JP6099187B2 - Bus synchronous computer system - Google Patents

Description

  The present invention collates each data calculated from two arithmetic units that perform the same arithmetic processing in synchronism with the same input information and output on the data bus, and controls the operation of the control object based on the result In particular, the present invention relates to a bus-synchronous duplex computer system that improves the operation rate of a control target.

  In recent years, for example, railway signal security devices, industrial robots, and the like have been introduced control systems using computers, and high reliability is required in addition to maintenance and maintenance problems and safety. As a control system using a computer for ensuring such high reliability and safety, a plurality of computers are used, and when one computer breaks down, another computer can be substituted or a safe output is ensured. One of the systems is a bus synchronous dual computer system.

  Conventionally, as this type of bus-synchronous duplex computer system, for example, there is one described in Patent Document 1 or the like. The bus-synchronous duplex computer system described in Patent Document 1 collates each data calculated from the two arithmetic units and output on the data bus, determines whether each data matches or does not match, If the cause is a temporary cause, for example, due to noise, etc., if the cause of the transient is resolved before the number of times determined to be inconsistent reaches the predetermined number, If the control operation for the target (for example, railway traffic signal, railway vehicle brake, etc.) is not stopped and the operation is continued as it is, and the number of times determined to be inconsistent reaches a predetermined number, the operation of the arithmetic unit is determined to be abnormal. Then, control is performed so that the operation of the controlled object is on the safe side (for example, the railway vehicle is stopped). With such a configuration, the operation of the controlled object does not stagnate even when a mismatch between the data from the calculation unit occurs due to a temporary cause due to noise or the like. The decline in operating rate is suppressed.

Japanese Patent No. 2561181

  By the way, in practice, it is required to further improve the operation rate of a control target for this type of bus synchronous dual computer system.

  The conventional bus-synchronous duplex computer system described in Patent Document 1 described above suppresses a decrease in the operation rate of the control target due to a temporary cause such as noise. However, when the number of times that the data of the two calculation units is determined to be inconsistent reaches a predetermined number, the control target operation is controlled to be on the safe side, and the original control target operation is stopped. Therefore, for example, there is a problem that it is not possible to suppress a decrease in operating rate when one of the two arithmetic units fails and continues to calculate abnormal data.

  The present invention has been made paying attention to the above problems, and an object of the present invention is to provide a bus synchronous dual computer system that further improves the operation rate of the controlled object.

To achieve the above object, the bus synchronization duplex system computer system according to the present invention, the operation of the control target of each data of the two calculation unit from the results collated in the collation unit for controlling a bus synchronous duplex system in a computer system, the arithmetic unit and the pre-calculation unit is provided separately from the preliminary calculation unit from irradiation combined result of two operation portion and another collating unit each data of the preliminary calculation unit properly before collation 2 A bus-synchronous duplex computer capable of switching the abnormal-side arithmetic unit to the preliminary arithmetic unit and outputting the data of the preliminary arithmetic unit and the normal-side arithmetic unit to the control target when either one of the arithmetic units is abnormal It is a system .

With such a configuration, in a computer system that controls the operation of a controlled object in a bus-synchronous duplex system, the collation of the collation unit that collates each data of two calculation units that perform the same calculation process synchronously on the same information Before, the result of collating the data of the two computation units and the preliminary computation unit with each other by another collation unit, the preliminary computation unit is normal, and either one of the two computation units is In the case of an abnormality, the abnormal calculation unit is switched to the preliminary calculation unit, and the data of the preliminary calculation unit and the normal calculation unit can be output to the control target .

  Further, as in claim 2, the another collation unit is configured to collate each data from the two computation units and the preliminary computation unit to detect the coincidence / mismatch of each other, It is determined whether or not the operations of the two calculation units and the preliminary calculation unit are normal based on the detection result of the other verification unit, and the abnormal calculation unit is determined as a preliminary calculation unit according to the determination result. It is good to comprise so that it may switch to.

  For example, as in claim 3, a first main arithmetic unit and a second main arithmetic unit are provided as the two arithmetic units, and the preliminary arithmetic unit has the same input information as the first and second main arithmetic units. The same calculation process is performed in synchronization with each other, and the other verification unit collates each data from the first main calculation unit, the second main calculation unit, and the preliminary calculation unit, respectively, A first switching unit capable of selectively switching and connecting the first main arithmetic unit and the preliminary arithmetic unit to the collating unit, the second main arithmetic unit, and the preliminary arithmetic unit A second switching unit that can be selectively switched and connected to the collation unit, and normal operation of the first main computation unit, the second main computation unit, and the preliminary computation unit based on the detection result of the other collation unit Control for determining whether or not the first and second switching units are switched according to the determination result It may be configured with a, when.

  Further, as in claim 4, when the control unit determines that the operation of the first and second main arithmetic units is normal, the first and second main arithmetic units are connected to the verification unit. As described above, when the first and second switching units are controlled to determine that the operation of the preliminary calculation unit is normal and the operation of the first main calculation unit is abnormal, the preliminary calculation unit and the Controlling the first and second switching units to connect the second main calculation unit to the verification unit, the operation of the preliminary calculation unit is normal, and the operation of the second main calculation unit is abnormal When determining, you may comprise so that the said 1st and 2nd switching part may be controlled so that the said preliminary | backup calculating part and the said 1st main calculating part may be connected to the said collation part.

  Furthermore, as in claim 5, when the control unit detects at least a match between the data of the first main arithmetic unit and the second main arithmetic unit by the another verification unit, It is determined that the operations of the first and second main arithmetic units are normal, and at least there is a mismatch between the data from the first main arithmetic unit and the data from the second main arithmetic unit and the preliminary arithmetic unit, respectively. When detected, it is determined that the operation of the first main arithmetic unit is abnormal, and at least the data from the second main arithmetic unit and the data from the first main arithmetic unit and the preliminary arithmetic unit When the inconsistency is detected, it is determined that the operation of the second main calculation unit is abnormal, and when the data match between the preliminary calculation unit and the first main calculation unit is detected, Or the mutual data of the preliminary calculation unit and the second main calculation unit If a match is detected, the operation of the preliminary calculation unit may be the determined configuration to be normal.

  According to a sixth aspect of the present invention, there is provided a switching unit that switches between the two calculation units and the preliminary calculation unit, and each input unit of the data of the collation unit is connected to the preliminary calculation via each switching unit. When connected to a unit, different data may be input to each input unit.

  In addition, as in a seventh aspect, any one of the two calculation units may be periodically switched to the preliminary calculation unit via each switching unit.

According to the computer system of the bus synchronous dual system of the present invention, before the main collation unit that collates each data of the two arithmetic units that perform the same arithmetic processing synchronously on the same information, another collation unit As a result of comparing the data of the two arithmetic units and the preliminary arithmetic unit with each other, if the preliminary arithmetic unit is normal and one of the two arithmetic units is abnormal, Since the side calculation unit is switched to the preliminary calculation unit and each data of the preliminary calculation unit and the normal side calculation unit can be output to the control target, whichever of the two calculation units is selected when the preliminary calculation unit is normal When either of them fails and abnormal data continues to be calculated, or when abnormal data is temporarily calculated due to transients due to noise, etc., the abnormal side arithmetic unit is switched to the preliminary arithmetic unit, Each data of the normal side calculation unit is verified by the verification unit, for example, If the data match, and controls the operation of the controlled object based on each data outputted from the normal side computing section preliminary calculation unit which is data matching, it is possible to continue the original operation of the control object . In this way, it is possible to provide a bus synchronization double-system computer system to further improve the operation rate of the controlled object.

1 is a schematic configuration diagram showing a first embodiment of a bus synchronous dual computer system according to the present invention. It is explanatory drawing explaining an example of operation | movement of the bus synchronous dual system computer system of the said 1st Embodiment. It is a schematic block diagram which shows 2nd Embodiment of the bus synchronous dual system computer system which concerns on this invention. It is explanatory drawing explaining an example of operation | movement of the bus synchronous dual system computer system of the said 2nd Embodiment. It is explanatory drawing explaining the operation | movement condition when the 2nd switching part malfunctions in the bus synchronous dual-system computer system of the said 2nd Embodiment. It is a schematic block diagram which shows the modification of the said 2nd Embodiment. It is explanatory drawing explaining an example of operation | movement of the bus synchronous dual system computer system of the said modification. It is explanatory drawing explaining the condition where the conversion part and the decompression | restoration part short-circuited in the bus synchronous dual-system computer system of 2nd Embodiment shown in the said FIGS. 3-5. FIG. 9 is an explanatory diagram for explaining an operation situation when the first switching unit malfunctions in the fault-synchronized bus synchronous dual computer system shown in FIG. 8. FIG. 9 is an explanatory diagram for explaining an operation situation when the second switching unit malfunctions in the failed bus synchronous dual computer system shown in FIG. 8. It is explanatory drawing explaining an example of operation | movement of the bus synchronous dual system computer system of 3rd Embodiment.

First, the basic concept of the present invention will be described.
The bus synchronous dual computer system according to the present invention is a computer system that controls the operation of a controlled object from the result of collating the data of two computing units that perform the same computation process on the same information in synchronization. In this case, a preliminary calculation unit is provided separately from the two calculation units, and the preliminary calculation unit is obtained from the result of collating each data of the two calculation units and the preliminary calculation unit with each other before the collation by the collation unit. When either one of the two calculation units is normal and abnormal, the abnormal calculation unit is switched to the preliminary calculation unit.

  With this configuration, when the preliminary calculation unit is normal, when either one of the two calculation units fails and abnormal data continues to be calculated or temporarily due to noise or the like, When abnormal data is calculated, the abnormal side arithmetic unit is switched to the preliminary arithmetic unit, and the data of the preliminary arithmetic unit and the normal side arithmetic unit are collated by the collation unit. In other words, it is possible to control the operation of the controlled object based on each data output from the data collated operation unit and continue the original operation of the controlled object. In this way, it is possible to provide a bus synchronous dual computer system that further improves the operation rate of the controlled object.

Embodiments of a bus synchronous dual computer system to which the present invention is applied will be described below in detail with reference to the drawings.
FIG. 1 is a schematic configuration diagram showing a first embodiment of the bus synchronous dual computer system. In FIG. 1, the bus synchronous dual computer system 1 according to the present embodiment uses the other collation unit to collate each data from the two computation units and the preliminary computation unit to match each other's data. -It is configured to detect a mismatch, and it is determined whether or not the operations of the two calculation units and the preliminary calculation unit are normal based on a detection result of the another collation unit, and according to the determination result, The abnormal calculation unit is configured to be switched to the preliminary calculation unit.
Specifically, the duplex computer system 1 collates each data calculated from the two arithmetic units and output on the data bus, and when the respective data match, the operation of the arithmetic unit is as follows. It is determined to be normal, and the operation of the control target is controlled based on each data output from the calculation unit. If the data does not match, one operation of the two calculation units is determined to be abnormal. The control is performed so that the operation of the controlled object is on the safe side. As shown in FIG. 1, the first and second main arithmetic units 2A and 2B provided as the two arithmetic units and the two A preliminary calculation unit 3 provided separately from the calculation unit, a verification unit (hereinafter referred to as “main verification unit”) 4, and a verification unit different from the verification unit 4 (hereinafter referred to as “sub-verification unit”) Say) 5, a first switching unit 6, a second switching unit 7, and a control unit 8. The first and second main arithmetic units 2A and 2B, the preliminary arithmetic unit 3, and the main collating unit 4 are configured to be connectable via a data bus. The data bus is hereinafter referred to as a route.

  The first and second main calculation units 2A and 2B are calculation units that perform predetermined calculation processing on input information in advance, and perform the same calculation processing on the same input information in synchronization. It is configured as follows. Although the first and second main arithmetic units 2A and 2B and a preliminary arithmetic unit 3 to be described later are omitted from illustration, the same input information is input, and the same clock signal, for example, is input together with the input information. Are input, and each calculation unit is configured to operate in synchronization. The first and second main arithmetic units 2A and 2B are output from the first and second main arithmetic units 2A and 2B unless the operation is determined to be abnormal based on the collation result of the main collation unit 4 described later. The operation of the controlled object (for example, a railway traffic signal) is controlled based on each data. When the first and second main arithmetic units 2A and 2B operate abnormally due to a transient cause such as noise or due to a failure, for example, which one is controlled by the control unit 8 described later. It is possible to determine whether the arithmetic unit is operating abnormally. In the following description, it is assumed that two or more calculation units of the first and second main calculation units 2A and 2B and a preliminary calculation unit 3 described later do not simultaneously perform the same abnormal operation.

  The preliminary calculation unit 3 performs the same calculation process on the same input information as the first and second main calculation units 2A and 2B in synchronization with the first and second main calculation units 2A and 2B. Part.

  In the present embodiment, for example, the state shown in FIG. 1 is set to an initial state, and the first main arithmetic unit 2A and a main collation unit 4 described later are connected by a first path A which is a data bus, The second main arithmetic unit 2B and the main verification unit 4 are connected by a second path B which is a data bus, and a third path which is a data bus from which data from the preliminary arithmetic unit 3 is output and branches in two directions The initial path is selected by first and second switching units 6 and 7 described later so that C is not connected to the first path A and the second path B.

  Specifically, the main collation unit 4 collates each data calculated from the first and second main arithmetic units 2A and 2B and output on each path, and when the respective data match, When the operations of the first and second main arithmetic units 2A and 2B are determined to be normal and the respective data do not match, one of the operations of the first and second main arithmetic units 2A and 2B is abnormal. It is determined. When the main collation unit 4 determines that the operations of the first and second main arithmetic units 2A and 2B are normal, the data output from the first and second main arithmetic units 2A and 2B The operation of the controlled object is controlled based on this. When the main verification unit 4 determines that one of the operations of the first and second main calculation units 2A and 2B is abnormal, the control target operation is controlled to be on the safe side. ing. When the main collation unit 4 determines that the operations of the first and second main arithmetic units 2A and 2B are normal, for example, although not shown, it outputs an alternating output and turns on the relay via a transformer. . When this relay is in the ON state, the control object is continuously controlled based on each data output from the first and second main arithmetic units 2A and 2B. Further, when determining that one of the operations of the first and second main arithmetic units 2A and 2B is abnormal, for example, the main verification unit 4 fixes the output value and turns off the relay. When this relay is turned off, the operation of the control target is stopped and controlled so as to be on the safe side, for example.

  Specifically, the sub collation unit 5 and the first main computation unit 2A and the second main computation before the main collation unit 4 collates the data from the first and second main computation units 2A and 2B. The data from the unit 2B and the preliminary calculation unit 3 are collated with each other, and the data match / mismatch is detected. In the present embodiment, as shown in FIG. 1, the sub-collation unit 5 includes a first sub-collation unit 5 </ b> A that detects a match / mismatch between the first route A and the third route C, and a second route. A second sub-collation unit 5B that detects a match / mismatch between the data on B and the third route C, and a third sub-check unit that detects a match / mismatch between the data on the first route A and the second route B. It is comprised with the collation part 5C. Then, each sub-collation unit 5A, 5B, 5C outputs a coincidence / non-coincidence detection result to the control unit 8 to be described later, as indicated by a dotted line in FIG.

  The first switching unit 6 is a switching unit that can selectively switch and connect either the first main computation unit 2A or the preliminary computation unit 3 to the main verification unit 4, and is controlled by the control unit 8 described later. For example, as shown by arrows in FIG. 1, the switching operation of the first and third paths A and C is performed.

  The second switching unit 7 is a switching unit that can selectively switch and connect either the second main calculation unit 2B or the preliminary calculation unit 3 to the main collation unit 4, and is controlled by a control unit 8 to be described later. For example, as shown by the arrow in FIG. 1, the switching operation of the second and third paths B and C is performed.

  The control unit 8 determines whether the operations of the first main calculation unit 2A, the second main calculation unit 2B, and the preliminary calculation unit 3 are normal based on the detection result of the sub-collation unit 5, and the determination result Accordingly, the switching control of the first and second switching units 6 and 7 is performed.

  For example, as shown in FIG. 1, the controller 8 determines that the first and second main arithmetic units 2A and 2B operate normally when the operations of the first and second main arithmetic units 2A and 2B are normal. The first and second switching units 6 and 7 are controlled so as to be connected to the main verification unit 4, and as shown in FIG. 2, the operation of the preliminary calculation unit 3 is normal, and the first main calculation unit 2A When it is determined that the operation is abnormal, the first and second switching units 6 and 7 are controlled so as to connect the preliminary calculation unit 3 and the second main calculation unit 2B to the main verification unit 4, and the illustration is omitted. However, when it is determined that the operation of the preliminary calculation unit 3 is normal and the operation of the second main calculation unit 2B is abnormal, the preliminary calculation unit 3 and the first main calculation unit 2A are connected to the main verification unit 4. In this way, the first and second switching units 6 and 7 are configured to be controlled.

  Specifically, as shown in FIG. 2, the control unit 8 determines that the operation of the preliminary calculation unit 3 is normal and the operation of the first main calculation unit 2A is abnormal. The second switching unit is configured to control the first switching unit 6 to be connected to the main verification unit 4 and to connect the second main calculation unit 2B to the main verification unit 4 (in the direction indicated by the solid line in FIG. 2). 7 is controlled. Although not shown, the control unit 8 determines that the operation of the preliminary calculation unit 3 is normal and the operation of the second main calculation unit 2B is abnormal. The second switching unit 7 is controlled so as to be connected, and the first switching unit 6 is controlled so that the first main calculation unit 2A is connected to the main verification unit 4.

  In addition, when the control unit 8 in the present embodiment obtains a detection result of coincidence from the first, second, and third sub-collation units 5A, 5B, and 5C, for example, the first and second main arithmetic units 2A, It is determined that the operation of 2B is normal. In addition, the control unit 8 detects the coincidence of the data of the preliminary calculation unit 3 and the first main calculation unit 2A from the first sub-collation unit 5A, or from the second sub-collation unit 5B to the preliminary calculation unit. When the coincidence of the data of 3 and the second main calculation unit 2B is detected, it is determined that the operation of the preliminary calculation unit is normal. The control unit 8 determines that the operation of the first main calculation unit 2A is abnormal when it obtains a detection result that the first and third sub-collation units 5A and 5C do not match and the second sub-collation unit 5B matches. I do. Furthermore, when the control unit 8 obtains a detection result indicating that there is a mismatch from the second and third sub-collation units 5B and 5C and a match from the first sub-collation unit 5A, the operation of the second main calculation unit 2B is abnormal. Make a decision. Then, the control unit 8 determines that the operation of the preliminary calculation unit 3 is abnormal when it obtains a detection result indicating that there is a mismatch from the first and second sub-collation units 5A and 5B and a match from the third sub-collation unit 5C. I do. For example, when the control unit 8 determines that the operation of the preliminary calculation unit 3 is abnormal, for example, it is determined that the operation of the first and second main calculation units 2A and 2B is abnormal thereafter. Even if it exists, it controls so that the 1st and 2nd main calculating parts 2A and 2B may be connected to the main collation part 4 as it is, without switching an abnormal side main calculating part to the preliminary | backup calculating part 3. FIG. In this case, the main verification unit 4 determines that the operation of either of the main calculation units 2A and 2B is abnormal, and performs control so that the operation to be controlled is on the safe side.

  In the present embodiment, when the control unit 8 obtains a detection result of coincidence from the sub-collation units 5A, 5B, and 5C, the operation of the first and second main arithmetic units 2A and 2B is normal. The determination is made, but the present invention is not limited to this, and when the sub collation unit 5 detects at least the coincidence of the data of the first main calculation unit 2A and the second main calculation unit 2B, Any configuration that determines that the operations of the second main arithmetic units 2A and 2B are normal may be used. For example, when the detection result of coincidence is obtained from the third sub-collation unit 5C, it may be determined that the operations of the first and second main arithmetic units 2A and 2B are normal.

  Further, when the control unit 8 obtains a detection result that the first and third sub-collation units 5A and 5C do not match and the second sub-collation unit 5B matches, the operation of the first main calculation unit 2A is abnormal. However, the present invention is not limited to this, and the sub-collation unit 5 uses at least the data from the first main arithmetic unit 2A and the data from the second main arithmetic unit 2B and the preliminary arithmetic unit 3 to each other. What is necessary is just the structure which determines with the operation | movement of 2 A of 1st main calculating parts being abnormal when a mismatch is detected, respectively. For example, it may be determined that the operation of the first main calculation unit 2A is abnormal when the detection result of mismatch is obtained from the first and third sub-collation units 5A and 5C.

  Furthermore, when the control unit 8 obtains a detection result indicating that there is a mismatch from the second and third sub-collation units 5B and 5C and a match from the first sub-collation unit 5A, the operation of the second main calculation unit 2B is abnormal. However, the present invention is not limited to this, and the sub-collation unit 5 uses at least the data from the second main computation unit 2B and the data from the first main computation unit 2A and the preliminary computation unit 3 Any configuration may be used as long as the operation of the second main calculation unit 2B is determined to be abnormal when mismatches are detected. For example, it may be determined that the operation of the second main calculation unit 2B is abnormal when the detection result of mismatch is obtained from the second and third sub-collation units 5B and 5C.

  When the control unit 8 obtains a detection result that the control unit 8 does not match from the first and second sub-collation units 5A and 5B and matches from the third sub-collation unit 5C, the operation of the preliminary calculation unit 3 Although it is determined to be abnormal, the present invention is not limited to this, and the sub-collation unit 5 at least receives data from the preliminary computation unit 3 and each data from the first and second main computation units 2A and 2B. When the discrepancy is detected, the operation of the preliminary calculation unit 3 may be determined to be abnormal. For example, it may be determined that the operation of the preliminary calculation unit 3 is abnormal when the detection result of mismatch is obtained from the first and second sub-collation units 5A and 5B.

  Next, the control operation of the bus synchronous dual computer system 1 according to the present embodiment will be described with reference to FIGS. In the initial state, the first and second main arithmetic units 2A and 2B and the preliminary arithmetic unit 3 operate normally, and two or more arithmetic units among the arithmetic units are simultaneously operated. It shall not cause abnormal operation. In addition, as shown in FIG. 1, the state in which the first and second main arithmetic units 2A and 2B normally perform arithmetic processing and control the operation of the controlled object is defined as the initial state, and in this initial state, the first main A control operation when the arithmetic unit 2A fails and continues to output abnormal data will be described. In the above initial state, for example, even when abnormal data is temporarily output from the first main calculation unit 2A due to a temporary cause due to noise or the like, the description is omitted because the same control operation is performed. .

First, the control operation until the first main arithmetic unit 2A fails and starts to output abnormal data will be described. First, the same input information is input to the first and second main calculation units 2A and 2B and the preliminary calculation unit 3 and the same, for example, a clock signal is simultaneously input, and the same calculation processing is performed in synchronization.
Next, before the main collation unit 4 collates the data from the first and second main arithmetic units 2A and 2B, each of the sub collation units 5A, 5B and 5C includes the first and second main arithmetic units 2A. , 2B and the preliminary calculation unit 3 are collated with each other, and a detection result indicating that the data match each other is output to the control unit 8. Then, the control unit 8 determines that both the first and second main arithmetic units 2A and 2B perform normal operations based on the detection results from the sub-collation units 5A, 5B, and 5C, and the preliminary arithmetic unit. 3 is determined to perform a normal operation, and a control command for maintaining the initial state shown in FIG. 1 is output to the first and second switching units 6 and 7, and the first and second switching units 6 and 7 The first and second paths A and B that connect the first and second main arithmetic units 2A and 2B to the main verification unit 4 are continuously selected. Here, the data output from the first main calculation unit 2A passes through the first path A, and the data output from the second main calculation unit 2B continues to the main verification unit 4 via the second path B. Entered. Then, the main collation unit 4 collates each input data, collates whether or not each data matches, obtains a collation result indicating that they match, and obtains the first and second main arithmetic units 2A. , 2B is determined to be normal. Then, for example, the operation of the controlled object is continuously controlled based on the data output from the first and second main arithmetic units 2A and 2B.
As described above, the following description will be given on the assumption that a failure has occurred in the first main arithmetic unit 2A as shown in FIG. 2 when the preliminary arithmetic unit 3 is operating normally. The third sub-collation unit 5C detects that the data of the first main computation unit 2A and the second main computation unit 2B are inconsistent, and the first sub-collation unit 5A The second sub-collation unit 5B detects that the mutual data of the calculation unit 3 is inconsistent, and the second sub-collation unit 5B detects that the data of the second main calculation unit 2B and the preliminary calculation unit 3 match. Based on the detection result, the control unit 8 determines that the operation of the preliminary calculation unit 3 is normal and the operation of the first main calculation unit 2A is abnormal, and replaces the data from the first main calculation unit 2A. The control command is output to the first switching unit 6 so that the data from the preliminary calculation unit 3 is input to the main verification unit 4, and the first switching unit 6 connects the preliminary calculation unit 3 to the main verification unit 4. The third route C to be selected is selected. Furthermore, the control unit 8 outputs a control command to the second switching unit 7 so that the data from the second main calculation unit 2B is continuously input to the main verification unit 4, and the second switching unit 7 The second path B connecting the calculation unit 2B to the main verification unit 4 is continuously selected.
Finally, the main collation unit 4 collates each data from the input preliminary computation unit 3 and the second main computation unit 2B, collates whether or not each data matches, and each data matches The operation result of the preliminary calculation unit 3 and the second main calculation unit 2B is determined to be normal. Then, for example, the operation of the controlled object is continuously controlled based on each data output from the preliminary calculation unit 3 and the second main calculation unit 2B. Then, after the path is switched so that the data from the preliminary calculation unit 3 is input to the main collation unit 4 in this way, for example, the data collation is not performed by the sub-collation unit 5, but the main collation unit 4 and after that, for example, when the main collation unit 4 obtains a collation result indicating that the respective data do not match, it is determined that the operation of either the preliminary computation unit 3 or the second main computation unit 2B is abnormal. To do. Then, the control target operation is controlled to be on the safe side.

  The control operation when a failure occurs in the second main arithmetic unit 2B in the initial state is also briefly described below. When the preliminary calculation unit 3 performs a normal operation, the second and third sub-collation units 5B and 5C detect a mismatch, and the first sub-collation unit 5A detects a match. Then, the control unit 8 determines that the operation of the preliminary calculation unit 3 is normal and the operation of the second main calculation unit 2B is abnormal, and the data from the preliminary calculation unit 3 is used instead of the second main calculation unit 2B. Is switched to the main verification unit 4 to control the second switching unit 7. Furthermore, the control unit 8 controls the first switching unit 6 so that the data from the first main calculation unit 2A is continuously input to the main verification unit 4. The main verification unit 4 obtains a verification result that the input data from the first main calculation unit 2A and the preliminary calculation unit 3 coincide with each other, and the first main calculation unit 2A and the preliminary calculation unit 3 It is determined that the operation is normal. Then, for example, the control target operation is continuously controlled based on each data output from the first main arithmetic unit 2A and the preliminary arithmetic unit 3. After the path is switched so that the data from the preliminary calculation unit 3 is input to the main verification unit 4 as described above, the sub-verification unit 5 does not perform the data verification as described above. For example, when the main verification unit 4 obtains a verification result indicating that each data does not match, the operation of either the preliminary calculation unit 3 or the first main calculation unit 2A is abnormal. Is determined. Then, the control target operation is controlled to be on the safe side.

  With such a configuration, in the bus synchronous dual computer system 1 according to the present embodiment, one of the first and second main arithmetic units 2A and 2B fails when the preliminary arithmetic unit 3 is normal and an abnormality occurs. Calculation that is determined to perform an abnormal operation by switching the abnormal side calculation unit to the preliminary calculation unit when calculating abnormal data continuously or when calculating abnormal data temporarily due to transients due to noise, etc. The preliminary calculation unit 3 is connected to the main verification unit 4 instead of the unit, and the main verification unit 4 verifies each data calculated from the main calculation unit that operates normally with the preliminary calculation unit 3 and output on each path. When the data matches, the operation of the controlled object can be controlled based on the data output from the data collated operation unit, and the original operation of the controlled object can be continued. In this way, it is possible to provide the bus synchronous dual computer system 1 that further improves the operation rate of the control target. Further, when the data collated by the main collation unit does not match, control is performed so that the operation to be controlled is on the safe side, so that safety can be ensured as in the conventional case.

  By the way, it is determined that the operation of the first main calculation unit 2A is abnormal, and the first switching unit 6 performs normal operation as shown in FIG. 2 and from the preliminary calculation unit 3 via the first switching unit 6. Is input to the main verification unit 4, for example, as indicated by a dotted line in FIG. 2, the data from the preliminary calculation unit 3 via the second switching unit 7 due to a malfunction of the second switching unit 7. Are also input to the main verification unit 4. In this case, the main collation unit 4 collates the data from the preliminary computation unit 3, and the main collation unit 4 obtains a collation result of coincidence. Therefore, abnormal data is calculated from the preliminary computation unit 3. Even if it is done, it will determine with the calculating part performing normal operation | movement. As described above, the bus synchronous dual computer system according to the second embodiment described later can perform the main verification even when the data from the same calculation unit is input to the main verification unit 4 in a fail-out state. The unit 4 is configured so that an abnormality can be detected.

  FIG. 3 is a schematic block diagram showing a second embodiment of the bus synchronous dual computer system 1 according to the present invention. In the dual computer system 1 according to the present embodiment, each switching unit (first switching unit) that switches between the two arithmetic units (first main arithmetic unit 2A, second main arithmetic unit 2B) and the preliminary arithmetic unit 3. 6, a second switching unit 7 and a third switching unit 10, which will be described later, are provided, and each input unit (not shown) of the data of the verification unit (main verification unit 4) is connected to the preliminary calculation via each switching unit. When connected to the unit 3, different data can be input to each input unit. In addition, the same code | symbol is attached | subjected to the element same as 1st Embodiment of FIG. 1, description is abbreviate | omitted, and only a different part is demonstrated.

  Specifically, in the present embodiment, the third path C, which is the data bus described above, is connected to the middle part of the path connecting the preliminary computation unit 3 and the first switching unit 6 as shown in FIG. 1 branch section S1 is provided, a path (C1) branched from the first branch section S1 is connected to the second switching section 7, and the second branch section S2 is connected to the path between the first branch section S1 and the preliminary calculation section 3. A branch path C2 that branches from the second branch section S2 is provided, and a data bus is configured with the path between the first branch section S1 and the second branch section S2 as the main path C3. As shown in FIG. 3, the bus synchronous dual computer system 1 according to the present embodiment further includes a conversion unit 9, a third switching unit 10, and a restoration unit 11.

  The conversion unit 9 converts the data input from the preliminary calculation unit 3 into data of a different format and outputs it, and is provided on the branch path C2 as shown in FIG. In the present embodiment, the conversion unit 9 is composed of an encryption circuit that encrypts input data and outputs the encrypted data. The encryption circuit encrypts the data in a different format and, for example, adds data that can be identified later that the data is encrypted data. Based on the added data, the restoration unit 11 described later can determine whether the input data is encrypted data.

  The third switching unit 10 is a switching unit that can selectively switch and connect either the main route C3 or the branch route C2 to the first branch unit S1, as shown in FIG. 3, on the main route C3. Is provided. Further, for example, as shown in FIGS. 3 and 4, the third switching unit 10 may set the state connected to either the main route C3 or the branch route C2 as an initial state, and although not shown, A state in which neither is connected may be set as an initial state.

  The restoration unit 11 restores the original data when the input data is the data converted by the conversion unit 9, and converts the data into data of a different format when the data is not converted. Is. In the present embodiment, the restoration unit 11 is composed of a decryption circuit that decrypts and outputs the data encrypted by the encryption circuit described above. If the data added by the encryption circuit determines that the data input to the decryption circuit is encrypted data, the data is decrypted to the original data and is not encrypted. When determining, it is configured to encrypt data in different formats.

  In the present embodiment, as shown in FIG. 3, the control unit 8 determines that the operation of the preliminary calculation unit 3 is normal and the operation of the first main calculation unit 2A is abnormal, as shown in FIG. Is connected to the first branch unit S1, and the operation of the preliminary calculation unit 3 is normal and the operation of the second main calculation unit 2B is abnormal as shown in FIG. When it determines with there being, it is comprised so that the 3rd switching part 10 may be controlled so that the branch path C2 may be connected to 1st branch part S1. As shown in FIGS. 3 and 4, the restoration unit 11 is configured to be provided on a path (C1) connecting the second switching unit 7 and the first branch unit S1.

  Next, the control operation of the bus synchronous dual computer system 1 according to the present embodiment will be described with reference to FIGS. In the initial state, the first and second main arithmetic units 2A and 2B and the preliminary arithmetic unit 3 operate normally, and two or more arithmetic units among the arithmetic units are simultaneously operated. It shall not cause abnormal operation. In addition, the state in which the first and second main arithmetic units 2A and 2B normally perform arithmetic processing and control the operation of the control target is set as an initial state, and in this initial state, the first main arithmetic unit 2A fails, The control operation when the abnormal data is continuously output will be described. In the above initial state, for example, even when abnormal data is temporarily output from the first main calculation unit 2A due to a temporary cause due to noise or the like, the description is omitted because the same control operation is performed. .

  In the initial state, as shown in FIG. 3, the following description will be made assuming that a failure has occurred in the first main arithmetic unit 2A. The first and third sub-collation units 5A and 5C detect mismatch and the second sub-collation unit 5B detects coincidence, and the control unit 8 operates normally in the preliminary calculation unit 3 and abnormal in the first main calculation unit 2A. The third switching unit 10 outputs a control command so as to select the main route C3 and the first switching unit 6 selects the route C4. Further, the control unit 8 outputs a control command to the second switching unit 7 so that the data from the second main calculation unit 2B is continuously input to the main verification unit 4. And the main collation part 4 collates each data from the input preliminary | backup calculation part 3 and the 2nd main calculation part 2B, and performs the same control operation | movement as 1st Embodiment after that. In the state shown in FIG. 3, if the second switching unit 7 malfunctions as shown in FIG. 5, the data from the preliminary calculation unit 3 is decoded via the main path C3 and the path C1 (decoding unit (restoring unit)). 11), the data is converted into data having a format different from that of the original data, and is input to the main verification unit 4.

  In this manner, the same data as the data output from the preliminary calculation unit 3 is input to the main verification unit 4 from one input unit, and the data converted into data in a format different from the original data is input to the other unit. Since the main collating unit 4 can determine that the operation of the calculating unit is abnormal because the data is inconsistent with each other, the main collating unit 4 collates the data of the preliminary calculating units 3 with each other. Even in the case of a fail-out state of being able to do, control can be performed so that the operation of the controlled object is on the safe side.

  In the initial state, as shown in FIG. 4, the control operation when a failure occurs in the second main arithmetic unit 2B will also be described briefly below. The second and third sub-collation units 5B and 5C detect mismatch, and the first sub-collation unit 5A detects coincidence, and the control unit 8 operates normally in the preliminary calculation unit 3 and abnormal in the second main calculation unit 2B. The third switching unit 10 outputs a control command to select the branch path C2 and the second switching unit 7 selects the path C1, and the data from the first main calculation unit 2A continues to be the main verification. A control command is output to the first switching unit 6 so as to be input to the unit 4. The data from the preliminary calculation unit 3 is encrypted by the encryption circuit (conversion unit 9) on the branch path C2, and then decrypted to the original data by the decryption circuit (reconstruction unit 11) on the path C1. The same data as the data output from the preliminary calculation unit 3 is input to the main verification unit 4. The main collating unit 4 collates the input data from the first main arithmetic unit 2A and the preliminary arithmetic unit 3, and thereafter performs the same control operation as in the first embodiment. In the state shown in FIG. 4, although not shown, if the first switching unit 6 malfunctions, the data from the preliminary calculation unit 3 is encrypted by the encryption circuit (conversion unit 9) via the branch path C2. And input to the main verification unit 4 via the path C4.

  In this way, the main verification unit 4 receives the data decrypted into the same data as the data output from the preliminary calculation unit 3 and the encrypted data, and the main verification unit 4 receives the mutual data. Since the operation of the operation unit can be determined to be abnormal because it is inconsistent, the control is performed even in a fail-out state in which the data of the preliminary operation units 3 are collated by the main collation unit 4. It is possible to control the target operation so that it is on the safe side.

  In the present embodiment, the case where the first or second switching unit 6 or 7 malfunctions has been described. However, the control unit 8 malfunctions without being limited to the case where the first or second switching unit 6 or 7 malfunctions. In the case of instructing the first and second switching units 6 and 7 to perform an erroneous switching operation, or as a result of the erroneous operation of the control unit 8 and the first and second switching units 6 and 7 being overlapped, the above-described fail-out state is obtained. Even in such a case, the control can be performed so that the operation to be controlled is on the safe side as described above.

  In the present embodiment, each switching unit that switches between the two calculation units and the preliminary calculation unit is provided, and each input unit of the data of the collation unit is connected to the preliminary calculation unit via each switching unit. As an example of a configuration in which different data can be input to each input unit when connected to the control unit 8, the operation of the preliminary calculation unit 3 is normal and the operation of the first main calculation unit 2A is abnormal Is determined, the third switching unit 10 is controlled so that the main route C3 is connected to the first branch unit S1, the operation of the preliminary calculation unit 3 is normal, and the operation of the second main calculation unit 2B is performed. The case where the third switching unit 10 is configured to be controlled to connect the branch path C2 to the first branch unit S1 when it is determined to be abnormal has been described. As shown in FIGS. 6 and 7 showing a modification of the embodiment, the preliminary calculation When it is determined that the operation of the unit 3 is normal and the operation of the first main arithmetic unit 2A is abnormal, the third switching unit 10 is controlled so as to connect the branch path C2 to the first branch unit S1 ( In addition, when it is determined that the operation of the preliminary calculation unit 3 is normal and the operation of the second main calculation unit 2B is abnormal, the main path C3 is connected to the first branch unit S1. 3 The structure which controls the switch part 10 (refer FIG. 7) may be sufficient. In the case of this configuration, as shown in FIGS. 6 and 7, the restoration unit 11 is configured by being provided on a path (C4) connecting the first switching unit 6 and the first branch unit S1.

  In the present embodiment, the conversion unit 9 is configured by an encryption circuit, and the restoration unit 11 is configured by a decryption circuit. However, the conversion unit 9 and the restoration unit 11 are input data. May be configured by an inverting circuit that inverts and outputs. This inversion circuit outputs, for example, data obtained by inverting the data of 0 to 1 and the data of 1 to 0 in the data, and the conversion unit 9 and the restoration unit 11 are configured by the same inverting circuit. Thereby, the structure of the conversion part 9 and the decompression | restoration part 11 is simplified.

  By the way, the backup circuit including the preliminary calculation unit 3, the conversion unit 9, the third switching unit 10, the restoration unit 11, the first switching unit 6, and the second switching unit 7 is the first main calculation unit 2A or the second. It is not used until it is determined that the operation of the main arithmetic unit 2B is abnormal. Therefore, before it is determined that the first main calculation unit 2A or the second main calculation unit 2B is abnormal, for example, the conversion unit 9 and the restoration unit 11 may both be in a short-circuit failure state. Yes (see FIG. 8).

  In the state of FIG. 8, a failure of the second main arithmetic unit 2B occurs, it is determined that the operation of the preliminary arithmetic unit 3 is normal and the operation of the second main arithmetic unit 2B is abnormal, and the second switching unit 7 As shown in FIG. 9, the normal operation is performed, and the unencrypted data of the preliminary calculation unit 3 passes through the input / output short-circuit line C5 of the conversion unit 9 and the input / output short-circuit line C6 of the restoration unit 11 to the second path. When data is input to the main verification unit 4 from B, for example, the data of the preliminary calculation unit 3 that is not encrypted from the first path A is converted due to a malfunction of the first switching unit 6 indicated by a dotted line in FIG. It is assumed that the data is input to the main verification unit 4 via the input / output short-circuit line C5 of the unit 9.

  Further, in the state of FIG. 8, it is determined that a failure of the first main arithmetic unit 2A has occurred, the operation of the preliminary arithmetic unit 3 is normal, and the operation of the first main arithmetic unit 2A is abnormal, and the first switching unit 10 performs a normal operation as shown in FIG. 10, and when the data of the preliminary computation unit 3 that is not encrypted from the first path A is input to the main verification unit 4, the second shown by the dotted line in FIG. 10. Due to a malfunction of the switching unit 7, the data of the preliminary calculation unit 3 that is not encrypted from the second path B is also input to the main verification unit 4 via the input / output short-circuit line C 6 (see FIG. 10) of the restoration unit 11. It is also assumed that.

  In the state shown in FIG. 9 and FIG. 10, the main collation unit 4 collates the data from the preliminary calculation unit 3, and the main collation unit 4 obtains a collation result of coincidence. Even if abnormal data is calculated from the calculation unit 3, it is determined that the calculation unit is operating normally. Although not shown, even if a short-circuit failure occurs only in the restoration unit 11, the same data is obtained from the first route A and the second route B as in the case of FIGS. An input to the unit 4 is also assumed.

  The bus synchronous dual system computer system according to the third embodiment to be described later is a case where at least the restoration unit 11 is short-circuited before it is determined that the first main calculation unit 2A or the second main calculation unit 2B is abnormal. As described above, the restoration unit 11 is configured to prevent the restoration unit 11 from entering a fail-out state in which the same data is input to the main verification unit 4 from the first route A and the second route B as described above. It is configured by adding a fault diagnosis function.

  FIG. 11 is a schematic configuration diagram showing a third embodiment of the bus synchronous dual computer system 1 according to the present invention. In the bus synchronous dual computer system 1 according to the present embodiment, any one of the two arithmetic units (first main arithmetic unit 2A, second main arithmetic unit 2B) is connected to each switching unit (first switching unit). 6, the second switching unit 7 and the third switching unit 10) are periodically switched to the preliminary calculation unit 3. In addition, the same code | symbol is attached | subjected to the element same as 2nd Embodiment of FIG. 3, description is abbreviate | omitted, and only a different part is demonstrated.

  Specifically, in the present embodiment, the second switching unit 7 is periodically switched and connected to the preliminary calculation unit 3 side, and the third switching unit 10 is periodically switched to the branch path C2 side in synchronization with the switching connection. Configure to connect to. The periodic switching connection of the second switching unit 7 and the third switching unit 10 is configured to be performed by a periodic switching command from a timer unit (not shown) provided in the control unit 8, for example. Specifically, the timer unit is connected to the second switching unit 7 by switching to the preliminary calculation unit 3 side, maintaining the state for a predetermined time, and then switching to the second main calculation unit 2B side. A series of control commands are output at a predetermined cycle (for example, every several seconds), and the third switching unit 10 is switched to the branch path C2 side and maintained for a predetermined time, and then switched to the main path C3 side. Is output in synchronization with the control command for periodic switching connection of the second switching unit.

  Next, the control operation of the bus synchronous dual computer system 1 according to the present embodiment will be described with reference to FIG. In the initial state, the first and second main arithmetic units 2A and 2B and the preliminary arithmetic unit 3 are operating normally, and then the recovery unit 11 is short-circuited. The conversion part 9 is demonstrated below as what does not cause a short circuit failure simultaneously. Further, since the control operation when the first and second main arithmetic units 2A and 2B and the preliminary arithmetic unit 3 are out of order is the same as that of the second embodiment, the description thereof is omitted.

  In the initial state, first, the timer unit (not shown) of the control unit 8 switches and connects the second switching unit 7 to the preliminary calculation unit 3 side, and issues a control command to maintain this state for a predetermined time. A control command for switching to the third switching unit 10 to the branch path C2 side and maintaining this state for a predetermined time in synchronization with the control command for the switching connection of the second switching unit 7 Output. Here, when the second switching unit 7 and the third switching unit 10 are switched and connected as shown by the solid line in FIG. 11, if the conversion unit 9 and the restoration unit 11 are normal, the main verification unit 4 is input. Each data is collated to obtain a collation result that they match, and for example, the operation of the control target is controlled based on each data output from the first main computation unit 2A and the preliminary computation unit 3.

  Then, the timer unit (not shown) of the control unit 8 outputs a control command for maintaining the states of the second switching unit 7 and the third switching unit 10 indicated by solid lines in FIG. 7, a control command for switching connection to the second main arithmetic unit 2 </ b> B side is output, and a control command for switching connection to the main path C <b> 3 side is transmitted to the third switching unit 10 of the second switching unit 7. Output in synchronization with the control command for switching connection. As a result, the second switching unit 7 and the third switching unit 10 are switched and connected as shown by a broken line in FIG. 11 to return to the initial connection state, and the series of the second switching unit 7 and the third switching unit 10 is performed. The switching operation for fault diagnosis is completed. The timer unit of the control unit 8 periodically issues the control command to the second switching unit 7 and the third switching unit 10 so as to perform this series of switching operations at a predetermined cycle (for example, every several seconds). By outputting, the switching operation for failure diagnosis is repeated.

  Here, after returning to the initial connection state indicated by the broken line in FIG. 11 and before the switching connection indicated by the solid line in FIG. . After this short-circuit failure has occurred, when the second switching unit 7 is next switched and connected to the preliminary computation unit 10 side and the third switching unit 10 is switched and connected to the branch path C2 side, the main verification unit 4 Each input data is collated to obtain a collation result indicating that there is a mismatch. For example, it is determined that there is some failure in the standby circuit including the restoration unit 11, the conversion unit 9, the third switching unit 10, and the like. Control is performed so that the operation of the controlled object is on the safe side.

  As described above, when a short-circuit failure occurs in the restoration unit 11 by periodically performing a switching operation for failure diagnosis of the standby system circuit, the main verification unit 4 says that each input data is inconsistent. By obtaining the collation result, for example, it can be determined that there is some failure in the standby circuit including the restoration unit 11 and the like, and control can be performed so that the operation to be controlled is on the safe side. Therefore, as described above, the first route A and the second route B are used when at least the restoration unit 11 is short-circuited before it is determined that the first main calculation unit 2A or the second main calculation unit 2B is abnormal. Therefore, it is possible to prevent the same data from being input to the main verification unit 4 from being in a fail-out state (for example, FIGS. 9 and 10).

  In addition, although it was assumed that the control command for the periodic switching connection is issued from the timer unit, the present invention is not limited to this, and a program for the control command for the switching connection is provided in the arithmetic unit, and the arithmetic unit (for example, the first and second control units). The main calculation unit) may instruct the control unit 8 each time for switching, and based on this command, the control unit 8 may output a switching control command to each switching unit.

  Further, in the description of the control operation of the bus synchronous dual computer system 1 according to the present embodiment, the restoration unit 11 is first short-circuited as shown in FIG. It is also assumed that 9 will short-circuit first. Even in this case, the main collation unit 4 obtains a collation result that the input data is inconsistent, and determines that there is a failure in the standby system circuit so that the operation to be controlled is on the safe side. To control. Thereby, it can prevent beforehand that it will be in the fail-out state shown in FIG. 9 that both the conversion part 9 and the decompression | restoration part 11 have short-circuit failure.

  Also in the modification of the second embodiment shown in FIGS. 6 and 7, there is a possibility that a fail-out state is caused due to the failure of the standby circuit as shown in FIGS. In this case, although not shown, the first switching unit 6 is periodically switched and connected to the preliminary calculation unit 3 side, and the third switching unit 10 is periodically connected to the main path C3 side in synchronization with the switching connection. To be configured. In this case, for example, the timer unit is connected to the first switching unit 6 by switching to the preliminary calculation unit 3 side and maintaining the state for a predetermined time, and then switching to the first main calculation unit 2A side. A series of commands are output at predetermined intervals (for example, at intervals of several seconds), and are switched to the third switching unit 10 for switching to the main path C3 side and maintained for a predetermined time before switching to the branch path C2 side. The control command is output in synchronization with the periodic switching connection control command of the first switching unit 6.

  Note that the switching connection control command for failure diagnosis of the standby system circuit is not limited to the timer unit, and may be performed by an arithmetic unit provided with a switching connection control command program.

DESCRIPTION OF SYMBOLS 1 Bus synchronous double system 2A 1st main calculating part 2B 2nd main calculating part 3 Preliminary calculating part 4 Main collation part (collation part)
5 Sub-collation part (another collation part)
6 First switching unit 7 Second switching unit 8 Control unit 9 Conversion unit 10 Third switching unit 11 Restoration unit C2 Branch route C3 Main route S1 First branch point S2 Second branch point

Claims (7)

In the computer system that controls the operation of the controlled object by the bus synchronous dual system from the result of collating each data of the two arithmetic units by the collating unit,
A preliminary calculation unit is provided separately from the calculation unit,
When the one of the two operational unit and two arithmetic unit normal preliminary calculation unit from irradiation combined results in a different collating section each data of the preliminary computation unit before verification is abnormal, the abnormal side switching the arithmetic unit to the preliminary calculation section, of the preliminary calculation unit and the bus synchronization duplex system capable of outputting the data to the control target of the normal side computing section computing system. The another collation unit is configured to collate each data from the two computation units and the preliminary computation unit to detect a match / mismatch of each other data,
It is determined whether or not the operations of the two calculation units and the preliminary calculation unit are normal based on the detection result of the other verification unit, and the abnormal calculation unit is determined as a preliminary calculation unit according to the determination result. 2. The bus synchronous dual computer system according to claim 1, wherein the computer system is switched to a computer system. A first main arithmetic unit and a second main arithmetic unit are provided as the two arithmetic units, and the preliminary arithmetic unit synchronizes the same arithmetic processing with respect to the same input information as the first and second main arithmetic units. The other collating unit is configured to collate each data from the first main computing unit, the second main computing unit, and the preliminary computing unit, and detect the coincidence / mismatch of each other. ,
A first switching unit capable of selectively connecting the first main computation unit and the preliminary computation unit to the verification unit;
A second switching unit capable of selectively switching and connecting the second main computation unit and the preliminary computation unit to the verification unit;
It is determined whether or not the operations of the first main arithmetic unit, the second main arithmetic unit, and the preliminary arithmetic unit are normal based on the detection result of the other collation unit, and the first main operation unit is operated according to the determination result. And a control unit that performs switching control of the second switching unit;
Bus Synchronization double-system computer system of claim 2, wherein the configuring comprises a. When determining that the operations of the first and second main arithmetic units are normal, the control unit connects the first and second main arithmetic units to the verification unit. 2 When the switching unit is controlled to determine that the operation of the preliminary calculation unit is normal and the operation of the first main calculation unit is abnormal, the preliminary calculation unit and the second main calculation unit are If the first and second switching units are controlled so as to be connected to each other, and the operation of the preliminary calculation unit is normal and the operation of the second main calculation unit is abnormal, the preliminary calculation unit 4. The bus synchronous dual system according to claim 3, wherein the first and second switching units are configured to control the first main arithmetic unit and the collating unit . Computer system. The control unit operates the first and second main arithmetic units when the other collating unit detects at least coincidence of data between the first main arithmetic unit and the second main arithmetic unit. Is determined to be normal, and at least when a mismatch is detected between the data from the first main arithmetic unit and the data from the second main arithmetic unit and the preliminary arithmetic unit, the first main arithmetic unit is detected. When the operation of the arithmetic unit is determined to be abnormal, and at least when a mismatch between the data from the second main arithmetic unit and the data from the first main arithmetic unit and the preliminary arithmetic unit is detected, When the operation of the second main arithmetic unit is determined to be abnormal and a match between the data of the preliminary arithmetic unit and the first main arithmetic unit is detected, or the preliminary arithmetic unit and the second When a match between the data in the main processor is detected, Serial bus synchronization duplex system computer system of claim 4, wherein the operation of the pre-calculation unit is determined configuration to be normal. When each switching unit that switches between the two calculation units and the preliminary calculation unit is provided, and each input unit of the data of the collation unit is connected to the preliminary calculation unit via each switching unit, bus synchronization double-system computer system according to claim 1 or 2 different data input unit is characterized in that a possible input configurations. Bus Synchronization double-system computer system according to claim 6, characterized in that switching said one of the two calculation unit, the pre-calculation unit periodically via the respective switching unit.