JP5116609B2 - Multiple electronic interlocking device - Google Patents

Description

  The present invention relates to a multiple electronic interlocking device that controls a traffic light and a switch in a railway station.

  In the conventional multi-system electronic interlocking device, each of the multiplexed arithmetic processing devices captures the same input data in synchronization with each other, executes the same arithmetic processing according to this input data, and performs a signal device, a switch, etc. Generate output data to control field devices. The output data of each arithmetic processing unit is collated by a collation device. If they match, all the arithmetic processing units are normal and output data is actually output to the field equipment. If they do not match, one of the arithmetic processing units As an abnormality, output to on-site equipment is prohibited and the occurrence of the abnormality is notified.

For example, in Patent Document 1, in a computer system for vehicle control such as an electronic interlocking device, processing systems A and B individually process common input information, exchange data obtained by processing, and exchange data. A configuration is disclosed in which matching or mismatching of the received data is determined, and the output circuit outputs a control signal when the data matches.
JP-A-10-129487

  In the conventional multi-system electronic interlocking device, the abnormality of any of the arithmetic processing units becomes apparent only when the collation results of the output data of the arithmetic processing units become inconsistent as described above. When a part of a certain arithmetic processing unit fails, there is a problem that if the input data happens to not require an operation at the failed part, the output data will be matched and the abnormality will be latent.

  Although there is a method of performing a self-diagnosis in each arithmetic processing unit as a countermeasure against such a latent abnormality, there is a case where the self-diagnosis processing unit itself fails and cannot detect the abnormality. In addition, there is a case where the normal state is not uniquely determined for the internal data that changes from time to time, and there is no possibility of self-diagnosis.

  In order to make anomalies that are not reflected in the output data and cannot be detected by self-diagnosis within a certain period of time, as with the output data, the program and internal data of each processing unit (hereinafter referred to as internal status) There is also a method to check periodically. However, if the internal status is collated as it is, the amount of information is larger than that of the output data, which causes a problem that the collation apparatus becomes complicated. The verification device is not subject to multiplexing and should have a simple configuration in order to improve reliability.

  Also, if the internal status verification process is attempted without improving the performance of the arithmetic processing unit, most of the resources will be devoted to the internal status verification with a large amount of information, and the inherent processing of the multi-system electronic interlocking device will be reduced. There was a problem that performance deteriorated.

  An object of the present invention is to provide a highly reliable multiplex system that reveals an abnormality of a processing unit within a certain time by periodically collating the internal statuses of a plurality of processing units after compressing the amount of information. It is to provide an electronic interlocking device.

In order to solve the above problems, the multi-system electronic interlocking device of the present invention is composed of a plurality of arithmetic processing devices and one collation device, and each arithmetic processing device receives its internal status information from a stored memory area. An arithmetic unit that periodically processes data so as to compress the amount of information by specifying and reading a head address, and the collation device is an internal unit in which the amount of information processed by the arithmetic unit of each arithmetic processing unit is compressed It includes a collating unit that collates the status information, the verification device, the internal status information amount of information data processed for each of the processing unit is compressed against respectively the matching unit, the result of the comparison If all match, it is determined that all the processing units are normal, and if they do not match, it is determined that any one of the processing units is abnormal.

According to the present invention, the internal status of a plurality of arithmetic processing devices is collated periodically after compressing the amount of information, whereby a highly reliable multiplex system that reveals abnormalities in the arithmetic processing devices within a certain period of time. An electronic interlocking device can be provided.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
FIG. 1 is a block diagram showing a multi-system electronic interlocking device to which the present invention is applied. The multi-system electronic interlocking device 100 includes two arithmetic processing devices 110A and 110B having a synchronized processing cycle, and one verification device 120.

  First, a data output operation to field equipment, which is a basic operation of the electronic interlocking device, will be described with reference to FIG. In FIG. 5, arithmetic processing devices 110A and 110B receive input data D11 such as a control command to the field device from the course control device 200, and store them as D11A and D11B, respectively. The arithmetic processing devices 110A and 110B also receive input data D12 such as the state of the field device from the field device 300, and store the data as D12A and D12B, respectively.

  The arithmetic processing unit 110A performs arithmetic processing using the output data generation program P10A and the internal data D13A in accordance with the contents of the input data D11A and D12A, and generates output data D14A for controlling field equipment, and a collation unit 120. The arithmetic processing unit 110B performs arithmetic processing using the output data generation program P10B and the internal data D13B in accordance with the contents of the input data D11B and D12B, and generates output data D14B for controlling the field equipment, and the verification device 120.

  As long as one of the arithmetic processing units 110A and 110B does not become abnormal, the programs P10A and P10B are the same and unchanged. The internal data D13A and D13B have the same initial contents, and change to the same contents synchronously according to the input / calculation results of the arithmetic processing devices 110A and 110B unless any of the arithmetic processing devices 110A and 110B becomes abnormal. . Similarly, output data D14A and D14B calculated and generated from the same input data, program, and internal data have the same contents unless one of the arithmetic processing units 110A and 110B becomes abnormal.

  The collation device 120 stores the output data fetched from the arithmetic processing devices 110A and 110B as D15A and D15B, respectively, and collates them with the collation unit 121. If the collation results match, it is determined that both arithmetic processing units 110A and 110B are normal, and one of the output data D15A and D15B is output to the field device. Is determined to be abnormal, the output circuit to the field device is shut off, and the abnormality is notified.

  Next, an internal status collating operation by the multiplex electronic interlocking device of the present invention will be described with reference to FIG.

  In FIG. 1, in the arithmetic processing unit 110A, an internal status machining program P20A periodically operates to generate a machining internal status D21A in which the amount of information is compressed based on programs P10A, P20A and internal data D13A.

  In the arithmetic processing unit 110B, the internal status machining program P20B periodically operates to generate a machining internal status D21B in which the amount of information is compressed based on the programs P10B, P20B and the internal data D13B.

  As long as one of the arithmetic processing units 110A and 110B does not become abnormal, the programs P20A and P20B are the same and unchanged. Similarly, machining internal statuses D21A and D21B generated from the same program and internal data have the same contents unless any of arithmetic processing units 110A and 110B becomes abnormal.

  The collation device 120 stores the internal statuses fetched from the arithmetic processing devices 110A and 110B as D22A and D22B, respectively, and collates them with the collation unit 121. If the collation results match, it is determined that both arithmetic processing units 110A and 110B are normal, and if they do not match, it is determined that one of arithmetic processing units 110A and 110B has become abnormal and output to the field device. The circuit is shut off and an abnormality is notified.

  As one of the processing methods of the internal status according to the present invention, for example, all of the internal statuses of the respective processing units are limited to a limited time in the middle of the night when the control of the field equipment can be stopped once a day. There is a method to process at once.

  As another method, when it is necessary to control field equipment continuously for 24 hours, a certain period of each control cycle is assigned to internal status processing, and the internal status is set to the extent that the processing is completed within that time. There is also a method of dividing and proceeding sequentially. With respect to this latter method, the flow of processing when executed in the arithmetic processing unit processing 110A will be described with reference to FIG.

If the program and internal data are arranged in a continuous memory space with a capacity S [Byte] starting from address A, and the verification from the beginning to the end is performed once a day, the control cycle is T [seconds]. Then, the information amount s [Byte] of the internal status to be processed per control cycle is
s = S × T / 86400
It becomes. The contents of the processes P1 to P5 will be described in the control cycle of the nth time (n = 1, 2,..., (86400 / T)) on that day.

In FIG. 2, in the process P1, the head address a of a part of the internal status to be processed in the current control cycle is obtained as follows.
a = A + (n−1) × s

  In process P2, data of the information amount s [Byte] from address a is copied to the buffer. In the process P3, the program P20A is executed with the data stored in the buffer in the process P2 as an input. In the process P4, the process result return value of the program P20A is stored in the storage area as the internal status D21A. In process P5, the contents of the internal status D21A are sent to the verification device 120.

According to the above method, in this embodiment, if there is an abnormality in any of the arithmetic processing devices of the multi-system electronic interlocking device, it can be revealed within one day at the latest. Further, when the numerical value is less than 1, the time required for revealing the abnormality can be shortened according to the value, and the reliability of the multiple electronic interlocking device can be improved.
{(Time required for machining internal status) + (Time required for transmission / verification of machining internal status)} / (Time required for transmission / verification of unprocessed internal status)

  A case where an MD5 hash function is implemented as an example of the programs P20A and P20B in this embodiment will be described. The MD5 hash function is a one-way summary function that outputs a 128-bit hash value for a given input. In the arithmetic processing unit 110A, if the internal status processing internal program P20A is the MD5 hash function, the information amount of the internal status D21A is 128 bits.

  Generally, the amount of information in the internal program and internal data of the arithmetic processing unit of the multi-system electronic interlocking device is not less than 128 bits. Therefore, the collation device 120 is the data amount of the output data D15A, D15B or 128 bits, whichever is larger. It is possible to have a simple configuration that only needs to be able to collate, and the time required for collation can be reduced.

Similarly, the transmission path between the arithmetic processing devices 110A and 110B and the collation device 120 can also have a simple configuration that only needs to be able to transmit the above-mentioned information amount of data within a certain period of time. Also, the time required for transmission can be reduced.
A problem associated with the compression of the amount of information is that data with different contents can be compressed to produce the same result. In the present invention, this phenomenon leads to overlooking an abnormality of a certain arithmetic processing unit. In MD5 hash function, the probability that the same hash value is generated by inputting different contents is:
(1/2) ^{(Hash value bit number / 2)} = 0.5 ⁶⁴ = 5.4 × 10 ⁻²⁰
For example, when the verification is performed 3.6 × 106 times per hour, the abnormality miss probability per multiplex electronic interlocking device is 1.9 × 10 ⁻¹³ [1 / hour].

This abnormality overlook probability needs to be a value smaller than the dangerous failure rate allowed for the device, but generally the dangerous failure rate allowed for a railway security device such as an electronic interlocking device is 10 ⁻⁸ to It is about 10 ⁻⁹ [1 / hour], which satisfies this condition.

  Next, a multiple electronic interlocking device according to a second embodiment of the present invention will be described with reference to FIG. The multi-system electronic interlocking device of Embodiment 2 has a configuration capable of switching control between collation of output data and collation of internal machining status.

  In FIG. 3, the arithmetic processing devices 110A and 110B receive input data D11 such as a control command to a field device from the route control device 200, and store them as D11A and D11B, respectively. The arithmetic processing devices 110A and 110B also receive input data D12 such as the state of the field device from the field device 300, and store the data as D12A and D12B, respectively.

  The arithmetic processing unit 110A performs arithmetic processing using the output data generation program P10A and the internal data D13A in accordance with the contents of the input data D11A and D12A, generates output data D14A for controlling field devices, and generates a switching circuit. Send to P40A. The arithmetic processing unit 110B performs arithmetic processing using the output data generation program P10B and the internal data D13B in accordance with the contents of the input data D11B and D12B, generates output data D14B for controlling field devices, and generates a switching circuit. Send to P40B.

  As long as one of the arithmetic processing units 110A and 110B does not become abnormal, the programs P10A and P10B are the same and unchanged. The internal data D13A and D13B have the same initial contents, and change to the same contents synchronously according to the input / calculation results of the arithmetic processing devices 110A and 110B unless any of the arithmetic processing devices 110A and 110B becomes abnormal. . Similarly, output data D14A and D14B calculated and generated from the same input data, program, and internal data have the same contents unless one of the arithmetic processing units 110A and 110B becomes abnormal.

  The collation device 120 stores the output data fetched from the arithmetic processing devices 110A and 110B via the switching circuit P40A and the switching circuit P40B as collation data D23A and D23B, respectively, and collates them by the collation unit 121. If the collation results match, it is determined that both arithmetic processing units 110A and 110B are normal, and one of the output data D15A and D15B is output to the field device. Is determined to be abnormal, the output circuit to the field device is shut off, and the abnormality is notified.

  At the time of execution of the internal status processing, in the arithmetic processing unit A system, the internal status processing program P20A of the calculation unit operates, and the output generation program P10A, the data of the internal data D13A, or the data of the internal status processing program P20A is read. Then, data processing such as calculation of the hash value is performed, the return value of the processing result is stored in the storage area as the internal processing status D21A, and the content of the internal processing status D21A is sent to the switching circuit P40A.

  Similarly, in the arithmetic processing unit B system, the internal status processing program P20B of the arithmetic unit operates, and the output generation program P10B, the internal data D13B data, or the internal status processing program P20B data is read and hashed. Data processing such as value calculation is performed, the return value of the processing result is stored in the storage area as the internal processing status D21B, and the content of the internal processing status D21B is sent to the switching circuit P40B.

  The collation device 120 stores the internal machining status D21A and the internal machining status D21A captured from the arithmetic processing units 110A and 110B via the switching circuit P40A and the switching circuit P40B, respectively, as collation data D23A and D23B, and these are collation units. Check at 121. If the verification results do not match, it is determined that one of the arithmetic processing units 110A and 110B is abnormal, the output circuit to the field device is shut off, and the abnormality is notified.

  FIG. 4 is a flowchart showing the operation of the multiplex electronic interlocking device according to the second embodiment of the present invention shown in FIG. In FIG. 4, when the operation of the electronic interlocking device is started, it is determined in processing P0 whether or not the internal status processing is collation.

  For collation of internal status processing, in process P1, the start address of a part of the internal status to be processed in the current control cycle is obtained, and in process P2, data of information amount s is copied from address a to the buffer. In the process P3, the program P20A is executed with the data stored in the buffer in the process P2 as an input. In the process P4, the process result return value of the program P20A is stored in the storage area as the internal machining status D21A. In process P5, the internal machining status D21A is sent to the switching device.

  In process P11, the internal machining status and the output data are switched by the switching circuit, and the internal machining status fetched from the arithmetic processing device is stored as collation data. In process P12, the collation device 120 collates them with the collation unit 121. . If the result of collation does not match in process P13, it is determined that one of the arithmetic processing units 110A and 110B is abnormal, and in process P14, the output circuit to the field device is shut off, and the abnormality is notified. If the result of collation does not match in process P13, the process returns to process P0.

  In the process P0, when the internal status processing is not collated, a normal output data generation process is performed. In the process P6, the data input D11 from the route control device 200 to the electronic interlocking device 100 is performed, and in the process P7. The input data D11 is stored in each memory of the multiplex system. In process P8, output data generation processing is performed by the output data generation program. In process P9, the processing result is stored as output data. The output data is sent to the switching device.

  In the process P11, the internal processing status and the output data are switched by the switching circuit, and the output data fetched from the arithmetic processing device is stored as the collation data. In the process P12, the collation device 120 collates them with the collation unit 121. If the result of collation does not match in process P13, it is determined that one of the arithmetic processing units 110A and 110B is abnormal, and in process P14, the output circuit to the field device is shut off, and the abnormality is notified. If the result of the collation does not match in process P13, output data is output and the process returns to process P0.

  According to the above method, in the second embodiment, in the multi-system electronic interlocking device, the normal output data generation processing and the internal status processing processing can be switched, and the output data and the internal status processing data can be verified by the same verification device. If there is an abnormality in any of the arithmetic processing units, the abnormality can be revealed early.

It is a block diagram regarding internal status processing / collation of the multiplex system electronic interlocking device of Example 1 of the present invention. It is a flowchart of a process example of the internal status processing of A system shown in FIG. It is a block diagram regarding internal status processing / collation of the multiplex system electronic interlocking device of Example 2 of the present invention. It is a flowchart of operation | movement of the multiplex system electronic interlocking device shown in FIG. It is a block diagram regarding output data generation / collation of a multi-system electronic interlocking device to which the present invention is applied.

Explanation of symbols

DESCRIPTION OF SYMBOLS 100 Multiple-system electronic interlocking device 110 Arithmetic processing device 120 Collation device 200 Course control device 300 Field device P10 Output data generation program P20 Internal status processing program P40 Switching circuit D11 Input data from route control device D12 Input data from field device D13 Data in the processing unit D14 Output data in the processing unit D15 Output data in the verification unit D21 Processing internal status in the processing unit D22 Processing internal status in the verification unit D23 Verification data in the verification unit

Claims (5)

In a multi-system electronic interlocking device composed of a plurality of arithmetic processing devices and a single collating device, each arithmetic processing device reads the internal status information by specifying the head address from the stored memory area and reads the amount of information. Computation unit that periodically processes data so as to compress, and the collation device comprises a collation unit that collates internal status information in which the amount of information processed by the arithmetic unit of each arithmetic processing unit is compressed The collating device collates the internal status information in which the amount of information processed for each arithmetic processing device is compressed by the collating unit, and if the collation results match, all the arithmetic processing devices are normal. A multi-system electronic interlocking device characterized by determining that any one of the arithmetic processing devices is abnormal if they do not match.   2. The multi-system electronic interlocking device according to claim 1, wherein the arithmetic unit stores a memory for generating output data for performing output processing in each arithmetic processing device and internal data for performing the output processing. 3. A multi-system electronic interlocking device characterized in that information read by specifying a head address from the data is processed as the internal status information.   2. The multi-system electronic interlocking device according to claim 1, wherein the computing unit includes the internal data in addition to a program for generating output data for performing output processing in each of the arithmetic processing devices and internal data for performing the output processing. Also for an internal status processing program for compressing status information, information read out by specifying a head address from a stored memory area is processed as the internal status information. Interlocking device. 2. The multi-system electronic interlocking device according to claim 1, wherein the collation device that collates the data-processed internal status information can also collate each output data that is output by each arithmetic processing unit. A multi-system electronic interlocking device comprising a circuit.   5. The multi-system electronic interlocking device according to claim 1, wherein the arithmetic unit cycles the hash value of the internal status information in order to compress the amount of information of the internal status information of each arithmetic processing unit. Multi-system electronic interlocking device, characterized in that it calculates automatically.

Images