JPS5931738B2 - Parallel triple system configuration method for computer system - Google Patents

Description

DETAILED DESCRIPTION OF THE INVENTION The present invention relates to a parallel triple system configuration method suitable for computers, particularly microcomputers.

Conventionally, in computer systems, a parallel multiple system configuration such as a parallel dual system system has been adopted in order to improve the reliability of information.

In such a system, for example, the mountain systems that make up the dual system are processed in a synchronized manner, and the processing results are synchronized and output from the mountain system of the dual system monitoring device. A method is adopted in which a large amount of output information is collated in parallel, and if there is a match, it is output to an output device. In such a system, in order to ensure consistency in processing results, it is necessary to match the content and timing of the input data for the mountain systems, and furthermore, as mentioned above, the progress of the processing must be synchronized.

In addition, dual-system monitoring equipment collates a large amount of output information in parallel, and if it matches, it latches the output information and outputs it to the output device, and if it does not match, it interrupts the processing device and performs a fault diagnosis routine. Perform processing such as executing . For this reason, support devices such as input devices and dual-system monitoring devices become large-scale and complex. Furthermore, in order to synchronize processing, the processing capacity is usually smaller than that of a single-system system, and an extremely complex and large-scale operating system is required. Furthermore, computer systems generally have excellent failure detection functions through the use of error detection codes and the like, and are less likely to output erroneous results. Furthermore, computer systems are expensive. Under the above circumstances, a parallel triple system configuration is rarely adopted, mainly from an economical standpoint considering the performance/price ratio, and even in systems that require both reliability and high availability, a parallel triple system configuration is used. Generally, a system + standby system configuration is adopted. On the other hand, in small-scale systems such as microcomputers, the cost of processing equipment is low, and they are being applied to the field of control devices that were conventionally configured with wired logic. It is often required to have a high operating rate. However, in microcomputer systems, for example, the processing devices are generally extremely small and therefore have extremely high reliability compared to large computer systems. It is difficult and economically undesirable to add supporting hardware with reliability that matches the reliability. Furthermore, compared to computer systems, they have a lower ability to detect their own failures and are more likely to output erroneous processing results. On the other hand, compared to devices based on wiring logic, the behavior in the event of a failure is complex and difficult to predict. In some cases, a device that is already configured in a triple system using wiring logic is replaced with a microcomputer. From the above point of view, the demand for a triplex system configuration for microcomputers is much greater than that for computer systems, and furthermore, it is impossible to apply the triplex system configuration method for computer systems as is. It is an object of the present invention to eliminate the drawbacks of the conventional methods as described above and to provide an effective triple system configuration method that can be applied to small-scale processing devices such as microcomputers.

A feature of the present invention is that each of the two processing units constituting the triple system is equipped with a serial data transmission interface, and each processing unit can exchange required data with other systems via the serial data transmission interface. The comparison results are outputted to a failure determination circuit, and the failure determination circuit determines the failure system 5 from the comparison results of each system and performs necessary processing.

The second feature of the present invention is that only when the first system is in a failure state as a result of the above determination, an abnormality signal is output when there is a discrepancy in the verification results of the remaining two systems.

Next, the present invention will be explained in detail with reference to examples.

FIG. 1 is a diagram showing one embodiment of the present invention, and is a block diagram of a parallel triplex system using microcomputers. 1st
In the figure, numerals 111, 112, and 1134 are microcomputers that are components of a parallel triplex system, and constitute an I system, a system, and a system processing device, respectively. 120
100 is an input/output interface for each microcomputer, 100 is a failure determination circuit for determining a failure system, 130
is a controlled device controlled by this triplex system.

FIG. 2 shows the microcomputers 111 to 11 in FIG.
2 is a diagram showing an example of the internal configuration of 2 in FIG.
0X (X takes a value of 1, 2, or 3 and represents each system. The same applies hereinafter) is a microprocessor, 21X is a program memory, 22X is a working memory 18, and 23X is a parallel input/output interface (hereinafter abbreviated as PIO). ), 24X, 2
5X is a serial data transmission interface (hereinafter abbreviated as SIO) for verifying data with other systems, and 26X is a failure detection circuit for detecting failures in the microcomputer 11X. FIG. 3 is a diagram showing one embodiment of the internal configuration of the failure determination circuit 100 shown in FIG.
1-305 are AND gates, 311-315 are 0R gates, 321-323 are flip-flops, 331-33
5 is an output buffer, and 340 is a sampling pulse generation circuit that regulates the sampling period of the system. FIG. 4 is a flowchart showing the processing contents of each microcomputer in the embodiment shown in FIG. Next, the operation of the embodiment shown in FIGS. 1 to 4 will be explained.

The processing program shown in FIG. 4 is activated by inputting the sampling lock SC generated by the sampling lock generation circuit 340 in FIG. 3 to the microcomputers 111 to 113 of each system. The processing program first starts from the controlled device 130 to the input/output interface 120.
Collects input data through the system and edits it into the required format. (FIG. 4 401) For example, the input/output line SDl of one SIO 24l of the I-system microcomputer 111
is connected to the SIO 242 of the system, the other SlO 25l is connected to the SIO 252 of the system, and each SIO 24l
, 25l, the input data is compared with other systems. At this time, the input/output interface 120 does not perform any matching processing on the input data to each system, so when the input data changes, etc., due to subtle differences in the data acquisition timing of each system, Differences may occur in the input data of each microcomputer 111-113. Therefore, if a discrepancy is found as a result of the above verification, matching is attempted according to a predetermined procedure (fourth step).
Figure 402). Next, control logic operations are performed within each microcomputer (Fig. 4 403), and the results are compared with other systems in the same manner as the input data described above (Fig. 4 403).
04). As a result of the comparison, if the output data match, a failure judgment signal Fxy (x indicates the judgment system, y indicates the system to be judged) of logic ゛0''゜ is output.For example, the I system microcomputer compares the system If the results match, the I-system failure judgment signal Fl2 is output as ``0'', and if the result of the comparison with the system does not match, the I-system failure judgment signal F,3 is output as ``1'' (Fig. 4, 40).
5). Next, it is determined from the status display signal DN of the input data already fetched in block 401 whether there is a system that has already failed and has been released (406 in FIG. 4), and if there is no system, the output data is input as is. It is output to the output interface 120 (407 in FIG. 4). At the conclusion of the judgment 406, if there is a system that has already been released, it means that two systems are currently running in parallel, and in this case, it is determined whether the data comparison results with the other system match. (Fig. 4 408
), if they match, output the output data as is to the input/output interface 120; if they do not match,
Since it is impossible to determine which of the two systems is normal, control is no longer possible, and the abnormality signal EMx is output, and the suppression is stopped (409 in FIG. 4). Of the above explanations, the fourth
The input/output data shown in Figures 402 and 404 are compared with the other two systems if all three systems are normal, or only with the other normal system if one system is released due to a failure. . Next, the operation of the failure determination circuit 100 will be explained.

Table 1 shows a truth table showing the operation of this determination circuit. Basically, the conditions under which a system is determined to be faulty are such that the system is determined to be faulty in both of the other two systems (as a result of comparison with that system, it is determined that there is a mismatch). ), or the failure detection circuit 26X of its own system detects the failure. Therefore, first, the AND gate 301 in FIG.
Take AND of F32. Similarly, the AND gate 302 is
The AND gate 303 ANDs the failure determination signals Fl3 and F23 for the I system and the system of the systems, and the AND of the failure determination signals F2, , F3l for the system and the I system of the systems.

As a result, if we take item number 1 of the truth table in Table 1 as an example, if the failure judgment signal F2l for the I system of the system and the failure judgment signal F3l for the I system of the system are both logic ゛゛1''. For example, the AND by the AND gate 303 is established, and the AND
A logic "1" is output from the D gate 303, and as a result, a logic "1" is output from the 0R gate 313.
It is input to the D input of flip-flop 323. The timing input T of the flip-flop 323 receives the sampling clock S from the sampling clock generation circuit 340.
A latch pulse LP having a sufficiently high frequency with respect to C is inputted through the AND gate 305, and a logic "1" signal from the 0R gate is taken in in synchronization with this latch pulse LP.As a result, the output Q of the flip-flop 323 A logic “1” signal is output from output buffer 3.
33, it is output as the I-system release output DNO1.
This I-system release output DNO1 operates a relay (not shown) to cut off the supply voltage to the I-system and release the I-system. The above-mentioned output of the flip-flop 323 is input to each microcomputer via the 0R gate 315 as a state display signal DN in which the l system is released, and is also sent to the buffer 334 as a failure display output DNO to the outside.
The signal is output through the I-system and lights up a lamp etc. to indicate the occurrence of an I-system failure. Furthermore, this signal is applied to the negative input of AND gate 305, thereby inhibiting the latch pulse LP from being input to flip-flops 321-323 from now on, and holding the output of each flip-flop. Furthermore, the above 0
The output of the R gate 315 is applied to the AND gate 304, and when the abnormal signals EM, -EM3 are output from each system, this signal is allowed to be output via the output buffer 335. In this state, the system shown in FIG. 1 then enters parallel dual operation of the system and the I system. The system and I-system microcomputers 112 and 113 know that the two-system operation has started when the above-mentioned status display signal DN is input. This means that for these systems and the microcomputers 112 and 113 of the system, the I system microcomputer 1
This means that 11 has been released. This is because the fact that each of the microcomputers 112 and 113 is not released at this point means that each of these systems is normal, and the faulty system is therefore unable to connect to the system that it has determined to be faulty. Because it is none other than that. As a result, rather than performing subsequent data collation only between the system and the I system, the collation method is switched (although this is not shown in Figure 4, 402, 404
). After this, if a failure occurs in either of the microcomputers 112, 113 of the system 1, a mismatch of the verification data will occur.
In this case, it is no longer possible to determine which system is abnormal. However, since either system is normal, this normal system can normally process the blocks 408 and 409 in FIG. 4, and therefore the abnormal signals EM2 and EM3
This abnormal signal EM2 (assuming that EM2 is output) is outputted as an abnormal output signal EMO via the 0R gate 314 AND gate 304 and the output buffer 335.

This abnormal signal EMO means that the control function has been lost in this system, and emergency processing such as powering off the entire system and outputting an alarm is taken at the abnormal signal EMO, and the control is stopped. The above is the operation when it is determined as a failure by another system as a result of verification, but if a severe failure occurs, it is possible to detect the failure by the failure detection circuit 26X of the own system. In this case, taking item number 4 in Table 1 as an example, the I-system failure detection circuit 261 detects a failure, and the I-system failure detection signal FD
Output l. This failure detection signal FDl is immediately inputted to the flip-flop 323 via the 0R gate 313 of the failure determination circuit 100, and measures such as outputting the I-system release output DNOl are taken by the same procedure as above. In addition, in the above explanation, the reason why the abnormal signals EM1 to EM3 from each system are gated by the AND gate 303 and the output of the 0R gate 315 is that when a failure occurs in the first I system, the malfunction of this failure system occurs. This is to prevent the abnormal output signal EMO from being output and stopping the entire system when the abnormal signal EMx is output. Furthermore, in the flowchart of FIG. 4, when determining the presence or absence of a faulty system in block 406, the reason why the determination is first made is based on the status display signal DN taken in in block 401 is because this signal is used for each system. The faults that occurred after that were found by collating the output data, and the faulty system was released when the judgment result was output in block 405.
This is because there is no risk of the faulty system outputting incorrect output data. Note that the input/output interface 120 does not compare the output data from each system, but simply ANDs or ORs the output data depending on the polarity of the output data and outputs the result to the controlled device 130. Furthermore, when a faulty system occurs, the faulty system release output DNOx is used to cut off the output data of the faulty system within the input/output interface. As described above, according to the present invention, in order to collate the processing results between the parallel triplex systems, the processing results of the other systems obtained through serial data transmission are collated by the software of each system, and only the determination results are sent to the external system. Since this method uses the judgment result of the normal system to determine the faulty system, the support hardware required for parallel triple system operation is a serial data transmission interface for data communication, It only has a failure determination circuit with an extremely simple configuration.

Moreover, the serial data transmission interface is one LS
I(LargeScaleIntegratedCir
It is expected that this function will be included in microprocessors in the near future. This method of configuring a triplex system is most suitable for a microcomputer system, which has very little effect on the overall system, is small, inexpensive, and relatively reliable. Furthermore, the system automatically switches to dual system operation after failure of the first system, maintains the control function until the failure of the second system, and constantly compares output data between two or more systems, improving reliability and operation. It is possible to provide a system with excellent efficiency.

Furthermore, since the abnormal output signal is software-driven and output only during dual system operation after failure of the first system, it is possible to prevent the entire system from stopping due to malfunction of the first system during triple system operation. When a failure occurs during dual system operation, the system can be reliably stopped by the remaining normal system operation, providing a highly reliable and safe system.

[Brief explanation of the drawing]

FIG. 1 is an overall configuration diagram of a parallel triplex system showing one embodiment of the present invention, FIG. 2 is a block diagram showing an embodiment of the microcomputer of the embodiment of FIG. 1, and FIG. A fourth block diagram showing an embodiment of the failure determination circuit of the embodiment shown in FIG.
The figure is a flowchart showing the processing contents of the embodiment shown in FIG. 100... Failure determination circuit, 111-113...
... Mitaro computer, 120 ... Input interface, 130 ... Controlled device,
IOD: Input/output data, SD: Verification data, D: Failure control data.

Claims (1)

[Claims] 1. Three computer systems operated in parallel are connected via a serial data transmission interface, and the processing results of each computer system are transmitted to the other two systems via the serial data transmission interface. The processing results of the other system obtained as a result are compared with the processing results of the own system by software, and the matching results are output to the respective failure judgment circuits. A method for configuring a parallel triple system for a computer system, characterized in that the failure occurrence status of each system is determined from the comparison results of the two systems. 2. In the parallel triple system configuration computer system according to claim 1, the determination circuit inputs the occurrence of a failure in the 1st system as an input signal to each computer system, and each computer system uses the input signal to determine the occurrence of a failure in the 1st system. After detecting the occurrence, the data is compared with the remaining one system using the method described above, and if a discrepancy occurs, an abnormal signal indicating that one of the remaining two systems is faulty is output to the judgment circuit, and the judgment is performed. A method for configuring a parallel triple system of a computer system, characterized in that the circuit outputs the abnormality signal to the outside only when detecting the occurrence of a failure in the first system.