JPH0261755A - Device for monitoring computer system with two processor - Google Patents

Abstract

PURPOSE: To process the operation of the entire system by making two processors perform monitoring by the same right and performing monitoring by a certain kind of shake-hand drive in the middle of a series of data exchange to be cyclically performed. CONSTITUTION: The processor 20 logically processes a signal protocol generated from the change of the combination of a signal line on a bus 1, watchdog signals on a lead wire 33 and software reset signals on the lead wire 34 and monitors the error of the processor 10. It is similar for the processor 10 as well. When the watchdog signals without the error are inputted to the input terminals of pumping circuits 27 and 28, a static logic level L is generated at the output terminals of the circuits. When the watchdog signals are omitted or take a static signal value, the other logic level are respectively generated at the output terminals of the pumping circuits 27 and 28. In such a manner, it becomes impossible to let a failed processor send out reset pulses to the other, operatable processor while the cause 15 unknown.

Description

[Detailed Description of the Invention] <Industrial Application Field> The present invention relates to a device for monitoring a computer system having two processors and a processor, and more specifically, the present invention relates to a device for monitoring a computer system having two processors and a controller, and more specifically, the present invention relates to a device for monitoring a computer system having two processors and a controller, and more specifically, two processors are connected to each other via a data line and a control line. The present invention relates to a device for monitoring a computer system having two processors fixedly connected to each other by separate input and output ports, in particular for determining the air-fuel mixture supplied to an internal combustion engine.

BACKGROUND OF THE INVENTION Separate multi-computer systems are known, in which the main computer is operated in normal operation in an undisturbed state and performs all the tasks related to the necessary check and control functions. The sub-computer is used only as an emergency computer, taking over emergency functions in the event that the main computer fails, thereby allowing at least limited functionality to be maintained. Emergency computers are not normally used unless an emergency situation arises. In such systems, the main computer is monitored anyway. In the event of a fault or malfunction being detected by excessive monitoring equipment, the emergency computer may cover part or all of the work of the main computer.

German patent application P 35 39 407.2 describes a computer system with two processors for controlling variables of an internal combustion engine. The two computers are provided with double gates, one gate feeding the main computer and the other gate feeding the measurement values to the emergency computer. The two computers are configured to have the ability to process the same task. Of course, the emergency function realized in this case is primarily the feeding of the sensor signals to the two processors or, in an emergency, the feeding of the output signals of the two processors to the final processing stage. If the monitoring device detects a fault in the relevant processor, the final processing stage that controls the fuel supply via the AND gate is shut down.

However, the above specification does not provide a detailed explanation of how to monitor the main and emergency functions of two processors performing the same task. There is no mention of how multiple processors can be made to monitor each other, especially if the two processors are operated asynchronously and are used for completely different purposes.

It is therefore an object of the invention to provide a control device which operates with two processors with as simple as possible, yet strong safety features, so that the two processors have the same degree of protection and the same rights even in a fault-free state. The goal is to be able to process the work of the entire system with the help of a computer.

Therefore, unless a failure occurs, data must be and must be able to be exchanged between the two processors. In order to be able to put the entire system into use even if one of the processors fails or if only an error occurs in the data transmission, it is necessary to identify the error that has occurred. Once an error has been identified, each processor must take appropriate action according to the type of error in order to make the system usable.

Means for Solving the Problems> In order to solve the above problems, the present invention provides a system in which two processors perform monitoring with the same right, and this monitoring is performed periodically between the two processors. A configuration is adopted in which a type of shakehand drive is used during data exchange. That is, until the two processors periodically exchange data and instructions via data and control lines, the first each processor is provided with a first input terminal that recognizes the monitoring signal of the other processor, and the first input terminal and output terminal of both processors are connected to each other. If there is no failure in program processing in both processors, the dynamic monitoring signal has a predetermined pulse duty ratio and a predetermined frequency. When there is a failure, a configuration is adopted in which the pulse duty ratio of the monitoring signal of the processor with the failure changes compared to when there is no failure in program processing.

According to the present invention, the processors can each Let's restart each other. In this case, the advantage is that processor failures can be detected very quickly.

According to a preferred embodiment of the invention, the two processors can also operate completely independently of each other, without having to be directly connected to each other or using a common 170 bus. They can be driven asynchronously with each other at various clock frequencies. Further, according to the present invention, two processors monitor each other with the same authority, so that when an error occurs, it is possible to locate the error. That is, the apparatus of the present invention can identify whether a failure has occurred in one of the processors or in a peripheral device of the processor. For this purpose, the above-mentioned periodic data exchange between the two processors is used as a verification circuit for the monitoring function.

<Example> Embodiments of the invention are shown in the drawings and explained in detail below.

According to FIG. 1, a first processor IO is provided with a port 11 for supplying signals to a data bus and a control bus 17. Processor 10 simultaneously supplies signals to a human output (10) bus 16, which is shown schematically in the figure. Similarly, the second processor 20 is also provided with a port 21 for supplying signals to the same data bus and control bus 17. This processor 20 further includes l
101 to 26. The processor 10 is provided with two output terminals 12 and 13 which are connected via leads 33 and 34 to a first input terminal 24 of the processor 20 and to a first pump circuit of a first NOR gate 29. 27 or the first output. In this embodiment, a watchdog signal (monitoring signal) is output from the output terminal 12 of the processor 10, and a software reset signal is output from the output terminal 13. Roughly speaking, the processor IO is provided with two input terminals 14 and 15, which are controlled by the first output 22 of the processor 20 or the output signal of the NOR gate 32 via leads 36 or 37. . Processor lO
The input terminal 14 of the processor 20 receives the watchdog signal of the processor 20, and the input terminal 15 is used for receiving the reset signal. In addition to the input terminal 24 described above, the processor 20 is also provided with a second input terminal 25, which is controlled by the output signal of the second Nandt gate 31. Similar to processor 100 input terminals 1.4 and 15, processor 20 input terminals 24 and 25 are also used to receive processor 10 watchdog or reset signals.

Similarly to the output terminal 13 of the processor 10, the processor 2
0 is further provided with an output terminal 23 in addition to the output terminal 22 already mentioned, and this output terminal 23 is connected to the lead wire 3.
8 controls the first input terminal of the NOR gate 30. Similarly, the output terminal 13 of the processor 10 is connected to the lead wire 34.
The first input terminal of the first NOR gate 29 is controlled via the first NOR gate 29 . The output signal of the first pumping circuit 27 is applied to the second input terminal of the NOR gate 29, and the output signal of the NOR gate 29 is applied to the second NOR gate 31 via the lead wire 41.
control the first input terminal of. Similarly, the output signal of the second pumping circuit 28 is applied to the second input terminal of the third NOR gate 30, and the output signal of the third NOR gate 30 is applied to the first input terminal of the fourth NOR gate 32 already mentioned. Control the terminal.

The second input terminals of FAZOO) 31 and 32 each have
An initialization signal (power-on pulse) is applied via the common lead 18 when the device is powered on.

The two processors IO and 20 to be monitored can be configured as a master processor and a slave processor, for example in an E-gas system (electronic fuel supply control). In that case, the two processors can operate asynchronously via the bus 17 and independently of each other up to the periodic data or instruction exchange.

The functions of the apparatus shown in FIG. 1 will be explained using FIGS. 2 and 3. In the event of a failure, two processors 10
A watchdog pulse having a predetermined frequency and a predetermined duty ratio generated at the watchdog output terminals 12 and 22 of the processor 20 and the processor 20, respectively, is transmitted to the other processor 20.
and 10 to the corresponding watchdog detection terminals 24 and 14. According to FIG. 2, each such watchdog pulse is detected by the other processor with a higher frequency pulse (strobe sampling). Mainly by accurately detecting the presence or absence of a watchdog signal, the duty ratio, and the pulse frequency on the receiving side, errors can be detected dynamically, quickly and silently, and detected reliably. Therefore, the watchdog signal shown in FIG. 2a, having a period of, for example, 40 m5 and a duty ratio of 50%, is transmitted, for example, 8 times, or at 8 equally divided points, during the period shown in FIG. sampled at these discrete time points TA according to the program.
It is compared with the signal predicted during normal driving at I to TAB. If they match, the receiving processor confirms that there is no error in the function of the processor that outputs the watchdog signal. The orderly functioning of the two processors 10 and 20 is monitored by mutually monitoring whether the expected and actual values of the watchdog signals match. via leads 33 and 37 only can be accomplished using a simple software routine.

For example, a flowchart of a simple routine is shown in FIG. Although not shown in detail in FIG. 3, a sampling counter, preferably formed in software, is provided which is incremented in the receiving processor at a frequency many times the fundamental frequency of the watchdog signal. Ru.

A predetermined sampling time TA is determined by the start command 48.
Detection 49 of the instantaneous level of the watchdog signal takes place. Here, it is simply determined whether the signal state is HG)l (H) or LOW (L). For example, the right half of the flow chart assumes that signal state H is detected. A determination is then made in flag 50 whether the same signal state H was already present at the previous sampling time. For example, if a frequency eight times the normal fundamental frequency of the watchdog signal is used as the sampling frequency, if the result of the above judgment is NO, the process proceeds to flag 53, and the counting state of the sampling counter is less than 4. A determination is made as to whether If the result of the determination of flag 50 is yes, flag 5 is
1, it is determined whether the counting state of the sampling counter is smaller than 6. If the determination of flag 53 is NO, the sampling counter is reset to zero. If the flag 51 is YES, the sampling counter is incremented by 1, and then the current state of the watchdog signal is stored in the memory as the level value for the next flag 60.

If the determination of flag 53 is YES or the determination of flag 51 is NO, it is considered that an erroneous watchdog signal exists in step 54 (frequency error, duty ratio error, constant value, etc.) ), without incrementing the sampling counter,
The watchdog signal state at that time is stored in the memory as the next flag 50 level value in step 56. For watchdog signaling, the left half of the flowchart, which is symmetrical about line of symmetry 58, is used and similar operations are performed. Therefore, mutual monitoring of the two processors 10 and 20 is possible without intervening connection circuitry.
and 20 watchdog output terminals 12 to 22 and the corresponding watchdog detection signal input terminals 24 to 14, ie completely autonomously.

The connection elements 27-32 can be connected with the aforementioned dynamic watchdog signal analysis and data bus 17 to fulfill the following functions to improve the monitoring reliability: That is, processor 20 logically processes the signal protocol resulting from changes in the combination of three signal paths: the signal path on bus 17, the watchdog signal on lead 33, and the software reset signal on lead 34. , monitors the processor 10 for errors. Similarly, processor 10 logically processes the signal protocol resulting from the combination of three signal paths: the signal path on bus 17, the watchdog signal on lead 17, and the software reset signal on lead 38. Monitor processor 20 for errors.

Processors 10 and 20 periodically exchange data in a fixed time pattern. First, processor 10 (as a master processor) communicates with processor 20 via bus 17.
Request data (as a slave processor). Processor 20 serves data requests on a predetermined cycle time basis. As a result, processor 2
0 to the processor 10, the processor recognizes this fact. In other words, in the case of the processor 10, it recognizes that there is no response for data transmission to its own data request, and in the case of the processor 20, even if the cycle time has elapsed, the processor 1
Recognize that there is no data request from 0. The bus 17 thus forms, together with the signals carried on it and the comparison of these signals with the underlying signal protocol, a two-way monitoring function for mutually monitoring the two processors.

Each processor can restart the other processor if it is paused (software reset). Outputting the reset pulse to leads 34-38 leading to the processor 20-10 is provided by the processor 20-1 to which the processor 10-20 has its input terminals 14-24 applied.
The prerequisite is to identify that a watchdog signal of 0 has an error as already mentioned. When an error-free watchdog signal is applied to the input terminals of the pumping circuits 27 and 28, a quiet logic level (here, for example, L) is generated at the output terminals of the pumping circuits 27 and 28. If the watchdog signal is missing or has a quiet signal value,
The output terminals of pumping circuits 27 and 28 each have the other logic level. Therefore, if there is no error in the watchdog signal of the processor that sends out the reset pulse, the software reset pulse having the L level sent out from each processor 10 to 20 will pass through the NOR gates 29 and 31 to 30 and 32 to the other processor. It is transmitted to processors 2o to 10.

In this way, it is impossible for a failed processor to send a reset pulse to the other operational processor for unknown reasons. Alternatively, for example, when switching on and operating a system of this kind, a common disconnection signal (power on) having an H level can be used to connect the two NOR gates 31 and 32 instead of respectively sending a software reset pulse. It is also possible to send it to both processors simultaneously via the Therefore, the exchange of software reset signals between two processors represents another monitoring function by which the two processors monitor each other. By detecting these monitoring functions, it is not only possible to recognize faulty drive states, but also to locate faults of this type, as will be explained below.

For example, processor 1o may request data from processor 2o but recognize that data transmission is not performed, or processor 2o may recognize that no data request is made from processor 1o even after a transmission cycle has elapsed. If both processors recognize that the other processor has a fault-free watchdog signal and is therefore active, then there is a fault in the control line of bus 17. Something is recognized. On the other hand, in the case of a data line failure, data transmission is still possible. A data line failure is recognized by processor 1o sending a checkword to processor 20 and processor 2o returning an incorrect checkword to processor 10. In that case, processor 10 recognizes that processor 20 maintains the transmission protocol for data exchange and that the watchdog signal of processor 2o is present in an error-free state, but by processing an erroneous check word. Conclude that there is a fault in the data line of the data bus. The processor 2o recognizes that the processor 10 is maintaining the transmission protocol and that its watchdog signal is present in an error-free state, and likewise concludes that there is an error on the data bus.

For example, when processor 10 is not operating, processor 20 recognizes that processor 10 does not request data after a transmission cycle and that the processor 10's watchdog signal is missing. processor 20
recognizes the above two conditions and determines that there is a failure in the bromo-fusa IO. And the processor 20 is Bromo
・Send a reset pulse to 10. processor 1
As soon as 0 is re-enabled, processor 1.0 outputs an error-free watchdog signal requesting data from processor 20. If the processor 10 is not activated, there will be no output of the watchdog signal;
Moreover, since no data request is made to the processor 20, the processor 20 reacts according to a predetermined program. The same thing is done conversely for the processor 20 as well.

For example, when the watchdog signal is not output from the processor 20, the processor 10 recognizes this. When processor 20 correctly responds to a data request from processor 10, processor 10 recognizes that processor 20 is active and that there is an error on the watchdog signal output terminal of processor 20. Processor 10 transfers this information to processor 2 via data bus 17.
0. On the other hand, if an error occurs in the watchdog signal of the processor 10, the bromo fusa 20 recognizes it and transmits the corresponding information to the bromo fusa 20.

In the above embodiment, if there is no failure, the monitoring signals output from both processors can be configured to have substantially the same pulse duty ratio and frequency.

In addition, if there is no fault, a predetermined phase shift exists between the two monitoring signals, and the configuration can be such that this phase shift is lost if a fault occurs in program processing in either processor.

In addition, at least one of the two processors connects another data bus 16.2 unrelated to the data and control lines 17.
It can be configured such that it is connected to 6.

Furthermore, the two processors can be configured to be driven at different frequencies.

Further, check words for checking data transmission on the data line outputted via the data line and the control line can be configured to differ in direction.

Also, as long as there is no fault, one of the two processors can be driven preferentially as a master processor, and the other can be driven as a slave processor at a lower priority, and if a fault is detected, the two processors Each can be configured to perform substantially the same emergency functions with the same capabilities.

Furthermore, the second input terminal 15.25 for receiving the reset/restart signal of each processor is dynamically connected to the second output terminal 13.23 for outputting the software reset signal of the respective other processor. It can be configured as follows.

In addition, if a failure occurs in program processing in one processor, the processor can be stopped by generating more software reset signals per unit time than when there is no failure. Multiple software reset pulses can be configured to be generated from the non-faulty processor.

<Effects of the Invention> Therefore, in the device of the present invention, although the two processors operate independently of each other, they can monitor each other with a high degree of certainty. The processor can respond differently to different types of errors according to various programmed fail-safe routines. Also, since the error is located, it can be eliminated, for example by restarting one processor when it stops working with the other processor that is still functioning. Another option is to permanently suspend a failed or malfunctioning processor if a restart (reset) attempt is unsuccessful. In general, since it is possible to respond in various ways using software when an error occurs, the scope of use of the entire system can be significantly expanded. It goes without saying that the detection of errors can also be used to report the errors, for example to the driver of the motor vehicle, or to store them in an error memory, which can be consulted in particular in motor vehicle work. Furthermore, the device according to the invention provides that, unlike the illustrated embodiment, the data exchange between the two processors is not via a dedicated bus 17 fixedly arranged between the separate boards 11 and 21, but rather via a system bus 17. Alternatively, it can also be used in a two-processor system, such as in general via a part of the system bus in which the detected measured quantities are stored or the processing results are read out.

[Brief explanation of the drawing]

Figure 1 is a block diagram of the device of the present invention, Figures 2 (a) and (b)
) is an explanatory diagram schematically showing detection of a dynamic watchdog signal, and FIG. 3 is a flowchart of the detection program shown in FIG. 2. 11.21...Port, 12.22...Output terminal,
13.23...Output terminal, 14.24...Input terminal 15.25...Input terminal, 16...Data bus, 1
7...Data line and control line, 27.28...Pumping circuit FIG, 2

Claims (11)

[Claims] (1) An apparatus for monitoring a computer system with two processors, in which the two processors are fixedly connected to each other via data and control lines (17) by ports (11, 21), comprising: a first processor which is operable independently of each other and which outputs a dynamic supervisory signal to each processor until the processors periodically exchange data and instructions via the data and control lines;
output terminals (12, 22) are provided for each processor, and each processor is provided with a first input terminal (14, 24) for recognizing the monitoring signal of the other processor; The input terminals (14, 24) and output terminals (22, 12) of the processors are connected to each other, and the dynamic monitoring signal is a predetermined pulse when there is no problem in program processing in both processors. If there is a failure in program processing in either processor, the pulse duty ratio of the monitoring signal of the processor with the failure will be lower than in the case where there is no failure in program processing. 1. A device for monitoring a computer system having two processors, characterized in that the computer system has two processors. (2) Each of the first output terminals (12,
33, 22, 37) are connected to the input terminals of a pumping circuit (2728), from the output terminals of which a quiet monitoring signal can be taken out, and a respective one for outputting a software reset signal. A second output terminal (13, 23) is provided, and each processor has a second input terminal (13, 23) for receiving the reset/restart signal of the other processor.
5, 25) are provided, and each second input terminal (15
, 25) are provided with logic circuits (30, 32, 29, 31) each having three input terminals,
Each of the three input terminals has a first input terminal (38,
34) are the second output terminals (23, 34) for outputting software reset signals of the other processor, respectively.
13), and the second input terminals of the logic circuits are respectively controlled by the other processor (22, 12)
It is connected to the output terminal of the pumping circuit (28, 27), and supplies an initialization signal to the third input terminal of the logic circuit (30, 32, 29, 31) via the power supply line (18). Device according to claim 1, characterized in that it is capable of: (3) The apparatus according to claim 1, characterized in that, in the absence of a fault, the monitoring signals output from both processors have substantially the same pulse duty ratio and frequency. (4) A patent claim characterized in that in the absence of a fault, a predetermined phase shift exists between both monitoring signals, and this phase shift is lost if a fault occurs in program processing in either processor. Apparatus according to scope 3. (5) At least one of the two processors is connected to another data bus (16, 26) unrelated to the data line and control line (17). The device described in. (6) The device according to claim 1, wherein the two processors can be driven at different frequencies. 7. Device according to claim 1, characterized in that the check words outputted via the data and control lines (17) for checking the data transmission on the data lines differ with respect to direction. (8) Device according to claim 2, characterized in that the logic circuits are each formed from two series cascade circuits (29, 31), (30, 32). (9) As long as there is no fault, one of the two processors can be driven preferentially as a master processor and the other can be driven as a slave processor at a lower priority, and if a fault is detected, the two processors 9. Apparatus according to any one of claims 1 to 8, characterized in that each of the processors performs substantially the same emergency functions with the same capabilities. (10) The second input terminals (15, 25) that receive the reset/restart signal of each processor interact with the second output terminals (13, 23) that output the software reset signal of the other processor, respectively. 10. The device according to any one of claims 1 to 9, characterized in that the device is connected to (11) If a failure occurs in program processing in one processor, the processor can be stopped by generating more software reset signals per unit time than when there is no failure. 11. The apparatus of claim 10, wherein the multiple software reset pulses are generated by the non-faulty processor.