JPS6143348A - Fail-safe computer system - Google Patents

Abstract

PURPOSE:To detect faults with a simple constitution of a computer system and to attain the application of this system even to a single structure microcmputer system, by using also a softwate function to actuate periodically a digital output program and monitoring this actuating period. CONSTITUTION:A microcomputer 1 for control contains a progarm memory ROM3, a variable memory RAM4 and a digital output circuit 5 centering on a microprocessor 2. A fail-safe frequency comparator 6 functions as a frequency window comparator having a fail-safe function and checks the frequency of a signal E and delivers a coincidence signal G which is set at ''1'' only when the frequency of the signal E is ketp within a prescribed range together with a self-normalcy checking signal F.

Description

[Detailed Description of the Invention] [Field of Application of the Invention] The present invention relates to a control microcomputer that requires fail-safe characteristics, and particularly to a fail-safe computer system that is applicable even when the microcomputer system is a single system. Regarding.

[Background of the invention]

In recent years, microcomputers have become widely used to control various vehicles and transport equipment, but in such cases, if the microcontroller malfunctions, there is a risk of serious safety problems. Therefore, a completely safe microcomputer system is required.

This -1-! For example, a fail-safe microcomputer system for the system is described in [-Nikkei Electronics 4, 1982.3. The design of a fault-tolerant system seen in a railway signal control system by Mr. Omura and Mr. Nakamura of J.A. The paper introduces a method of realizing this by fail-safe verification of i number of clock-synchronized -f icon buses (address bus p 7 1 Hasna, etc.).

According to this conventional example, failure detection can be performed at high speed, but
On the other hand, since it assumes a multiple microcomputer system and requires a large number of fail-safe comparators corresponding to the number of buses to be compared, the cost increases.
Another disadvantage is that it cannot be applied to a single-layer microcomputer system.

[Purpose of the invention]

SUMMARY OF THE INVENTION An object of the present invention is to provide a fail-safe microcomputer system that eliminates the drawbacks of the prior art described above, requires fewer comparators, and is applicable to heavy-duty microcomputer systems.

[Summary of the invention]

In order to achieve this object, the present invention is characterized in that a digital output program is operated periodically using a software function, and a failure is detected by monitoring this cycle.

[Embodiments of the Invention] Hereinafter, the fail-safe computer system according to the present invention will be described in detail with reference to the illustrated embodiment. FIG. 1 shows an embodiment of the present invention, and in the figure, 1 is a control microcomputer (computer); A read-only memory, which is a program memory, is centered around the microprocessor (central processing unit) 2.3. Random access memory which is variable memory4. It is composed of a digital output circuit 5. In addition, peripheral circuits such as a clock circuit and an address decoder are necessarily limited, but this point is well known and will therefore be omitted.

6 is a fail-safe frequency comparator, which operates as a frequency window comparator with a fail-safe function, checks the frequency of the signal E output from the digital output circuit 5, and only when the frequency is within a predetermined frequency range. It outputs a coincidence signal G that becomes 1〃 and its own normality check signal F. Meanwhile, in parallel with this configuration, the software of the microcomputer 1 is configured as shown in the flowchart of FIG. That is, after starting the system and completing the initial process 'P4 (10), the digital output circuit 5 alternately outputs SS □ #,
%I It is output.

For this purpose, for example, a dummy counter (soft counter) is provided, and each time the step (20) is passed, the value is increased from 10% to %.
1, and a signal that changes from turtle 1 to ant 0 may be given to the digital output circuit 5. after that,
At step 5 (30), the microcomputer 1 performs the original processing that should be performed, and returns to step (current) again.

If this is done, there will be no interruptions in the program, so steps (20) and (30) will operate periodically in an infinite loop, and the output signal E of the digital output circuit 5 will be 0. %1 is a signal that is periodically inverted nine times, which indicates that a pulse of approximately constant frequency is obtained from the digital output circuit 5.

The reason why the frequency of the pulsed signal E at this time is not completely constant is as follows. That is, in general, the processing time of the original processing program of the microprocessor 1 in step (30) has fluctuations due to microscopic differences in the program bus (judgment statements, etc.).

This signal E of approximately constant frequency (this is called fl)
is input within the fail-safe frequency range 6 and compared under the comparison characteristics shown in FIG.
), a coincidence signal G=1 is obtained only when the value is between . These frequencies fX, , f are based on the J8 wave number f of the signal E obtained when the microcomputer 1 is functioning normally and the processing shown in Fig. 2 is being repeated correctly. , fail safe j! This is set in advance in the 8 wave number comparator 6.

Therefore, in a cabinet where the microcomputer 1 is functioning properly, the frequency of the signal B is f, as shown in Figure 3, and the frequency 'f
It is within the window determined by iifc and fR, and a coincidence signal (f-1) is obtained.

However, if a failure occurs in the microcomputer 1, the time required for the processing shown in Figure 2 may change from the normal time, or the processing may stop, for example, the frequency of the signal E may change. deviates from the correct value fl and becomes fI
When the value changes as follows and is out of the window determined by fL and fi, the -i signal G becomes 0, and a failure can be detected.

On the other hand, when the fail-safe frequency comparator 6 fails, its own normality check signal F is lost, so fail-safe is maintained.

Therefore, according to the embodiment shown in FIG. 1, it is possible to obtain a 7-fail-safe microcomputer system by using only one frequency comparator, and it is applicable even if the microcomputer system is not a multiplex system, and is sufficiently fail-safe. can give sex.

Next, a fourth embodiment of the fail-safe frequency comparator 6 will be described.
This will be explained using figures.

The example shown in Fig. 4 is known as the ring calculation method, and is widely used in the field of automatic train control devices (ATC devices) where fail-safe performance is required, and is disclosed in Patent No. 923.
No. 327, Patent No. 964816, Patent No. 107274
This is a known method that is explained in detail in each specification of No. 5.

The fail-safe frequency comparator 6 shown in FIG.
It is basically composed of a correspondence signal generation section 12 and a frequency comparison circuit 11, which are time-divisionally operated by a control circuit 14, and perform a frequency window comparison with respect to the frequency fi of the signal E applied to the input terminal IO, and a logic output circuit 13. A coincidence signal u't-1 is outputted from the output terminal 16, and a self-check signal P' is outputted from the output terminal 17.

To explain the operation in detail, at a certain time slot, the alternating signal generator 12 outputs the memory 15 and the control circuit 1.
When the signal a'' of the frequency change determined by the output of 4 is generated, this is input to the frequency comparator circuit 11 via the feed balun loose 18, and the signal E (D@wave efs A comparison output is obtained.

Next, in another evening slot, the police box signal generator 12
When the comparison is output, the contents of the memory 15 at a different address than the previous one are read out by the output from the control circuit 1.
Unlike the previous time, a signal a with a frequency of 7' is generated, and the frequency comparison circuit 11 now compares this frequency with the frequency f1 of the signal E.
A comparison is made with the following and a comparison output is generated. Therefore, if the frequency read from one address of the memory 15 is set as fX shown in FIG. 3, and the frequency read from the other address is set as f, then the frequency A window comparison will be performed.

On the other hand, in yet another address of the memory 15, Ayan$,
Data necessary for self-checking of the number comparison circuit 11 and the correspondence signal generation section 12 is set, and in a specific time slot other than the above-mentioned soft frequency ratio time slot, 15→18→ A feedback type loop of 11→19→15 is checked, and by performing cyclic operations including this operation, 7 fail safety is maintained. When this cyclic operation stops, the self-checking cyclic signal F appearing at the terminal 17 disappears, making it possible to detect an abnormality in a fail-safe state.

Further, the alternating signal generating section 12 also functions to generate an output signal indicating that the output of the frequency comparison circuit 11 is within a predetermined zone in a specific time slot other than the above, and outputs a logic output signal from the control circuit 14. Circuit 13 connects terminal 16
A signal G indicating the normal range is output as an alternating signal.

In addition, a memory CRC check (cyclic redundancy check) is also applied, but detailed explanation is given in the above specification and will not be repeated here.

Next, FIG. 5 shows an embodiment in which the present invention is applied to a dual system microcomputer, in which microcomputers IA and IB form a dual system and are loosely coupled (clocks are independent). In addition, these microcontroller IA.

Although the input/output interfaces of the IB are not shown in the diagram, they can be connected to each other or operated by switching from one side to the other using known switching means, as in the case of a normal duplex system. It has become.

In addition, there is a switching unit which is different from the switching of the input/output interface described above, and which switches the alternating signals EA and EiB from the respective microcomputers IA and IB in a time-sharing manner. It functions as an input to the

Therefore, also in this embodiment, the frequency f of the signal EA]
The frequency f1B of the signal EB and the frequency f1B of the signal EB are respectively detected on a time-division basis as to whether or not they are within a predetermined range.
Abnormality detection becomes possible in the same way as in the embodiment shown in the figure. At this time, the fail-safe frequency comparator 6 can detect any abnormality in the application of the switching section, so fail-safe properties are maintained.

FIG. 6 shows an embodiment in which the present invention is applied to a dual-system microcomputer system, and unlike the embodiment in FIG.
Dual system microcontroller IA, IB two signals EA, E
B is directly compared as a frequency, and the output frequency of one microcomputer is used as a reference to check whether the output frequency of the other microcomputer is within a predetermined range or not in a fail-safe manner. , Therefore, for example, the frequency of the signal EA output from the microcomputer IA is f
When lA is set/hi, the frequency flB of the output signal ILB of the microcomputer IB is 11 people - ΔfL<fIB<fl^+ΔfII ・・
A fail-safe frequency comparator 60 is used to check whether the frequency is within the range of (1).

FIG. 7 shows an embodiment of such a fail-safe frequency comparator 60, in which 21 is a terminal for inputting the signal EB from the microcomputer IB, and n is the selection-j path.

Next, the operation of this embodiment will be explained.

This embodiment also performs time-division operation, but the number of time slots is set to be greater than that in the case of Fig. 4.
As a result, the bubble selection circuit B selects the terminal 10 and inputs the signal EA, and the alternating signal generator 12 and the frequency comparison circuit 11 determine in what frequency range the frequency flA is the reference input frequency. , for each frequency band in a time-division manner, are compared and determined, and then stored as the reference frequency flA. The accuracy of the division of the mantissa at this time is determined by the number of reference frequency data set in the memo IJ-15.

Next, the selection circuit 22 is switched to the terminal 21, and the microcomputer IB
Take in the signal 1jB and store it as the reference frequency fl.
A is used to perform the comparison according to the above formula (1) in a time-sharing manner,
It is checked whether the frequency flB of the signal wb is within a predetermined difference (-ΔfL, +Δ111) with respect to the reference frequency flA.

Then, the coincidence signal G is output only while formula (1) is satisfied, so that abnormality detection can be performed.

Here, when the selection operation by the selection circuit section stops, it means that the same input is always compared, and the apparent frequency is VJ.
There is a possibility that the number of L is determined to be within a predetermined range, and an erroneous output is generated, thereby disabling the fail-safe function. Therefore, in response to this, a new time slot is provided, the output a of the signal generator 12 is inputted to the selection circuit η, and the output frequency of the selection circuit 4 is changed using the newly provided time slot. Input into the frequency comparison 1g circuit 11, -
If the cyclic ratio is carried out, it is possible to easily detect the stoppage of the selection operation by the selection circuit bn, and it is possible to maintain fail-safe even in the event of a failure of the selection circuit B.

In the embodiments shown in FIGS. 5 and 6, the microcomputers IA and 113 that form each of the dual systems can be loosely coupled, so the clock circuits can be made independent, and the clock circuits can be independent. No new synchronization is required.

Furthermore, in the embodiments shown in FIGS. 5 and 6, even if a failure occurs in one system, the other system can operate in a fail-safe manner similar to the embodiment shown in FIG. It is possible to maintain high reliability at all times by making full use of the dual system.

In the above embodiment, an infinite loop as shown in Fig. 2 is used to maintain the periodicity of the program, but instead of this, periodicity can be obtained by running the program using a timer interrupt. Good too. In this case,
It may also be possible to guarantee the correct operation of a part of the program.

〔Effect of the invention〕

As explained above, according to the present party, the microcomputer program for generating digital output is run periodically, and failure detection is performed based on this cycle, thus eliminating the drawbacks of the conventional technology. It does not require multiple 7-way safety devices and can be applied to dual-system microcomputer systems, so it can be made smaller by LSI, which makes it easier to reduce costs, and it can also be applied to dual-system microcomputer systems. - It is possible to easily provide a fail-safe computer system that can always have high reliability.

[Brief explanation of drawings]

FIG. 1 is a block diagram showing an embodiment of a fail-safe computer system according to the present invention, FIG. 2 is an explanatory diagram of a program in the medical example of FIG. 1, FIG. 3 is also an explanatory diagram of production, and FIG. A block diagram showing an example of a fail-safe frequency ratio softener, FIGS.
FIG. 7 is a block diagram showing another embodiment of the fail-safe B'1 wave number comparator. 1, IA, IB...Microcomputer, 5
...Digital output circuit, 6.60...
- Fail-safe frequency comparator, 20... selection circuit. 1st f! 1 Figure 2 Figure 3 Figure 4 Figure 5 Figure 6 Figure 7 L? -J mark

Claims (1)

[Claims] 1. In a computer system that performs arithmetic processing using a central processing unit, a digital output that generates a signal that alternately changes between one and the other of two states each time the arithmetic processing is executed. A circuit and a frequency comparator that inputs the signal output from the digital output circuit are provided, and a failure is detected based on whether the state change frequency of the signal is out of a predetermined range. A fail-safe computer system. 2. A fail-safe computer system according to claim 1, wherein the frequency comparator has a fail-safe function.