JPH07295844A - Fail-safe controller and train controller - Google Patents

Abstract

PURPOSE:To assure the correctness of a computing process itself and also assure the fail-safe performance for the real-time control. CONSTITUTION:An output collation type processor 2 is provided on a stage following a bus collation type processor 1. The processor 2 performs the input/ output processing of the real-time data having the dependence on time among the necessary processings. Meanwhile the processor 1 performs the input/output processing or the data having no dependence on time. These processors 1 and 2 exchange the necessary information with each other and also carry out each allotted processing. The input/output processing related to the real-time control is carried out by the processor 2, and the information having no dependence on time is processed by the processor 1. Furthermore the necessary information are exchanged between both processors 1 and 2. So that the fail-safe performance is secured for the processing related to the real-time control and the accurate processing is assured. Then the correctness and the fail-safe performance can be secured for both processors as a whole.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a fail-safe control device using a microcomputer, and particularly to a fail-safe control device suitable for use in control requiring high fail-safety such as control of railway vehicles. And a train control device using the device.

[0002]

2. Description of the Related Art In general, control of a railway vehicle or the like may lead to a human life accident if the control based on an erroneous calculation is performed. Therefore, the control device is required to have a fail-safe property. . As a fail-safe control device capable of satisfying such demands, various types of fail-safe control devices have been developed and put into practical use.

One of them is to configure a control device by using an element having a fail-safe property so that a circuit itself constituting the control device has a fail-safe property. The relay circuit is a typical one, but with the advancement of the control function, its use is now limited to the part directly connected to the controlled object.

Instead of this, in recent years, arithmetic processing is performed by hardware such as a microcomputer having no fail-safe property, and the failure is detected by checking the processing status of the hardware or the output result by some means,
At that time, a method of configuring a device so as not to perform an unsafe operation is becoming mainstream.

The control device using the microcomputer described above uses, as its failure detection method, a self-diagnosis type processing device having a built-in failure detection circuit and an operation of a plurality of processing devices by multiplexing the processing devices. Are used to detect faults by using a collation type processing device. The present invention relates to one using the latter collation type processing device.

There are two types of collation type processing devices, a bus collation type and an output collation type, depending on the difference in the collation method.

In the case of using a bus collation type processing device, a plurality of processing devices (CPUs) are operated in synchronization, data on the bus is constantly compared bit by bit, and when a mismatch occurs, an error occurs. It is considered. Since this method can check all the data appearing on the bus, it is possible to immediately detect an error in the processing process of the processing device, and therefore the advantage that the processing itself can be executed without fail. Have

In the case of using an output collation type processing device, outputs output from a plurality of CPUs to the outside are compared, and when a mismatch occurs, it is considered that an abnormality has occurred. This method has an advantage that the input / output timing can be controlled relatively easily because it is not necessary to synchronize a plurality of CPUs.

As a prior art relating to a fail-safe control device using this type of output collation type processing device,
For example, the technique described in Japanese Patent Laid-Open No. 63-271540 is known.

[0010]

In the prior art using the above-described bus collation type processing device, the clocks are shared between the CPUs in order to operate a plurality of CPUs in synchronization, and there is an abnormality in the clocks. If it occurs, there is a problem that it affects the processing of all CPUs.
Therefore, this conventional technique has a problem in that, when an abnormality occurs in a clock, an abnormality occurs in processing of information having time dependency, and a failure occurs when processing related to real-time control is performed. Cause

Further, in the prior art using the output collation type processing device, since only the final outputs of a plurality of CPUs are compared, an internal abnormality may occur until an abnormality occurs in the output signal. However, there is a problem in that the abnormality is delayed and the discovery of the abnormality is delayed. Further, this conventional technique has a problem that, when the output is represented by a bit string rather than on / off of a signal, the matching is difficult in terms of a circuit.

An object of the present invention is to solve the above-mentioned problems of the prior art, to ensure the validity of the arithmetic process itself of the CPU, and to ensure the fail-safe property in real-time control. Another object of the present invention is to provide a fail-safe control device that can be used, and also to provide a train control device that uses this device.

[0013]

According to the present invention, an object of the present invention is to provide an output collation type processing unit in the subsequent stage of a bus collation type processing unit, and among the necessary processes, real-time data having time dependence. The output collation type processing device executes the input / output and the processing of the above, and the bus collation type processing device executes the input / output and the processing of the data having no time dependence, and these processing devices mutually perform the processing. This is achieved by having the necessary information exchanged.

[0014]

According to the present invention, since the input / output and the processing related to the real-time control are performed by the output collation type processing device, the fail-safe property of the processing related to the real-time control can be ensured. Since the processing device of the bus collation type processes the information having no time dependency, the accuracy of these processes can be guaranteed. As described above, according to the present invention, the processing is shared between the two processing devices, and necessary information is exchanged with each other, whereby the correctness and fail-safety of the processing of the entire device can be ensured.

[0015]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS An embodiment of a fail-safe control device according to the present invention will be described in detail below with reference to the drawings.

FIG. 1 is a block diagram showing a configuration of a fail-safe control device according to an embodiment of the present invention, FIG. 2 is a block diagram showing a configuration of a train control device to which the present invention is applied, and FIG. 3 is applying the present invention. FIG. 4 is a block diagram illustrating a functional configuration of the train control device, FIG. 4 is a block diagram illustrating a configuration of a bus matching type processing device, and FIG. 5 is a block diagram illustrating an internal configuration of a CPU.
6 is a block diagram showing the configuration of the bus collating circuit, FIG. 7 is a block diagram showing the configuration of the input / output control device, and FIG. 8 is a block diagram showing the configuration of the output collating circuit. 1 to 8, 1 is a bus collation type processing device, 2 is an output collation type processing device, 3 is a relay unit (RYU), 4 is a signal communication transceiver (TRX), 5 is a transmission / reception antenna, and 6 is Speed generator, 7 brake control unit (BCU), 8 vehicle wheels, 9 rails, 10a, 20b clock generators (CPG), 11a, 11b, 21a, 21
b is a microcomputer (CPU), 12 is a bus verification circuit (BCMP), 13a to 13c, 23a and 23b are communication control circuits (CCU), 15a and 15b are control signal bus drivers, 16a and 16b are control gates, 17a, 1
7b is a bidirectional data bus driver, 22 is an output matching circuit (OCMP), and 24a and 24b are pulse counters (CN).
T).

As shown in FIG. 1, a fail-safe control device according to an embodiment of the present invention is a bus collation type processing device 1.
And an output collation type processing device 2.
The bus collation type processing device 1 includes two CPUs 11a and 11a.
b, data between the bus collation circuit 12 that collates each bit of data on the bus of these CPUs and reports the fact to the CPU when there is a discrepancy, and the output collation type processing device 2. Communication control circuit 13a, 1 for controlling transmission and reception of
3b and a communication control circuit 13c for controlling the transmission / reception of data to / from an external device.

Further, the output collation type processing device 2 stores data between the two CPUs 21a and 21b, the output collation circuit 22 for collating outputs of the calculation results of these CPUs, and the bus collation type processing device 21. An interface circuit that controls input / output of data between the communication control circuits 23a and 23b that controls transmission / reception and an external device. In the illustrated example, a counter (CNT) that counts speed pulses from a speed generator described later. 24a, 24b.

FIG. 2 shows a train control onboard device and its peripheral devices to which the failsafe control device according to the present invention is applied. The illustrated train control onboard device includes a bus verification type processing device (FS-CPU) 1 and an input / output control device (F
Output collation type processing device 2 used as S-IOU)
, A relay unit (RYU) 3, a signal communication transceiver (TRX) 4, a transmission / reception antenna 5, and a speed generator 6
And a brake control unit (BCU) 7.

In FIG. 2, a signal communication transceiver (TR
X) 4 receives the position data of the preceding train which is periodically sent from the track circuit on track via the rail from the signal communication device on the ground. This received data is taken into the FS-CPU 1 and used for the processing described later.

On the other hand, an output collation type processing device (hereinafter referred to as FS
-IOU) 2 takes in the distance pulse detected by the speed generator 6 installed on the axle of the wheel, thereby calculating the position of the own train and detecting the position difference from the preceding train, The speed limit of the train is calculated, and the current speed of the own train is calculated. Then, when the current speed of the train exceeds the calculated speed limit, the output verification type processing device 2 issues a brake command and controls the brake unit 7 via the relay unit 3 to secure the train. To operate.

In this case, the FS-CPU 1 shares the processing of communication with the ground and calculation of the speed limit pattern, and the FS-CPU 1
The IOU 2 shares the process of calculating the brake control command every moment based on the speed limit pattern. In FIG. 2, NBF is a regular brake command, EBF is
Indicates an emergency brake command, and FDF indicates a failure detection signal of the FS-CPU1.

The relay unit 3 is responsible for AC amplification of the alternating brake command, its rectification, and drive of the relay. The brake command is alternated to prevent the control device output or the relay drive circuit from loosening the brake due to the failure of the control device. This is to obtain fail-safety of control by changing the command to alternate stop and setting the brake to the operating side, which is a method that has been conventionally adopted.

Next, the function of the train control onboard device shown in FIG. 2 will be described with reference to FIG.

The FS-CPU 1 checks the presence or absence of an error in the data such as the position of the preceding train received from the ground by the data reception error check function, and if there is no error,
The data Xp of the preceding train position is passed to the file reference error check function. The file reference error check function uses the data Xp of the preceding train position and FS-IOU2.
Based on the train position data Xf received from, the slope information of the route between them and the speed limit information such as curves and turnouts are extracted from the line data file, and after checking those data, the speed limit calculation function Transfer the data to. The speed limit calculation function is based on the received data, and does not collide with the preceding train and does not exceed the speed limit on the way.
Calculate p (xi). At this time, the gradient information is used to calculate the effective deceleration of the train.

Xi shown in FIG. 3 is an inflection point of the pattern due to gradient change, speed limitation, etc., and Vp (xi)
Is the speed limit at that point. The speed limit patterns {Vp (x0), Vp (x
1), ~, Vp (xn)} are checked and then FS
-Passed to IOU2. Note that instead of this speed limit pattern, it is possible to use a pattern expressed by its square instead of speed, and in the case of speed, it is possible to express a speed limit parabolic pattern with a straight line as F
The interpolation calculation in S-IOU2 can be performed by linear calculation.

The example of the train control described above is that the route condition is held as data of the on-board device and the train is controlled based on the data. In such a system, if an incorrect speed pattern is generated by an incorrect process, in the worst case, a collision with a train ahead will also occur. That is, in the train control system as described above, if the generated pattern data is erroneous even if it is 1 bit, it will be completely different numerically. Must be carried out.

Therefore, in the train control device to which the fail-safe control system according to the present invention is applied, the FS-CPU 1 is constituted by a dual system bus collation type processing device.
The CPU 1 is made to calculate the speed limit pattern from the route condition held as the data of the on-board device. Although not shown in the figure, FS-CP
All the processing in U1 is duplicated, and the speed limit pattern calculated in each system is output to FS-IOU2 after confirming that there is no error by bus collation.

On the other hand, the FS-IOU2, to which the speed limit pattern data has been passed, first corrects the speed pulse input from the speed generator 6 by the speed generator input wheel system correction function, and the speed pulse is converted into the distance. Pass to the integration function and speed detection function. The distance integration function integrates the speed pulses to calculate the own train position Xf (t), and the speed detection function uses the signal from the cycle timer function and the speed pulse to determine the time change amount of the own train position Xf (t). The train speed Vf (t) is calculated. The own train position Xf (t) is given to the FS-CPU 1 and also passed to the speed limit interpolation function, and the own train speed Vf (t) is passed to the brake control calculation control function.

The speed limit interpolation function is used for the train position Xf.
(T) and the speed limit pattern sequence {Vp (x0), Vp (x1), ..., Vp (x) received from the FS-CPU1.
n)} based on Xi <Xf <Xi−1, that is,
From the speed limit pattern, a pair of inflection points Vp (xi) and Vp (xi-1) that include the own train position are selected, and the space between them is interpolated by interpolation to set the speed limit Vp at the own train position Xf.
Calculate (xf).

The brake command calculation control function compares the input speed limit Vp (xf) with the current train speed Vf (t), and if Vf> Vp as a result of the comparison, outputs a regular brake command. Further, if Vf> Vp + α (α is a constant: for example, 5 km / h), an emergency brake command is output. Although not shown in the figure, all the processing in the FS-IOU2 is duplicated, and the final output of the brake command output of each of these systems is determined by comparing and collating the RYU3. Via BCU7.

At this time, the brake command of each system and the finally output brake command are output as an alternating signal, and when the braking action is shown, the alternating stop is output, and when the braking action is shown, the alternating signal is output. This prevents failing of the brake due to a failure of the output circuit or the like, and achieves fail-safe. In the above description, the brake control is taken as an example, but the same applies to the case of outputting a power running command, that is, an acceleration command in automatic train operation.

Since the FS-IOU2 performs input / output and processing related to real-time control such as counting and integration of speed pulses, it is possible to secure fail-safety of processing related to real-time control. It is composed of an output collation type processing device.

In the train control device to which the fail-safe control method according to the present invention having the above-mentioned configuration is applied, further, between the FS-CPU1 and the FS-IOU2, the FD indicating the presence / absence of a failure of the FS-CPU1. Signals are being passed. This FD signal is the FS-CPU1
Is indicated by an alternation signal, and a failure is indicated by an alternation stop. Therefore, when the alternation of the FD signal is stopped, the FS-IOU2 can know that the FS-CPU1 has failed, and thus the train can be controlled on the safe side.

Furthermore, FS-CPU1 and FS-IOU2
Is capable of exchanging data with each other via a communication port. For example, FS-CPU1 to FS-IO
The data sent to U2 is sent back to FS-CPU1 again,
The FS-CPU1 checks whether or not there is an error in the data received by the FS-IOU2, and if an error is detected, it stops the alternation of the FD signal and performs processing for the FS-IOU2 to safely control the train. It can be made possible.

The fail-safe control system for train control described above is a bus collation type processing device for processing fixed data having no time dependency, such as retrieval of route information and calculation of speed limit patterns. -The CPU 1 is caused to perform processing related to information having time dependency such as speed and distance to the FS-IOU 2 which is an output collation type processing device.

The reason why the FS-IOU2, which is an output collation type processing device, is made to perform the process of generating the current position information Xf (t) of the train and the speed information Vp (xf) is as described above. For such processing, it is necessary to count the distance pulse signal from the speed generator 6, but when the clock of the CPU goes wrong, when the bus collation type processing device is caused to perform such processing, the pulse signal is generated. This is because the signals are mistakenly counted and the speed and the current position are mistakenly recognized, which is very dangerous.

In other words, when such information is processed by the FS-CPU 1, the clocks are shared between the two CPUs, and if a clock error occurs, the operations of both CPUs will go wrong at the same time. There is a risk that an abnormality cannot be found due to the difference in processing results. Therefore, the processing of time-dependent information is processed by the CPU.
The above-mentioned problem can be solved by sharing the task with the FS-IOU2 which is an output collation type output device having an independent clock for each. The processing of information having no time dependency is affected by the clock abnormality in terms of processing speed, but does not affect the processing accuracy itself, so that a problem may occur even if the FS-CPU 1 performs processing. There is no.

Next, with reference to FIG. 4, the configuration of the bus collation type processing device will be described.

The CPUs 11a and 11b form a dual system processing device, and operate in synchronization with a common clock generator CPG10. CPU
The output signal on the bus output from each of 11a and 11b is collated for each bit by the bus collating circuit BCMP12.

Serial communication control circuit CCU 13a, 13
Reference numerals b and 13c denote ports for performing communication control of data transmission / reception with the FS-IOU2, a control device of the ground transmission / reception device, a circuit, and the like, and three ports are shown in the drawing. The number of these ports is arbitrary, and although not shown in the figure, an external bus interface can be provided.

The control signal bus drivers 15a and 15b are
CCUs 13a and 13b are dual CPUs 11a and 11b
Are configured so that they can be commonly accessed from each of the bidirectional data bus drivers 17a and 17b.
Is configured so that the CCUs 13a, 13b and the CPUs 11a, 11b can bidirectionally access the other party. The control gates 16a and 16b are CPUs.
It is a gate that determines which of the outputs from 11a and 11b is valid. In the illustrated example, the control gates 16a and 16b simply enable the CPU 11a at all times, but the CPU 11b may always be enabled at all times.
It may be controlled so that one of them is made effective by other methods.

The bus collation type processing device 1 configured as described above has a CPU which constitutes a dual system inside thereof.
The signals 11a and 11b are driven by the same clock and always operate in synchronization with each other. A signal that is asynchronously input from the outside is always synchronized and supplied to the dual CPUs 11a and 11b. The bus collating circuit 12 compares and collates corresponding bits of the data D0a-D7a and D0b-D7b for each bus cycle of the CPU 11a and CPU 11b which are always operating in synchronization in this way, and even one bit does not match. Error occurs, an error signal BER is output and each C
It is supplied to the PUs 11a and 11b as an interrupt signal (interruption NMI that cannot be masked).

In the above structure, the memory is the CPU
CPUs 11a and 11b that exist inside 11a and 11b
Data that is input or output via the bus from outside the computer is also subject to verification. A memory provided outside each of the CPUs 11a and 11b is a target of data collation, and each CPU 1
1a, CPU 11b, if it is necessary to target the local memory used by these CPUs 11a, C
A memory may be connected to the external local bus of the PU 11b.

Next, the internal structure of the CPUs 11a and 11b will be described with reference to FIG.

The CPU 11a and the CPU 11b have the same configuration, and the microprocessor 111 and a read-only memory (RO for storing programs and fixed data).
M) 113 and writable memory (RAM) 114
A programmable timer (PTM) 115 used for controlling a control cycle and the like, and a direct memory access controller (DMAC) 112 for performing data transmission in communication control etc. at high speed by a dedicated circuit instead of the CPU,
Bus gate 1 for separating the CPU from the outside bus
And 16 are provided.

The CPUs 11a and 11 having the above-mentioned configuration
Reference numeral b is a one-chip microcomputer in which all of them are integrated in one chip, and a one-chip microcomputer which has already been put into practical use and is commercially available can be used as it is. Each of the input and output signals is mainly composed of an external interface bus signal, read data strobe RD (output), write data strobe WR (output), address lines A0 to A15 (output), data line D0.
~ D7 (input / output), memory access wait control line WAI
(Input), interrupt request signal IRQ (input), bus error interrupt (or non-maskable interrupt) NMI
(Input), DMA transfer request signal DREQ (input), DM
The A transfer confirmation signal DACK (output) and the clock signal CK have the same operations as those of a general microcomputer system, and the details thereof will be omitted. In the illustrated example, the data has a structure of 8 bits and the address has a structure of 16 bits, but the number of bits of data on the bus and the number of address bits can be set arbitrarily.

Next, the configuration of the bus matching circuit 12 will be described with reference to FIG.

The bus matching circuit 12 includes a plurality of exclusive OR (EOR) gates 121 and a logical OR (OR) gate 12.
2, 125 and AND gates 123, 124
And a flip-flop 126. The exclusive OR (EOR) gate 121 compares the signal on the data bus from the dual CPU for each bit, and outputs the output to "0" when they match and the output when they do not match. Set to "1". The logical sum (OR) gate 122 is
The sum of the comparison results of all the bits is obtained, and the output thereof shows "1" when there is a difference of even one bit in the data between both CPUs, and "0" when all the bits match.

This signal is taken into the flip-flop 126 at the trailing edge of the signal obtained by ANDing and ORing the signals RDa, RDb, WRa and WRb for controlling the reading and writing of data.
Used as a bus error signal BER. Crash signal BER is C
Supplied as an interrupt signal to the PU, each CPU
Performs error processing based on this interrupt signal.

Next, the configuration of the FS-IOU2, which is an output collation type processing device, will be described with reference to FIG. FS-I
The OU 2 has the configuration already described with reference to FIG.

In FIG. 7, CPUs 21a and 21b constituting the dual processing device have the same configuration as CPUs 11a and 11b, and clock pulse generator 20a and
It is driven independently by the clock from 20b. The serial communication control circuits CCU 23a and 23b are F
The pulse counters CNT24a and 24b are connected to the S-CPU1, other control devices, circuits, and the like to control communication with these devices, and the pulse counters CNT24a and 24b count speed pulses from the speed generator. This result is used to calculate the current position and speed of the train. Output matching circuit OC
The MP22 compares and collates the outputs of the CPUs 11a and 11b, and outputs a regular brake command and an emergency brake command based on the result.

The FS-IOU2 having the above-mentioned configuration uses the output verification instead of the bus verification as the processing check method, except that the two CPUs are driven by independent clocks. It is configured almost the same as the CPU 1.

Next, referring to FIG. 8, the output collating circuit 22
The configuration of will be described.

The output collating circuit 22 has an output register 220.
a and 220b and comparators 221 and 222. The output registers 220a and 220 temporarily store the respective outputs from the CPUs 21a and 21b forming the dual system, and here, the normal brake commands NB (NBa and NBa) are stored.
Bb) and the emergency brake command EB (EBa and EBb) are converted. Regular brake commands NBa, NB from both systems
b is compared by the comparator 221, and the emergency brake commands EBa and EBb are compared by 222. The result is
Regular brake command NBF or emergency brake command EB
It is output as F.

The comparators 221 and 222 are, as shown,
It is configured by connecting two flip-flops, and only when the inputs from both systems are alternating signals, the output is used as an alternating signal. In the brake command in the above example, the brake relieving is represented by an alternating signal, and the braking operation is represented by an alternating stop.Therefore, if either one of the brake outputs from both systems is in an alternating stop, the output of the comparator is also an alternating It will stop and operate the brake.

According to the fail-safe control method according to the above-described embodiment of the present invention, of the information necessary for control, the information having no time dependency is processed by the dual system arithmetic unit by bus collation. Therefore, more accurate processing can be performed. Further, since the processing related to the real-time control is performed in the dual system operation unit by the output collation, the fail-safe operation can be guaranteed even when the real-time information is misaligned due to the abnormality of the device.

As a result, according to the fail-safe control method according to the embodiment of the present invention, the information necessary in the control process and the correctness of the processing can be guaranteed by the dual system arithmetic unit by the bus collation. The final system fail-safe property is guaranteed by the dual system operation unit by output collation, so that it is possible to perform real-time control safely while assuring the correctness of the process as a whole device.

In the train control device to which such fail-safe control is applied, the bus collation type processing device performs the process of calculating the speed limit pattern from the route condition held as the data of the on-board device. By doing so, it is possible to guarantee the correctness of the pattern data, and by having the output collation type processing device perform input / output and processing such as speed pulse counting and integration, which are processing related to real-time control. The fail-safe property of the processing related to the real-time control can be secured, and the fail-safe property of the entire device can be made higher.

In the above-described embodiment of the present invention, the bus collation type processing device and the output collation type processing device are each configured by the CPU configured in the dual system. The processing device may be composed of a larger number of CPUs.

[0061]

As described above, according to the present invention, C
It is possible to provide a fail-safe control device that can guarantee the validity of the PU calculation process itself and can reliably guarantee the fail-safe property in real-time control.

Further, according to the present invention, by applying such a fail-safe control device to a train control device, it is possible to provide a train control device having higher fail-safety as a whole. .

[Brief description of drawings]

FIG. 1 is a block diagram showing a configuration of a fail-safe control device according to an embodiment of the present invention.

FIG. 2 is a block diagram showing a configuration of a train control device to which the present invention has been applied.

FIG. 3 is a block diagram illustrating a functional configuration of a train control device to which the present invention has been applied.

FIG. 4 is a block diagram showing a configuration of a bus verification type processing device.

FIG. 5 is a block diagram showing an internal configuration of a CPU.

FIG. 6 is a block diagram showing a configuration of a bus matching circuit.

FIG. 7 is a block diagram showing a configuration of an input / output control device.

FIG. 8 is a block diagram showing a configuration of an output comparison circuit.

[Explanation of symbols]

1 Bus collation type processing device 2 Output collation type processing device 3 Relay unit (RYU) 4 Signal communication transceiver (TRX) 5 Transmission / reception antenna 6 Speed generator 7 Brake control unit (BCU) 8 Wheels of vehicle 9 Rails 10, 20a, 20b Clock generator (CP
G) 11a, 11b, 21a, 21b Microcomputer (CPU) 12 Bus collation circuit (BCMP) 13a to 13c, 23a, 23b Communication control circuit (CC)
U) 15a, 15b Control signal bus driver 16a, 16b Control gate 17a, 17b Bidirectional data bus driver 22 Output matching circuit (OCMP) 24a, 24b Pulse counter (CNT)

Claims (9)

[Claims] 1. A plurality of microcomputers are used,
In the fail-safe control device that controls the control target by detecting the error of the process and the failure of its own device by comparing the output and detecting the difference of the process result, the process results of multiple microcomputers are And a second processing device for detecting an error by comparing outputs of a plurality of microcomputers to the outside, the first processing device comprising: A fail-safe control device that processes data having no time dependency, and the second processing device processes data having time dependency. 2. A plurality of microcomputers are used,
In the fail-safe control device that controls the control target by detecting the error of the process and the failure of its own device by comparing the output and detecting the difference of the process result, the process results of multiple microcomputers are And a second processing device for detecting an error by comparing outputs of a plurality of microcomputers to the outside, the first processing device comprising: A fail-safe control device that performs a process based on data stored in a storage device, and the second processing device performs a process related to input / output of data to / from a control target. 3. A plurality of microcomputers are used,
In the fail-safe control device that controls the control target by detecting the error of the process and the failure of its own device by comparing the output and detecting the difference of the process result, the process results of multiple microcomputers are And a second processing device for detecting an error by comparing outputs of a plurality of microcomputers to the outside, the first processing device comprising: , The output performs a process represented by a numerical value such as a bit string, and the second processing device performs a process represented by a binary output such as ON / OFF of a signal. 4. The processing error detection information is transmitted to the second processing device when a processing error is detected in the first processing device. Fail-safe control device. 5. The first processing device obtains a control parameter required by the second processing device by calculation and transmits the control parameter to the second processing device. The fail-safe control device according to 1 to 4. 6. The second processing device returns the control parameter received from the first processing device to the first processing device, and the first processing device receives the control parameter transmitted by itself. The fail-safe control device according to claim 5, wherein a transmission error is detected by collating with a control parameter received from the second processing device. 7. The first arithmetic unit transmits the transmission error detection information to the second processing device when a transmission error is detected by the control parameter returned from the second processing device. The fail-safe control device according to claim 6. 8. The method according to claim 4, wherein the second processing device issues a stop command to the control target when receiving the processing error detection information or the transmission error detection information. Fail-safe control device. 9. The first processing device uses the information about the position of the preceding train sent by communication and the information about the route shape, the speed limit, and the vehicle performance stored on the car to allow the train position to accept. The second processing device performs a calculation for calculating a speed, and the second processing device performs a calculation for determining at least one of a brake command and a powering command by calculating the current position of the train, the speed, and comparing the allowable speed with the train speed. A train control device using the fail-safe control device according to claim 1.