JPH07277191A - Dual system device - Google Patents

Abstract

PURPOSE:To provide a reliable dual system device for continuing an operation as far as possible even if a fault is generated partially by arranging a means for synchronizing a MPU of respective systems and a system to system interface for receiving and transmitting data between the respective systems. CONSTITUTION:A contact signal of a trail relay TR is used as an input signal in a device for adapting the other device A to be a signal for a railroad and driving and controlling this. Contact signals of respective separating relays CRa, CRb for separating own system when abnormalities of respective systems are detected y respective normal relays Ra and Rb are used for an output line for driving the other device A. A main system a and a secondary system b are formed by respectively connecting MPU boards Ma and Mb including a plurality of CPUs and input boards Ea and Eb and output boards Oa, Ob with respective system buses Ba, Bb. The both system buses Ba and Bb are connected to each other by system to system interface boards ia and ib so as to mutually transmit and receive data.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a dual system device, such as an electronic interlocking device, which is provided to enhance the reliability of the device.

[0002]

2. Description of the Related Art Conventionally, in the field of train control, in order to improve the reliability of the device, it is generally performed to make the device a double system.

A conventional dual system signal security device will be described. A master system device (hereinafter referred to as a master system) and a slave system device (hereinafter referred to as a slave system) are provided in a completely independent state.
Although data input and logical judgment are independently performed in parallel in each system, the output is connected to another device via a switch (for example, a relay).
It is configured to be controlled by the output of only the main system.

The logic judgment result of the master system is sent to the slave system via the inter-system interface so as to match the logic judgment result of the slave system, and the slave system is kept in the standby state. Further, since the output of the slave system is separated from other devices by the switch, output processing or diagnosis of the output circuit is not performed. And
When a failure occurs on the master system side, the slave system is configured to control other devices in place of the master system.

As described above, the conventional dual system device has a feature that the structure is simple because no synchronization processing is required between the master system and the slave system.

However, the above-mentioned conventional dual system device is
Reliability was sometimes impaired because each system was completely independent.

For example, if the input board of the main system first fails and is switched to the slave system and then the output board of the slave system fails, the normal output board (main Although the system side) and the normal input board (slave system side) are present, the device is completely stopped, resulting in a decrease in reliability.

Further, when the used system is switched from the master system to the slave system or from the slave system to the master system, the output to another device is performed via the switching relay, and the slave system outputs until then. Since no processing is performed, there is a drawback that the output to other devices is momentarily cut off. Further, although the slave system is performing output processing, there is a problem that failure of the output circuit cannot be manifested early if the diagnosis of the output circuit is not performed.

Therefore, the present invention has been made to solve the above-mentioned drawbacks, and its purpose is to monitor a dual system device as a whole, and when another part of the two systems fails,
The two systems complement each other's failure points and continue their operations as much as possible to improve reliability and provide a dual system device without instantaneous interruption of output to other devices. To do.

[0010]

In order to achieve the above-mentioned object, a dual system device according to the present invention is a microprocessor unit (hereinafter referred to as MPU) which operates by a predetermined program common to both a master system and a slave system. ), The inter-system that is provided between the synchronization means that synchronizes the operation of the MPU of each system and the system bus of each system, and that exchanges data between the systems. Interface means, input means connected to the system buses of the respective systems to input the same data, and output means connected to the system buses of the respective systems and having output sides connected to other devices and wired OR It is characterized by having and.

Further, the MPU, the input means and the output means which are respectively connected to the main system and the slave system have a self-diagnosis function and a function of judging the degree of failure when a failure occurs. When a failure occurs in any one of the input means or the output means, it has a switching means for switching the connected one of the input means or the output means having a lower failure level to the main system.

Further, the master system sends the input data of the input means of the master system to the slave system, and the input means of the slave system has a mismatch between the sent input data and its own input data. Sometimes, it is characterized by having an input data matching means for matching the transmitted input data.

[0013]

In the above structure, both MPUs are synchronized by the synchronizing means. Then, the other device is controlled by being wired-OR coupled with both output means. That is, the other device is controlled with both systems as one system.

Further, when a failure occurs in any of the input means or the output means, the switching means switches the connected one of the input means or the output means having a lower failure level to the main system.

Then, the input data matching means sends the input data of the input means of the master system to the slave system, and the input means of the slave system has a mismatch between the sent input data and its own input data. Then, the received input data is matched.

[0016]

Embodiments of the present invention will be described below with reference to the drawings. FIG. 1 is a block diagram showing a schematic configuration of an example device for driving and controlling the other device A as a railway traffic signal, and a track circuit (not shown) as an input signal.
The contact signal of the orbital relay TR is used, and the output line for driving the other device A has its own system when normal relays Ra and Rb, which will be described later, detect an abnormality in each system a and b. There are provided contact signals of disconnection relays CRa and CRb for disconnecting.

Each of the main system a and the sub system b is a system bus Ba and Bb, each of which includes a plurality of CPUs.
It is configured by connecting the PU boards Ma and Mb, the input boards Ea and Eb, and the output boards Oa and Ob. And
Both system buses Ba and Bb are connected by inter-system interface boards ia and ib, and are configured to exchange data with each other. Each MPU board M above
The a and Mb are connected to normal relays Ra and Rb, which are output during normal operation of the MPU boards Ma and Mb, respectively.

In FIG. 1, a 'and b'are both MPU boards M.
It is a signal line connecting a and Mb, and is used when transmitting and receiving a status signal, which will be described later, for synchronizing both MPUs.

In the present invention, the expressions of the master system and the slave system are used. However, each system of the present invention has no master-slave relationship like the conventional double system, and other devices will be used as described later. Each system is controlled in the same row. Therefore, the master system and the slave system in the present invention have a master-slave relationship for matching to one of the systems or to the mismatch of the input data generated at the critical timing when the deviation becomes large in the synchronization. Is. For convenience of explanation, the expression of the main system or the sub system may be expressed as a system or b system.

In FIG. 1, input / output boards Ea, Eb,
Although only one Oa and Ob are connected to each system bus Ba and Bb, this is for the purpose of simplifying the drawing, and it goes without saying that a plurality of boards may be connected. An input / output board may be connected.

FIG. 2 is a detailed block diagram of each of the MPU boards Ma and Mb. Both boards Ma and Mb have MPUs 2a and 2b driven by basic clocks 1a and 1b composed of crystal oscillators, respectively. is doing. In addition, each MP
U2a and 2b are respectively connected to the system buses Ba and Bb via an interface (not shown).

Each MPU board Ma, Mb has a fixed period timer 3a, 3b for generating a status signal for a predetermined time at each predetermined time, and output buffers 6a, 6b for outputting the status signal to another system. And an input buffer 7a for inputting a status signal from another system,
7b and a monitor timer 4 having basic clocks 4a 'and 4b' for monitoring the fixed period timers 3a and 3b, respectively.
a and 4b. The status signal is a signal with a duty of 50%, and when the rising edge changes, MP
The U-boards Ma and Mb are configured to generate a fixed-cycle timer interrupt.

The counters 5a and 5b provided on the respective MPU boards Ma and Mb are self-systems (here, the master system a is the self-system. Note that the following () indicates when the slave system b is the self-system. The output signal of the fixed-cycle timer 3a (3b) (status signal (see () in FIG. 2))
And the output signal (status signal (see () of FIG. 2)) of the fixed cycle timer 3b (3a) of the other system.
AND circuit 8a (8b) that receives an input via b (6a)
It is configured to be driven with the output signal of. The counters 5a and 5b have their own MPU 2a (2
The count value can be written or read from b).

Next, the synchronization control operation will be described with reference to the flowchart of FIG. 3 and the time chart of FIG.

Now, the power of a dual system (not shown) is turned on, the input / output / internal auxiliary relays, etc. are cleared, and predetermined initial processing such as presetting of all timers is performed, and the dual system is switched on. It is assumed that it has been started up and is in operation (step 100 in FIG. 3, hereinafter referred to as step S). During this operation, the slave system b changes from L (low) to H (high) of the status signal of the master system a, and the master system a selects the master system as the master system. Timers 3a, 3b, monitoring timers 4a, 4b,
The counters 5a and 5b are set (S102 and S in FIG. 3).
104, S106. See (a) of FIG. ). Therefore, at this time point, both systems a and b have a perfect cycle.

When the operation is continued, due to the error of the basic clocks 1a and 1b of the two systems a and b, the synchronization state of the status signals from the constant period timers 3a and 3b of the respective systems a and b is deviated. come. For example, the basic clocks 1a and 1b are 10
In the case of MHz, there is usually an error of about 100 Hz, so the above-mentioned deviation occurs. In addition, this deviation is several hundred
If it is on the order of μs, there is no problem in the operation of the device, so that it is acceptable (see t0 in FIG. 4).

When the deviation becomes large, the synchronization state of the systems a and b is lost. Therefore, when the deviation becomes, for example, 100 μs or more, the fixed period timer 3b and the monitoring timer 4b of the slave system b are set to the main system a. Fixed-cycle timer 3a and monitoring timer 4
A synchronization process for matching with a is performed.

The synchronization processing will be described below.

When the double systems a and b continue to operate,
The counter 5b of the slave system b receives both the status signal (see FIG. 2) from the fixed cycle timer 3b of the self system (slave system b) and the status signal (see FIG. 2) from the other system (master system a). When H, counts. Therefore, when the status signals of the two systems completely match, the count value N
Is N = 1/2 × T (T: time of one cycle). Further, when the two status signals are deviated, the count value N becomes N = 1/2 × (T-t1) (t1: deviation time). Assuming that the time allowed for deviation between the two status signals is t0, the count value N is now N = 1/2.
If × (T-t1) ≧ (1/2) × T-t0, the deviation is within the allowable time, so the subordinate system does not reset the fixed cycle timer 3b and the monitoring timer 4b of its own system, and operates as it is. Is continued (S110, S112 affirmative, S114 affirmative, S120 in FIG. 3; see (B) in FIG. 4).

However, the count value of the counter 5b is N
= 1/2 x (T-t1) <1/2 x (T-t0) (No in S114; see (c) in Fig. 4), it is determined that a deviation exceeding the allowable time has occurred. Because it means the main system a
Status signal of the fixed cycle timer 3a (see FIG. 2)
Is changed from H to L, the subordinate system resets the fixed period timer 3b and the monitoring timer 4b of its own system. As a result, the fixed-cycle timer interrupts of both systems a and b are synchronized (S116 and S118 in FIG. 3; see (D) in FIG. 4).

As described above, the apparatus of this embodiment is compatible with both systems a,
When the status signal of b has deviated more than a predetermined amount,
The fixed cycle timer 3b and the monitoring timer 4b of the slave system b are connected to the master system a.
Since the constant period timer 3a and the monitoring timer 4a are matched with each other, both systems a and b can always maintain the synchronized state.

Next, the control operation of the apparatus of this embodiment will be described using the failure level table of Table 1 and the processing flow of FIG.

Now, the two systems a and b are synchronized by the above-described synchronization processing, and in this state, the input processing (S200, S3) is performed.
00) is executed, but when the external conditions that operate asynchronously are input even if the two systems a and b are completely synchronized,
It is inevitable that the input values of the two systems a and b will not match at the critical timing. For example, in the case of the input of the track relay TR, when the main system a is “without train” and the subordinate system b is “with train”, in the case of “without train”, the display G (blue) of the other device (signal) A is displayed. ) Light, R for "with train"
Since the (red) light is turned on, the traffic light A turns on the R and G lights, which is in a very inconvenient state. Therefore,
In order to prevent this, it is necessary to match the data between the two systems a and b. Therefore, the input data is sent from the master a to the slave b, and the slave b matches the data to the master a (S202, S302; see FIG. 5). In addition, the exchange of data between systems is performed by the inter-system interface boards ia and ib.
Done through.

Each system a, b has a function of self-diagnosing the state of each board Ma, Mb, Ea, Eb, Oa, Ob in its own system by a known self-checking method. Then, the detected failure is, as shown in Table 1,
The levels are classified in consideration of the degree of influence of the failure on the other device A.

[Table 1]

Table 1 shows the relationship between the effect of the failure of each board and the failure level. The failure level has the highest level 0 and has the relationship of 0>1>2>3> 4. . Therefore, even if the output circuits Oa and Ob are faulty, when the fault acts on the dangerous side with respect to the other device A, the fault level is positioned high (level 1), but acts on the safe side. If so, the level is ranked low (level 4). Further, the level of this failure is configured to be used for determining the selection of the master system a and the slave system b. Therefore, when two systems a and b fail at the same time, the system with the lower failure level becomes the main system. Since the failure information is exchanged between the two systems a and b via the intersystem interface boards ia and ib at a predetermined cycle, it is possible to understand the failure status of the other systems (S21).
0, S310. (See FIG. 5).

Further, the control operation will be described. When all the boards Ma, Mb, Ea, Eb, Oa, Ob are normal, the MPU boards Ma, Mb receive the data input from the input boards Ea, Eb, respectively. Use other device A
Is simultaneously performed, and the other device A is controlled via the output boards Oa and Ob based on the calculation result. That is, the other device A is not controlled by either the main system a or the slave system b, but has a form in which both systems a and b are controlled as one system.

Next, a case where the MPU board Ma or Mb fails will be described. In this case, the faulty system cannot perform its function, and therefore the disconnection relay CRa (or CR) is connected via the normal relay Ra (or Rb).
b) is restored (turned off) and self-disconnecting. Since the other device A can perform the input, logical judgment, and output processes of the normal system MPU board Ma (or Mb), the control of the other device A is continued. Of course, when a failure occurs, the person in charge is notified of the failure, and the failed MPU board is replaced. Both MPU board M
When a and Mb fail at the same time, the other device A can no longer be controlled, and the device is completely stopped.

The control operation for maintaining the function of the dual system device in a state where the same type of boards (for example, the input boards Ea and Eb) in the two systems a and b have failed will be described.

It is assumed that a level 3 failure occurs in the a-system (main system) input board Ea from the normal state of both systems. At this time, since the b system is normal, the control is switched so that the a system is newly processed as the slave system and the b system is newly processed as the master system. After that, the a-system uses the b-system (main system) input data obtained via the inter-system interface boards ia and ib as the input data to execute the logic judgment process and the output process.

Next, the a-system failure board (input board E
If a level 2 failure occurs in the b-system input board Eb before (a) is replaced, the b-system cannot obtain correct input data, and cannot execute the logic judgment process. Therefore, the failure levels of the two systems a and b are 4 for the a system and 2 for the b system.
Therefore, the control is switched so that the a system is newly processed as the main system and the b system is newly processed as the slave system. Therefore, the b-system uses the a-system (main system) input data obtained via the intersystem interface board ia as the input data to execute the logic judgment process and the output process. That is, the system having a low failure level is set as a new main system and the processing is continued.

The two systems a and b have different types of boards (for example, an input board Ea (or Eb) and an output board Oa (or O).
A control operation for maintaining the function of the dual system device when a failure occurs in b)) will be described.

It is assumed that a level 4 failure has occurred in the output board Ob of the b system (slave system) from the normal state of both systems. At this time, since the system a (main system) is normal, the system a naturally operates as the main system.

Next, the b system failure board (output board O
If a level 2 failure occurs in the a-system input board Ea before the b) is replaced, the two failure levels are a-system 2 and b-system 4. To the subordinate, b
The control is switched so that the system is processed as the main system. Then, the slave system a executes the logic judgment process and the output process based on the input data of the system b.

As described above, regarding the outputs, since the outputs of the two systems a and b are connected to the other device A by wired OR, the other device A can be normally operated by the a system. In addition, regarding input, the input data is transferred from the master system to the slave system, and the slave system performs data matching processing with the master system.
It is possible to mask inconsistencies between two systems.

As described above, the apparatus of this embodiment is provided with each system a,
Since the respective MPU boards Ma and Mb of b are operated in synchronization, the other device A can be controlled as much as possible even if a failure occurs in a part of each board, and the reliability is further improved. be able to.

Further, since the other device A is connected to the output boards Oa and Ob by wired OR, there is a feature that there is no possibility of instantaneous interruption during system switching unlike the conventional dual system.

[0047]

The dual system device according to the present invention is provided with the MP of each system.
U-system interfacing means provided between the synchronizing means for synchronizing the operation of the U and the system buses of the respective systems and for exchanging data between the respective systems, and the system bus of the respective systems are respectively connected. Input means for inputting the same data, and output means connected to the system buses of the respective systems and having output sides connected to other devices and wired OR, so that even if a part fails , The operation can be continued as much as possible, and the reliability can be further improved.

Further, when a failure occurs in any of the input means or the output means, a switching means for switching the connected one of the input means or the output means having a lower failure level to the main system is provided. The failure can be dealt with in a timely manner.

Further, the input means of the slave system makes the input data sent from the master system match the sent input data when there is a mismatch between the input data and the self input data. When it has, it becomes possible to mask the disagreement between the two systems which occurs at the critical timing.

[Brief description of drawings]

FIG. 1 is a block diagram showing a schematic configuration of a device according to an embodiment of the present invention.

FIG. 2 is a block diagram showing details of an MPU board.

FIG. 3 is a time chart showing a synchronization control operation.

FIG. 4 is a flowchart showing a synchronization control operation.

FIG. 5 is a flowchart showing data transfer between a master and a slave.

[Explanation of symbols]

a Main system device (main system) b Sub system device (slave system) Ma, Mb MPU board Ba, Bb System bus Ea, Eb Input board Oa, Ob Output board 1a, 1b Basic clock 2a, 2b MPU (microprocessor unit) 3a, 3b fixed-cycle timer 4a, 4b monitoring timer 5a, 5b counter

Claims (3)

[Claims] 1. A dual system device comprising a microprocessor unit that operates by a predetermined program common to a master device and a slave device, and a synchronization for synchronizing the operation of the microprocessor unit of each system device. And an intersystem interface means provided between the system buses of the respective system devices for exchanging data between the system devices, and connected to the system bus of the respective system devices to input the same data. A dual system device, comprising: an input device for connecting to the system bus of each system device, and an output device connected to a wired OR at the output side of the system device. 2. The microprocessor unit, the input means and the output means respectively connected to the main system device and the slave system device respectively have a self-diagnosis function and also have a function of judging the degree of failure when a failure occurs. And a switching means for switching, when a failure occurs in any one of the input means or the output means, the connected one of the input means or the output means having a lower failure level to the main system device. The dual system device according to claim 1. 3. The master unit sends the input data of the input unit of the master unit to the slave unit, and the input unit of the slave unit outputs the sent input data and its own input data. 3. The dual system device according to claim 2, further comprising input data matching means for matching the transmitted input data when a mismatch occurs.