JPH07120294B2 - Fault tolerant method and system - Google Patents

Description

Description: TECHNICAL FIELD The present invention relates to a fault tolerant method and system, and more particularly to a method and system for performing mutual diagnosis of subsystems suitable for improving system reliability.

[Conventional technology]

With the development of computers in recent years, computers have come to play an important role. Along with that, the credibility of the computer has been strongly demanded. Permanent hardware failures, software bugs, and temporary data errors due to electrical noise and radiation incidence are among the causes of malfunctions that impair the reliability of the computer.

In order to increase the reliability of the system, a method of making the subsystems constituting the system redundant and multiplexed is used. Regarding the handling method of the output of the multiplexed subsystem, James N. Gray et al., Edited by Eiichi Watanabe, Fault Tolerant System, Tuna Hirbutsk, (1986), No. 11
According to pages 12 to 12, there is a method of making a majority vote and a method of switching the output based on the diagnosis result of the subsystem.

Hereinafter, a known example will be described with reference to FIG.

Outputs 3-1 of redundant subsystems 1-1 to 1-N
.About.3-N are input to the output selection circuit 5 '. The output selection circuit 5'takes a majority decision of the outputs 3-1 to 3-N and selects from the outputs 3-1 to 3-N based on the diagnosis result of the subsystems 1-1 to 1-N. Then, the final output 6 is generated.

[Problems to be Solved by the Invention]

Among the above-mentioned conventional techniques, the method based on the majority decision is strong against transient faults because the output is selected depending on whether the data match / mismatch. However, if a majority of subsystems prepared are not normal, the system is Since normal operation is not guaranteed, there is a problem that it is weak against multiple faults. On the other hand, the method of switching the output based on the diagnosis result (standby redundancy method) is strong against multiple faults because the survival of the system is guaranteed as long as one or more subsystems survive. However, if the diagnosis result is incorrect, the normality of the output is not guaranteed, and furthermore, when an abnormality is detected as a result of the diagnosis and the output is switched, the output is temporarily interrupted, so it is weak to the transient fault. I got it. For this reason, a method based on majority voting has been used for applications in which reliability and continuity of output signals are first required.

SUMMARY OF THE INVENTION It is an object of the present invention to provide a method of selecting an output of a subsystem which has the advantages of the above-mentioned conventional technology, that is, a majority voting method that is strong against transient faults and a standby redundancy method that is strong against multiple faults.

[Means for Solving the Problems] In order to achieve the above object, the present invention estimates the reliability of the output of each subsystem during operation from the results of self-diagnosis and data comparison between subsystems. , Select the output of the subsystem with the highest estimated reliability among the subsystems. Here, the reliability of the output means the probability that the output signal is correct, and is represented as a function of the event occurring in the system.

Focusing on the results of self-diagnosis and data comparison between subsystems, the following algorithm is used to select the subsystem with the highest reliability.

: A subsystem which is diagnosed as normal as a result of self-diagnosis and whose processing result matches that of another subsystem is regarded as normal, and its output is made the final output.

When there is no subsystem that satisfies the condition of :, the subsystem whose processing result matches that of another subsystem is regarded as normal, and its output is set as the final output.

When there is no subsystem satisfying the condition of :, the subsystem diagnosed as normal as a result of self-diagnosis is regarded as normal, and its output is made the final output.

If there is no subsystem that satisfies the condition of :: Stop the output or output a signal warning that normal output cannot be obtained.

[Action]

Let Pdε be the failure rate of self-diagnosis (probability that a subsystem is erroneously judged to be normal even though it is abnormal), Paε be the probability that incorrect data will match, and Pε be the probability that an error will occur. .

The probability that incorrect data will match is considered to be the probability that two random data will match, assuming that the error is random. Paε = 2 ^-n (1) where n: It is expressed as the bit length of data. When data is collated by software in a computer system, since the bit length n of the normal data often takes a large value, Paε ≈ 0 ...... (2) and Paε << Pdε ...... (3) Conceivable.

Considering the above, the reliability Rd of the output in each case of the above means is However, k is the number of subsystems that are regarded as normal.

By using the above means (4), (5), (6)
And a highly reliable output is sequentially selected. That is, the output with the highest reliability among the redundant subsystems is selected.

Embodiments Embodiments of the present invention will be described below with reference to the drawings.

FIG. 1 shows a basic embodiment of the present invention. Redundant subsystems 1-1 to 1-N (N: number of subsystems,
Data processing functions 200-1 to 200 that perform data processing, which is the original purpose of the computer system.
With -N. Based on the judgment results S1 to SN by the function (hereinafter, abbreviated as a judgment function) 204 for estimating the reliability of the output and judging the output with the highest reliability, the output selection circuit 5 outputs the output from each subsystem. The output with the highest reliability is selected from among 3-1 to 3-N and is set as the final output. According to this embodiment, since the reliability of the output is estimated and the output is selected based on the estimated reliability, the output from the subsystem with the highest reliability is always the final output 6. it can. Also, if even one subsystem is operating normally, the output of that normal subsystem can be used as the final output of the system, so it is possible to build a system that is resistant to multiple faults. it can.

Here, the determination result is the data processing functions 200-1 to 200-N.
It is decided by comprehensively judging from the output from. The determination result determines which subsystem output is selected. The determination result si indicates information indicating whether the subsystem 1-i is normal or abnormal. That is, i represents the number of the subsystem that is the object of determination.

FIG. 2 shows another embodiment in which the decision function 204 is multiplexed and incorporated into the subsystems 1-1 to 1-N.
-1 to 204-N. In the case of this embodiment,
The determination results S1 to SN by the determination functions 204-1 to 204-N are output for each subsystem. These are assumed to be mutual diagnosis results 4-1 to 4-N. Each mutual diagnosis result is composed of the judgment results S1 to SN in each subsystem. According to the present embodiment, the judgment function 204 in FIG.
It is possible to prevent erroneous output from being selected due to erroneous determination due to failure or malfunction of the determination function due to multiplexing with 04-1 to 204-N. Further, as shown in FIG. 12, it is possible to provide each subsystem with selection functions 205-1 to 205-N.

Here, the mutual diagnosis result means a result of a diagnosis performed between a plurality of redundant subsystems, and is determined by a coincidence or non-coincidence of data between the self-diagnosis result and the subsystems. The mutual diagnosis result indicates normality / abnormality of each subsystem that is an object of diagnosis. The present invention mainly provides means for mutual diagnosis.

This mutual diagnosis is determined by each subsystem. That is, different results may be obtained depending on the subsystem that is the main body of diagnosis.

The mutual diagnosis result 4-i (i: 1 to N is a natural number) indicates the mutual diagnosis result determined by the subsystem 1-i. That is, i represents the number of the subsystem that is the main subject of diagnosis.

An example for estimating the reliability of the output and determining the output with the highest reliability will be shown below.

FIG. 3 is an embodiment showing the judgment function of the present invention.

With the algorithm shown in Fig. 1, the subsystem with the highest Rd can be selected.

As in equations (4), (5), and (6), the reliability Rd of the output depends on the self-diagnosis result of the subsystem and the combination of the data match / mismatch and the event, that is, the subsystem symptom. Is represented.

In Fig. 1, the symptoms are shown in descending order of Rd. (Syndromei): It is described as the reliability of the output when Syndromei is observed. Syndrome 1 represents the best symptom, that is, no abnormality is detected, while Syndrome L represents the worst symptom, that is, abnormality is detected in all check items. For example, if there are only two check items, the self-diagnosis result and the comparison of the data, Syndrome1 indicates that no abnormality is detected in the self-diagnosis and the data match, and SyndromeL indicates the abnormality in the self-diagnosis. Is detected and the data is inconsistent.

According to the algorithm shown in FIG. 3, it is possible to select the signal of the subsystem having the highest Rd among the individual subsystems by gradually decreasing the symptom grade from the best symptom as follows.

if any subsystem hes Syndromel then select the sub
system (s) which has Syndromel, else if any subsystem has Syndrome2 then select th
e subsystem (s) which has Syndrome2, :: else if any subsystem has SyndromeL-1 then select
The subsystem (s) which has SyndromeL−1, else output fail safe signal. FIG. 4 is an embodiment showing another determination function of the present invention, and is the most reliable when Paε <Pdε (8) holds. Is an algorithm for selecting the output of a high subsystem.

In the figure, “Normal” indicates that the subsystem was judged to be normal as a result of self-diagnosis, and “Match” indicates that other subsystems whose processing result matches the processing result of the subsystem. It means that it exists.

<Self-diagnosis method> As a self-diagnosis method, taking a computer system as an example, a bit error is corrected by an ECC (Error Correcting Code) encoder / decoder attached to a RAM.
Information that it has been detected Detection results (bus error, address error, etc.) by the error detection function of the microprocessor Execution result of the hardware function diagnostic program Distributed allocation data (important data is multiplexed even within the same subsystem) They are collated every other time, and if a mismatch is detected, a majority decision is made to correct them.) Collation result A method using the error detection result by the error detection function added to the arithmetic unit of the microprocessor has been proposed in the past. However, these may be used.

<Self-Diagnosis Result Stage> FIG. 5 shows an embodiment showing a judgment function when the self-diagnosis result has several stages (two stages in the case of the present embodiment).
For example, when the information that the bit error is corrected and detected by the above-mentioned ECC is used as the result of the self-diagnosis, two-level information of 1-bit error correction and 2-bit error detection is obtained as the result.

SEC-DED (Single Error Correctio
n Double Error Detection) coded ECC, 3bi
When an error of t or more occurs, it is detected as a 1-bit or 2-bit error. Also, although it may be extremely small,
In some cases, errors of 3 bits or more cannot be detected. Therefore, even if a correctable 1-bit error is detected or if no error is detected, it is possible that an error of 3 bits or more has occurred. Here, the event that a 1-bit error has not occurred is referred to as "normal 1", and the event that an error of 2 bits or more has not occurred is referred to as "normal 2". Let Pdε ₁ and Pdε ₂ be Paε <Pdε ₁ <Pdε ₂ (9).

According to this embodiment, the reliability of output is The subsystem outputs can be sequentially selected.

Even in the event that the processing result matches the processing results of other subsystems, there are several stages in the reliability of the output of the subsystem depending on the number of subsystems whose processing results match.
Also in this case, it is possible to judge the phenomenon of “match” in several stages as in the present embodiment.

Further, when the missing rate of the self-diagnosis result is extremely low and Paε >> Pdε ₁ (15) holds, the output may be selected by the algorithm shown in FIG.

<Setting of Output Reliability Level> FIG. 7 shows the embodiment of FIG. 3 with the addition of a judgment as to whether or not the output reliability is higher than the required value.

From Syndrome1 to SyndromeL-1, if there are subsystems with progressively lower symptom grades and output reliability higher than the required value, select the subsystem output and there is no subsystem that meets the conditions. In that case, a signal indicating an error is output.

According to this embodiment, it is possible to prevent the output of the reliability less than the required value, and to guarantee the safety of the operation of the system.

The required value of reliability can be set by the level value in the figure as shown in FIG. When the output that does not meet the required level is not obtained, the output can be stopped or a signal indicating a warning can be output to maintain not only the survival probability of the system but also the safety.

Here, the level represents the required level of reliability, and depending on the value, Can be

The fail-safety of the control device is necessary to maintain the safety of the operation of the controlled object, and the application field where the malfunction of the system such as traffic control poses a risk to human life or causes great confusion in society. Then it is a particularly important function.

Further, according to the present embodiment, by selecting an appropriate level, it is possible to construct a fault tolerant computer capable of meeting various purposes with the same system configuration. For example, in computers used in commercial online systems, improving availability must be the first consideration. In such a case, if the above-mentioned level is set to 0, the lowest level of reliability of output is lowered, but the highest availability can be obtained. Moreover, in a computer used for flight control of an aircraft, the reliability of output must be considered first. In such a case, the highest output reliability can be obtained by setting the above-mentioned level to 2.
As described above, according to the present embodiment, Availa
Compatibility and trade-off between bility and output reliability are extremely easy.

It is also necessary to change the required reliability level during operation depending on the application of the computer. For example, in flight control of an aircraft, the safety of passengers can be guaranteed by setting an appropriate level for each stage of flight. Consider when an aircraft takes off. Speed is
By setting the above-mentioned level to 2 until V1 is exceeded, it is possible to immediately cancel takeoff in the event of a slight computer malfunction. By setting the above-mentioned level to 1 or 0 after the speed exceeds V1, it is possible to continue acceleration and take off and then land.

<Hardware Configuration> FIG. 9 shows an example of hardware for implementing the present invention.

In order to carry out the present invention, since the complicated condition judgment as described above is necessary, in the computer system, these condition judgments (mutual diagnosis) are preferably executed by software, and the condition judgments are multiplexed. In order to do so, it is preferable to implement these condition determinations in the redundant subsystems 1-1 to 1-N. Information such as processing results necessary for mutual diagnosis and self-diagnosis results are exchanged via the communication path 2 connecting the subsystems. When it is necessary to limit the final output of the system to one, the mutual diagnosis result (information indicating whether each subsystem is normal or abnormal) based on the condition judgment finally performed by the software in the output selection circuit 5 4- 1
It is only necessary to select from the outputs 3-1 to 3-N in terms of hardware by means of .about.4-N to obtain the final output 6.

Figure 10 shows an example of the configuration of each subsystem. The subsystem 1 is a bus 101, MPU (Micro Processing Unit) 102,
ECC encoder / decoder 103, RAM (Random Access Memory) 104,
DMAC (Direct Memory Access Controller) 105, ROM (Re
This can be configured by adding a mutual diagnosis result output interface 109 and an inter-subsystem communication interface 110 to a computer including an ad only memory) 106, an input interface 107, and an output interface 108.

The output selection circuit 5 is already applied for Japanese Patent Application No. Sho 63-118603.
According to the MV (Modified Voter) provided by the issue, this block diagram is shown in FIG.

Table 1 shows a switch matrix 50 that is placed in front of the majority circuit to construct an MV that can support up to a quadruple system.
An example of the logical table of is shown below. In this table, S1 to S4 are subsystem 1
Judgment result about -1 to 1-4 (subsystem 1-1
~ 1-4 is information indicating whether normal or not) S1 to S4, and 3-1 to 3-4 represent outputs from the subsystems 1-1 to 1-4. Further, FS represents a fail safe signal (all 0 or 1), and * represents Don't Care.

When all of the subsystems 1-1 to 1-3 are determined to be normal, the subsystem 1 is included in the three-input majority circuit 51.
The outputs 3-1 to 3-3 of -1 to 1-3 are input, and the same operation as a normal majority vote is performed. Subsystem 1-1 to 1-3
If one of the subsystems becomes the fault state, the output of the subsystem 1-4 instead of the output of the subsystem in the fault state becomes the output 50-4 via the switch matrix 50 and the majority circuit 51. Entered in. As described above, in this case, the MV realizes a majority decision with a standby system (HMR: Hybrid Majority Redundancy). According to this switch matrix, if only one subsystem is normal and the others are abnormal, the outputs of the normal subsystems are input to all the input terminals of the majority decision circuit 51, and the majority decision circuit 51 Output the same signal as the output.

When using this MV for triple system, subsystem 1-4
It is sufficient to set the determination result S4 regarding the above to the fault, that is, 0. In this case, the logical table of the switch matrix is as shown in Table 2. When it is determined that all of the subsystems 1-1 to 1-3 are normal, the outputs 3-1 to 3-3 of the subsystems 1-1 to 1-3 are input to the majority decision circuit 51 and the normal operation is performed. Do the same as majority voting. If only one subsystem is normal and the other is abnormal, the output of the normal subsystem is input to the majority voting circuit 51 as in the case of the quadruple system, and the majority voting circuit The same signal as the output will be output.

When using MV for the dual system, subsystem 1-
The determination results S3, S4 for 3, 1-4 may be set to false, that is, 0. In this case, the logical table of the switch matrix is as shown in Table 3. When both subsystems 1-1 and 1-2 are determined to be normal, the majority decision circuit 51 outputs the results of the majority decision of 3-1, 3-2, FS. In this case, 3-1 (= 3-2) when 3-1 = 3-2
Output is obtained. When 3-1 ≠ 3-2, 3
Since -1,3-2 are either 1 or 0 and FS is either all 1 or all 0, signals of all 1 or all 0, that is, FS can be obtained at the output of the majority decision circuit 51. When one of the subsystems 1-1 and 1-2 is determined to be normal, the outputs of the subsystem determined to be normal are input to all the input terminals of the majority voting circuit 51, and the majority voting circuit 51 is normal. Output the output of the subsystem that is determined to be.

FIG. 12 shows a processing flow of the present invention. The results of the data processing 200-1 to 200-N in the respective subsystems are exchanged between the subsystems 1-1 to 1-N via the communication path 2 and used for the data comparisons 201-1 to 201-N. . Also, the results of self-diagnosis 202-1 to 202-N in each subsystem 20
3-1 to 203-N are also exchanged between subsystems. Data ratio in the judgment function 204-1 to 204-N of each subsystem 1-1 to 1-N Based on the comparison results 201-120 to 1-N and the exchanged self-diagnosis results 203-1 to 203-N, the output of the subsystem to be selected is determined by the method provided by the present invention, and the selection function 20
The output is selected from 5-1 to 205-N to be the outputs 3-1 to 3-N of the subsystem.

The output selection circuit 5 selects the final output 6 from the outputs 3-1 to 3-N of the subsystems based on the mutual diagnosis results 4-1 to 4-N from the subsystems 1-1 to 1-N. To do.

Data processing 200-1 to 200-N, data comparison 201-1 to 201-
N, judgment function 204-1 to 204-N, selection function 205-1 to 205-N
Can be implemented in either hardware or software. These functions should be implemented by software in order to reduce the amount of hardware in the entire system and to reduce the size and weight.

In the figure, data comparison 201-2 to 201-N, judgment function 204
-2-204-N and selection functions 205-2-205-N are omitted.

When there is an error in the design and manufacturing when designing and manufacturing the subsystems 1-1 to 1-N, the data processing 200-1 to 200-2
The 00-N result may make the same error. In this case, in this method, since the erroneous processing result data are matched with each other, the erroneous data is output as it is. To prevent such adverse effects, design and manufacturing are
Diversity).

As a method of design diversity, the hardware of subsystems 1-1 to 1-N is designed and manufactured separately.

Data processing 200-1 to 200-N, data comparison 201-1 to 2
01-N, judgment function 204-1 to 204-N or selection function 205-
When implementing 1-205-N by software, all or some of them are designed and manufactured separately for each subsystem.

And so on.

A particular method is called N-Version Programming, and it is widely practiced to use different languages for each version in order to increase the independence between versions.

The embodiments shown in FIG. 13 and FIG. 14 are applied to the method of image input of the robot manipulator.

The robot manipulator recognizes the shape, position, posture, etc. of the operation target object from the image collected from the image input device, and determines the approach start point and the approach angle of the operation device. In that case, the fault tolerant method of the present invention is applied as follows.

As shown in FIG. 13, a plurality of image input devices are installed at different positions, the operation target object is photographed from different angles, and images are collected. The collected image is evaluated based on the quality of the position of the image input device, the sharpness of the screen information, the normality / abnormality of the image input device, etc., and the highest reliability among the combinations,
Select the combination that is the easiest to operate.

FIGS. 14 (a), (b), (c) and (d) show images taken from four different directions for the same operation target object. The object has 6 degrees of freedom with respect to the reference coordinates, and the position and orientation of the object are determined by the coordinates X, Y, Z of the barycentric position p and the total of 6 parameters of the direction angles α, β, γ. On the other hand, the image input device also has 6 degrees of freedom and can obtain an image of an object from different positions and angles. Each image in FIG. 14 has a different directional angle (yaw angle) β about the vertical axis, but the other parameters are the same. When all of the images on these four surfaces can be obtained clearly, it is possible to obtain accurate recognition results of the position and orientation of the object using all four surfaces. However, if the quality of the image deteriorates for some reason, the parameters obtained from the images on the four sides may not match. In such a case, the information obtained from the highly reliable image is adopted and the others are rejected. In the example of FIG. 14, the reliability is high in the order of (d) → (a) → (b) → (c) due to the low spatial frequency near the center of gravity. Therefore, if the images of the four planes are normally obtained and the parameters obtained from them match each other without a large error, the reliability of the parameters can be maximized by using all the images of the four planes. However, if the parameters obtained from the images on the four sides do not match,
By discarding the parameters obtained from the image in the order of (c) → (b) → (a) → (d), deterioration of the reliability of the parameters is prevented as much as possible.

If the image input device is defective and a specific image is blurred or cannot be obtained, give the priority of reliability to the remaining images, and so on. Maintain credibility.

Since the positional relationship between the image input device and the operation target object changes from moment to moment, it is necessary to always determine which image of the image input device has the highest reliability by analyzing the image. To this end, for example, the image analysis processing device of FIG.
By using the computer, the reliability of the image is frequently evaluated and the image input device is diagnosed.

<Creation of Judgment Results> Judgment results S1 to SN are created from mutual diagnosis results 4-1 to 4-N by a judgment circuit provided in Japanese Patent Application No. 63-118603, and subsystems 1-1 to 1 -N mutual diagnosis result 4-1
It is created by taking out each of the sub-systems from 4 to 4-N and making them the judgment results S1 to SN.

Also, in order to prevent the wrong judgment results S1 to SN from being output due to a microprocessor runaway, etc.,
As shown in Fig. 15, the judgment results S1 ~
A key code may be provided to the output interfaces 109.1 to 109-N of the SN so that specific key code data must be written in order to make the determination results S1 to SN normal.

Further, as shown in Japanese Patent Application No. 63-118603, by multiplexing the MV50 and the judgment circuit and collecting the outputs by a majority circuit, it is possible to prevent the deterioration of the reliability due to the complicated circuit of the MV50 and the judgment circuit. It is possible to provide a highly reliable system.

FIG. 16 shows an example of C language coding of the judgment part. agree indicates whether output data match or not, check indicates normal / abnormal as a result of self-diagnosis, and good indicates mutual diagnosis results 4-1 to 4
Represents -N. Each bit of data of agree, check, and good is the 17th
As shown in the figure, the normal / abnormal states of the respective subsystems are shown. If normal, H level is shown, and if abnormal, L level is shown. For example,
If the data of subsystem 1-1 does not match the data of other subsystems and the data of other subsystems 1-2 to 1-N do match, 1 bit from the LSB side of the variable agree. Only the eyes are at the L (0) level, and the other bits are at the H (1) level.

If only subsystem 1-1 is judged to be abnormal as a result of self-diagnosis, only the first bit from the LSB side of variable check becomes L (0) level, and other bits are H (1).
It becomes a level.

If the structure of each variable is defined as described above, the mutual diagnosis result 4-
1 to 4-N, that is, the judgment necessary to obtain the variable good is bit
It can be easily implemented as in the embodiment of FIG. 16 by the logical operation for each. According to this embodiment, it is possible to deal with a system having an arbitrary multiplicity by the same algorithm by appropriately declaring the types of the variables agree, check, and good.

〔The invention's effect〕

According to the present invention, when a large number of subsystems remain, the output selection criterion is tightened to obtain a highly reliable output, and when the number of remaining subsystems decreases, selection is possible. The standard can be relaxed to ensure the survival of the entire system. Further, when the reliability of the output does not meet the required level, a warning is issued to secure the fail-safety of the operation of the system.

Further, since it is possible to easily cope with arbitrary redundancy, it is possible to improve the degree of freedom in designing a fault tolerant computer system.

[Brief description of drawings]

1 and 2 are diagrams showing an embodiment of the present invention, and FIGS. 3, 4, 5, 5, 6, 7 and 8 are diagrams showing an embodiment of a judgment function, FIGS. 9, 10, 12, and 15 are diagrams showing an example of hardware for carrying out the present invention, FIG. 11 is a configuration diagram of MV, and FIGS. 13 and 14 show the present invention. FIG. 16 is a diagram showing an example in which C is applied, FIG. 16 is a diagram showing an example of coding in C language, FIG. 17 is a diagram showing an example of data configuration, and FIG. 18 is a configuration diagram of a conventional technique. 1-1 to 1-N ... Subsystem, 2 ... Communication path, 3-
1-3-N ... Output, 4-1-4-N ... Mutual diagnosis result, 5, 5 '... Output selection circuit, 10-10-1-N ... Interface, 15 ... Majority decision circuit, 18: Switch matrix, S1 to SN ... Judgment result, 410-1 to 410-N ...
… Switch matrix output.

 ─────────────────────────────────────────────────── --- Continuation of the front page (56) Reference JP-A-60-142431 (JP, A) JP-A-58-10258 (JP, A) JP-A-64-67634 (JP, A) JP-A-59- 218563 (JP, A)

Claims (11)

[Claims] 1. A fault tolerant method in which output signals of a plurality of redundant subsystems are input to an output selection circuit, and the output selection circuit selects and outputs a signal input from the subsystem. As a result, if no abnormality is detected, and as a result of data comparison, the data from the subsystem with the highest degree of reliability that matches the data is selected first, and the subsystem with the highest degree of reliability does not exist. Selects the output from the subsystem with the second highest reliability as a result of self-diagnosis and data comparison. If the subsystem with the second highest reliability does not exist, the result of self-diagnosis and data comparison is selected. , A fault-tolerant method, characterized in that the outputs from subsystems having successively lower reliability are selected. 2. The fault tolerant method according to claim 1, wherein the redundant subsystems are supplied with signals sampled by different means or at different positions. 3. A method of different data processing in a redundant subsystem (N-version Programmin).
The fault-tolerant method according to claim 1, wherein the method is realized by g). 4. A fault tolerant method in which output signals of a plurality of redundant subsystems are input to an output selection circuit, and the output selection circuit selects and outputs a signal input from the subsystem. As a result, it is judged as normal, and as a result of data comparison with other subsystems, the data from the subsystem with the highest reliability that matches the data is selected first. If the subsystem does not exist, the subsystem whose data matches as a result of the data comparison is selected as the subsystem output with the second highest reliability, and the subsystem with the second highest reliability is selected. If the subsystem does not exist, the subsystem determined to be normal as a result of the self-diagnosis is set as the subsystem with the third highest reliability, Off Oort tolerant method characterized by selecting the output of. 5. A fault-tolerant method in which output signals of a plurality of redundant subsystems are input to an output selection circuit, and the output selection circuit selects and outputs the signals input from the subsystems. As a result, it is determined that a bit error has not occurred, and as a result of data comparison with other subsystems, the subsystem with the same data is set as the subsystem with the highest reliability and the output of that subsystem is output. If you select the above and the subsystem with the highest reliability does not exist, the self-diagnosis result determines that an error of 2 bits or more has not occurred, and the data comparison result with other subsystems indicates that the data is Select the matching subsystem as the second most reliable subsystem and select the output of that subsystem. If it does not exist, as a result of data comparison with other subsystems, the subsystem whose data matches is selected as the subsystem with the third highest reliability, and the output of that subsystem is selected. If the above subsystem does not exist, the subsystem determined to have no bit error as a result of self-diagnosis is selected as the subsystem with the highest reliability and the output of that subsystem is selected. If the above subsystem with high reliability does not exist, the subsystem that is judged not to have an error of 2 bits or more as a result of self-diagnosis is output as the subsystem with the 5th highest reliability. A fault-tolerant method characterized by selecting. 6. A fault tolerant method in which output signals of a plurality of redundant subsystems are input to an output selection circuit, and the output selection circuit selects and outputs a signal input from the subsystem. As a result, it is judged as normal, and as a result of data comparison with other subsystems, the data from the subsystem with the highest reliability that matches the data is selected first. If the subsystem does not exist, the subsystem judged to be normal as a result of self-diagnosis is selected as the subsystem with the second highest reliability, and the output of that subsystem is selected. If the above subsystem does not exist, as a result of the data comparison, the subsystem having the same data is regarded as the third highest subsystem and the subsystem is output. Off Oort tolerant method characterized by selecting. 7. A fault tolerant method in which output signals of a plurality of redundant subsystems are input to an output selection circuit, and the output selection circuit selects and outputs a signal input from the subsystem. As a result, when no abnormality is detected, and as a result of data comparison, the data from the subsystem with the highest reliability that matches the data is output first, and the subsystem with the highest reliability does not exist. Selects the output from the subsystem with the second highest reliability and the reliability higher than the required level as a result of self-diagnosis and data comparison, and if the second subsystem with the second highest reliability does not exist, As a result of self-diagnosis and data comparison, it is preferable to select the output from the subsystem whose reliability is successively lower and whose reliability is higher than the required level. Off Oort tolerant way to. 8. A plurality of redundant subsystem output signals are input to an output selection circuit, and the output selection circuit is redundant in a fault-tolerant system for selecting and outputting a signal input from the subsystem. Means for estimating the reliability of the output of the subsystem, the reliability estimated by the first means determines the highest subsystem among the redundant subsystems, and determines the reliability of the subsystem. A fault-tolerant system comprising a second means for selecting an output. 9. The output reliability level is preset, and when no subsystems satisfying the output reliability level are present, the output is stopped or a warning signal is output. The fault tolerant system according to claim 8. 10. The fault tolerant system according to claim 8, wherein the redundant subsystems input signals sampled by different means or at different positions. 11. A method of different data processing in a redundant subsystem (N-version Programmin).
The fault tolerant system according to claim 8, characterized in that it is realized by g).