JP5563700B2 - Control device - Google Patents

Description

  The present invention relates to a control device including a programmable electronic device.

  In potentially dangerous process facilities such as nuclear power plants and chemical plants, in order to reduce the impact on workers and the surrounding environment in the event of an emergency, passive measures such as protective equipment such as partition walls, emergency stop devices, etc. Active measures using safety devices are taken. Of these, control of safety devices and the like has been conventionally realized by electromagnetic and mechanical means such as relays.

  However, in recent years, with the development of technology in programmable control equipment represented by programmable electronic devices (Programmable Logic Controller: PLC), there is an increasing need to use these as control means of a safety control system.

  For example, IEC61508 is an international standard issued in response to such a trend, and requirements for using an electrical / electronic / programmable electronic device as part of a safety control system are defined. (Non-Patent Document 1).

  In IEC61508, Safety Integrity Level (SIL) is defined as a measure of the capability of a safety control system, and requirements of levels corresponding to levels from 1 to 4 are defined. The higher the SIL, the greater the degree to which the potential danger of the process equipment can be reduced. That is, it means how reliably predetermined safety control can be performed when an abnormality in the process equipment is detected.

  Even if the safety control device is inactive in the normal operation state, it is required to be activated immediately when an abnormality occurs in the process equipment. Therefore, it is important to always perform self-diagnosis and check its own soundness. In addition, in a safety control system that requires a high SIL, it is necessary to perform a wide range and high accuracy self-diagnosis in order to minimize the probability that the system will not operate due to an undetected failure.

  In IEC61508, self-diagnosis techniques to be applied are introduced for each type of component parts constituting the safety control device, and the effectiveness of each technique is shown in the form of a diagnostic rate. The diagnosis rate indicates the proportion of failures that can be detected when the diagnosis technique is adopted among all failures in each component. For example, it is said that a diagnosis rate of up to 99% can be claimed in the RAM diagnostic technique “abraham” (Patent Document 2).

  In addition, a method of monitoring the consistency of the output results of each other using a plurality of processors is effective as a failure detection means for a processor that is one of the components of the PLC.

  As a method for mutually diagnosing the outputs of a plurality of processors, it is effective to perform a similar control process at the same time and confirm that the outputs match each other.

  For example, there is a technique in which the outputs of a plurality of processors operating asynchronously are collated to detect immediately even if a processor fails (Patent Document 1).

JP 2007-11639 A US Registration No. 6779128

IEC 61508-1 to 7, “Functional safety of electrical / electronic / programmable electronic safety-related systems” part 1 to part 7

  In the device described in Patent Document 1, the processor can be diagnosed by the processor verification means. However, when a failure occurs in the memory interface from the output of the processor verification means to the main memory, there is no hardware detection means, so failure detection by software must be performed. In the diagnosis process by the processor software, the memory interface can be diagnosed by comparing the read / write-back value with the expected value in the memory. However, there is a problem that during the actual operation period between the n-th diagnosis process and the (n + 1) -th diagnosis process, an abnormality may not be detected and the operation may continue without being unstable.

  The present invention has been made in view of such a point, and an object of the present invention is to be able to immediately and surely detect a failure and prevent it from being processed in an unstable state.

In order to solve the above problem, the control device of the present invention creates a first error detection code from first information stored in the main memory as a result of the first processor executing a predetermined program, and stores it in the main memory in advance. a first code generator which detect the in abnormality by comparing the second stored information is an error detection code which has been, the second processor being configured to output a first processor and the same operation result program create a second error detection code from the second information stored in the main memory as a result of performing, and a second code generator to detect the in abnormality by comparing the second storage information. Further, when the first processor and / or the second processor reads the first information or the first memory information as the second information from the main memory, it is necessary for the first memory information and the second memory information read from the main memory. When the error correction is performed according to the correction processing unit supplied to the first code generation unit and the second code generation unit, and the first code generation unit detects a mismatch between the first error detection code and the second storage information And / or when the second code generation unit detects a mismatch between the second error detection code and the second storage information, the first processor reads the first storage information from the main memory, and the second processor stores the second memory. An interrupt control unit that prohibits an operation of reading information from the main memory. Further, it detects whether the first information and the second information are the same and reports them to the interrupt control unit, and detects whether the first error detection code and the second error detection code are the same. By reporting to the interrupt control unit, when the first error detection code and the second error detection code are not the same, it is prohibited to write the first information or the second information to the main memory as the first storage information A part.

  In the control apparatus of the present invention, the collation unit detects whether the first information and the second information match at the time of writing, so that the first processor, the second processor, and these processors and the collation unit are present. Detects a failure with the bus interface. Then, the collation unit detects whether the first error detection code and the second error detection code match, so that the first code generation unit, the second code generation unit, and between these generation unit and the collation unit A failure of a certain bus interface is detected.

  That is, in the control device of the present invention, the collation unit can always detect a bit error occurring in the first information or the second information. The collation unit controls the writing of the first information and the second information to the main memory based on the detected bit error. Therefore, in the present invention, when a bit error occurs due to a failure of each processor or each bus interface during writing, the first information or the second information can be prevented from being written to the main memory.

  In the control device of the present invention, the collation unit detects whether the first information and the second information match at the time of reading, so that the first processor, the second processor, and these processors and the collation unit are present. Detects a failure with the bus interface. The first verification unit prevents the stored information from being read from the main memory when a failure is detected.

  When the storage information is read from the main memory, the first code generation unit is configured such that the first storage information of the storage information and the error detection code newly generated from the first information are the same as the second storage information of the storage information. By detecting whether or not there is, a failure of the main memory and a bus interface between the main memory and the first code generation unit is detected. Further, the second code generation unit detects whether or not the error detection code newly generated from the first storage information and the second information of the storage information is the same as the second storage information of the storage information. The failure of the main memory and the bus interface between the main memory and the first code generation unit is detected.

  The first code generation unit and the second code generation unit do not input the first storage information to each of the first processor and the second processor when any one of the code generation units detects a failure. ing. Therefore, in the present invention, when a bit error occurs due to a failure of each processor or each bus interface during reading, the first storage information is input to the first processor and the second processor without erroneously detecting the bit error. You can not let it.

  According to the present invention, a failure occurring in each processor or each bus interface can be reliably detected. When a failure is detected during writing, writing of information to the main memory is prohibited, and when a failure is detected during reading, input of information to each processor is prohibited. That is, it is possible to prevent the failure from being detected immediately and reliably and continuing to be processed in an unstable state. Thereby, safety is further improved.

It is a block diagram which shows a control system. It is a block diagram which shows the CPU apparatus to which the control apparatus which concerns on one Embodiment of this invention is applied. It is a block diagram which shows A system CRC circuit. It is a block diagram which shows an ECC circuit. It is a state transition diagram showing the transition of the mode of the CPU device. It is a timing chart which shows operation | movement of CPU apparatus to which the control apparatus which concerns on one Embodiment of this invention is applied. It is a timing chart which shows operation | movement of CPU apparatus to which the control apparatus which concerns on one Embodiment of this invention is applied. It is a timing chart which shows operation | movement of CPU apparatus to which the control apparatus which concerns on one Embodiment of this invention is applied. It is a table | surface which shows the failure detection range of CPU apparatus to which the control apparatus which concerns on one Embodiment of this invention is applied.

  Hereinafter, the best mode for carrying out the invention (hereinafter referred to as “embodiment”) will be described in the following order. The embodiments described below are preferred specific examples of the present invention. Therefore, various technically preferable limitations are attached. However, the scope of the present invention is not limited to these embodiments unless otherwise specified in the following description. For example, the numerical conditions of each parameter given in the following description are only suitable examples, and the dimensions, shapes, and arrangement relationships in the drawings used for the description are also schematic.

1. Embodiments (1) Configuration of control system (2) Configuration of CPU device (3) Example of configuration of A system CRC circuit (4) Example of configuration of ECC circuit (5) Mode transition of CPU device (6) CPU device (7) CPU device failure detection range

<1. One Embodiment>
[Control system configuration]
Examples of embodiments of the present invention will be described below with reference to FIGS.
FIG. 1 is a block diagram showing a control system 101 according to an embodiment of the invention.
The control system 101 includes a CPU device 102, a higher-level device 103, a lower-level device 104, and a control target 105.

  The host device 103 stores a predetermined program and is connected to the CPU device 102 via the network 106.

  The CPU device 102 downloads a predetermined program from the host device 103 via the network 106, and performs an operation based on the program. The CPU device 102 is also connected to the lower level device 104 via the network 106, and outputs the calculation result to the lower level device 104 via the network.

  As will be described later, the CPU device 102 includes a plurality of processors, and performs calculation based on a program in either the general mode or the safety mode. The general mode is a mode in which each processor performs independent calculations. The safety mode is a mode in which the soundness of the processor is confirmed by performing the same operation in each processor and verifying whether or not the operation result is the same. Further, the CPU device 102 may operate in a test mode. The test mode is a mode for verifying whether or not the CPU device 102 normally operates based on a test program stored in the CPU device 102 in advance. The CPU device 102 in the general mode and the safety mode basically inputs the calculation result to the lower device 104, but the CPU device 102 in the test mode outputs nothing to the lower device 104. That is, the test mode is performed when the CPU device 102 is not controlling the lower device 104. Note that switching between the general mode, the safety mode, and the test mode is performed by a scheduler set in the CPU device 102 in advance.

  The lower level device 104 is an interface for inputting / outputting control information to / from the control target 105. The lower level device 104 is connected to the control target 105 and operates the control target 105 based on the calculation result input from the CPU device 102. The control object 105 is a process facility with high potential danger such as a nuclear power plant or a chemical plant, which requires safety when performing control.

[Configuration of CPU device]
Next, the CPU device 102 constituting the control system 101 will be described with reference to FIG.
FIG. 2 is a block diagram showing the CPU device 102. Note that the CPU device 102 shown below assumes a case where the CPU device 102 performs calculations in the safety mode based on a program downloaded from the host device 103. However, only when the CPU device 102 downloads a predetermined program from the host device 103, an operation different from the safety mode is performed.

  First, a configuration used when the CPU device 102 downloads a predetermined program from the host device 103 will be described. The configuration used in the CPU device 102 at this time is an A-system processor 202, a B-system processor 203, a part of the control device 204, and a main memory 205. A part of the control device 204 is a network controller 206, a CRC circuit 207, and an ECC circuit 232. Hereinafter, in this example, the case where there are two processors, the A-system processor 202 and the B-system processor 203, constituting the CPU device 102 will be described. However, the number of processors is not limited, and the present invention is restricted thereby. There is no.

  Download of a predetermined program from the host apparatus 103 is performed in the multitask mode, that is, either the A-system processor 202 or the B-system processor 203. At this time, the network controller 206 acquires a 32-bit data string as a program from the higher-level device 103 via the network 106. The network controller 206 includes a DMA (Direct Memory Access) controller (not shown) and determines in which position in the main memory 205 the program is to be written. That is, a 32-bit wide data string as an address is generated. The network controller 206 is connected to the CRC circuit 207 and the ECC circuit 232, and outputs the program acquired from the host device 103 and the generated address to the CRC circuit 207 and the ECC circuit 232.

  The CRC circuit 207 generates 8-bit CRCC (Cyclic Redundancy Check Codes) from a 64-bit wide data string combining the address and program input from the network controller 206. The CRC circuit 207 is connected to the ECC circuit 232 and outputs the generated CRCC to the ECC circuit 232. The ECC circuit 232 generates an ECC (Error-Correcting Code) of an 8-bit data string from a total 72-bit data string including the CRCC, the program body, and the address, and stores the program body, CRCC, and ECC in the main memory 205. Write to. The ECC circuit 232 is also used in the safety mode calculation. Therefore, a more detailed description of the ECC circuit 232 will be described in a place where the configuration related to the safety mode is described.

  The main memory 205 has three areas: a data storage area 229, a CRCC storage area 230, and an ECC storage area 231. The data storage area 229 is an area where a program is written. The CRCC storage area 230 is an area in which CRCC generated by the CRC circuit via the network controller 206 is written. The ECC storage area 231 is an area in which ECC generated by the ECC circuit 232 via the network controller 206 is written.

  Next, a configuration used when the CPU device 102 performs a calculation in the safety mode based on a program downloaded from the host device 103 will be described. The configuration used in the CPU device 102 at this time is an A-system processor 202, a B-system processor 203, a control device 204 excluding the CRC circuit 207, and a main memory 205.

  The A system processor 202 executes a predetermined program downloaded from the host device 103 to process a task. At this time, some tasks write / read information to / from the main memory 205 via the control device 204. The A-system processor 202 is connected to the control device 204 via the A-system processor bus 208, and inputs / outputs information to / from the control device 204 via the A-system processor bus 208. At the time of writing, the A-system processor 202 outputs the address, data, and command to the control device 204 via the A-system processor bus 208. On the other hand, at the time of reading, the A-system processor 202 outputs an address and a command to the control device 204 via the A-system processor bus 208.

  Data and address are 32-bit wide data strings. On the other hand, the command is 1-bit data for controlling the control device 204 and the main memory 205. In this example, it is assumed that the control device 204 and the main memory 205 perform an operation corresponding to writing when the command is ‘1’, and perform a read operation when the command is ‘0’.

  The B processor 203 has the same function as the A processor 202. That is, when the B processor 203 executes a predetermined program downloaded from the host device 103 to process a task, the B processor 203 writes / reads information or the like corresponding to the task to the main memory 205 via the control device 204 This is what we do. The B-system processor 203 is connected to the control device 204 via the B-system processor bus 211, and inputs / outputs information to / from the control device 204 via the B-system processor bus 211. At the time of writing, the B processor 203 outputs the address, data, and command to the control device 204 via the B processor bus 211. On the other hand, at the time of reading, the B processor 203 outputs an address and a command to the control device 204 via the B processor bus 211.

The control device 204 detects whether or not there is a failure in each block and bus constituting the control device 204, the A-system processor 202, the B-system processor 203, and the main memory 205.
The control device 204 includes an A-system CRC circuit 209, a B-system CRC circuit 212, a verification circuit 214, an ECC circuit 232, and an interrupt control unit 220. Further, the control device 204 includes a network controller 206 and an output changeover switch 221.

  The A-system CRC circuit 209 is a circuit that generates a CRCC from a data string of a predetermined number of bits having a bit width.

The A-system CRC circuit 209 of this example performs different processing at the time of writing and at the time of reading.
The A-system CRC circuit 209 at the time of writing generates a CRCC from a 64-bit wide data string that combines the address and data input from the A-system processor 202. The A system CRC circuit 209 is connected to the verification circuit 214 via the A system CRCC bus 210, and outputs the generated CRCC to the verification circuit 214.

  The A-system CRC circuit 209 at the time of reading newly generates a CRCC from a 64-bit wide data string that combines the address input from the A-system processor 202 and the data written to the main memory 205 at the time of writing. Then, it is determined whether the CRCC stored in the main memory 205 and the newly generated CRCC are the same data string.

  The A-system CRC circuit 209 is connected to the interrupt control unit 220 and generates a logic signal (hereinafter referred to as “A-system CRCC verification mismatch”) based on the determination result (match / mismatch). Output to the controller 220.

  The B-system CRC circuit 212 is the same circuit as the A-system CRC circuit 209, and is a circuit that generates a CRCC from a data string having a predetermined number of bits.

  The B-system CRC circuit 212 of this example performs different processing at the time of writing and at the time of reading.

The B-system CRC circuit 212 at the time of writing generates a CRCC from a 64-bit wide data string that combines the address and data input from the B-system processor 203. The B-system CRC circuit 212 is connected to the verification circuit 214 via the B-system CRCC bus 213, and outputs the generated CRCC to the verification circuit 214.

  The B-system CRC circuit 212 at the time of reading newly generates a B-system CRCC from a 64-bit wide data string that combines the address input from the B-system processor 203 and the data written to the main memory 205 at the time of writing. Then, it is determined whether the CRCC stored in the main memory 205 and the newly generated CRCC are the same data string.

  The B-system CRC circuit 212 is connected to the interrupt control unit 220 and generates a logic signal (hereinafter referred to as “B-system CRCC verification mismatch”) based on the determination result (match / mismatch). Output to the controller 220. Hereinafter, the CRCC generated by the A system CRC circuit 209 is referred to as an A system CRCC, and the CRCC generated by the B system CRC circuit 212 is referred to as a B system CRCC.

  The collation circuit 214 is a circuit that determines the match / mismatch of two input data strings. The collation circuit 214 is connected to the ECC circuit 232 through two buses of an ECC circuit 232, an internal bus 215, and a CRCC internal bus 216. Further, the verification circuit 214 is also connected to the interrupt control unit 220.

  The collation circuit 214 at the time of writing generates a 72-bit width data string combining the address and data input from the A system processor 202 and the A system CRCC input from the A system CRC circuit 209 from the B system processor 203. A match / mismatch is determined by comparing a 72-bit data string that combines the input address and data with the B CRCC input from the B CRC circuit 212. At this time, the collation circuit 214 generates a logic signal (hereinafter referred to as “collation mismatch”) based on the determination result (match / mismatch) of the data string and outputs it to the interrupt control unit 220. The collation circuit 214 outputs the address, data, and command input from the A-system processor 202 to the ECC circuit 232 via the internal bus 215 only when the mutual data strings match, that is, when the determination results match. The A-system CRCC is output to the ECC circuit 232 via the CRCC internal bus 216.

  The collating circuit 214 at the time of reading compares the address data string input from the A-system processor 202 with the address data string input from the B-system processor 203 to determine a match / mismatch. At this time, the collation circuit 214 generates a collation mismatch based on the determination result (match / mismatch) and outputs it to the interrupt control unit 220. The collation circuit 214 outputs the address and command input from the A-system processor 202 to the ECC circuit 232 via the internal bus 215 only when the mutual data strings match, that is, when the determination results match. .

  The ECC circuit 232 generates an ECC from a data string having a bit width of a predetermined number of digits. Further, by using the generated ECC, an error in the data string is detected, and when the detected error is a correctable 1-bit error, the data string is corrected.

  The ECC circuit 232 performs different processing at the time of writing and at the time of reading. The ECC circuit 232 is connected by a memory bus 217, a CRCC memory bus 218, and an ECC memory bus 219 so that data strings can be exchanged between the main memories 205.

  The write ECC circuit 232 generates an ECC with a 72-bit wide data string that combines the address, data, and CRCC input from the verification circuit 214. Then, the generated ECC is output to the main memory 205 via the ECC memory bus 219. Then, the ECC circuit 232 outputs the address, data, and command input from the verification circuit 214 to the main memory 205 via the memory bus 217, and the CRCC input from the verification circuit 214 to the main memory via the CRCC memory bus 218. Output to the memory 205.

  The ECC circuit 232 at the time of reading newly generates an ECC from a 72-bit width data string that combines the data written in the main memory 205, the address input from the verification circuit 214, and the CRCC. Then, the ECC circuit 232 determines whether or not the newly generated ECC matches the ECC written in the main memory 205. The ECC circuit 232 is connected to the interrupt control unit 220 and generates a logic signal (hereinafter referred to as “ECC verification mismatch”) based on the determination result (match / mismatch). Output to.

  When the determination result is coincident, the ECC circuit 232 outputs the data and CRCC written in the main memory 205 to the A-system CRC circuit 209 and the B-system CRC circuit 212 via the collation circuit 214 and ECC collation mismatch ( Match) is generated and output to the interrupt control unit 220.

  If the determination results do not match, the ECC circuit 232 performs error checking of the ECC and CRCC written in the main memory 205 using the newly generated ECC and the ECC written in the main memory 205.

  In the case of a correctable error, the ECC circuit 232 corrects the data and CRCC error, and outputs the error-corrected data and CRCC to the A-system CRC circuit 209 and the B-system CRC circuit 212 via the collation circuit 214. At the same time, ECC verification mismatch (match) is generated and output to the interrupt control unit 220.

  In the case of an uncorrectable error, the ECC circuit 232 generates an ECC verification mismatch (mismatch) and outputs it to the interrupt control unit 220.

  The interrupt control unit 220 outputs an A-system interrupt request to the A-system processor 202, and outputs a B-system interrupt request to the B-system processor 203. The interrupt control unit 220 has a function of controlling the A system interrupt request and the B system interrupt request, and indicates an A system interrupt request register for asserting the A system interrupt request, and an interrupt factor. Consists of an A-system interrupt factor register. A B system interrupt request register for asserting a B system interrupt request and a B system interrupt factor register indicating an interrupt factor are provided.

  The interrupt control unit 220 can control the A-system interrupt request to the A-system processor 202 and the B-system interrupt request to the B-system processor 203 independently.

  The A system interrupt request register, the B system interrupt request register, the A system interrupt factor register, and the B system interrupt factor register can be accessed from the A system processor 202 and the B system processor 203. .

  The interrupt control unit 220 has a function of avoiding the control device 204 from an unsafe state when an abnormality of each processor or an abnormality of an interface from each processor to the main memory 205 and an abnormality of the main memory 205 are detected. That is, the interrupt control unit 220 determines that the A-system CRC verification mismatch from the A-system CRC circuit 209, the B-system CRC verification mismatch from the B-system CRC circuit 212, the verification mismatch from the verification circuit 214, or the ECC verification mismatch from the ECC circuit 232 Based on any one of the logic signals, it is determined whether or not to interrupt the operation currently being performed by the A-system processor 202 and the B-system processor 203. The interrupt control unit 220 controls other interrupt factors, but is not mentioned in the present invention.

  Incidentally, the output changeover switch 221 is connected to the A-system processor 202, the B-system processor 203, and the network controller 206. The output changeover switch 221 selects one of the operation results of the A processor 202 or the B processor 203 and outputs the operation result of the selected processor to the network controller 206. That is, the output changeover switch 221 is a switch for outputting the calculation result of the selected processor to the upper apparatus 103 or the lower apparatus 104 on the network 106 via the network controller 206.

[Configuration of A system CRC circuit]
Next, an example of the circuit configuration of the A system CRC circuit 209 and the B system CRC circuit 212 will be described with reference to FIG.
FIG. 3 is a diagram showing an example of the A-system CRC circuit 209 and its periphery. Since the A system CRC circuit 209 and the B system CRC circuit 212 are the same circuit, the description of the B system CRC circuit 212 is omitted.

  The A-system CRC circuit 209 includes a CRC calculation circuit 302 connected to the A-system processor 202 and the verification circuit 214 via the A-system processor bus 208, and the A-system processor 202 and the verification circuit 214 via the A-system processor 202. It consists of a connected switch and a digital comparator 304.

  The switch terminal S2 is connected to the CRC calculation circuit 302 and the digital comparator 304, the terminal S1 is connected to the verification circuit 214 via a CRC bus, and the terminal S3 is connected to the digital comparator 304. This switch switches terminals to be connected based on a command input from the A-system processor 202. More specifically, the switch connects the terminal S1 and the terminal S2 when the command is “1”, that is, when writing, and connects the terminal S1 and the terminal S3 when the input command is “0”, that is, when reading. To do.

  The CRC calculation circuit 302 calculates the A-system CRCC using the address and data input from the A-system processor 202 at the time of writing, and outputs the calculated A-system CRCC to the verification circuit 214 via the A-system CRCC bus 210.

  The CRC calculation circuit 302 calculates an A-system CRCC using the address input from the A-system processor 202 at the time of reading and data acquired from the main memory 205 via the verification circuit 214, and the calculated A-system CRCC is a digital comparator. It outputs to 304.

  The digital comparator 304 operates only when reading. The digital comparator 304 compares the A-system CRCC calculated by the CRC calculation circuit 302 with the CRCC acquired from the main memory 205 via the verification circuit 214, and the A-system CRCC verification mismatch, which is a logic signal corresponding to the comparison result Is output to the interrupt control unit 220.

[Configuration of ECC circuit]
Next, an example of the circuit configuration of the ECC circuit 232 will be described with reference to FIG.
FIG. 4 is a diagram illustrating an example of the ECC circuit 232 and its periphery.

  The ECC circuit 232 includes a first changeover switch 402, a second changeover switch 403, an ECC calculation circuit 404, a third changeover switch 405, an ECC comparison circuit 406, an ECC correction circuit 408, and a fourth changeover switch 409. , A fifth changeover switch 410 and a switch control circuit 411.

The first changeover switch 402 is a switch that connects the ECC calculation circuit 404 and either the internal bus 215 or the memory bus 217.
The terminal S4 of the first changeover switch 402 is connected to the verification circuit 214 via the internal bus 215, the terminal S5 is connected to the main memory 205 via the memory bus 217, and the terminal S6 is connected to the ECC calculation circuit 404. . The first changeover switch 402 is controlled by a switch control circuit 411 for a terminal to be connected. Specifically, at the time of writing, the ECC calculation circuit 404 and the internal bus 215 are connected by connecting the terminal S4 and the terminal S6. On the other hand, at the time of reading, the ECC calculation circuit 404 and the memory bus 217 are connected by connecting the terminals S5 and S6.

The second changeover switch 403 is a switch that connects the ECC calculation circuit 404 and either the CRCC internal bus 216 or the CRCC memory bus 218.
The terminal S7 of the second changeover switch 403 is connected to the verification circuit 214 via the CRCC internal bus 216, the terminal S8 is connected to the main memory 205 via the CRCC memory bus 218, and the terminal S9 is connected to the ECC calculation circuit 404. ing. The second changeover switch 403 is controlled by a switch control circuit 411 at a terminal to be connected. Specifically, at the time of writing, the terminal S7 and the terminal S9 are connected, and the ECC calculation circuit 404 and the CRCC internal bus 216 are connected. On the other hand, at the time of reading, the ECC calculation circuit 404 and the CRCC memory bus 218 are connected by connecting the terminals S8 and S9.

  The ECC calculation circuit 404 at the time of writing generates an ECC from the address and data input from the verification circuit 214 via the internal bus 215 and the CRCC input from the verification circuit 214 via the CRCC internal bus 216. The ECC is output via the third changeover switch 405.

  On the other hand, the ECC calculation circuit 404 at the time of reading includes data acquired from the main memory 205 via the memory bus 217, CRCC acquired from the main memory 205 via the CRCC memory bus 218, and a verification circuit via the internal bus 215. An ECC is generated from the address input from 214, and the generated ECC is output via the third changeover switch 405.

The third changeover switch 405 is a switch for changing the output from the ECC circuit 232 to either the ECC comparison circuit 406 or the main memory 205.
The terminal S10 of the third changeover switch 405 is connected to the ECC calculation circuit 404, the terminal S12 is connected to the ECC comparison circuit 406, and the terminal S11 is connected to the main memory 205 via the ECC memory bus 219. The third changeover switch 405 is controlled by a switch control circuit 411 at a terminal to be connected. Specifically, at the time of writing, the terminals S 10 and S 11 are connected and the ECC generated by the ECC calculation circuit 404 is output to the ECC memory bus 219. On the other hand, at the time of reading, the terminals S10 and S12 are connected and the ECC generated by the ECC calculation circuit 404 is output to the ECC comparison circuit 406.

The ECC comparison circuit 406 performs processing only at the time of reading by the third changeover switch 405. The ECC comparison circuit 406 calculates the exclusive OR of the ECC acquired from the main memory 205 via the ECC memory bus 219 and the data string of each of the ECC generated by the ECC calculation circuit 404. Check for errors. The error check here detects whether there is no error (all bits match), 1-bit error, or error of 2 bits or more, and whether each of these errors can be corrected. Point to. The ECC comparison circuit 406 outputs such an error check result to the ECC correction circuit 408 and the switch control circuit 411.

The ECC correction circuit 408 performs processing only at the time of reading by the third changeover switch 405. The ECC correction circuit 408 corrects the data read from the main memory 205 and the CRCC error based on the error check result input from the ECC comparison circuit 406.

  In the case of an uncorrectable 1-bit error and an error of 2 bits or more, the ECC correction circuit 408 outputs an ECC collation mismatch (mismatch) to the interrupt control unit 220.

  In the case of a correctable 1-bit error, the ECC correction circuit 408 performs bit correction of data read from the main memory 205 or CRCC using an error check result input from the ECC comparison circuit 406 and an interrupt control unit. The ECC verification mismatch (match) is output to 220.

  The fourth changeover switch 409 is a switch for turning on / off the connection between the internal bus 215 and the memory bus 217. The terminal S13 of the fourth changeover switch 409 is connected to the internal bus 215, and the terminal S14 is connected to the memory bus 217. The fourth changeover switch 409 is controlled to be turned on / off by the switch control circuit 411. At the time of writing, the terminal S13 and the terminal S14 are connected to output the address, data, and command input from the verification circuit 214 to the main memory 205. When the error check result detected by the ECC comparison circuit 406 at the time of reading is an error-free or correctable 1-bit error, the terminal S13 and the terminal S14 are connected to output the data stored in the main memory 205 to the verification circuit 214. To.

  The fifth changeover switch 410 is a switch for turning on / off the connection between the CRCC internal bus 216 and the CRCC memory bus 218. The terminal S15 of the fifth changeover switch 410 is connected to the CRCC internal bus 216, and the terminal S16 is connected to the CRCC memory bus 218. The fifth changeover switch 410 is controlled to be turned on / off by the switch control circuit 411. At the time of writing, the terminals S15 and S16 are connected to output the CRCC input from the collation circuit 214 to the main memory 205. When the error check result detected by the ECC comparison circuit 406 at the time of reading is an error-free or correctable 1-bit error, the terminal S15 and the terminal S16 are connected and the CRCC stored in the main memory 205 is output to the verification circuit 214. Like that.

  The switch control circuit 411 controls connection of each terminal of the first changeover switch 402, the second changeover switch 403, the third changeover switch 405, the fourth changeover switch 409, and the fifth changeover switch 410. This control is performed based on the command input from the verification circuit 214 via the internal bus 215 and the error check result input from the ECC comparison circuit 406.

[Mode transition of CPU device]
Next, the mode transition of the CPU device 102 will be described with reference to FIG.
FIG. 5 is a state transition diagram showing mode transition of the CPU device 102.

  First, when the CPU device 102 is activated, the CPU device 102 enters an OS startup mode (step S501). At this time, the CPU device 102 acquires a predetermined program stored in the host device 103 via the network.

  The CPU device 102 is operated by the scheduler in any of the above-described general mode (step S502), safety mode (step S503), or test mode (step S504). In addition, when the mode is changed by the scheduler, the mode shifts to the OS startup mode (step S506, step S507, and step S508).

  If an abnormality occurs in the CPU device 102 during the calculation in the general mode, the CPU device 102 stops the calculation (step S509).

  Further, when the above occurs in the CPU device 102 during the calculation in the safety mode, the CPU device 102 stops the calculation (step S510).

  Further, when executing a test mode, that is, detecting a failure of each block and each bus constituting the CPU device 102 by the test program, the CPU device 102 stops the CPU device 102 (step S511).

  Among the states shown above, the CPU device 102 has the configuration shown in FIGS. 2 to 4 in order to detect the error in step S510. That is, the configurations of FIGS. 2 to 4 of the present embodiment are for reliably detecting an abnormality of the CPU device 102 in the safety mode and reaching the abnormal stop mode.

[Operation of CPU device]
Next, the operation of the control device 204 in the safety mode will be described with reference to FIGS.
FIG. 6 is a timing chart showing the operation of the control device 204 when there is no failure.

  An operation of the control device 204 when the A-system processor 202 and the B-system processor 203 write to the main memory 205 based on a predetermined program acquired in advance from the host device 103 will be described. Since the B-system CRC circuit 212 has the same configuration as the A-system CRC circuit 209, the operation relating to the B-system CRC circuit will be described below with reference to the A-system CRC circuit shown in FIG.

First, when the A processor 202 makes a write request to the main memory 205 (T601), the A processor CRC of the control device 204 sends a command ('1') indicating the address, data, and write via the A processor bus 208. It outputs to the circuit 209 and the collation circuit 214. Then, the A system CRC circuit 209 connects the terminal S1 and the terminal S2 of the switch 303 with the command input from the A system processor 202 as a trigger. The CRC calculation circuit 302 of the A system CRC circuit 209 generates an A system CRCC from the address and data input from the A system processor 202. Then, the CRC calculation circuit 302 of the A system CRC circuit 209 outputs the generated A system CRCC to the collation circuit 214 via the A system CRCC bus (T602).

On the other hand, the B processor 203 performs the same operation as the A processor 202. First, when the B processor 203 makes a write request to the main memory 205 (T603), the B processor CRC of the control device 204 sends a command ('1') indicating data, address and write via the B processor bus 211. It outputs to the circuit 212 and the collation circuit 214. Then, the B-system CRC circuit 212 connects the terminal S1 and the terminal S2 of the switch 303 using a command input from the B-system processor 203 as a trigger. The CRC calculation circuit 302 of the B system CRC circuit 212 generates a B system CRCC from the address and data input from the B system processor 203. Then, the CRC calculation circuit 302 of the B system CRC circuit 212 outputs the generated B system CRCC to the collation circuit 214 (T604).

  The collation circuit 214 determines whether or not the A system CRCC input from the CRC calculation circuit 302 of the A system CRC circuit 209 matches the B system CRCC input from the CRC calculation circuit 302 of the B system CRC circuit 212. (T605). In the case where there is no failure in each failure detection target, the determination results are the same. Therefore, the collation circuit 214 sends the address, data, and command input from the A-system processor 202 via the A-system processor bus 208 to the internal bus 215. To the ECC circuit 232. Further, the collation circuit 214 outputs the A system CRCC input from the A system CRC circuit 209 to the ECC circuit 232 via the CRCC internal bus 216. Since the output from the B-system CRC circuit 212 may be input to the ECC circuit 232, the A-system CRCC and the B-system CRCC are simply described as CRCC in the following.

  The ECC circuit 232 connects the terminal S4 and the terminal S6 of the first changeover switch 402, connects the terminal S7 and the terminal S9 of the second changeover switch 403, and uses the command inputted from the verification circuit 214 as a trigger. The terminals S10 and S11 of the switch 405 are connected, the terminals S13 and S14 of the fourth changeover switch 409 are connected, and the terminals S15 and S16 of the fifth changeover switch 410 are connected. The ECC calculation circuit 404 generates an ECC using the address, data, and CRCC input from the collation circuit 214 and outputs the generated ECC to the main memory 205 via the ECC memory bus 219. At this time, the ECC circuit 232 outputs the data, command, and data input from the verification circuit 214 to the main memory 205 via the memory bus 217, and the CRCC input from the verification circuit 214 via the CRCC memory bus 218. The data is output to the main memory 205 (T606).

  The main memory 205 uses the command input from the ECC circuit 232 as a trigger, and stores the data, CRCC, and ECC input from the ECC circuit 232 at the position indicated by each address input from the ECC circuit 232. That is, based on the address, the main memory 205 stores data in the data storage area 229, stores CRCC in the CRCC storage area 230, and stores ECC in the ECC storage area 231 (T607).

  After the above processing is completed, when the main memory 205 outputs a write end response to each circuit of the control device 204, each circuit of the main memory 205 ends the write operation (T608).

  Next, the operation of the control device 204 when the A-system processor 202 and the B-system processor 203 read from the main memory 205 based on a predetermined program acquired in advance from the host device 103 will be described.

  First, the A processor 202 and the B processor 203 make a read request to the control device 204. Then, the A-system processor 202 outputs a command (“0”) indicating an address and a read to the verification circuit 214 of the control device 204 via the A-system processor bus 208 and outputs the command to the A-system CRC circuit 209. To do. The A system CRC circuit 209 connects the terminal S1 and the terminal S3 of the switch 303 with a command input from the A system processor 202 as a trigger.

  On the other hand, the B processor 203 outputs a command (“0”) indicating an address and a read to the collation circuit 214 of the main memory 205 via the B processor bus 211 and outputs the command to the B CRC circuit 212. To do. The B-system CRC circuit 212 connects the terminal S1 and the terminal S3 of the switch 303 using a command input from the B-system processor 203 as a trigger.

  Here, the collation circuit 214 compares the address input from the A-system processor 202 with the address input from the B-system processor 203, and determines whether or not the comparison result is coincident (T609).

  If the collation circuit 214 determines that they match, the collation circuit 214 outputs the address and command input from the A-system processor 202 to the ECC circuit 232 via the internal bus 215. Then, the ECC circuit 232 connects the terminal S5 and the terminal S6 of the first changeover switch 402, connects the terminal S8 and the terminal S9 of the second changeover switch 403, using the command input from the verification circuit 214 as a trigger, The terminals S10 and S12 of the three changeover switch 405 are connected. Then, the ECC circuit 232 outputs the address and command input from the verification circuit 214 to the main memory 205 via the memory bus.

  The main memory 205 uses the command input from the ECC circuit 232 as a trigger, and outputs the data stored in the main memory 205 to the ECC circuit 232 via the memory bus in accordance with the address input from the ECC circuit 232. At this time, the main memory 205 outputs the stored CRCC to the ECC circuit 232 via the CRCC memory bus 218 in accordance with the address input from the ECC circuit 232. Further, the main memory 205 outputs the stored ECC to the ECC circuit 232 via the ECC memory bus 219 in accordance with the address input from the ECC circuit 232.

  Then, the ECC calculation circuit 404 of the ECC circuit 232 newly generates an ECC from the address input from the collation circuit 214, the data acquired from the main memory 205, and the CRCC, and outputs the ECC to the ECC comparison circuit 406.

  The ECC comparison circuit 406 calculates an exclusive OR of the newly generated ECC and the ECC acquired from the main memory 205. Then, the aforementioned error check is performed, and the error check result is output to the ECC correction circuit 408 and the switch control circuit 411. In this case, since the error check result indicates no error, the switch control circuit 411 connects the terminals S13 and S14 of the fourth changeover switch 409 and connects the terminals S15 and S16 of the fifth changeover switch 410. Then, the data acquired from the main memory 205 is output to the CRC calculation circuit 302 of the A system CRC circuit 209 via the internal bus 215, the verification circuit 214 and the A system processor bus 208. At this time, the CRCC acquired from the main memory 205 is output to the digital comparator 304 of the A system CRC circuit 209 via the CRCC internal bus 216, the collation circuit 214, and the A system CRCC bus. The data and CRCC acquired from the main memory 205 are similarly input to the B-system CRC circuit 212 (T610).

  Here, the CRC calculation circuit 302 of the A-system CRC circuit 209 newly generates a CRCC from the address output from the A-system processor 202 via the A-system processor bus 208 and the data input from the ECC circuit 232. Input to the digital comparator 304. The digital comparator 304 compares the newly generated CRCC with the CRCC input from the ECC circuit 232, and determines whether or not the comparison result is coincident.

  In this case, since the determination results are the same, the data output from the ECC circuit 232, that is, the data stored in the main memory 205 is output to the A-system processor 202 via the A-system processor bus 208 (T611). . At this time, the same data stored in the main memory 205 is also output to the B processor 203 from the B system CRC circuit 212 via the B processor bus 211 (T612).

  FIG. 7 shows a control device 204 when a failure occurs in any of the A-system processor 202, the A-system CRC circuit 209, the A-system processor bus 208, the B-system processor 203, the B-system CRC circuit 212, and the B-system processor bus 211. It is a timing chart which shows the operation | movement. T701 to T704 are the same as T601 to T604 in FIG.

  Immediately after the timing of T704, that is, during writing, a failure occurs in any of the A system processor 202, the A system CRC circuit 209, the A system processor bus 208, the B system processor 203, the B system CRC circuit 212, and the B system processor bus 211. It is assumed that it has occurred (T705). Then, the verification circuit 214 compares the A system CRCC input from the A system CRC circuit 209 via the A system CRCC bus 210 and the B system CRCC input from the B system CRC circuit 212 via the B system CRCC bus 213. To do. Then, the collation circuit 214 determines whether or not the respective comparison results match (T706).

  In this case, since the determination results do not match, the collation circuit 214 returns a response to the A-system processor 202 and the B-system processor 203. The collation circuit 214 outputs a collation mismatch (mismatch) to the interrupt control unit 220 and registers the factor in the A-system interrupt factor register and the B-system interrupt factor register. Then, the processing of the A-system processor 202 and the B-system processor 203 is temporarily interrupted at the time of T607 by the A-system interrupt factor register and the B-system interrupt factor register.

  As described above, when a failure such as this case occurs, data is not written to the main memory 205, and execution of the subsequent program is interrupted by the interrupt control unit 220.

Next, the controller 204 when a failure occurs in any of the verification circuit 214, internal bus 215, CRCC internal bus 216, ECC circuit 232, memory bus, CRCC memory bus 218, ECC memory bus 219, and main memory 205 The operation will be described with reference to FIG.
FIG. 8 is a timing chart showing the operation of the control device 204. Since T801 to T809 are the same as T601 to T609 shown in FIG.

  Immediately after the timing of T809, that is, during reading, a failure occurs in any of the verification circuit 214, internal bus 215, CRCC internal bus 216, ECC circuit 232, memory bus 217, CRCC memory bus 218, ECC memory bus 219, and main memory 205 Is assumed to occur (T810).

  The main memory 205 outputs the stored data to the ECC circuit 232 via the memory bus according to the address input from the ECC circuit 232. At this time, the main memory 205 outputs the stored ECC to the ECC circuit 232 via the ECC memory bus 219 in accordance with the address input from the ECC circuit 232, and the stored CRCC is input from the ECC circuit 232. The data is output to the ECC circuit 232 via the CRCC memory bus 218 according to the address. Then, the ECC calculation circuit 404 of the ECC circuit 232 newly generates an ECC from the address input from the verification circuit 214 via the internal bus 215, the data acquired from the main memory 205, and the CRCC, and sends the ECC to the ECC comparison circuit 406. Output.

  The ECC calculation circuit 404 performs the error check described above by calculating the exclusive OR of the newly generated ECC and the ECC read from the main memory 205. The error check result is output to the ECC comparison circuit 406 and the switch control circuit 411. In this case, since the error check result is “no bit error”, the switch control circuit 411 connects the terminals S13 and S14 of the fourth changeover switch 409 and connects the terminals S15 and S16 of the fifth changeover switch 410. Then, the data acquired from the main memory 205 is output to the CRC calculation circuit 302 of the A system CRC circuit 209 via the internal bus 215, the verification circuit 214 and the A system processor bus 208. At this time, the CRCC acquired from the main memory 205 is output to the digital comparator 304 of the A system CRC circuit 209 via the CRCC internal bus 216, the collation circuit 214, and the A system CRCC bus. Note that the data and CRCC acquired from the main memory 205 are similarly input to the B-system CRC circuit 212 (T811).

  The CRC calculation circuit 302 of the A-system CRC circuit 209 newly generates a CRCC from the address input from the A-system processor 202 and the data input from the ECC circuit 232 via the A-system processor bus 208 to generate an A-system CRC circuit. It outputs to the digital comparator 304 of 209. The digital comparator 304 compares the newly generated CRCC with the CRCC input from the ECC circuit 232, and determines whether or not the comparison result is coincident (T812).

  On the other hand, the CRC calculation circuit 302 of the B system CRC circuit 212 newly generates a CRCC from the address input from the B system processor 203 and the data input from the ECC circuit 232 via the B system processor bus 211 to generate the B system. The data is output to the digital comparator 304 of the CRC circuit 212. The digital comparator 304 compares the newly generated CRCC with the CRCC input from the ECC circuit 232, and determines whether or not the comparison result is coincident (T813).

  In this case, it is determined that the digital comparator 304 of the A system CRC circuit 209 and / or the digital comparator 304 of the B system CRC circuit 212 do not match. Then, the digital comparator 304 that has detected the mismatch outputs a CRC verification mismatch (mismatch) to the interrupt control unit 220 and registers the factor in the A-system interrupt factor register or the B-system interrupt factor register. Then, the processing of the A-system processor 202 and the B-system processor 203 is temporarily suspended at the time of T607 by the A-system interrupt factor register or the B-system interrupt factor register.

  As described above, when a failure such as this case occurs, the A-system processor 202 and the B-system processor 203 cannot read data, and the execution of the subsequent program is interrupted by the interrupt control unit 220.

[Fault detection range of CPU device]
Next, the failure detection range of the CPU device 102 will be summarized.
FIG. 9 is a table showing a failure detection range of the CPU device 102.
FIG. 9A is a table showing a failure detection range of the CPU device 102 when operating in the safety mode.

  As described above, as a component for detecting a failure of each block and each bus (hereinafter referred to as “failure detection target”) constituting the CPU device 102 in the safety mode, the CPU device 102 includes the A-system CRC circuit 209, B A system CRC circuit 212, a verification circuit 214, and an ECC circuit 232 are provided.

  The fault detection target of the A system CRC circuit 209 includes the A system processor bus 208, the collation circuit 214, the internal bus 215, the CRCC internal bus 216, the ECC circuit 232, the memory bus 217, the CRCC memory bus 218, An ECC memory bus 219 and a main memory 205.

  The failure detection target of the B-system CRC circuit 212 includes the B-system processor bus 211, the verification circuit 214, the internal bus 215, the CRCC internal bus 216, the ECC circuit 232, the memory bus 217, the CRCC memory bus 218, An ECC memory bus 219 and a main memory 205.

  The failure detection targets of the verification circuit 214 are the A system processor 202, the B system processor 203, the A system CRC circuit 209, the B system CRC circuit 212, the A system processor bus 208, and the B system processor bus 211.

  The failure detection targets of the ECC circuit 232 are the memory bus 217, the CRCC memory bus 218, the ECC memory bus 219, and the main memory 205.

  FIG. 9B is a table showing a failure detection range of the CPU device 102 when operating in the test mode. In the test mode, by operating a test program as shown in the table, the A system processor 202, the B system processor 203, the A system CRC circuit 209, the B system CRC circuit 212, the A system processor bus 208, and the B system processor bus 211 , The collation circuit 214, the internal bus 215, the CRCC memory bus 218, the ECC circuit 232, the memory bus 217, the CRCC memory bus 218, the ECC memory bus 219, and the main memory 205 are independently diagnosed. Since the failure detection target is the same as that shown in the table of FIG. 9A, the description regarding the failure detection target is omitted.

  As described above, the present embodiment not only detects a failure by simply comparing outputs from a plurality of processors and determining whether or not the outputs match, but also the failure of the means for performing the comparison. Added detection. Therefore, it is possible to more reliably detect a failure of each block and each bus constituting the CPU device 102 during processing in the CPU device 102 (in the safety mode). As soon as a failure is detected, the processing is stopped. For example, even if a failure occurs during the control of a potentially dangerous process facility, the control is immediately interrupted, so that the safety is further improved.

  Although the ECC circuit 232 is provided in this embodiment, the same effect as described above can be obtained without providing the ECC circuit 232. However, when the ECC circuit 232 is not provided, the internal bus 215 and the memory bus 217 are connected, and the CRCC internal bus 216 and the CRCC memory bus 218 need to be connected.

  As mentioned above, although the example of embodiment of this invention was demonstrated, this invention is not limited to the said embodiment example, Unless it deviates from the summary of this invention described in the claim, other modifications Needless to say, application examples are included.

  DESCRIPTION OF SYMBOLS 101 ... Control system, 102 ... CPU apparatus, 103 ... High-order apparatus, 104 ... Low-order apparatus, 105 ... Control object, 106 ... Network, 202 ... A system processor, 203 ... B system processor, 204 ... Control apparatus, 205 ... Main memory , 206 ... Network controller, 207 ... CRC circuit, 208 ... A system processor bus, 209 ... A system CRC circuit, 210 ... A system CRCC bus, 211 ... B system processor bus, 212 ... B system CRC circuit, 213 ... B system CRCC bus, 214 ... collation circuit, 215 ... internal bus, 216 ... CRCC internal bus, 217 ... memory bus, 218 ... CRCC memory bus, 219 ... ECC memory bus, 220 ... interrupt control unit, 221 ... output selector switch, 229 ... Data storage area, 230 ... CRCC storage area, 231 ... ECC storage 232 ... ECC circuit 302 ... CRC calculation circuit 303 ... switch 304 ... digital comparator 402 ... first changeover switch 403 ... second changeover switch 404 ... ECC calculation circuit 405 ... third changeover switch 406 ... ECC comparison circuit, 408 ... ECC correction circuit, 409 ... fourth switch, 410 ... fifth switch, 411 ... switch control circuit

Claims (2)

A first error detection code is created from first information stored in the main memory as a result of the first processor executing a predetermined program, and second storage information that is an error detection code stored in the main memory in advance A first code generation unit that detects an abnormality by comparing;
A second processor configured to output the same operation result as the first processor generates a second error detection code from second information stored in the main memory as a result of executing the program; A second code generation unit for detecting an abnormality by comparing with the two storage information;
When the first processor and / or the second processor reads the first information or the first storage information as the second information from the main memory, the first storage information read from the main memory and the second memory A correction processing unit that performs error correction on the stored information as needed and supplies the first code generation unit and the second code generation unit;
When the first code generation unit detects a mismatch between the first error detection code and the second storage information, and / or the second code generation unit includes the second error detection code and the second storage information. An interrupt control unit that prohibits an operation in which the first processor reads the first storage information from the main memory and an operation in which the second processor reads the second storage information from the main memory when a mismatch is detected When,
Whether or not the first information and the second information are the same is detected and reported to the interrupt control unit, and whether or not the first error detection code and the second error detection code are the same And a verification unit that controls writing of the first information or the second information to the main memory by detecting the error and reporting the interrupt to the interrupt control unit. The interrupt control unit has an interrupt factor register, and the first code generation unit detects a mismatch between the first error detection code and the second storage information, and / or the second code generation unit. Is registered in the interrupt factor register as a failure caused by the main memory or the correction processing unit when the mismatch between the second error detection code and the second storage information is detected, and the verification unit When a mismatch between the first information and the second information is detected, and / or when the matching unit detects a mismatch between the first error detection code and the second error detection code, the first code generation unit , Registering in the interrupt factor register as a failure caused by the second code generation unit, the first processor or the second processor,
The control device according to claim 1.

Images