JP2012038026A - Dual arithmetic unit - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a dual arithmetic unit capable of improving the operation rate of a system while securing the security of the system.SOLUTION: The dual arithmetic unit includes an A system arithmetic processing circuit 2, a B system arithmetic processing circuit 3, a collation circuit 4, and a reset circuit (resetting means) 6. Data is transferred between the A system arithmetic processing circuit 2 and the B system arithmetic processing circuit 3, the coincidence/discrepancy of the data between the systems is determined, and whether results (CMPa, CMPb) of data collation are coincident between the systems is determined. The A system arithmetic processing circuit 2 and the B system arithmetic processing circuit 3 are reset after stopping outputting signals (CMPa, CMPb) showing that the results of data collation are different to the collation circuit until the number of times when the results of data collation are not coincident reaches a threshold SL, and when the number of times reaches the threshold SL, the signals showing that the results of data collation are different are outputted to the collation circuit, the reset is also stopped, and a security relay is lowered by maintaining an output of the collation circuit 4 at a high level or a low level.

Description

  The present invention relates to a duplex operation device including two operation processing means for performing the same processing synchronously.

Conventionally, there has been an apparatus as described in Patent Document 1, for example, as this type of duplex computing apparatus.
This duplex arithmetic unit is equipped with two arithmetic processing means (MPU), outputs the comparison data of its own system to another system, and compares the input comparison data from the other system with the comparison data of its own system. The collation result output is output to the collation means (comparison circuit). Then, the collating means outputs an alternating signal indicating a normal operation to the outside when the collation result outputs from both the arithmetic processing means match, and stops the output of the alternating signal when the collation result outputs do not match. Stop operation and guide the system to the safe side.

Japanese Patent Application Laid-Open No. 11-143841

  However, in the above-described conventional duplicated arithmetic unit, even if the collation results between the systems are temporarily different due to a temporary factor, the collation means that the collation result output does not match. Since the operation of the system is stopped based on this, safety can be ensured, but there is a problem that the operating rate of the system is lowered more than necessary.

  The present invention has been made paying attention to the above-described problems, and an object of the present invention is to provide a duplex computing device capable of improving the operating rate of the system while ensuring the safety of the system.

  For this reason, the invention according to claim 1 is provided with a first arithmetic processing means and a second arithmetic processing means for performing the same processing synchronously, and a reset signal for resetting the first arithmetic processing means and the second arithmetic processing means. Resetting means for outputting, each of the first arithmetic processing means and the second arithmetic processing means reads the data of the other system and collates it with the corresponding own system data, and the collation result in the other system Is read, and the number of times that the collation result is different between the systems is counted. In such a case, the output instruction of the reset signal is stopped.

In such a configuration, each of the first arithmetic processing means and the second arithmetic processing means verifies the soundness of the data by collating the data of the own system with the data of the other system, and further, with the collation result in the own system. Based on the collation result in the other system, it is determined whether one matches and the other detects the mismatch and the collation result is different between the systems.
And if the collation results are different between systems, the number of times that the collation results are obtained is accumulated, and if the accumulated number is less than the threshold, the collation results that differ between systems are Since it may be due to a temporary factor, the output of the reset signal is instructed to reset (restart) the first arithmetic processing means and the second arithmetic processing means, while continuing the operation of the system. When the number of times exceeds the threshold, it is estimated that a continuous failure (abnormality) has occurred, and the output instruction of the reset signal is stopped.
The data includes input / output values of two arithmetic processing means and values of arithmetic processing results.

  In the configuration of claim 1, when the collation result in the first arithmetic processing means and the collation result in the second arithmetic processing means are input as in claim 2, and the collation results are different between systems, A fail-safe collation means for outputting a fail-safe signal for stopping the operation of the system including the duplex computing device, the collation result is different between systems, and the output instruction of the reset signal is stopped; The operation of the system can be stopped by outputting a fail safe signal from the fail safe collating means.

  In such a configuration, when the number of collation results different between systems exceeds the threshold value and the reset operation of the first arithmetic processing means and the second arithmetic processing means is stopped, the failsafe collating means outputs a failsafe signal. This stops the operation of the system and leads the system to the safe side against the occurrence of continuous failures (abnormalities).

  In the configuration of claim 1 or 2, as in claim 3, each of the first calculation processing means and the second calculation processing means reads the number of times counted by another system, and the number of times counted by the own system. The output instruction of the reset signal can be controlled by comparing with the number of times counted by another system.

  In such a configuration, the count result of the number of times is passed between each other, and the output count of the reset signal is controlled by comparing the number of times counted by the both, whereby safety can be ensured when the count result of the number of times is different.

  The configuration according to claim 2 or 3, further comprising an oscillating means for supplying a common clock signal to the first arithmetic processing means and the second arithmetic processing means, as in claim 4, wherein the first arithmetic processing means and Each of the second arithmetic processing means outputs a time measurement completion signal to another system at a constant cycle based on the time measurement by the clock signal, and the data is synchronized with the clock signal in response to the input of the time measurement completion signal. Can be output to the other system, and an alternating signal indicating the result of the data verification can be output to the fail-safe verification unit.

  In such a configuration, a common clock signal is supplied from the oscillating means to the two arithmetic processing means, and the two arithmetic processing means each output a time measurement completion signal at a constant period based on the clock signal. Data is output in synchronization with the signal and the data is collated. Then, the two arithmetic processing means output an alternating signal indicating the collation result to the fail-safe collating means, and the fail-safe collating means outputs a fail-safe signal based on the collation of the alternating signal.

  According to such a redundant arithmetic unit, it is possible to prevent the system operation from being stopped due to a temporary factor, and it is possible to improve the operating rate of the system while ensuring the safety of the system.

The block diagram which shows embodiment of the duplication arithmetic unit which concerns on this invention The flowchart which shows the collation process in the said embodiment Time chart showing operation of collation processing in the embodiment The time chart which shows the operation | movement of the collation process at the time of the failure occurrence in the said embodiment

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
FIG. 1 shows a configuration of a duplex operation device according to the present invention. 1 includes an oscillator (oscillating means) 1, an A-system arithmetic processing circuit (first arithmetic processing means) 2, a B-system arithmetic processing circuit (second arithmetic processing means) 3, and verification. A circuit (fail-safe collating means) 4, an inspection oscillator 5, and a reset circuit (resetting means) 6 are included.

  The oscillator 1 supplies a common clock signal CLK0 to the two arithmetic processing circuits 2 and 3 in order to realize the synchronization processing of the two arithmetic processing circuits 2 and 3. A crystal oscillator or the like can be adopted as the oscillator 1, and the frequency of the clock signal CLK0 can be appropriately selected according to the design.

The A-system and B-system arithmetic processing circuits 2 and 3 are dual-system circuits that perform the same processing synchronously based on the clock signal CLK0, calculate input data, and output the data obtained by this arithmetic processing It has the function to do.
The duplexing arithmetic unit shown in FIG. 1 constitutes, for example, a railroad crossing safety device, and the A system and B system arithmetic processing circuits 2 and 3 input information on the position of a train approaching the railroad crossing, etc. A can control signal is output.

As the A-system and B-system arithmetic processing circuits 2 and 3, for example, an ASIC or a CPU bus circuit can be adopted, but an MCU (Micro Control Unit) is preferably used. Since this MCU corresponds to a CPU bus circuit mounted on one LSI, it can contribute to downsizing, low power consumption, or low cost of the device.
The A-system and B-system arithmetic processing circuits 2 and 3 include a failure detection unit 200 and 300, an inspection unit 201 and 301, a monitoring timer unit 202 and 302, a timer unit 203 and 303, and a data storage unit 205, respectively. 305, output units 206 and 306, data processing units 207 and 307, verification units 208 and 308, input units 209 and 309, verification result comparison units 210 and 310, and number storage units 211 and 311 are included. . These represent hardware functional blocks or software functional modules.

  In the following, the operation and function of the duplex arithmetic unit having the above-described configuration will be described. However, in order to avoid redundancy, only the A-system arithmetic processing circuit 2 will be described, and the other B-system arithmetic processing circuit 3 will be described. Shall have the same action and function.

  The timer unit 203 measures time with the clock signal CLK0 of the oscillator 1 and outputs a time measurement completion signal TUPa to the B-system arithmetic processing circuit 3 at regular intervals. On the other hand, the B-system arithmetic processing circuit 3 similarly outputs a time-measurement completion signal TUPb to the A-system arithmetic processing circuit 2 at a constant cycle based on the timing of the timer unit 303.

  The output unit 206 outputs the data Da to the B-system arithmetic processing circuit 3 in synchronization with the clock signal CLK0 when the timing completion signal TUPb is input from the B-system arithmetic processing circuit 3. Specifically, the output unit 206 reads the data DATAa from the data storage unit 205, and outputs the same data Dap (positive data) as the data DATAa in the first half of one cycle of the timing completion signal TUPb. In the second half, data Dan (negative data) obtained by inverting the positive / negative logic of the data DATAa is output to the input unit 309 of the B-system arithmetic processing circuit 3.

Similarly, the B-system arithmetic processing circuit 3 outputs the data Db to the input unit 209 of the A-system arithmetic processing circuit 2 in synchronization with the clock signal CLK0 when the timing completion signal TUPa is input.
Here, as the process of inverting the positive / negative logic, for example, a process of executing exclusive OR (ie, XOR) with FF (h) for each byte of the data DATAa can be employed. For example, when AA (h) of data DATAa is logically inverted, 55 (h) is obtained.
The data storage unit 205 is a memory, and stores data DATAa such as input / output values and calculation processing result values in the data processing unit 207.

The data processing unit 207 calculates data (such as train position information) input by the duplexing arithmetic unit, and outputs data (such as a control signal for a railroad crossing barrier) that is obtained thereby. Further, the data processing unit 207 writes the input / output data and the like in the data storage unit 205 as the data DATAa.
The input unit 209 receives the data Db from the B-system arithmetic processing circuit 3 and outputs it to the collation unit 208.

The collation unit 208 reads the data DATAa (own system data) from the data storage unit 205, and the data DATAa and the data Db (other system data) input as corresponding data from the B system arithmetic processing circuit 3 side. And an alternating signal CMPa indicating the collation result (match / mismatch) is output to the collation result comparison unit 210 of the own system and the collation result comparison unit 310 of the other system.
The collation processing in the collation unit 208 is performed, for example, by comparing the data DATAa and the data Db in units of 2 bytes from the head. If they match, the output alternating signal CMPa is set to the high level. And

Since the data Db received from the B system arithmetic processing circuit 3 is logically inverted every half cycle as described above, the data DATAa (A system positive data) and the data Db (B system positive data) are used in the first half of one cycle. Data) and the data DATAa (A system positive data) and the data Db (B system negative data) do not match in the second half of one cycle in the normal state. In the normal state of the circuits 2 and 3, the alternating signal CMPa periodically repeats a high level and a low level.
In other words, the state in which the alternating signal CMPa repeats the high level and the low level indicates the coincidence state of the A-system data and the B-system data, and the data Db is collated with the positive data and the negative data, Db sticking failure can be detected.
If the occurrence of an abnormality is detected as a result of data collation in the collation unit 208, the A-system arithmetic processing circuit 2 stops its operation, and as a result, the alternating signal CMPa stops alternating and maintains a constant value.

  The collation circuit 4 is configured by an LSI having a logic circuit, and collates the alternating signals CMPa and CMPb received from the two arithmetic processing circuits 2 and 3 (collation result comparison units 210 and 310). When the same alternating signals CMPa and CMPb are output from each system, the state signal FS that alternates in the same way (inverted at the inversion cycle of positive data and negative data) is used as, for example, a safety relay (not shown). Output for. On the other hand, when the alternating signals CMPa and CMPb do not match, the collation circuit 4 holds the state signal FS at either the high level or the low level.

  The safety relay includes a drive circuit composed of an inductor or the like, and does not drop when the state signal FS input to the drive circuit is alternating, but when the state signal FS stops alternating (high level or low level) In this case, the power supply to the external control target device is cut off. By providing such a mechanism, it is possible to control the system including the duplex computing device to the safe side.

In addition, the duplexing arithmetic device of this embodiment includes an inspection oscillator 5 in order to monitor the failure of the oscillator 1. The inspection oscillator 5 supplies a common inspection clock signal CLK 1 to the two arithmetic processing circuits 2 and 3. Note that a crystal oscillator or the like can be employed as the inspection oscillator 5 and the frequency of the clock signal CLK1 can be appropriately selected according to the design.
The monitoring timer unit 202 measures time according to the inspection clock signal CLK1, and the inspection unit 201 determines the soundness of the period of the time measurement completion signal TUPb input from the B-system arithmetic processing circuit 3 based on the time measurement of the monitoring timer unit 202. inspect.

Specifically, for each input of the timing completion signal TUPb, the inspection unit 201 reads the timer value Ta measured by the monitoring timer unit 202 and determines whether or not the change ΔTa in the timer value Ta is a predetermined value N. To do. If the period of the time measurement completion signal TUPb is normal, the timer value Ta increases by the expected predetermined change N for each input of the time measurement completion signal TUPb. Is not the predetermined value N, an abnormality in the period of the time measurement completion signal TUPb is detected.
However, since the inspection clock signal CLK1 is asynchronous with the clock signal CLK0, an error occurs in the change ΔTa even during normal operation. For this reason, in actual circuit design, it is necessary to set the predetermined value N within a certain numerical range in consideration of an error.

The inspection unit 201 reads the timer value Tb from the B-system arithmetic processing circuit 3 and compares the timer value Tb with the timer value Ta every time the timing completion signal TUPb is input. If the timer value Tb and the timer value Ta do not match as a result of the comparison, the inspection unit 201 detects a failure in the monitoring timer unit 302 of the B-system arithmetic processing circuit 3.
In this way, it is possible to detect an abnormality in the period of the time measurement completion signal TUPb using the inspection clock signal CLK1, and to inspect the failure of the monitoring timer unit 302 of the B-system arithmetic processing circuit 3 by inspecting the timer value Tb. Can be detected.

Further, in the duplication operation device of the present embodiment, the collation unit 208 provides the alternating signal CMPa indicating the collation result in the collation result comparison unit 210 and the B system arithmetic processing circuit 3 provided in the A system arithmetic processing circuit 2. Are output to each collation result comparison unit 310.
Based on the collation result (alternate signal CMPa) in the collation unit 208 of the own system and the collation result (alternate signal CMPb) in the collation unit 308 of the other system, the collation result comparison unit 210 generates a collation result that differs between systems. It is determined whether or not.

The case where the collation results are different between systems is a case where one matches and the other detects a mismatch, and the mismatch includes a case where a mismatch is detected in a normal state.
When the collation results in the respective systems match, the collation result comparison unit 210 outputs the alternating signal CMPb (or the alternating signal CMPa) to the collation circuit 4, and the collation result comparison unit 310 of the other system also. If it is determined that the collation results in the respective systems match, the collation result comparison unit 310 outputs the alternating signal CMPa (or the alternating signal CMPb) to the collation circuit 4. The same alternating signals CMPa and CMPb are input from the system, and the system operation is continued by outputting the alternating state signal FS to the safety relay.
On the other hand, the collation result comparison unit 210, when the collation results in each system are divided into coincidence and non-coincidence, and the collation results are different from each other, the collation result is different from the number of times storage unit 211 of the own system so far. The integrated number AN, which is the integrated value of the number of times obtained, is read out, the integrated number AN is increased by one, the increased number AN is updated and stored in the number storage unit 211, and the increased number The number of times AN (or the number of times AN before increase correction read from the number storage unit 211) is compared with the threshold value SL.
Here, when the number of times AN is smaller than the threshold value SL (AN <SL), the output of the alternating signal CMPb (or the alternating signal CMPa) indicating that the verification result is different between systems to the verification circuit 4 is stopped. Thus, the reset circuit 6 is instructed to output a reset signal. When receiving the reset signal output instruction, the reset circuit 6 outputs a reset signal for resetting (restarting) the A-system and B-system arithmetic processing circuits 2 and 3.
As a result, when the number of times AN is smaller than the threshold value SL, even if the collation results are different between the systems, the alternating operation of the state signal FS output from the collation circuit 4 is not stopped, and the A system and B system operations are stopped. By resetting the processing circuits 2 and 3, the collation is performed again.

When the number of times AN is equal to or larger than the threshold value SL (AN ≧ SL), an alternating signal CMPb (or an alternating signal CMPa) indicating that the collation results are different between the systems is output to the collation circuit 4, The output of the reset signal is not instructed, and the A-system and B-system arithmetic processing circuits 2 and 3 are not reset (restarted).
That is, for each input of the timing completion signal TUPb, the data is collated between the systems, and whether the collation result in the A system matches the collation result in the B system is determined. Even if the collation results in are different, if the number of integrations AN that has been judged that the collation results have been different so far does not reach the threshold value SL, the alternating signals CMPa, CMPb indicating that the collation results are different between the systems. After stopping the output to the verification circuit 4, the reset circuit 6 is instructed to output a reset signal to reset (restart) the two arithmetic processing circuits 2 and 3.

After stopping the output of the alternating signals CMPa and CMPb indicating that the collation results are different between the systems to the collation circuit 4, the two arithmetic processing circuits 2 and 3 are reset (restarted) so that the collation circuit 4 Therefore, the safety relay is not dropped by the state signal FS, the data collation between the systems is performed again, and the system operation is continued.
Here, the cause of the difference in verification results between systems is not a temporary one, but is due to a fixed failure. Even in data verification after reset (restart), the verification results differ between systems and As a result of repetition, when the number of times AN (the number of resets) is equal to or greater than the threshold value SL, alternating signals CMPa and CMPb indicating that the collation results are different between the systems are output to the collation circuit 4, and the two arithmetic processing circuits 2, 3 is stopped, and as a result, the state signal FS output from the verification circuit 4 is maintained at a high level or a low level, and the safety relay drops, so that the power supply to the external control target device is not performed. Shut off and stop system operation.

That is, even if the collation results differ between the systems, there is a possibility that the number of times until the number of times reaches the threshold value SL, it may be due to a temporary factor, so the output of the alternating signals CMPa and CMPb to the collation circuit 4 is stopped. The system operation is continued by resetting, but if the number of times the verification results differ between systems reaches the threshold value SL, a fixed failure may have occurred. By outputting the signals CMPa and CMPb to the verification circuit 4, the safety relay is turned off by the status signal FS from the verification circuit 4, and the system operation is stopped.
Therefore, when collation results differ between systems due to transient factors, the system operation is not immediately stopped, and it is possible to suppress an excessive decrease in the system operation rate. If it occurs and the state where the verification result is different between systems is repeated (when the verification result is different between systems frequently), fail safety of the system can be realized by shutting off the power by dropping the safety relay .

The same processing is performed in the collation result comparison unit 310 on the B-system arithmetic processing circuit 3 side, and a series of collation processing is synchronized with each other in accordance with the same clock signal CLK0 in the two arithmetic processing circuits 2 and 3. Executed.
When the reset signal is output from at least one of the collation result comparison unit 210 on the A system arithmetic processing circuit 2 side and the collation result comparison unit 310 on the B system arithmetic processing circuit 3 side, The arithmetic processing circuits 2 and 3 are reset (restarted).

  Here, the number of times ANa counted on the A-system arithmetic processing circuit 2 side and the number of times ANb counted on the B-system arithmetic processing circuit 3 side are mutually passed, and each of the two arithmetic processing circuits 2 and 3 The larger number of times AN and the threshold value SL are compared, and the output of the reset signal can be controlled based on the comparison result.

Next, the collating process in the duplex arithmetic unit will be described with reference to the flowchart of FIG. Although the flowchart of FIG. 2 is described corresponding to the processing of both the A-system and B-system arithmetic processing circuits 2 and 3, the description will be focused on the processing in the A-system arithmetic processing circuit 2.
First, when the timing completion signal TUPb is input (step S501), the inspection unit 201 determines whether or not the change ΔTa in the timer value Ta is a predetermined value N (step S502).

If the change Ta is deviated from the predetermined value N as a result of the determination in the inspection unit 201, the failure detection unit 200 detects the occurrence of a failure (step S516).
Next, the timer value Ta is output from the monitoring timer unit 202 to the B-system arithmetic processing circuit 3 (step S503), and the inspection unit 201 receives the timer value Tb input from the B-system arithmetic processing circuit 3 (other system). And the timer value Ta in the own system are compared (step S504). As a result of the comparison between the timer value Tb and the timer value Ta, if these values do not match, the failure detection unit 200 detects the occurrence of a failure (step S516).

Next, the output unit 206 outputs data Da (positive data) to the B system arithmetic processing circuit 3 (step S505), and the collation unit 208 uses the data Db input from the B system arithmetic processing circuit 3 and the storage unit 205. Is collated with the data DATAa read out from, and an alternating signal CMPa indicating the result is output to the collation result comparison unit 210 of the own system and the collation result comparison unit 310 of the other system together with the collation circuit 4 (step S506).
Next, the output unit 206 outputs data Da (negative data) obtained by performing the logical inversion process on the data DATAa to the B-system arithmetic processing circuit 3 (step S507).

  Then, the collation unit 208 collates the data Db (negative data) obtained by logically inverting the data DATAb in the B-system arithmetic processing circuit 3 and the data DATAa (positive data) read from the storage unit 205. Then, the alternating signal CMPa indicating the result is output to the own collation result comparison unit 210 and the other collation result comparison unit 310 (step S508).

Thus, in the comparison between the data Da and the data Db, as described above, the data Db as it is (positive data) and data obtained by inverting the data Db (negative data) are alternately compared with the data Da. Thus, in the normal state in which the data Da and the data Db match, the matching result repeats matching / mismatching, and the alternating signal CMPa that repeats high level and low level corresponding to the repetition of matching / mismatching is obtained. It is to be generated.
In the figure, “(P)” represents positive data that has not undergone logic inversion processing, while “(N)” represents negative data that has undergone logic inversion processing.

Next, the collation result comparison unit 210 compares the alternating signal CMPa indicating the collation result in the A system with the alternating signal CMPb indicating the collation result in the B system, and determines whether or not they match. Judgment is made (step S509).
If they match, the collation result comparison unit 210 outputs the input alternating signal CMPb (or alternating signal CMPa) to the collation circuit 4 as it is.
On the other hand, in the case of a mismatch, the accumulated number AN stored in the number storage unit 211 is read, the accumulated number AN is increased by 1 in response to the current mismatch determination, and the accumulated number AN after the increase is increased by the number storage unit. 211 is updated and stored (step S510).

Note that the initial value of the integration number AN is 0, and indicates the integration result from the initial state where the verification result in the A system differs from the verification result in the B system.
Next, the increased number of times ANa is output to the collation result comparison unit 310 of the B-system arithmetic processing circuit 3 (step S511). Further, the integration number ANa counted by the own system and the B-system arithmetic processing circuit 3 are input. Based on the number of integrations ANb in the B system, the number of integrations ANR used to determine whether or not to perform the reset process is set (step S512).
Here, for example, the larger one of the integration number ANa counted in the own system and the B system integration number ANb input from the B system arithmetic processing circuit 3 can be set as the integration number ANR. Further, the integration number AN counted by the own system can be set as the integration number ANR as it is without passing the integration number AN between the systems. Further, when the number of integrations AN counted by the own system is larger than the number of integrations AN counted by the other system, or when the number of integrations AN counted by the own system and the number of integrations AN counted by the other system differ. The number of times ANR can be forcibly set to a predetermined maximum value (> threshold SL) to output a reset signal.

Next, the collation result comparison unit 210 determines whether or not the cumulative number ANR is equal to or greater than a threshold SL stored in advance (step S513). Here, if the integration number ANR is less than the threshold SL (0 ≦ ANR <SL), the output of the input alternating signal CMPb (or the alternating signal CMPa) to the verification circuit 4 is stopped and the reset circuit 6 is stopped. To instruct the output of the reset signal.
Upon receiving the reset signal output instruction, the reset circuit 6 outputs a reset signal to each of the two arithmetic processing circuits 2 and 3, and resets (restarts) the two arithmetic processing circuits 2 and 3 (step S514). Execute the matching process again.

In the above reset processing, the output of the input alternating signal CMPb (or alternating signal CMPa) to the verification circuit 4 is stopped, so that the safety relay does not drop and the two arithmetic processing circuits 2 and 3 are turned on. If the data collation is performed again after returning to the initial state, and the collation result returns to the matching state, the state signal FS output from the collation circuit 4 continues alternating.
The threshold value SL is preliminarily adapted as a value that allows the operation to be continued within a range in which fail-safeness of the system can be ensured when the collation result does not match due to a temporary factor.
In addition, as described above, the reset processing of the arithmetic processing circuits 2 and 3 by the reset circuit includes the processing of returning the arithmetic processing circuits 2 and 3 to the initial state at the time of power-on and performing data collation again, as well as the initial state. It shall include the process of redoing only the collation sequence without returning.

As a result, when the verification result temporarily becomes inconsistent due to a temporary factor, it is possible to prevent the safety relay from immediately dropping and stopping the operation. Can be improved.
Further, if the cumulative number AN counted in the own system and the cumulative number AN counted in the other system are passed between the systems, and the reset signal output is controlled based on the larger cumulative number AN, the number of times is stored. When the counting results differ between the systems due to failure of the units 211 and 311, it is possible to prevent the system operation from being continued excessively by resetting, and to lead the system to the safer side.

On the other hand, when the cumulative number of times ANR is equal to or greater than the threshold SL, the mismatch in the collation result between the A system and the B system is not a temporary one, but some failure / abnormality continuously occurs. Can be estimated.
Therefore, when the cumulative number ANR is equal to or greater than the threshold value SL, the input alternating signal CMPb (or alternating signal CMPa) is output to the collating circuit 4 and the reset circuit 6 is instructed to output a reset signal. First, the collation circuit 4 changes the status signal FS to the high level or the low level based on the fact that the alternating signal CMPa indicating the verification result in the A system and the alternating signal CMPb indicating the verification result in the B system do not match. As a result, the safety relay drops, the power supply to the external control target device is cut off, the system operation is stopped, and the system is made safe (step S515).

In this embodiment, the soundness of the number storage units 211 and 311 is checked by using the startup time, the idle time, and the like, and the integration number AN stored in the number storage units 211 and 311 is fixed within the threshold SL. The system operation is allowed after confirming that no failure has occurred. As a soundness check of the number storage units 211 and 311, for example, a check method in which redundant codes (SUM values and CRCs of the entire number storage units 211 and 311) are added and stored data and codes are checked can be applied.
For example, the accumulated number AN stored in the number-of-times storage units 211 and 311 is reset to 0 when a state in which the matching results match continues for a set time or longer, or if the system operates on a daily basis, It can be reset to 0 when the system is stopped at the end, or can be reset to 0 by an initialization process when the system is started by operating the power switch.
In addition, when credibility is not obtained in the stored values of the number storage units 211 and 311 by the soundness check of the number storage units 211 and 311 described above, initialization of the integration number AN is attempted (reset to 0), and initialization is performed. If the system operation is successful, the system operation can be continued. If the initialization is not successful, the system operation can be stopped.

FIG. 3 is a time chart showing the operation of the collation process. Here, the symbols Ap1 to Ap3 and the symbols Bp1 to Bp3 represent positive data of the A system and the B system, respectively, and the symbols An1 to An3 and the symbols Bn1 to Bn3 represent the negative data of the A system and the B system, respectively. .
Since the A-system arithmetic processing circuit 2 and the B-system arithmetic processing circuit 3 are synchronized with the same clock signal CLK0, they respectively output the timing completion signals TUPa and TUPb at the same timing.
Therefore, the A-system arithmetic processing circuit 2 and the B-system arithmetic processing circuit 3 respectively output data Da and Db at the same timing, and the collation units 208 and 308 can perform collation processing at the same timing.

Since the data Da and Db repeat the positive data and the negative data alternately every half cycle of the timing completion signals TUPa and TUPb, respectively, the alternating signals CMPa and CMPb are high signals indicating coincidence at the normal time when the data coincides. The level and the low level indicating inconsistency are alternately repeated. At this time, as described above, the collation circuit 4 outputs the state signal FS that alternates in the same manner as the alternating signals CMPa and CMPb.
On the other hand, as shown in FIG. 4, when error data Ep is generated in the data DATAa, the error data Ep, En and the data Bp2, Bn2 are collated, and as a result, the abnormality is detected at the timing indicating the original match. However, until the number of times AN in which the mismatch of the collation results is detected becomes equal to or greater than the threshold SL, the collation is performed again by reset. When the number AN exceeds the threshold SL, the state signal FS output from the collation circuit 4 is generated. The safety relay is dropped so that it is held at one level.

In the above embodiment, the alternating signals CMPa and CMPb, which are the outputs of the matching units 208 and 308, are input to the matching circuit 4 via the matching result comparison units 210 and 310. Alternatively, the alternating signals CMPa and CMPb may be input directly to the verification circuit 4 from 308. However, in the above configuration, if the collation result between the A system and the B system does not match, even if the reset is performed, the alternating of the state signal FS output from the collation circuit 4 stops and the safety relay operates. Since it will fall, it is good to make a safety relay return immediately with reset operation.
In addition, the application range of the duplex computing device according to the present invention is not limited to the railway field device, and the present invention also applies to devices in other fields that require fail-safety, such as a device mounted on an aircraft. It goes without saying that it is within range.
Although the contents of the present invention have been specifically described above with reference to the preferred embodiments, it is obvious that those skilled in the art can take various modifications based on the basic technical idea and teachings of the present invention. It is.

DESCRIPTION OF SYMBOLS 1 Oscillator 2, 3 Arithmetic processing circuit 4 Collation circuit 5 Test oscillator 6 Reset circuit 205,305 Data storage part 206,306 Intersystem output part 207,307 Data processing part 208,308 Collation part 209,309 Intersystem input part 210 , 310 Matching result comparison unit 211, 311 Count storage unit CLK0 Clock signal CLK1 Test clock signal TUPa, TUPb Timing completion signal CMPa, CMPb Alternate signal Ta, Tb Timer values DATAa, DATAb Data

Claims (4)

A first arithmetic processing means and a second arithmetic processing means for performing the same processing synchronously;
Resetting means for outputting a reset signal for resetting the first arithmetic processing means and the second arithmetic processing means,
Each of the first arithmetic processing means and the second arithmetic processing means reads the data of the other system and collates it with the corresponding own system data, and also reads the collation result in the other system, and collates differently between the systems. Counts the number of times the result is obtained, instructs the reset means to output the reset signal when the number is less than a threshold, and instructs the reset signal to output when the number exceeds the threshold Duplicate arithmetic unit that stops the operation. A fail-safe that inputs the collation result in the first arithmetic processing means and the collation result in the second arithmetic processing means and stops the operation of the system including the duplex arithmetic unit when the collation results are different between systems. A fail-safe verification means for outputting a signal,
The double operation according to claim 1, wherein when the verification result is different between systems and the output instruction of the reset signal is stopped, the operation of the system is stopped by the output of the fail-safe signal from the fail-safe verification means. Computing device.   Each of the first arithmetic processing means and the second arithmetic processing means reads the number of times counted by the other system, compares the number of times counted by the own system with the number of times counted by the other system, and outputs the reset signal. The duplex arithmetic unit according to claim 1 or 2, which controls an instruction. Oscillating means for supplying a common clock signal to the first arithmetic processing means and the second arithmetic processing means;
Each of the first arithmetic processing means and the second arithmetic processing means outputs a time measurement completion signal to another system at a constant period based on the time measurement by the clock signal, and triggered by the input of the time measurement completion signal, 4. The duplication operation apparatus according to claim 2, wherein data is output to another system in synchronization with a clock signal, and an alternating signal indicating the data verification result is output to the fail-safe verification means.