JP2011198205A - Redundant system control system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a redundant system control system that reduces a cost, while securing safety for use in a control terminal of a railroad security device.SOLUTION: The redundant system control system 1 is constituted by connecting two computers with the same processing programs mounted thereon. The logical product of control outputs of computers in system A and system B is output to an apparatus to be controlled. Data is mutually transmitted/received between the system A and the system B computers, thereby to collate data held by one system with data transmitted from the other system in each system, and also to monitor whether the processing of the computer in each system is smoothly executed. When a failure is detected in either of the systems after the collation and monitoring, the processing is stopped, and the output to the apparatus to be controlled becomes a safe side.

Description

  The present invention relates to a dual system control system that can be used as a railway safety device control terminal.

Conventionally, railway safety equipment control terminals have been developed exclusively for hardware and software to ensure high safety. Further, for example, the processor and its periphery are configured as a dual system, and the occurrence of malfunctions is prevented by collating the operations of the systems. For example, in Patent Document 1, a processor, a memory, a recovery memory, a bus line, a digital input / output unit, and an input / output unit are dual systems, the same software is installed in each system, and both are verified by a verification circuit. It is described that system data is compared and collated at the bus level, and is normally operated only when the collation results match, and when the collation results do not match, the processor is stopped to prevent malfunction.
In addition, when the installed software itself has a bug, the above-described verification circuit does not detect a mismatch, and therefore, as in Patent Document 2, a diagnostic device that diagnoses the operating state of the processor system using a predetermined criterion Has been proposed to be provided outside the processor system.
However, the dedicated hardware and software as described above are expensive to develop and install. In addition, parts management for maintenance has not been easy, for example, production of parts to be mounted on the apparatus is finished.

  On the other hand, with the development of computers in recent years, high-performance personal computers and operation systems (OS) have been developed, and examples of using personal computers for operation control of various devices are known.

Japanese Patent Laid-Open No. 5-189325 JP 2004-86795 A

  However, general-purpose personal computers are concerned that unintended operation or operation stop may occur due to various factors such as memory shortage due to congestion of multiple processes and waiting for responses due to multiple interrupt processing. Use as a control terminal has been forgotten for a long time. However, if a problem in introducing a general-purpose product is identified and solved, it will be possible to provide a control terminal for a railway security device at a lower cost while ensuring safety.

  An object of the present invention is to provide a dual system control system capable of reducing the cost while ensuring safety for use as a control terminal of a railway security device.

  In order to achieve the above-described object, the first invention provides a computer that receives data from an external device, generates control information of a device to be controlled according to a predetermined processing program based on the received data, and outputs the control information. A dual system control system provided in each of the system B and the B system, wherein the A system computer and the B system computer are connected to each other by communication, control information generated in the A system, AND output means for outputting a logical product with the control information generated in the B system to the device to be controlled, and data between the A system and the B system via the connection means. The verification means for verifying the data held by the own system and the data transmitted from the other system in each system, and whether the processing of the own computer in each system is executed smoothly. If the data of the A system and the B system do not match as a result of the collation by the monitoring means and the collating means, or the result of the monitoring by the monitoring means, it is determined that the processing is not smoothly executed in any of the systems And a process stop means for stopping the process and setting the output to the device to be controlled as a safe side.

According to this dual system control system, two computers having the same processing program are connected to form a dual system control system. Further, the logical product of the control outputs of the A-system and B-system computers is output to the control target device. In addition, data is transmitted and received between the A system and the B system via the connection means, and the data held by the own system and the data transmitted from the other system are collated in each system. Monitors whether or not computer processing is smoothly executed, and if the result of collation is that the data of system A and system B do not match, or as a result of monitoring, processing is not executed smoothly in either system If it is determined, the process is stopped, and the output to the device to be controlled is set to the safe side.
Therefore, the dual control system can be self-checked, and safety when using the computer as a control terminal can be ensured. As a result, it is possible to configure a device that requires high safety, such as a control terminal for a railway security device, using a general-purpose computer without using dedicated hardware and software. Cost reduction by introduction is possible.

The collating means is executed in the first computer and the first computer for collating data received by the local computer from the external device with data received by the other computer from the external device. Second collating means for collating the processing result of the processing program with the processing result of the processing program executed in another computer, and input from the control output of the own system and the device to be controlled with respect to the own system Third collating means for collating the displayed display state, fourth collating means for collating the control output of the own system and the display state input from the device to be controlled with respect to the other system, and the display of the other system It is desirable that at least one of the fifth collating means for collating the state and the display state of the own system is included.
According to the first verification means, it is possible to check the transmission error of the data received from the external device, and according to the second verification means, it is possible to check the consistency of the processing results of the same processing program respectively executed in the own system and the other system. According to the third verification means, the interface failure can be checked by comparing the control information output by the own system with the control state of the device input to the own system, and the fourth verification means outputs the own system. The interface failure can be checked by collating the control information with the control state of the device input to the other system. According to the fifth collating means, the display state in the own system and the other system can be confirmed with each other, and the interface failure can be confirmed. Can check.

The monitoring means includes first monitoring means for monitoring the operating state of the local computer using a hardware timer provided in the computer, and second monitoring means for monitoring the operating state of the hardware timer by software. It is desirable to provide
As a result, it is possible to reliably detect abnormalities such as operation stop of each computer and waiting for a response.

Further, it is desirable to mount different operating systems for the A-system computer and the B-system computer.
As a result, simultaneous errors due to operating system bugs can be detected, and safety can be further improved.

A data error determining means for determining an error in data received from the outside or another system, and a retransmission request for requesting retransmission of data to the transmission source when the data error determining means determines that there is a data error And means.
As a result, a data transmission failure can be detected, and a retransmission request can be made smoothly.

In addition, it further includes an execution order diagnosis unit that determines whether or not the processing program is executed in a predetermined order, and when the execution order of the processing program is incorrect by the execution order diagnosis unit, It is desirable that the processing in the computer is stopped by the processing stop means so that the output to the control target device is on the safe side.
Thereby, it can be confirmed whether the processing program executed in each computer is processing in an unexpected order.

Further, the memory area used in the processing program further includes a memory diagnosis unit for executing a memory diagnosis for determining whether or not there is an abnormality, and when the memory diagnosis unit detects an abnormality in the memory area, It is desirable that the processing in the computer is stopped by the processing stop means so that the output to the control target device is on the safe side.
As a result, it is possible to detect an event that may lead to an unintended operation that exceeds a predetermined memory area.

In addition, recovery information recording means for recording data received from the external device as recovery information in each system computer, and after the process is stopped by the process stop means, a normal system recovers from a system in which an abnormality has occurred. The recovery request means for requesting the recovery system, and the system in which the abnormality has occurred receiving the recovery request acquires the recovery information recorded in the normal system, and recovers the computer of the local system based on the acquired recovery information It is desirable to provide recovery processing executing means.
As a result, it is possible to perform a safe recovery after performing a process stop due to abnormality detection, thereby performing a smooth restart and reducing troubles due to the stop of the control system.

  According to the dual system control system of the present invention, it is possible to reduce the cost while ensuring the safety as the control terminal of the railway security device.

The block diagram which shows the apparatus structure of the dual-system control system 1 which concerns on this invention. Block diagram showing the internal configuration of computers PC_A and PC_B used in the dual system control system 1 The flowchart explaining the flow of the self-diagnosis process executed by each computer PC_A, PC_B of the dual system control system 1 Flowchart explaining the detailed flow of collation processing The flowchart explaining the flow of the monitoring process by the watchdog timer of the self-diagnosis process executed by each computer PC_A, PC_B of the dual system control system 1 Flowchart explaining the flow of the monitoring process by the software counter that monitors the monitoring process by the watchdog timer List of abnormal states detected by the dual system control system 1 Overall view of a railway security control system 100 using the dual system control system 1 as a control terminal for various railway security devices.

  Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the drawings.

First, with reference to FIG.1 and FIG.2, the structure of the dual-system control system 1 which concerns on this invention is demonstrated.
FIG. 1 is a block diagram showing an apparatus configuration of the dual system control system 1, and FIG. 2 is a block diagram showing an internal configuration of computers PC_A and PC_B used in the dual system control system 1.
In the present embodiment, as an example, an example in which the dual system control system 1 according to the present invention is used as a control terminal of a railway turning machine 4 will be described.

As shown in FIG. 1, the dual system control system 1 of the present invention is configured by connecting two computers PC_A and PC_B via a communication line 2. The computers PC_A and PC_B are provided with communication units 18A and 18B for communicating with the on-board device 9, respectively. Hereinafter, a system including the computer PC_A and the communication unit 18A is referred to as an A system, and a system including the computer PC_B and the communication unit 18B is referred to as a B system.
General-purpose personal computers are used as the A-system and B-system computers PC_A and PC_B.
The communication line 2 is a line for communication connection between two computers PC_A and PC_B, and is configured by, for example, a LAN (Local Area Network). Since communication between the computers PC_A and PC_B needs to be performed reliably, a wired connection is desirable, but a wireless connection may also be used.

Further, as shown in FIG. 1, the outputs (OUT_A1 and OUT_B1, OUT_A2 and OUT_B2) of the A and B computers PC_A and PC_B are input to the logical product operation circuit 7, the logical product is calculated, and the calculation result is calculated. It is output to a device to be controlled (for example, the switch 4). That is, only the output (control information) that matches in both systems is output to the device to be controlled.
In the AND operation circuit 7 shown in FIG. 1, the logical product of the output OUT_A1 from PC_A and the output OUT_B1 from PC_B is calculated, and the logical product of the output OUT_A2 from PC_A and the output OUT_B2 from PC_B is calculated. In addition, for outputs from watchdog timers (WDT_A, WDT_B) described later, the logical product of the outputs OUT_A1 and OUT_B1, and OUT_A2 and OUT_B2 is calculated. Thereby, the output timings of the control information from the A system and the B system are synchronized, and the processing results are checked for coincidence.

In FIG. 1, OUT_A1 and OUT_A2 are control information output from PC_A, and represent, for example, the localization side and the reverse side of the switch 4 respectively. Further, OUT_B1 and OUT_B2 are control information output from the PC_B and represent, for example, the localization side and the inversion side of the switch 4 respectively. The direction that is always open in the turning machine 4 is called localization.
OUT_N is a signal for controlling the switch 4 to the localization side as a result of the logical product of OUT_A1 and OUT_B1, and is controlled when turned ON. OUT_R is a signal for controlling the switch 4 to the reverse side as a result of logical product of OUT_A2 and OUT_B2, and is controlled when turned ON. However, if both OUT_N and OUT_R are ON, it is considered abnormal.
NKR and RKR are display information indicating the control state of the switch 4, where NKR is the localization side and RKR is the inversion side. The display information NKR and RKR of the turning machine 4 is input to PC_A and PC_B.
WDT_A is the output of the watchdog timer of PC_A and is connected to the normal relay 8A. WDT_B is the output of the watchdog timer of PC_B and is connected to the normal relay 8B.
The normal relays 8A and 8B are operated by the output of the watchdog timer, and when an abnormality occurs, the output of the watchdog timer stops and falls. As a result, the contacts 10A and 10B are operated to either the connected state or the opened state. The contacts 10A and 10B are opened when an abnormality occurs.

  As shown in FIG. 2, the A-system and B-system computers PC_A and PC_B include a CPU (Central Processing Unit) 11, a ROM (Read Only Memory) 12, a RAM (Random Access Memory) 13, an input unit 14, and a display unit, respectively. 15, a storage device 16, a communication unit 17 with another system, a communication unit 18 with an on-board device, a peripheral device I / F unit 19, and the like are connected via a bus 20.

  The CPU 11 calls and executes a processing program stored in the ROM 12, the storage device 16, a recording medium, and the like to a work memory area on the RAM 13, and drives and controls each unit connected via the bus 20. In the present embodiment, the CPU 11 executes the self-diagnosis process shown in FIG. 3 during the execution of the processing program relating to the control of the railway security device (for example, the turning machine 4). The self-diagnosis process will be described later.

  The ROM 12 permanently stores a computer boot program, basic programs such as BIOS, data, and the like. The RAM 13 temporarily holds the loaded program and data, and includes a work area used by the CPU 11 for performing various processes.

  The storage device 16 is an HDD (hard disk drive) or the like, and stores a computer OS (operating system), various application programs, data necessary for program execution, and the like. The application program includes a processing program related to control of a device to be controlled (for example, the turning machine 4), a self-diagnosis processing program (including verification processing) shown in FIGS. 3 to 4, and shown in FIGS. Includes operating condition monitoring program. Each program code included in these programs is read by the CPU 11 as necessary, developed in the RAM 13, and executed by the CPU 11. The storage device 16 may further include a drive device and an input / output device for driving various recording media such as a floppy (registered trademark) disk, a CD, a DVD, and a memory card, and input / output data in the recording medium. Do.

Of the application programs described above, the same program is installed in each system for the processing program, the self-diagnosis processing program, and the operating state monitoring program related to the control of the device to be controlled (for example, the turning machine 4). Is done. This is because the same processing is executed in each system and the consistency is confirmed by collating the detected processing to detect a processing abnormality.
Further, the operating system may be the same in each system, or may be different. When different operating systems are installed in each system, simultaneous errors due to operating system bugs can be prevented.

The input unit 14 is, for example, a keyboard, a pointing device such as a mouse, or an input device such as a numeric keypad, and outputs input data to the CPU 11.
The display unit 15 includes a display device such as a liquid crystal panel or a CRT monitor, and a logic circuit for executing display processing in cooperation with the display device. Display information input under the control of the CPU 11 is displayed on the display device. Display.

The communication unit 17 with another system is a communication interface that has a communication control device, a communication port, and the like and mediates data transmission / reception between the own system and the other system (A system and B system).
The communication unit 18 with the on-board device 9 has a communication control device, a communication port, and the like, and is a communication interface that mediates data transmission / reception with the on-board control device 9.
The peripheral device I / F unit 19 is an interface with the peripheral device. For example, an interface with a device to be controlled (for example, the switch 4) is included.

Next, self-diagnosis of the dual system control system 1 of the present invention will be described.
In the dual system control system 1 of the present invention, the fault detection of the dual system control system 1 itself is positively performed to prevent erroneous control output.
Possible causes of erroneous control output are as follows.
That is, the cause of an erroneous control output is roughly classified into (1) software error and (2) hardware error. Software errors include (1-1) memory data error, (1-2) operating system bug, (1-3) application bug, (1-4) application program input error, (1- 5) Includes application program design mistakes. Hardware errors include (2-1) interface failure, (2-2) CPU failure, (2-3) memory failure, (2-4) computer design failure, and (2-5). Wiring failure, (2-6) errors due to external noise, etc. are included.

  In the dual system control system 1 of the present invention, an abnormal control output is prevented in view of the above-described factors, and a failure is detected by performing a self-diagnosis during execution of the processing program.

  Specifically, first, the dual system control system 1 has a dual system configuration including two computers. In addition, a logical product operation circuit 7 of control information (control output) output from each of the A system and the B system is provided, and control outputs that are inconsistent in both systems are discarded. With such a configuration, when processing results for the same controlled information are generated twice and different processing results are obtained for the A system and the B system, the control output is not performed and the safety side is obtained.

  In addition, the A system and the B system transmit and receive data to and from each other and collate with software. Thereby, it can mutually detect that there exists abnormality in either system. In the verification process, for example, (1) mismatch between data (controlled information) received by the own computer from the onboard device 9 and data (controlled information) received by the other computer from the onboard device 9 (Controlled information inconsistency), (2) Inconsistency in processing results by processing programs in the own system and other computers (inconsistency in control output), (3) Control output for the own system and the own system Disagreement with the display state input from the device (intra-system loopback disagreement), (4) Disagreement between the control output of the own system and the display state input from the device to be controlled with respect to the other system (inter-system loop) Back mismatch), (5) A mismatch between the display status of the other system and the display status of the own system (inter-system display mismatch) is detected.

  In addition, the hardware timer counter of each system computer PC_A, PC_B is used as a watchdog timer to monitor the operating state of the computer, and the operating state of the watchdog timer is further monitored by a software counter. Thereby, it can mutually detect that the operation | movement of the computer of either system is abnormally delayed or stopped.

  In addition, when an abnormality in the computer of one system is detected by the computer of the other system as a result of the above collation or monitoring, the process of restarting the normal system becomes abnormal Instruct. In each system, the controlled information is always recorded as recovery information in a normal state, and when an abnormality occurs on one side and a restart is instructed, the recovery information held in each other's system is recorded. By checking, the time when the abnormality occurs is detected. In addition, the normal system transmits recovery information at the time when the abnormality occurs or the time around the abnormal system. The system in which an abnormality has occurred receives recovery information from the normal system and starts recovery processing. When starting the recovery process, the history up to the point when the abnormality occurred is checked against the normal system, and the safe process is restored after checking that no new controlled information is received in the normal system.

The computers PC_A and PC_B of each system execute the installed processing program by sequential processing called single thread. Then, it is desirable to perform an execution order diagnosis for determining whether or not the processing program is executed in a predetermined order, for example, at the beginning of each module of the processing program. If it is diagnosed that the execution order is wrong in any of the systems, it is regarded as abnormal and the processing is stopped.
Furthermore, it is desirable to inspect the memory area (program area) of the RAM 13 used in the processing program using, for example, an inspection code. If any of the systems is diagnosed as having a memory failure, it is considered abnormal and processing is stopped.

  In the dual system control system 1, any one of the above-described verification, monitoring, execution order diagnosis, and memory diagnosis may be executed, or a part or all of these may be executed in combination as appropriate. It may be.

Next, the flow of processing in the dual system control system 1 of the present invention will be described with reference to FIGS.
The computers PC_A and PC_B of each system of the dual system control system 1 perform the self-diagnosis process when executing the processing program of FIG. 3, the verification process of FIG. 4, and the monitoring processes of FIGS.
First, the overall flow will be described with reference to FIG.
3, it is assumed that controlled information is transmitted to the dual system control system 1 from the on-board device 9 periodically or irregularly as shown in FIG. . Identification information is given to each controlled information transmitted at each time point. As the identification information, for example, a serial number issued by the on-board device 9 is employed. It is transmitted to the computers PC_A and PC_B of each system of the dual system control system 1, and the same processing is performed by the CPU 11 of each computer PC_A and PC_B. That is, in the dual system control system 1, the same processing program is executed based on the same controlled information received by the computers PC_A and PC_B of each system. Control information (OUT_A1, OUT_A2, OUT_B1, OUT_B2) about the device to be generated is generated. The control output (control information) from each system is input to the logical product operation circuit 7, and the logical product operation result is output to the switch 4.

  Further, as a premise, the CPUs 11 of the computers PC_A and PC_B have a processing time for starting up the operating system and the like between the time when the power is turned on and the start of the operation of the application (processing program). During this time, the self-diagnosis process described below cannot be executed. Therefore, first, after the computer executes initialization processing of the operating system when the power is turned on, the computer activates an initialization application to initialize the computers PC_A and PC_B as processing devices. At this time, the normal relays 8A and 8B and the control output are still on the non-control side. Next, in order to be able to detect the operating status of the computer, the CPU 11 sets a cycle. For example, since the processing program of the present embodiment performs single-thread processing, the operation cycle of the processing program is set as the basic cycle. The basic period is, for example, about 100 ms, but is not limited to this and may be any value. Further, the CPU 11 sets a watch dog timer and starts operation. Thereafter, when a normal output cannot be obtained from the processing program within the above-mentioned cycle or a predetermined number of cycles due to some abnormality, the normal relays 8A and 8B are dropped and the processing on the safe side is performed.

  When the periodic operation is started, PC_A and PC_B each transmit data held by the own system to the other system. It also receives and holds data transmitted from other systems. Data transmission / reception between the other system and the own system is performed via the communication line 2.

In the process of FIG. 3, first, the computers PC_A and PC_B each receive controlled information from the on-board device 9 (step S101).
The computers PC_A and PC_B each receive controlled information (control request from the on-board device 9) from the on-board device 9 and hold it in the RAM 13. At this point, it is only the “intent” state received by the own system.
The computers PC_A and PC_B perform transmission failure checks on the received controlled information and register them in the memory area of the RAM 13. The transmission failure check includes, for example, a data length check, a frame check sequence, a header signature check, a check whether the identification number of the previously received data is different (excluding the first reception information), and the like. As a result of these checks, if there is no loss or failure in the data, that information is adopted, and if there is a loss or failure in the data, it is discarded. It should be noted that if there is no new continuous adoption after the last data adoption, the transmission interruption allowable time (time range acceptable as the data transmission delay time) is determined to be a transmission failure.

The computers PC_A and PC_B receive data from another system (step S102). The data received from the other system includes other system controlled information, other system processing result information, other system diagnosis result information, and the like.
The computers PC_A and PC_B perform transmission failure checks on the received data and then register them in the memory area of the RAM 13. Similar to step S101, the transmission failure check includes, for example, a data length check, a frame check sequence, a header signature check, a check whether the identification numbers of the previously received data are different (excluding the first reception information), and the like. As a result of these checks, if there is no loss or failure in the data, that information is adopted, and if there is a loss or failure in the data, it is discarded. If there is no new adoption continuously after the last adoption of data (for example, about three cycles), it is determined that there is a transmission failure.

  The computers PC_A and PC_B collate their own system data with other system data (step S103). In step S103, the controlled information (own controlled information) adopted in the own system held in the RAM 13 is compared with the controlled information (other controlled information) transmitted from the other system.

A detailed flow of the collation process is shown in FIG.
As shown in FIG. 4, in the collation process, the CPU 11 of each computer PC_A, PC_B reads the latest own system controlled information and other system controlled information from the RAM 13 (step S201), and performs comparison collation (step S202). . When the own system controlled information and the other system controlled information match (step S203; Yes), further, the diagnosis result information on the controlled information in the other system is acquired, and the diagnosis of the other system also “matches” ”(Step S204; Yes), the process proceeds to the next step. If the diagnosis result of the other system is “mismatch” (step S204; No), the process returns to step S201, and the own system controlled information and the other system controlled information are collated again.
If the own-system controlled information and the other-system controlled information do not match (step S203; No), a retransmission request for information to be collated is transmitted to the other system (step S206; No → step S207). And step S201-step S203 are repeated and the newest other system controlled information and controlled information are compared. If they do not match even after repeating a predetermined number of times (N times; N is a positive integer) (step S206; Yes), the own computer is restarted, and after the restarting, recovery processing is executed (step S208). .

  When the consistency between the own-system controlled information and the other-system controlled information can be confirmed by the collation processing in step S103, each PC_A, PC_B first determines the controlled information here and updates the controlled information in the RAM 13. (Step S104).

When the controlled information is determined, each PC_A, PC_B executes a processing program based on the controlled information to generate control information, and holds the generated control information in the RAM 13 as a processing result. This processing program is a process requested by the controlled information, and is, for example, a process for generating a control output of the switch 4. That is, the control information of the turning machine 4 is generated based on the controlled information determined in step S104.
At this point, the own system is in a state of “want” to control the machine 4.

  Each PC_A and PC_B collate the processing result of the own system (own system control information) held in the RAM 13 with the processing result (other system control information) transmitted from the other system (step S106). The matching process in step S106 is the same as the matching process shown in FIG.

That is, in the collation process of step S106, the CPU 11 of each computer PC_A, PC_B reads the latest local process result and the other system process result from the RAM 13 (step S201), and performs comparison collation (step S202). When the own system processing result and the other system processing result match (step S203; Yes), the diagnosis result information on the processing result in the other system is further acquired, and “match” is also determined in the other system diagnosis. If so (step S204; Yes), the process proceeds to the next step. If the diagnosis result of the other system is “mismatch” (step S204; No), the process returns to step S201, and the self-system process result and the other system process result are collated again.
If the own system processing result and the other system processing result do not match (step S203; No), a retransmission request for information to be collated is transmitted to the other system (step S206; No → step S207). Then, step S201 to step S203 are repeated, and the latest other system processing result is compared with the own system processing result. If they do not match even after repeating a predetermined number of times (N times; N is a positive integer) (step S206; Yes), the own computer is restarted, and after the restarting, recovery processing is executed (step S208). . The predetermined number of repetitions is, for example, 3 times, but is not limited to this.

  When the consistency between the own system processing result and the other system processed result can be confirmed by the collation processing in step S106, each PC_A, PC_B confirms the processing result (control output of the switch 4) for the first time, The processing result information in the RAM 13 is updated (step S107).

  Each PC_A, PC_B accepts input of display information (hereinafter referred to as display state) NKR, RKR indicating the control state from the switch 4. In addition, the display states NKR and RKR input from the switching machine 4 are acquired. The CPU 11 of each PC_A and PC_B collates with the control output of its own system and the display state input from the switch 4 (intra-system loopback mismatch), or changes over to its own control output and other system. The display state input from the machine 4 is collated (intersystem loopback mismatch) (step S108). The matching process in step S108 is the same as the matching process shown in FIG.

Each PC_A and PC_B appropriately execute other diagnostic processes such as an execution order diagnosis, a memory diagnosis, and an inter-system display diagnosis in addition to the above-described collation process.
The execution order diagnosis is performed at the beginning of each module, and is not performed after step S108, but is added as “other diagnosis”.

  The execution order diagnosis is for checking whether the modules of the processing program are not executed in an unexpected order. In the execution order diagnosis, a unique “call identification value” is passed as an argument for each module from the parent process that calls each module. The called module checks whether the passed call identification value is that of its own module. If the call identification values do not match, a failure is determined.

  The memory diagnosis diagnoses the process memory (.exe and read dll) of the own program. For example, the SHA256 message digest of all the loaded code segment regions of dll including its own exe is calculated and compared with the same information in the other system diagnosis information.

  In the inter-system display diagnosis, display information in the own system and the other systems PC_A and PC_B is collated. The display information includes the control state input from the switch 4.

  If a failure is detected as a result of "other diagnosis", the computer processing is stopped and disabled, and the control output is set to the safe side.

Next, monitoring of hardware and software operations will be described.
While executing the self-diagnosis process shown in FIGS. 3 and 4, each computer PC_A, PC_B performs monitoring by a watchdog timer (FIG. 5) and monitoring by a soft counter (FIG. 6), and each computer PC_A, PC_B normally operates. It is monitoring whether it is operating.

  As shown in FIG. 5, the computers PC_A and PC_B use a hardware timer counter as a watchdog timer. The count is incremented every predetermined period (for example, the above basic period; 100 ms, etc.) (step S301). If a normal output is obtained from each process within a predetermined period (step S302; Yes), the counter is reset (step S303), and the output data is registered in a predetermined memory area of the RAM 13 (step S304). ). For example, in the transmission check in step S101 and the collation process in step S106, three cycles (N cycles) are set as the upper limit value of the counter. If a normal output is not obtained within a predetermined period (step S302; No), it is regarded as abnormal, the normal relays 8A and 8B are dropped (step S305), the output of the processing result is shut off, and the process on the safe side is performed. Do. For example, when the computer PC_A or PC_B performs a response waiting and forced termination operation, the relays 8A and 8B are dropped by the monitoring by the watchdog timer, and the processing on the safe side is performed.

Further, as shown in FIG. 6, it is desirable to monitor the output of the watchdog timer using a software counter and detect an operation failure of the watchdog timer.
The computers PC_A and PC_B count up the software counter every predetermined period (step S401). The CPU 11 determines whether or not the watchdog timer has counted up during the period until the software counter next counts up (step S402), and when the count-up of the watchdog timer is not detected (step S402; No), an abnormality of the watchdog timer is detected. In the case of abnormality, the relays 8A and 8B are dropped, the output of the processing result is shut off, and safe processing is performed.

As a result of the self-diagnosis process (including verification process and other diagnoses) described above and the monitoring process by the watchdog timer, the dual system control system 1 of the present invention can detect the abnormality as shown in FIG. It becomes.
That is, “other system information transmission failure” and “controlled information transmission failure” are detected by the watchdog timer and the data check in step S101 and step S102 of FIG.
Further, “control information mismatch” is detected by the collation processing in step S103. Further, “processing result mismatch” is detected by the collation processing in step S106.
Further, “intersystem loopback mismatch” and “intrasystem loopback mismatch” are detected by the watchdog timer and step S108 of FIG.
Further, “execution order abnormality” is detected by the execution order diagnosis in the other diagnosis in step S109. Further, “memory abnormality” is detected by the memory diagnosis in the other diagnosis in step S109.
Further, “intersystem display mismatch” is detected by the intersystem display diagnosis in the other diagnosis of step S109 in FIG.
When the processing result is output to the switching machine 4 or the like, but display information indicating that the control process is complete cannot be obtained, the control result is “uncontrollable”.

  As described above, the dual system control system 1 according to the present embodiment receives the controlled information from the on-board device 9, and based on the received controlled information, the device to be controlled according to the predetermined processing program ( For example, a computer for generating and outputting control information of the switch 4) is provided in each of the A system and the B system, and the A system computer PC_A and the B system computer PC_B communicate with each other via a communication line 2 such as a LAN. Connecting. The logical product of the control information generated by the A-system computer PC_A and the control information generated by the B-system computer PC_B is calculated by the logical product operation circuit 7 and output to the device to be controlled. . Further, data is transmitted and received between the A-system computer PC_A and the B-system computer PC_B via the communication line 2, and the self-system data and other system data are collated in each system. Further, it is monitored whether or not the processing of the local computer is smoothly executed in each system. As a result of collation, if the data held or output by the A-system and B-system computers do not match, or if monitoring determines that processing is not being executed smoothly in any system, processing is stopped Then, the control system 1 is disabled, and the output to the device to be controlled is the safe side.

As described above, in the dual system control system 1 according to the present embodiment, self-checks are performed on the self-system and other-system data and processing results by software, and data in a memory such as a RAM and a ROM is stored. Actively compare and collate. In addition, it regularly monitors whether normal output is being performed, and actively detects abnormalities in the operation of the computer. Further, since the logical product of the outputs from the respective systems is calculated, if the data of both systems do not match, the control output is not performed to the switch 4 and is discarded.
As a result, software bugs and hardware failures can be detected, and in the case of failures, the device can be disabled and safe processing can be performed. Therefore, it is possible to configure a device requiring high safety such as a control terminal of a railway security device with a general-purpose computer without using dedicated hardware and software. Also in that case, sufficient safety can be secured. Moreover, the cost can be reduced by introducing a general-purpose product.

  In the above-described embodiment, the example in which the dual system control system 1 of the present invention is applied as the control terminal of the switch 4 has been described. However, the present invention is not limited to this, and other security devices can be used. It may be used as a control terminal. For example, the railroad safety device control system 100 shown in FIG. 8 includes the block control device 102 and the remote control terminal 103 of the railroad crossing 5 in addition to the remote control terminal 101 of the switch 4. The dual system control system 1 of the present invention can also be applied to the management device 102, the remote control terminal 103 of the railroad crossing 5, and the like.

  The preferred embodiments of the dual system control system according to the present invention have been described above with reference to the accompanying drawings, but the present invention is not limited to such examples. It will be apparent to those skilled in the art that various changes or modifications can be conceived within the scope of the technical idea disclosed in the present application, and these naturally belong to the technical scope of the present invention. Understood.

1 .... Dual system control system PC_A ... A computer PC_B ... B computer 2 .... Communication line 7 .... AND operation circuit 8A, 8B ... · Normal relay 9 · · · Onboard device 10A, 10B · · Contact 18A · · · A system communication unit with the onboard device 18B · · · B system communication unit with the onboard device 3 ··· Train 4 ··· Trailing machine 5 ··· Rail crossing 6 ··· Railway 100 ··· Railway security control system 101 ··· Turn Remote control terminal (application of dual control system 1)
102... Blockage management device (double system control system 1 is applied)
103 ··· Remote control terminal for level crossing (Dual system control system 1 is applied)

Claims (8)

A dual system control system that receives data from an external device, generates control information for a device to be controlled according to a predetermined processing program based on the received data, and outputs a computer for each of the A system and the B system. There,
Connection means for communicating and connecting the A-system computer and the B-system computer to each other;
Logical product output means for outputting a logical product of the control information generated in the A system and the control information generated in the B system to the device to be controlled;
Checking means for sending and receiving data to and from each other between the A system and the B system via the connecting means, and for checking the data held by the own system and the data transmitted from the other system in each system;
Monitoring means for monitoring whether the processing of the computer of the own system is smoothly executed in each system;
As a result of collation by the collation means, when the data of the A system and the B system do not match, or as a result of monitoring by the monitoring means, when it is determined that the processing is not smoothly executed in any of the systems, A process stop means for stopping the process and setting the output to the device to be controlled as a safe side;
A dual system control system comprising: The verification means includes
First collation means for collating data received by the local computer from the external device with data received by the external computer from the external device;
A second collating means for collating a processing result obtained by the processing program executed in the own computer and a processing result obtained by the processing program executed in the other computer;
Third verification means for verifying the control output of the own system and the display state input from the device to be controlled with respect to the own system;
A fourth collating means for collating the control output of the own system and the display state input from the device to be controlled with respect to the other system;
Fifth collating means for collating the display state of the other system and the display state of the own system;
2. The dual system control system according to claim 1, comprising at least one of them. The monitoring means includes
First monitoring means for monitoring an operating state of the local computer using a hardware timer provided in the computer;
2. The dual system control system according to claim 1, further comprising: second monitoring means for monitoring an operating state of the hardware timer by software.   2. The dual system control system according to claim 1, wherein the A system computer and the B system computer are installed with different operating systems. Data error determination means for determining an error in data received from the outside or another system;
When it is determined by the data error determination means that there is a data error, a retransmission request means for requesting retransmission of data to the transmission source;
The dual system control system according to claim 1, further comprising: An execution order diagnosis means for determining whether or not the processing program is executed in a predetermined order;
When the execution order of the processing program is wrong by the execution order diagnosis unit, the process stop unit stops the processing in the computer, and the output to the device to be controlled is on the safe side. The dual system control system according to claim 1. The memory area used in the processing program further comprises a memory diagnosis means for executing a memory diagnosis for determining whether or not there is an abnormality,
2. The method according to claim 1, wherein when the memory diagnosis unit detects an abnormality in the memory area, the processing stop unit stops the processing in the computer, and the output to the control target device is on the safe side. 2. The dual system control system according to 1. Recovery information recording means for recording data received from the external device as recovery information in each system computer;
After the process is stopped by the process stop unit, a normal system is a recovery request unit that requests recovery for a system in which an abnormality has occurred;
The system in which the abnormality has been received in response to the recovery request acquires the recovery information recorded in the normal system, and recovery processing execution means for recovering the local computer based on the acquired recovery information;
The dual control system according to claim 1, comprising:

Images