JPH06259267A - Fault detector for asnychronous duplex system microcomputer system - Google Patents

Abstract

PURPOSE:To provide a fail safe microcomputer control system improved in comparison with the conventional system. CONSTITUTION:In MPU 1 and 2 of respective systems, the sum value of all the ROM storing programs is calculated and inputted to the MPU of the other system, the fault check of the sum value is performed in the manner of software by the MPU of the other normal system, when any fault is generated, a contact chr of a check relay CHR is dropped by stopping a watchdog(WD) signal normally generated at a fixed frequency so as to cut off the AND outputs of the MPU 1 and 2 to a control relay RY, and control is stopped.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a failure detecting device for an asynchronous dual microcomputer system.

[0002]

2. Description of the Related Art For example, in a computer system to be introduced into a railway signal security device or the like, a bus synchronous dual system has been generally used in the past as one of techniques for improving system reliability. In this system, two systems of computers that perform the same processing for the same input information are operated in synchronization, and the output information of the microcomputers of each system corresponding to the input information is collated with each other at the bus level,
The system is configured to judge whether the system is normal or abnormal based on the match / mismatch of the matching results, and to stop the control output when there is an error, thereby ensuring the fail-safe of the control system by the computer.

[0003]

However, the conventional bus-synchronous dual system has a structure in which the outputs of the respective systems are compared at the bus level to make a failure determination, and hardware such as a verification circuit is used for the failure determination. However, there is a problem that the number of hardware parts is large. Further, because of bus synchronization, high synchronization precision is required, and for example, strict control of clock precision and component threshold level precision is required. Further, since the bus data is serially output and compared by the collation circuit, the collation processing takes time, and the speedup of the data processing for coping with the increase in the amount of information due to the high density of traffic in recent years is dealt with. Is limited.

Further, when a failure occurs in a failure detection program or the like that is not executed in normal operation, such a program failure is a hidden mode failure that does not appear in the table because it is not executed in normal operation. In a bus-synchronized duplex system, it is different if a program that outputs the sum value to the bus is inserted. However, when an implicit mode failure occurs in which such a program that is not normally executed fails, this program is executed. Since the failure can be found only when the bus level verification is performed, the failure detection may be delayed.

The present invention has been made in view of the above circumstances, and an object of the present invention is to provide a computer system superior to the conventional bus-safe dual system which is a fail-safe computer system.

[0006]

Therefore, as shown in FIG. 1, the present invention is provided with two microcomputers for performing the same processing on the same input information, and each system based on the input information is provided. A failure detection device for an asynchronous dual-system microcomputer system that controls a controlled object by using a logical product output of microcomputer output information as a control output, and keeps a watchdog signal constant when a program executed during normal operation of the system is normal. While each system is provided with a watchdog signal generating means for generating at a frequency, a sum check means for calculating a sum value of a ROM storing a system program and outputting the sum value to a microcomputer of another system, etc. Other system's sum value input from system's sum check means and normal other system's normal sum check value Comparing the sum check value with the sum check value comparing means, when the comparison result of the sum check value comparing means is inconsistent, the abnormality determining means for stopping the watch dog signal when it is determined to be abnormal, and the watch dog signal other than the constant frequency. And a control output stopping means for stopping the control output to the controlled object.

Further, as indicated by the dotted line in FIG. 1, the operation information of the controlled object based on the control output based on the output information of the microcomputer of each system is input to the microcomputer of each system, and the microcomputer of each system is input. The output information and the operation information of the control target are compared and judged to be matched or not.

[0008]

In this structure, when the same input information is input to the microcomputers of the respective systems, the microcomputers of the respective systems generate outputs corresponding to the input information. Further, in each system, the sum check means calculates the sum value of the ROM, and the sum value is output to each other system. Then, the sum check value comparing means compares the input sum value of the other system with a normal sum check value stored in advance,
If they match, there is no stop operation of the watchdog signal by the abnormality determining means, a watchdog signal of a constant frequency is generated from the watchdog signal generating means, and the stop operation of the control output by the control output stopping means is not executed. The controlled object is controlled based on the logical product output of the outputs generated from the microcomputers of the respective systems.

On the other hand, when the comparison results of the sum check value comparing means do not match, the abnormality determining means determines that the program is abnormal in another system and stops the watchdog signal from the watchdog signal generating means. As a result, the control output stopping means operates to interrupt the logical product output to the control target and stop the control of the control target. As a result, it is not necessary to provide hardware such as a matching circuit, and it is possible to detect failures with software and reduce the number of parts.
Costs can be reduced because it is not necessary to synchronize each system. Further, it is possible to quickly find a failure that cannot be found in the normal operation in the past, and eliminate a failure in the implicit mode. Further, since collation processing using serial data is not necessary, it becomes possible to sufficiently cope with speeding up of data processing.

Further, the operation information of the controlled object by the control output based on the output information of the microcomputer of each system is input to each microcomputer of each system, and the output information of the microcomputer and the operation information of the controlled object for each system. By comparing and determining whether the control output matches the operation of the controlled object, it is possible to more surely monitor whether or not the control output and the operation of the controlled object match, and to improve safety.

[0011]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS An embodiment of the present invention will be described below with reference to the drawings. FIG. 2 is a diagram showing the configuration of this embodiment. In FIG. 2, two system, for example, A system and B system microprocessor units (hereinafter referred to as MPUs) 1 and 2 are RO
It is composed of a one-chip microcomputer including M, RAM, I / O, a timer and the like, performs the same processing asynchronously with respect to the same input information, and generates outputs corresponding to the respective input information. The outputs generated from the MPUs 1 and 2 are input to an AND gate 3 which performs a logical product operation, and the logical product output is a check relay CH described later.
Control relay RY to be controlled via R contact chr
To the control output.

On the other hand, in each of the MPUs 1 and 2 of the A system and the B system, a watchdog signal (hereinafter, referred to as a WD signal) having a constant frequency is generated when the program executed during the normal control operation is normal. Then, the WD signals of both systems are output from the bandpass filters (hereinafter referred to as BPF) 4 and 5 to the negative power supply circuits 8 and 9 via the Schmitt circuits 6 and 7, and the WD signals are predetermined. When outputting at a constant frequency, the negative power supply circuits 8 and 9 generate negative power supplies to drive the driver circuits 10 and 11, respectively. Then, a chopping signal of a predetermined frequency is input from the MPU 2 to the B-system driver circuit 11, and the negative power supply circuit 9
When a negative power supply is generated from the next Schmitt circuit 12
An AC signal corresponding to the chopping signal is input to the A-system driver circuit 10 via. In the A-system driver circuit 10, when the AC signal from the B-system is input while the negative power supply is generated from the negative power supply circuit 8, the driver circuit 14 in the next stage is driven via the Schmitt circuit 13 in the next stage. , The negative power supply circuit 15 of the next stage is driven to energize the above-mentioned check relay CHR to lift its contact chr.

Further, in each of the A and B MPUs 1 and 2,
The sum value of all ROMs is always calculated at a constant cycle, and the sum value is input to the other system. That is, the sum value of the A system is input to the MPU 2 of the B system, and the sum value of the B system is input to the MPU 1 of the A system. The MPUs 1 and 2 each store the sum check value of the other system in the normal state, and the stored value is compared with the input sum value of the other system to determine a match / mismatch. If they do not match, it is determined that the program of the other system is abnormal, the WD signal is stopped, the driving of the corresponding negative power supply circuit 8 or 9 is stopped, and the check relay C
Stop energizing the HR and drop its contact chr to AN
The control output from the D gate 3 to the control relay RY is cut off.

Therefore, each of the MPUs 1 and 2 has the functions of a watchdog signal generation means, a sum check means, a sum check value comparison means and an abnormality determination means, and each BPF.
4, 5, Schmitt circuits 6, 7, 12, 13, negative power supply circuit 8,
9, 15, driver circuits 10, 11, 14 and check relay C
The HR constitutes the control output stopping means. Furthermore,
The operation information of the contact ry of the control relay RY to be controlled is input to the MPUs 1 and 2 of the A system and the B system, and the output of each MPU 1 and 2 is compared with the operation of the contact ry of the relay RY based on this output. , Check whether the operation corresponding to the output is actually executed, and if it is not executed, WD
The signal is stopped and the control of the control relay RY is stopped.

Next, the failure detecting operation of the microcomputer system will be described. Each MPU of A system and B system
The same input information is input to 1 and 2, the same processing is executed based on the input information, and the respective outputs are input to the AND gate 3. The AND gate 3 generates a logical product output of the inputs from the MPUs 1 and 2. When the outputs of the MPUs 1 and 2 have a logical value of 1, the output of the AND gate 3 has a logical value of 1 and the control relay RY is excited to raise the contact ry, thereby increasing the output of each MPU.
If either of the outputs 1 and 2 has the logical value 0, AND
The output of the gate 3 becomes a logical value 0 and the control relay RY is demagnetized and its contact ry falls, which is on the safe side of control.

When the program is normally executed in each system, the WD signal of each system is generated at a constant frequency and passes through the BPFs 4 and 5, respectively, and the Schmitt circuits 6 and 7 are triggered to generate the WD signals. Negative power supply is generated from the negative power supply circuits 8 and 9, and the corresponding driver circuits 10 and 11 are driven. Therefore, the AC signal corresponding to the frequency of the chopping signal is input from the B-system driver circuit 11 to the Schmitt circuit 12 at the next stage to trigger the Schmitt circuit 12, and the Schmitt circuit 12 causes the A-system driver circuit 10 to operate. An AC signal is input to, and triggers the Schmitt circuit 13 at the next stage. As a result, the negative power supply circuit 15 is driven by the driver circuit 14 in the next stage, the negative power supply is applied to the check relay CHR and excited, and the contact chr is lifted.

Therefore, if the MPUs 1 and 2 of each system are normal, the contact chr of the check relay CHR is raised and the output of the AND gate 3 based on the outputs of the MPUs 1 and 2 corresponding to the input information is checked. Contact point c of relay CHR
Input to control relay RY via hr, AND gate 3
The control relay RY is controlled according to the output of the. On the other hand, if the program does not operate normally during normal operation, W
Since the frequency of the D signal changes or stops, BPF4, 5
The Schmitt circuits 6 and 7 in the next stage are not triggered and the negative power supply circuits 8 and 9 do not operate. For example, if the A system side fails, an AC signal is input from the B system Schmitt circuit 12 to the A system driver circuit 10, but the A system negative power supply circuit 8 does not operate and the driver circuit 10 cannot be driven. The Schmitt circuit 13 in the next stage cannot be triggered. When the B system side fails, no AC signal is input from the B system Schmitt circuit 12 to the A system driver circuit 10. Therefore, even if the A system negative power supply circuit 8 can drive the driver circuit 10. After all, the Schmitt circuit 13 in the next stage cannot be triggered. Therefore, if at least one of the A system and the B system fails, the check relay CHR is not excited and the contact chr of the check relay CHR is dropped, and the output of the AND gate 3 is not input to the control relay RY. The control of the relay RY is stopped. Therefore, even if the output of the AND gate 3 becomes a logical value 1 due to a failure, when the failure occurs, the check relay CH
Since the contact chr of R drops, the output of the logical value 1 from the AND gate 3 to the control relay RY is cut off, so that the control relay RY does not operate.

In addition, in each system, all R
The OM sum value is calculated, and the sum value is input to each of the other systems. Then, in each system, the sum value of the other system to be input is compared with the normal sum check value of the other system stored in advance, and if they do not match, it is judged that the program of the other system is abnormal, and the WD signal is generated. To stop. This allows
Similar to the above, either one or both of the negative power supply circuits 8 and 9
Does not operate, the check relay CHR is demagnetized and its contact chr drops, so that the control of the control relay RY is stopped.

Therefore, the abnormality of the program executed at the normal time is checked by the generation form of the WD signal, and the abnormality such as the failure detection program which is not normally executed, that is, the hidden mode failure which does not appear in the table in the normal operation is detected. Since the check can be performed by the always-executed sum check, the conventional bus-synchronized dual microcomputer system can quickly find a failure that cannot be detected immediately, and eliminates the implicit mode failure. Further, since the watchdog signal and the sum check method are adopted for the failure detection, the hardware such as the matching circuit used in the conventional bus synchronous dual system is not required and the number of parts can be reduced and the synchronization of the microcomputer can be achieved. Therefore, it is not necessary to manage parts with high precision, so the cost can be reduced.

Further, since the negative power source is used as the operating power source of the check relay CHR, the check relay CHR operates only when the WD signal is normally generated, and the MPU is operated.
There is no concern that the check relay CHR will operate when the positive power supply for driving 1 and 2 is placed around, and the safety is excellent. Further, the control relay RY based on the output from the AND gate 3
Since the operation result of the contact ry of is captured in the MPUs 1 and 2 of each system and compared with the output results of the MPUs 1 and 2 in each MPU 1 and 2, it is checked whether or not the operation is performed as output. , It is a highly secure system.

[0021]

As described above, according to the present invention, the abnormality of the program that is normally executed can be detected by the frequency change of the watchdog signal, and the abnormality of the program that is not normally executed can be obtained by normalizing the sum value of the ROM. Since it is configured to detect by the sum check value comparison means of another system, the number of hardware can be reduced, the number of parts can be reduced, and it is not necessary to synchronize microcomputers, and parts management is easy and cost is reduced. it can. Moreover, abnormalities in programs that are not normally executed can be detected quickly, and implicit mode failures in which abnormalities do not appear in the table can be eliminated. Therefore, it is possible to provide a fail-safe microcomputer control system which is lower in cost than the conventional fail-safe microcomputer system, which is a bus-synchronized duplex system, and which has an excellent failure detection function.

[Brief description of drawings]

FIG. 1 is a block diagram showing the configuration of the present invention.

FIG. 2 is a system configuration diagram showing an embodiment of the present invention.

[Explanation of symbols]

 1,2 MPU 3 AND gate 4,5 BPF 6,7,12,13 Schmitt circuit 8,9,15 Negative power supply circuit 10,11,14 Driver circuit CHR Check relay chr Check relay contact RY Control relay ry Control relay contact

Claims (2)

[Claims] 1. A control target is controlled by using two microcomputers that perform the same processing for the same input information, and using a logical product output of output information of the microcomputers of each system based on the input information as a control output. A failure detection device for an asynchronous dual microcomputer system,
While each system is equipped with a watchdog signal generating means for generating a watchdog signal at a constant frequency when a program executed during normal operation of the system is normal, the sum value of the ROM storing the system program is calculated and the sum is calculated. Sum check means for outputting each value to the microcomputer of the other system, and sum check for comparing the sum value of the other system input from the sum check means of the other system with the normal sum check value of the other system stored in advance. Value comparison means,
Abnormality determination means for determining that there is an abnormality when the comparison result of the sum check value comparison means is inconsistent and stopping the watchdog signal, and stopping the control output to the control target when the watchdog signal is other than the constant frequency And a control output stopping unit for controlling the failure of the asynchronous dual-system microcomputer system. 2. The operation information of the controlled object based on the control output based on the output information of the microcomputer of each system is input to the microcomputer of each system, and the output information of the microcomputer and the operation information of the controlled object for each system. 2. The failure detection device for an asynchronous dual microcomputer system according to claim 1, wherein the device is configured to compare and judge whether or not it matches.