thereto, and the present invention can be applied to a module mounting a plurality of systems of processing circuits. In a second embodiment, a module mounting three systems of processing circuits will be exemplified.
[0025]
Fig. 3 is a diagram illustrating a configuration of an FPGA module according to the second embodiment. In an FPGA module 3, a system A circuit, a system B circuit, and a system C circuit exist. In the system A circuit, an FPGA1 is provided including an input terminal unit 101, an output terminal unit 102, an internal logic C 105, an internal logic D 106, and an internal logic E 107. The internal logic C 105, the internal logic D 106, and the internal logic E 107 of the FPGA1 can be externally programmed. Similarly, in the system B circuit, an FPGA2 is provided including an input terminal unit 201, an output terminal unit 202, an internal logic C 205, an internal logic D 206, and an internal logic E 207. The internal logic C 205, the internal logic D 206, and the internal logic E 207 of the FPGA2 can be externally programmed. Similarly, in the system C circuit, an FPGA3 is provided including an input terminal unit 901, an output terminal unit 902, an internal logic C 905, an internal logic D 906, and an internal logic E 907. The internal logic C 905, the internal logic D 906, and the internal logic E 907 of the FPGA3 can be externally programmed.
[0026]
The internal logic C 105 of the system A, the internal logic C 205 of the system B, and the internal logic C 905 of the system C are functional units that perform identical processing. The internal logic D 106 of the system A, the internal logic D 206 of the system B, and the internal logic D 906 of the system C are functional units that perform identical processing. The internal logic E 107 of the system A, the internal logic E 207 of the system B, and the internal logic E 907 of the system C are functional units that perform identical processing.
[0027]
The FPGA module 3 includes an output signal collation unit 8 as a common part apart from the system A circuit, the system B circuit, and the system C circuit.
The output signal collation unit 8 collates output signals A, B, and C of the FPGA1, output signals A, B, and C of the FPGA2, and output signals A, B, and C of the FPGA3, respectively. When the output signals A, B, and C from the system A circuit all match the respective output signals A, B, and C from the system B circuit and the respective output signals A, B, and C from the system C circuit, it can be estimated that the FPGA module 3 normally operates. In that case, the output signal collation unit 8 outputs the output signals A, B, and C to a controller (not illustrated). When mismatch occurs in any one of the output signals A, B, and C, the output signal collation unit 8 outputs, to the controller, a predetermined abnormality signal for notification of occurrence of an abnormality.
[0028]
As described above, the internal logic C 105 of the FPGA1, the internal logic C 205 of the FPGA2, and the internal logic C 905 of the FPGA3 perform the same calculation. In addition, the internal logic D 106 of the FPGA1, the internal logic D 206 of the FPGA2, and the internal logic D 906 of FPGA3 perform the same calculation. Furthermore, the internal logic E 107 of the FPGA1, the internal logic E 207 of the FPGA2, and the internal logic E 907 of FPGA3 perform the same calculation. Also as the FPGA as a whole, the FPGA1, the FPGA2, and the FPGA3 perform identical operation.
[0029]
In the present embodiment, it is assumed that, as an input signal group 4 to the FPGA1, an input signal group 5 to the FPGA2, and an input signal group 10 to the FPGA3, the same signals output from one sensor (not illustrated) are used. For that reason, when there is no abnormality such as a failure, an output signal group 6 from the FPGA1, an output signal group 7 from the FPGA2, and an output signal group 11 from the FPGA3 match each other completely.
[0030]
The FPGA1, the FPGA2, and the FPGA3 are functional units that perform an identical function, as described above, and respectively have hardware configurations different from each other. Specifically, combinations of input signals and input terminals, and combinations of output signals and output terminals vary for each system.
[0031]
For example, in the FPGA1, an input terminal PN1 is assigned to an input signal A, an input terminal PN2 is assigned to an input signal B, and an input terminal PN3 is assigned to an input signal C. Meanwhile, in the FPGA2, an input terminal PN2 is assigned to the input signal A, an input terminal PN3 is assigned to the input signal B, and an input terminal PN1 is assigned to the input signal C.
Further, in the FPGA3, an input terminal PN3 is assigned to the input signal A, an input terminal PN1 is assigned to the input signal B, and an input terminal PN2 is assigned to the input signal C.
[0032]
In addition, in the FPGA1, an output terminal PN4 is assigned to the output signal A, an output terminal PN5 is assigned to the output signal B, and an output terminal PN6 is assigned to the output signal C. Meanwhile, in the FPGA2, an output terminal PN5 is assigned to the output signal A, an output terminal PN6 is assigned to the output signal B, and an output terminal PN4 is assigned to the output signal C. Further, in the FPGA3, an output terminal PN6 is assigned to the output signal A, an output terminal PN4 is assigned to the output signal B, and an output terminal PN5 is assigned to the output signal C.
[0033]
Here, the internal logic C 105, the internal logic C 205, and the internal logic C 905 are circuits each of which inputs the input signal A to perform predetermined processing and outputs the output signal A. The internal logic D 106, the internal logic D 206, and the internal logic D 906 are circuits each of which inputs the input signal B to perform predetermined processing and outputs the output signal B. The internal logic E 107, the internal logic E 207, and the internal logic E 907 are circuits each of which inputs the input signal C to perform predetermined processing and outputs the output signal C.
[0034]
For example, it is assumed that the input terminal PN3 has a failure as the CCF in the FPGA1, the FPGA2, and the FPGA3. In that case, in the system A circuit, input of the internal logic E 107 is abnormal, so that the output signal C output from the internal logic E 107 is abnormal. Meanwhile, in the system B circuit, input of the internal logic D 206 is abnormal, so that the output signal B output from the internal logic D 206 is abnormal. Further, in the system C circuit, input of the internal logic C 905 is abnormal, so that the output signal A output from the internal logic C 905 is abnormal.
[0035]
As a result, in the output signal collation unit 8, mismatch of the output signal is detected between the system A circuit, the system B circuit, and the system C circuit. In that case, the output signal collation unit 8 outputs, to the controller (not illustrated), the predetermined abnormality signal instead of the output signals A, B, and C. The controller, when not receiving the abnormality signal, executes predetermined process control on the basis of the output signals A, B, and C; however, when receiving the abnormality signal as described above, the controller executes predetermined abnormality processing instead of performing the process control.
Third Embodiment [0036]
In the first embodiment, an example has been described in which combinations of the input/output signals and input/output terminals vary for each system in two FPGAs; however, the present invention is not limited thereto. As another example, in a third embodiment, an example will be described in which input/output terminals different from each other are respectively used in two FPGAs.
[0037]
Fig. 4 is a diagram illustrating a configuration of an FPGA module according to the third embodiment.
[0038]
In an FPGA module 3, a system A circuit and a system B circuit exist. In the system A circuit, an FPGA1 is provided including an input terminal unit 101, an output terminal unit 102, an internal logic A 103, and an internal logic B 104. The internal logic A 103 and the internal logic B 104 of the FPGA1 can be externally programmed.
Similarly, in the system B circuit, an FPGA2 is provided including an input terminal unit 201 and an output terminal unit 202 identical to those of the FPGA1, and an internal logic A 203 and an internal logic B 204 identical to those of the FPGA1. The internal logic A 203 and the internal logic B 204 of the FPGA2 can be externally programmed.
[0039]
The internal logic A 103 of the system A and the internal logic A 203 of the system B are functional units that perform identical processing. In addition, the internal logic B 104 of the system A and the internal logic B 204 of the system B are functional units that perform identical processing.
[0040]
The FPGA module 3 includes an output signal collation unit 8 as a common part apart from the system A circuit and the system B circuit. The output signal collation unit 8 collates output signals A, B, and C of the FPGA1 with output signals A, B, and C of the FPGA2, respectively. When the output signals A, B, and C from the system A circuit all match the respective output signals A, B, and C from the system B circuit, it can be estimated that the FPGA module 3 normally operates. In that case, the output signal collation unit 8 outputs the output signals A, B, and C to a controller 30. When mismatch occurs in any one of the output signals A, B, and C, the output signal collation unit 8 outputs a predetermined abnormality signal for notification of occurrence of an abnormality.
[0041]
As described above, the internal logic A 103 of the FPGA1 and the internal logic A 203 of the FPGA2 perform the same calculation. In addition, the internal logic B 104 of the FPGA1 and the internal logic B 204 of the FPGA2 perform the same calculation. Also as the FPGA as a whole, the FPGA1 and the FPGA2 perform identical operation.
[0042]
In the present embodiment, it is assumed that, as an input signal group 4 to the FPGA1 and an input signal group to the FPGA2, the same signals output from one sensor (not illustrated) are used. For that reason, when there is no abnormality such as a failure, an output signal group 6 from the FPGA1 and an output signal group 7 from the FPGA2 match each other completely.
[0043]
The FPGA1 and the FPGA2 are functional units that perform an identical function, as described above, and respectively have hardware configurations different from each other. Specifically, the FPGA1 and the FPGA2 respectively use the input/output terminals different from each other. For example, in the FPGA1, an input terminal PN1 is assigned to an input signal A, an input terminal PN2 is assigned to an input signal B, and an input terminal PN3 is assigned to an input signal C. Meanwhile, in the FPGA2, an input terminal PN7 is assigned to the input signal A, an input terminal PN8 is assigned to the input signal B, and an input terminal PN9 is assigned to the input signal C. In addition, in the FPGA1, an output terminal PN4 is assigned to the output signal A, an output terminal PN5 is assigned to the output signal B, and an output terminal PN6 is assigned to the output signal C. Meanwhile, in the FPGA2, an output terminal PN10 is assigned to the output signal A, an output terminal PN11 is assigned to the output signal B, and an output terminal PN12 is assigned to the output signal C.
[0044]
Here, the internal logic A 103 and the internal logic A 203 are circuits each of which inputs the input signal A and the input signal B to perform predetermined processing and outputs the output signal A. The internal logic B 104 and the internal logic B 204 are circuits each of which inputs the input signal C to perform predetermined processing and outputs the output signal B and the output signal C.
[0045]
For example, it is assumed that the input terminal PN3 has a failure as the CCF in the FPGA1 and the FPGA2. In that case, in the system A circuit, input of the internal logic B 104 is abnormal, so that the output signals B and C output from the internal logic B 104 are abnormal. Meanwhile, in the system B circuit, the input terminal PN3 is not used, so that the abnormality does not occur in any of the internal logic A 203 and the internal logic B 204, and the abnormality does not occur in the output signal A output from the internal logic A 203 and the output signals B and C output from the internal logic B 204. As a result, in the output signal collation unit 8, mismatch of the output signal is detected between the system A circuit and the system B circuit. In that case, the output signal collation unit 8 outputs, to the controller 30, the predetermined abnormality signal instead of the output signals A, B, and C. The controller 30, when not receiving the abnormality signal, executes predetermined process control on the basis of the output signals A, B, and C; however, when receiving the abnormality signal as described above, the controller 30 executes predetermined abnormality processing instead of performing the process control.
[0046]
As described above, in the present embodiment, input/output terminals different from each other are respectively used in the plurality of FPGAs, so that the hardware configurations of the FPGAs can be easily made different from each other by using the input/output terminals different from each other.
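The PN3 scenario of paragraph [0045] can be reproduced with a small behavioural model. This is an added example, not part of the patent text: the input terminals for signals A and B, all FPGA2 input terminals, and the two placeholder logic functions are assumptions, while PN3 as the FPGA1 input of internal logic B and the output terminals PN4 to PN6 and PN10 to PN12 come from the description.

```python
# Constructed behavioural model: same logic in two FPGAs, different terminals.
# Assumed: input pins for FPGA2 and for signals A/B, and both logic functions.
# From the page: PN3 feeds logic B in FPGA1; outputs are PN4-6 and PN10-12.
FPGA1_PINS = {"in": {"A": "PN1", "B": "PN2", "C": "PN3"},
              "out": {"A": "PN4", "B": "PN5", "C": "PN6"}}
FPGA2_PINS = {"in": {"A": "PN7", "B": "PN8", "C": "PN9"},
              "out": {"A": "PN10", "B": "PN11", "C": "PN12"}}
ABNORMALITY = "ABNORMALITY"  # stands in for the predetermined abnormality signal


def internal_logic_a(a, b):
    """Placeholder for the 'predetermined processing' producing output A."""
    return a & b


def internal_logic_b(c):
    """Placeholder producing output signals B and C from input signal C."""
    return c, c ^ 1


def run_fpga(pins, inputs, stuck):
    """stuck maps a terminal name to the value it is stuck at; the same map
    is applied to every chip, which models a common cause failure."""
    seen = {s: stuck.get(p, inputs[s]) for s, p in pins["in"].items()}
    out_b, out_c = internal_logic_b(seen["C"])
    driven = {"A": internal_logic_a(seen["A"], seen["B"]), "B": out_b, "C": out_c}
    return {s: stuck.get(p, driven[s]) for s, p in pins["out"].items()}


def collate(out_a_sys, out_b_sys):
    """Output signal collation unit: pass signals on a match, else flag."""
    return out_a_sys if out_a_sys == out_b_sys else ABNORMALITY


def controller(collated):
    return "abnormality_processing" if collated == ABNORMALITY else "process_control"


def scenario(pins_a, pins_b, inputs, stuck):
    return controller(collate(run_fpga(pins_a, inputs, stuck),
                              run_fpga(pins_b, inputs, stuck)))


if __name__ == "__main__":
    live = {"A": 1, "B": 1, "C": 1}
    print(scenario(FPGA1_PINS, FPGA2_PINS, live, {}))
    print(scenario(FPGA1_PINS, FPGA2_PINS, live, {"PN3": 0}))
    print(scenario(FPGA1_PINS, FPGA1_PINS, live, {"PN3": 0}))
```

With identical terminal assignments in both chips the same PN3 fault corrupts both systems equally and collation passes the wrong outputs through. A stuck value that happens to equal the live input stays latent until the input changes.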
[0047]
In the above, various embodiments have been described; however, the present invention is not limited to those embodiments, and those embodiments may be used in combination or a part of the configuration may be modified within the scope of the technical idea of the present invention.

Claims (6)

What is claimed is:
1. A processing device comprising:
a plurality of systems of processing circuits that respectively have hardware configurations different from each other, perform identical processing to identical input signals, and generate identical output signals; and
an output signal collation unit that collates the output signals of the plurality of systems of processing circuits to output a collation result.
2. The processing device according to claim 1, further comprising a controller that executes predetermined control, wherein the output signal collation unit, when the output signals match each other, transmits the output signals to the controller, and when the output signals do not match each other, transmits a predetermined abnormality signal indicating abnormality to the controller, and the controller, when the abnormality signal is not received, executes the control on the basis of the output signals, and when the abnormality signal is received, executes predetermined abnormality processing instead of performing the control.
3. The processing device according to claim 1, wherein the processing circuits each are an integrated circuit configured for a specific application, and the processing circuits and the output signal collation unit are configured in one module.
4. The processing device according to claim 1, wherein the processing circuits are FPGAs.
5. The processing device according to claim 4, wherein the FPGAs respectively have combinations of input/output signals and input/output terminals different from each other.
6. The processing device according to claim 4, wherein the FPGAs respectively use input/output terminals different from each other.

Intellectual Property Office
Application No: GB1718872.3 Examiner: Mr David Maskery

GB1718872.3A 2016-12-20 2017-11-15 Processing device Active GB2558750B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
JP2016246251A JP2018101241A (en) 2016-12-20 2016-12-20 Processing device

Publications (3)

Publication Number Publication Date
GB201718872D0 GB201718872D0 (en) 2017-12-27
GB2558750A GB2558750A (en) 2018-07-18
GB2558750B GB2558750B (en) 2019-06-12

Family

ID=60788494

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1718872.3A Active GB2558750B (en) 2016-12-20 2017-11-15 Processing device

Country Status (3)

Country Link
JP (1) JP2018101241A (en)
GB (1) GB2558750B (en)
WO (1) WO2018117065A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPWO2020090034A1 (en) * 2018-10-31 2021-09-02 株式会社日立製作所 Processing equipment
WO2023152853A1 (en) * 2022-02-10 2023-08-17 三菱電機株式会社 Safety protection system backup device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110209021A1 (en) * 2008-02-06 2011-08-25 Steen Ditlev Sorensen Failure Detection and Mitigation in Logic Circuits
US20110264242A1 (en) * 2010-04-26 2011-10-27 Nabtesco Corporation Actuator control system
US20110313580A1 (en) * 2010-06-17 2011-12-22 Levgenii Bakhmach Method and platform to implement safety critical systems
US20150205698A1 (en) * 2014-01-23 2015-07-23 Bernecker + Rainer Industrie-Elektronik Ges.M.B.H Method for verifying the processing of software

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH08171581A (en) * 1994-12-16 1996-07-02 Hitachi Ltd Logic circuit with error detecting function and fault tolerant system using same
US7298170B2 (en) * 2005-12-30 2007-11-20 Honeywell International Inc. Safety system based on reconfigurable array of logic gates

Also Published As

Publication number Publication date
GB201718872D0 (en) 2017-12-27
GB2558750B (en) 2019-06-12
JP2018101241A (en) 2018-06-28
WO2018117065A1 (en) 2018-06-28

Similar Documents

Publication Publication Date Title
US8359529B2 (en) Information processing apparatus and information processing method
DE102015108689A1 (en) Security node in interconnect data buses
EP1857937A1 (en) Information processing apparatus and information processing method
CN110192185B (en) Redundant processor architecture
US10620260B2 (en) Apparatus having signal chain lock step for high integrity functional safety applications
US10229036B2 (en) Software update of non-critical components in dual safety-critical distributed systems
US9804575B2 (en) Multiplex control device
EP2573636A2 (en) Multi-channel control switchover logic
GB2558750A (en) Processing device
US20190140893A1 (en) Bypass Switch With Evaluation Mode For In-Line Monitoring Of Network Traffic
US20080215913A1 (en) Information Processing System and Information Processing Method
CN102904752B (en) A kind of node electoral machinery, node device and system
JP6088642B2 (en) Analog signal input circuit having a plurality of analog signal detection channels
KR20160037939A (en) Method and electronic circuit assembly for the redundant signal processing of a safety-relevant application, motor vehicle brake system, motor vehicle having said motor vehicle brake system, and use of such an electronic circuit assembly
US10346242B2 (en) Distributed real-time computer system and time-triggered distribution unit
JP6094260B2 (en) Abnormality detection protection circuit
US10520910B2 (en) I/O expansion for safety controller
Abdelawwad et al. FPGA Implementation of a Safety System-on-Chip Based on 1oo4 Architecture Using LEON3 Processor
US20170091053A1 (en) Method and device for checking calculation results in a system having multiple processing units
WO2022199787A1 (en) Program flow monitoring for gateway applications
DE102013002088B4 (en) System and method for a signature-based redundancy comparison
RU120256U1 (en) THREE-CHANNEL FAULT-RESISTANT SYSTEM ON CONFIGURABLE PROCESSORS WITH EXTERNAL AND INTRICRYSTAL RESERVATION
US20210103311A1 (en) Method and apparatus for outputting signals
CN109918270B (en) Multi-server system, error detection method, system, electronic device and storage medium
CN115288808A (en) Gas turbine exhaust temperature protection control method and system based on GE9F gas turbine