US20110214125A1 - Task management control apparatus and method having redundant processing comparison - Google Patents


Info

Publication number: US20110214125A1
Authority: US (United States)
Prior art keywords: input, processors, computation, output, unit
Legal status: Abandoned
Application number: US13/105,041
Inventors: Akira Bando, Shin Kokura, Takashi Umehara, Masamitsu Kobayashi, Hisao Nagayama, Naoya Mashiko, Masakazu Ishikawa, Masahiro Shiraishi, Akihiro Onozuka, Hiromichi Endoh, Tsutomu Yamada, Satoru Funaki
Current assignee: Individual
Original assignee: Individual
Priority claimed from: JP2005170275A (published as JP2006344087A); JP2005190874A (published as JP4102814B2)

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F9/00 Arrangements for program control, e.g. control units
            • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
              • G06F9/30 Arrangements for executing machine instructions, e.g. instruction decode
                • G06F9/30181 Instruction operation extension or modification
                  • G06F9/30189 Instruction operation extension or modification according to execution mode, e.g. mode flag
                • G06F9/38 Concurrent instruction execution, e.g. pipeline, look ahead
                  • G06F9/3836 Instruction issuing, e.g. dynamic instruction scheduling or out of order instruction execution
                    • G06F9/3851 Instruction issuing, e.g. dynamic instruction scheduling or out of order instruction execution from multiple instruction streams, e.g. multistreaming
                  • G06F9/3885 Concurrent instruction execution, e.g. pipeline, look ahead using a plurality of independent parallel functional units
          • G06F11/00 Error detection; Error correction; Monitoring
            • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
              • G06F11/16 Error detection or correction of the data by redundancy in hardware
                • G06F11/1629 Error detection by comparing the output of redundant processing systems
                  • G06F11/1641 Error detection by comparing the output of redundant processing systems where the comparison is not performed by the redundant processing components
                  • G06F11/165 Error detection by comparing the output of redundant processing systems with continued operation after detection of the error
                • G06F11/1675 Temporal synchronisation or re-synchronisation of redundant processing components
                  • G06F11/1683 Temporal synchronisation or re-synchronisation of redundant processing components at instruction level
                  • G06F11/1687 Temporal synchronisation or re-synchronisation of redundant processing components at event level, e.g. by interrupt or result of polling
                • G06F11/1695 Error detection or correction of the data by redundancy in hardware which are operating with time diversity
          • G06F2201/00 Indexing scheme relating to error detection, to error correction, and to monitoring
            • G06F2201/845 Systems in which the redundancy can be transformed in increased performance

Definitions

  • The present invention relates to a task management apparatus for a control apparatus, an input/output control apparatus, an information control apparatus, a task management method, an input/output controlling method, and an information controlling method.
  • The regular-system/standby-system structure is a known form of multiple-mechanism programmable electronic apparatus. It improves availability because operation can be switched to the standby system when a failure is found in the regular system.
  • JP-A-2004-234144 describes a programmable electronic apparatus that uses a plurality of processors to increase safety.
  • Processing facilities with potential hazards, such as nuclear power plants and chemical plants, employ passive countermeasures such as barriers and active countermeasures such as a safety device (for example, an emergency shutdown device) in order to reduce the effect of hazards on workers and the surrounding environment in case of an accident.
  • The control means for such safety devices has so far been realized by electromagnetic/mechanical means such as relays.
  • PLC: Programmable Logic Controller.
  • IEC 61508-1 to 61508-7, “Functional safety of electrical/electronic/programmable electronic safety-related systems”, parts 1 through 7 (abbreviated IEC 61508), is the international standard issued in response to this trend. It specifies the requirements for electrical/electronic/programmable electronic safety-related systems used as part of a safety control system.
  • IEC 61508 defines the Safety Integrity Level (SIL) as a measure of the capability of a safety control system, and specifies requirements corresponding to levels 1 through 4.
  • A higher SIL indicates a larger degree to which the processing installation is capable of reducing its potential risk; in other words, how reliably the processing equipment can carry out safety control when an abnormality is detected in the equipment.
  • Even if the safety control system is inactive under normal operating conditions, it is required to become active immediately when trouble occurs in the processing installation. To this end, it is important that the system routinely examine itself, that is, continuously check its own health.
  • A safety control system that needs a high SIL is required to implement self-diagnosis over a wide range and with high precision, in order to minimize the probability that the system is left inactive by an undetected failure.
  • The diagnostic rate is the proportion of failures that are detectable when a given self-diagnosis technique is employed, relative to all failures that could occur in each constituent.
  • For the RAM diagnosis technique “Abraham” described in, for example, U.S. Pat. No. 6,779,128, a maximum diagnostic rate of 99% is said to be claimable.
  • As a failure detecting means for a processor as a single constituent, it is effective to monitor whether the output results of a plurality of processors match.
  • Each processor executes the same control processing at the same time and confirms that its output coincides with those of the other processors.
  • JP-A-6-290066 describes a method in which two processors are operated in synchronism with each other and supplied with the same input information so that their outputs coincide, thereby checking that the processors are in good condition.
  • The reliability required of programmable electronic equipment has two factors: availability and safety.
  • Availability is important for the control of equipment, and safety is important for the protection of equipment. Since the means for realizing these two factors trade off against each other, it has been difficult to satisfy both.
  • When a partial unit in charge of availability and another partial unit responsible for safety are provided separately to build an apparatus, the apparatus becomes not only large, but also less reliable, because the multiplicity and complexity of the running and maintenance operations make the human factors unreliable.
  • Availability is a key component for the control of equipment, while safety weighs most heavily in the protection of equipment.
  • The means for realizing these two factors contain many mutually contradictory portions.
  • It has therefore become standard practice to divide the apparatus into separate partial units for availability and for safety.
  • A control system that needs high safety uses a method in which it verifies that the processors are in good condition by checking the outputs of a plurality of processors, and produces an output to the following stages (memory and IO) only when the outputs coincide.
  • The operation timing of each processor is matched to the others, and the same control input information is supplied to each processor so that the processors produce the same output.
  • Processors have become highly efficient.
  • A control system comprised of a plurality of processors carries the risk that the processors may not produce outputs of the same frequency and phase even if a single clock is supplied to all of them.
  • The programmable electronic system has been required not only to provide reliability such as safety, but also to improve convenience by speeding up network processing and normal control processing, which do not require the level of reliability obtained by checking the processors' outputs against each other.
  • When control processing is to be performed at high speed, or when network processing handling a large amount of data is wanted, the programmable electronic system has had to be divided into separate component units for executing these processes and for performing the high-reliability processing.
  • An objective of the invention is to provide apparatus and methods capable of solving any one of the above problems.
  • An apparatus having a plurality of processors is designed to achieve small size, high performance and safety, and thus high reliability.
  • An apparatus receives results obtained when at least two systems make compatible computations on data of a common object to be processed.
  • When a start signal is fed from at least one of the two systems, a computation command signal is supplied to at least the two systems.
  • An apparatus receives results obtained when at least two systems make compatible computations on data of a common object to be processed, and other results obtained when at least the two systems make different computations on data of different objects to be processed.
  • A switching signal is generated that indicates whether at least the two systems made different computations separately or compatible computations in a multiple way. When this signal indicates that the at least two systems made different computations, a judgment is made to allow at least one of the results of the different computations to be supplied.
  • This method has the steps of: storing, in a first identification data region, identification data that identifies the object whose data is processed by a predetermined one of at least the two systems; storing, in a second identification data region, identification data that identifies the object whose data is processed by the other one of at least the two systems; storing, in a first processed data region, first processed data as the processed result from the predetermined one of at least the two systems; storing, in a second processed data region, second processed data as the processed result from the other one of at least the two systems; comparing the first identification data and the second identification data; and comparing the first processed data and the second processed data.
  • An apparatus receives results obtained when at least two systems make compatible computations in a multiple way on data of a common object to be processed, and other results obtained when at least the two systems make different computations on data of different objects to be processed.
  • A switching signal is generated that indicates whether at least the two systems made different computations or compatible computations.
  • A programmable electronic system having an input/output device, a plurality of processors and a memory is further provided with a unit for switching the operation modes of the processors, a unit for comparing the outputs of the processors, and a unit for protecting a memory region defined by a table from being written.
  • The output-comparing unit is operated or stopped in accordance with the output from the operation mode-switching unit, so that the memory-write protecting unit is operated while the output-comparing unit is stopped.
  • The processors can be operated independently while the output-comparing unit is stopped, thus increasing the control computation performance.
  • Output that affects safety can be prevented from being erroneously written.
  • A danger-side signal output caused by false computation in the processors can be prevented, thus improving reliability.
  • The operation mode-switching unit has first and second timer counters.
  • The first timer counter is started by a check operation start command and reset by the check operation start signals from the plurality of processors.
  • The second timer counter is reset and started by the check operation start signals from the plurality of processors. An abnormal output is produced when the outputs of the two timer counters exceed a preset range.
  • This construction can detect that the output-comparing unit has stopped, and so increases reliability.
  • A bus diagnosis unit is provided to diagnose a stuck or disconnected bus.
  • The bus diagnosis is started on the condition that the independent operations of the plurality of processors have completely finished.
  • The comparing/checking process is started on the condition that the diagnosis has finished normally. Therefore, it is possible not only to prevent the processors from making erroneous computations, but also to prevent a danger-side signal output from being produced due to bus failure, thus increasing reliability.
  • This output comparing unit includes a unit for detecting the end of the independent operations of the plurality of processors, a unit for issuing operation start commands of a check operation program to the plurality of processors at intervals of a predetermined time, a command output unit for causing the next step of the check program to wait, a hold unit for holding the comparison signals from the plurality of processors, and a unit for comparing the comparison signals held in the hold unit.
  • The program becomes active when the independent operations of the processors have finished.
  • The wait command to the processors operating ahead is released when their output to the hold unit has finished.
  • The wait command to the processors operating late is released at the end of the comparing process.
  • This construction can reduce the capacity needed to hold the comparison signals from the processors operating ahead.
  • The pipeline processing speeds up the computation, holding and comparing operations.
  • At least one of the plurality of processors is ordered to perform computations requiring relatively high reliability separately from computations requiring relatively low reliability, so that the processors can perform the same computations.
  • The results of the computations made by the plurality of processors are compared with each other, and the data associated with those computations is allowed to be supplied on the basis of the comparison results.
  • FIG. 1 is a diagram showing the whole construction of an embodiment of a control system according to the invention.
  • FIG. 2 is a diagram showing an example of the operation mode switching unit as another embodiment according to the invention.
  • FIG. 3 is a timing chart showing the operation of each portion.
  • FIG. 4 is a diagram showing an example of the computing system as still another embodiment according to the invention.
  • FIG. 5 is a state transition diagram showing the operation of the system bus interface portion of the above embodiment according to the invention.
  • FIG. 6 is another state transition diagram showing the operation of the error detection unit of the above embodiment according to the invention.
  • FIG. 7 is a timing chart showing the processing operation of two processors of the embodiments according to the invention.
  • FIG. 1 is a diagram showing the construction of an embodiment of a programmable electronic apparatus according to the invention.
  • In this embodiment, a programmable electronic apparatus has two processors.
  • An A-system processor 1 and a B-system processor 2 are respectively connected through buffers 3 and 4 to an external access unit 5.
  • The external access unit 5 is connected to an input/output unit and a memory.
  • The A-system processor 1 and B-system processor 2 are operated in two alternating modes, check mode and independent mode, under the control of an operation-mode switching unit 6.
  • The same program is executed on the A-system processor 1 and B-system processor 2.
  • A data hold unit 7 and an output check unit 8 confirm that the data from the A-system processor 1 and B-system processor 2 coincide with each other.
  • The same data is supplied through a data synch unit 9 to the A-system processor 1 and B-system processor 2.
  • The output data from and input data to the processors are respectively supplied through a check buffer unit 10 to and from the external access unit 5.
  • The data hold unit 7, output check unit 8, synch unit 9 and check buffer unit 10 are operated when a check mode command 601 is at level H.
  • A protection table 12 operates in the independent mode and inhibits writing when the address data from the buffer 3 falls within a previously defined protection range of physical address pages.
  • The input to and output from the B-system processor 2 are supplied through the buffer 4 from and to the external access unit 5, respectively, and a protection table 13 likewise inhibits data from being written in the protection range.
  • Output switch units 14 and 15 cause the input signals from registers 104 and 204 to be supplied to the buffers 3 and 4 only when an output 605 from a NOT gate 604 is at level H.
  • An operating system 101 of the A-system processor 1 issues a check mode start command 102 of level H to the operation-mode switching unit 6 (t1).
  • Having received the check mode start command 102, the operation-mode switching unit 6 generates a check mode command 601 (level H) (t4) if the check mode ready signals 103 and 203 from the A-system and B-system processors 1 and 2 are at the valid level (level H) (t2, t3).
  • The A-system processor starts the check mode computation (t5).
  • The check mode ready signal 103 is reset by the leading edge, i.e. the start, of the check mode computation 105 (t6).
  • The check mode ready signals 103 and 203 are produced on the condition that the A-system processor 1 and B-system processor 2 have finished the independent mode computation and that the cache memory has been cleared. Thus the computation-time deviation caused by the different program operations before the start of the check mode can be eliminated.
  • The check mode command 601 is fed directly to the A-system processor 1, while a signal 603 obtained by delaying it by a set time (Td) through a timer circuit 602 is supplied to the B-system processor 2 (t7).
  • The B-system processor then starts the check mode computation (t8).
  • The check mode ready signal 203 is reset by the leading edge of the check mode computation 205 (t9).
  • The delay time is set to two bus cycles of the operation mode switching unit 6, so that the computation of the A-system processor is always ahead and the computation lag due to the check is minimized.
  • The output from a register 104 of the A-system processor 1 is written in a register 701 of the data hold unit 7.
  • A write wait signal 702 is then released, allowing data to be written again in the register 104 of the A-system processor 1.
  • When a comparator 801 of the output check unit 8 verifies that the write control signal W of a register 204 of the B-system processor 2 and the write control signal W of the register 701 coincide, it supplies the write control signal W to a register 11 of the check buffer unit 10.
  • A wait signal 802 is released, allowing a comparator 803 to produce its output.
  • When the comparator 803 confirms that the address signal 701 fed from the A-system processor 1 and held in the register 701 and the address signal 204 from the B-system processor 2 coincide, it supplies the address signal to the register 11 of the check buffer unit 10. At the same time, a wait signal 804 is released, allowing a comparator 805 to produce its output.
  • When the comparator 805 verifies that the data 701 fed from the A-system processor 1 and held in the register 701 and the data 204 from the B-system processor 2 coincide, it supplies the data signal to the register 11 of the check buffer unit 10. At the same time, a wait signal 806 from the output check unit 8 is released, allowing the register 204 of the B-system processor 2 to be written again.
  • The input data distributing operation will be described next.
  • The read control signal R of the register 104 of the A-system processor 1 is transmitted through the read control signal R of the register 11 of the check buffer unit 10 to the external access unit 5.
  • The address and data signals are supplied through the register 11 and read into the register 104.
  • The data of the register 11 is transmitted to a register 901 of the data synch unit 9.
  • A comparator 902 checks whether the read-in control signal R of the register 901 coincides with the read-in control signal R of the register 204 of the B-system processor 2. If they coincide, a wait signal 903 is released.
  • A comparator 904 checks whether the address signal of the register 901 coincides with the address signal of the register 204. If they coincide, a wait signal 905 is released so that a gate circuit 906 is operated, and the data signal of the register 901 is transmitted to the register 204. A wait signal 907 is then released, allowing the check buffer unit 10 to be rewritten.
  • The check mode command 601 becomes level L (t12), and the check mode command 603 is also brought to level L by an AND gate 620.
  • The independent operation mode starts (t14).
  • The diagram of FIG. 3 shows that the B-system processor still continues the independent computation mode 206 when the A-system processor finishes the independent mode computation 106 (t14) and the check mode start command 102 rises again (t15).
  • The check circuit starts the self-diagnosis operation (t17).
  • The check mode ready signal 103 of the A-system processor 1 and the check mode ready signal 203 of the B-system processor 2 become level H (t18).
  • Because the check circuit performs the self-diagnosis operation just before the check mode computation, it can enhance safety.
  • The output switch units 14 and 15 are respectively comprised of gate circuits 141 through 144 and 151 through 154, enabling data to be input and output between the registers 104, 204 and the buffers 3, 4 when the inverted signal 605 of the check mode command 601 is at level H.
  • The protection tables 12 and 13 become active when the inverted signal 605 of the check mode command 601 is at level H; they refer to the address signals 121 and 131 and produce access protection signals 122 and 132 when the addresses are within a predetermined physical address range. These access protection signals 122 and 132 control gate circuits 123 and 133 through NOT circuits to stop writing in the protected range.
  • FIG. 2 shows an embodiment of an operation mode switching unit according to the invention.
  • A leading edge detector 606 receives the check mode start command 102 from the operating system 101 of the A-system processor 1 and produces a set pulse signal 607, by which a timer counter 609 is started.
  • When the check mode ready signals 103 and 203 from the A-system processor 1 and B-system processor 2 are supplied to an AND gate 619, the AND gate produces an output signal 608, by which the timer counter 609 is reset.
  • The timer counter 609 supplies an output 610 to a comparator 611, and the comparator 611 produces an abnormal output 612 when the output 610 exceeds a preset range. Thus a delay at the time of the check operation can be detected.
  • A timer counter 615 is provided that starts just when it is reset by a pulse signal produced by a leading edge detector 613 that receives the output signal 608 from the AND gate 607.
  • The timer counter 615 supplies an output 616 to a comparator 617, and the comparator 617 produces an abnormal output 618 when the output 616 exceeds a preset range. Thus an abnormality of the check computation period can be detected.
  • A bus diagnosis unit for examining a stuck or disconnected bus is provided, and it starts its operation when the independent operations of the plurality of processors have completely finished.
  • When the diagnosis operation finishes normally, the comparison check process can be started.
  • This output check processing is implemented by an independent operation end detecting unit for detecting the end of the independent operations of the plurality of processors, a unit for issuing check operation program start commands with different timings to the plurality of processors, a command output unit for making the next step of the check program wait, a hold unit for holding the comparison signals from the plurality of processors, and a comparing check unit for comparing and checking the comparison signals held in the hold unit.
  • This construction makes it possible to reduce the capacity needed to hold the comparison signals from the processors operating ahead.
  • The pipeline processing speeds up the operations of computation, holding and comparison.
  • A control system that needs both high reliability and high performance has a function to make a plurality of processors operate redundantly when high reliability is required, so that the processors can be checked for good condition by comparing their outputs, and another function to make the processors perform independent processes, thereby improving performance. That is, it realizes comparison between the outputs of CPUs.
  • this embodiment has the following features.
  • FIG. 4 shows the construction of the control system of this embodiment according to this invention. Although two processors are used in this embodiment, this embodiment can have an arbitrary number of processors that do not restrict the invention.
  • control system to be described here is connected to a memory circuit, but this is not particularly stated.
  • A-system processor 1001 executes a control task and that the B-system processor 1003 executes a communication task.
  • the A-system processor 1001 and the B-system processor 1003 are not always necessary to synchronously operate at the same frequency and in the same phase.
  • the A-system processor 1001 outputs an address signal and data signal on an A-system processor bus 1050 .
  • the A-system processor 1001 asserts a bus start signal 1051 at the time of beginning bus access.
  • An A-system interface portion 1002 continues to assert an A-system wait signal 1052 until an A-system bus ready signal 1067 or an A-system interruption control ready signal 1068 is asserted.
  • When the A-system processor 1001 executes a write access, it continues to output the address and data to the A-system processor bus 1050 while the A-system wait signal 1052 is being asserted.
  • When the A-system processor 1001 executes a read access, it continues to output the address to the A-system processor bus 1050 and waits for read data while the A-system wait signal 1052 is being asserted. When the A-system wait signal 1052 is negated, the A-system processor 1001 receives the data on the A-system processor bus 1050 as the read value.
  • Likewise, the B-system processor 1003 supplies an address signal and a data signal on a B-system processor bus 1055.
  • The B-system processor 1003 asserts a bus start signal 1057 at the time of beginning bus access.
  • A B-system interface portion 1004 continues to assert a B-system wait signal 1056 until a B-system bus ready signal 1065 or a B-system interruption control ready signal 1069 is asserted.
  • When the B-system processor 1003 executes a write access, it continues to supply the address and data to the B-system processor bus 1055 while the wait signal 1056 is being asserted.
  • When the B-system processor 1003 executes a read access, it continues to supply the address to the B-system processor bus 1055 and waits for read data while the wait signal 1056 is being asserted. When the wait signal 1056 is negated, the B-system processor 1003 receives the data on the B-system processor bus 1055 as the read value.
  • An A-system area judge 1013 has a function to judge, from the value of the address on the A-system processor bus 1050, whether the device currently being accessed is a highly reliable IO 1018.
  • When it is, the A-system area judge 1013 asserts an A-system highly reliable access signal 1060.
  • Similarly, a B-system area judge 1014 has a function to judge, from the value of the address on the B-system processor bus 1055, whether the device currently being accessed is the highly reliable IO 1018.
  • When it is, the B-system area judge 1014 asserts a B-system highly reliable access signal 1061.
  • A comparator 1015 has a function to compare the A-system processor bus 1050 with the B-system processor bus 1055.
  • Specifically, the comparator compares the address, the access type (write or read) and the write data on the A-system processor bus 1050 with those on the B-system processor bus 1055. If they coincide, the comparator 1015 asserts a compared-result coincident signal 1062.
  • A system bus interface portion 1016 makes access to the highly reliable IO 1018, normal IO 1020 and network IO 1022 through a system bus 1017 according to the A-system processor bus 1050, B-system processor bus 1055, A-system highly reliable access signal 1060, B-system highly reliable access signal 1061 and compared-result coincident signal 1062.
  • The highly reliable IO 1018 is connected to an input/output device 1019 that is required to have high reliability.
  • The normal IO 1020 is connected to an input/output device 1021 for which normal reliability is sufficient.
  • The network IO 1022 interfaces to a network 1023; when it requires processing by a processor, such as receive processing, it asserts a network interrupt 1066 to request that the processor perform the processing.
  • An error detector 1012 has a function to judge whether the A-system processor 1001 and B-system processor 1003 normally operate or fail according to the A-system highly reliable access signal 1060 , B-system highly reliable access signal 1061 and compared-result coincident signal 1062 . If the error detector 1012 judges that a trouble occurs, it asserts a failure report signal 1064 .
  • An interrupt control portion 1005 has a function to control an A-system interrupt signal 1053 to A-system processor 1001 and an interrupt signal 1054 to B-system processor 1003 .
  • The interrupt control portion 1005 also has an A-system interrupt request register 1006 that asserts the A-system interrupt signal 1053 and an A-system interrupt factor register 1008 that indicates the factor of the interrupt.
  • In addition, the interrupt control portion 1005 has a B-system interrupt request register 1007 that asserts the B-system interrupt signal 1054 and a B-system interrupt factor register 1009 that indicates the factor of the interrupt.
  • The A-system interrupt request register 1006, A-system interrupt factor register 1008, B-system interrupt request register 1007 and B-system interrupt factor register 1009 are constructed so that they can be accessed from both the A-system processor 1001 and the B-system processor 1003.
  • The failure report signal 1064 and the network interrupt 1066 are fed from the outside.
  • The A-system interrupt signal 1053 transmits the interrupt produced from the A-system interrupt request register 1006 or from the failure report signal 1064.
  • The interrupt produced from the failure report signal 1064 takes priority over that produced from the A-system interrupt request register 1006.
  • The B-system interrupt signal 1054 transmits the interrupt produced from the B-system interrupt request register 1007, the network interrupt 1066 or the interrupt produced from the failure report signal 1064.
  • The interrupt produced from the failure report signal 1064 takes priority over that produced from the B-system interrupt request register 1007.
  • The interrupt produced from the B-system interrupt request register 1007 takes priority over the network interrupt 1066.
  • Thus, the order of priority, from highest to lowest, is the interrupt produced from the failure report signal 1064, the interrupt produced from the B-system interrupt request register 1007, and the network interrupt 1066.
  • FIG. 5 is a state transition diagram showing the operation status of system bus interface portion 1016 .
  • The system bus interface portion 1016 has the four states shown in FIG. 5.
  • The state 1200 is the idle state, in which neither the A-system processor 1001 nor the B-system processor 1003 makes access to the system bus 1017.
  • The state 1201 is the A-system processor access state, in which the A-system processor 1001 makes access to the normal IO 1018.
  • The state 1202 is the B-system processor access state, in which the B-system processor 1003 makes access to the network IO 1022.
  • The state 1203 is the state in which the A-system and B-system processors make access to the highly reliable IO 1018.
  • The transition condition 1204, under which the state 1200 shifts to the state 1201, is satisfied when the A-system processor 1001 starts an access and the A-system highly reliable access signal 1060 is not asserted.
  • The transition condition 1206, under which the state 1200 shifts to the state 1202, is satisfied when the A-system processor 1001 does not start an access, the B-system processor 1003 starts an access, and the B-system highly reliable access signal 1061 is not asserted.
  • The transition condition 1208, under which the state 1200 shifts to the state 1203, is satisfied when the A-system processor 1001 starts an access, the A-system highly reliable access signal 1060 is asserted, the B-system processor 1003 starts an access, the B-system highly reliable access signal 1061 is asserted, and the compared-result coincident signal 1062 is asserted.
  • This condition indicates that the A-system processor 1001 and B-system processor 1003 both make access to the same address of the highly reliable IO 1018.
  • The transition condition 1205 is satisfied by the report of access completion sent from the normal IO 1020 through the system bus 1017.
  • The transition condition 1207 is satisfied by the report of access completion sent from the network IO 1022 through the system bus 1017.
  • The transition condition 1209 is satisfied by the report of access completion sent from the highly reliable IO 1018 through the system bus 1017.
  • In this way, the system bus interface portion 1016 responds to the requests from the A-system processor 1001 and B-system processor 1003 according to the results of judgment from the A-system area judge 1013 and B-system area judge 1014, thus allowing them to make access to any one of the highly reliable IO 1018, normal IO 1020 and network IO 1022 connected to the system bus 1017.
  • However, an access to the highly reliable IO 1018 must satisfy the transition condition 1208, in which both the A-system processor 1001 and the B-system processor 1003 make access to the same address of the highly reliable IO 1018.
  • The A-system bus ready signal 1067 is asserted when either of the transition conditions 1205 and 1209 is satisfied, and the B-system bus ready signal 1065 is asserted when either of the transition conditions 1207 and 1209 is satisfied.
  • FIG. 6 is a state transition diagram showing the operation of the error detector 1012 .
  • The state 1300 is the idle state, in which neither the A-system processor 1001 nor the B-system processor 1003 makes access to the highly reliable IO 1018.
  • The state 1301 is the state in which the A-system processor 1001 makes access to the highly reliable IO 1018 and waits for the B-system processor 1003 to produce the same output as that from the A-system processor 1001.
  • The state 1302 is the state in which the A-system processor 1001 makes access to the highly reliable IO 1018 and waits for the B-system processor 1003 to produce the same output as that from the A-system processor 1001, but a timeout error is judged to have occurred after the lapse of a constant time.
  • The state 1303 is the state in which the A-system processor 1001 and B-system processor 1003 make access to the highly reliable IO 1018, but the outputs from the two processors do not coincide, so that an error is judged to have occurred.
  • The state 1305 is the state in which the B-system processor 1003 makes access to the highly reliable IO 1018 and waits for the A-system processor 1001 to produce the same output as that from the B-system processor 1003.
  • The state 1304 is the state in which the B-system processor 1003 makes access to the highly reliable IO 1018 and waits for the A-system processor 1001 to produce the same output as that from the B-system processor 1003, but a timeout error is judged to have occurred after the lapse of a constant time.
  • The transition condition 1306 is satisfied when the A-system highly reliable access signal 1060 is asserted but the B-system highly reliable access signal 1061 is not asserted.
  • The transition condition 1307 is satisfied when the B-system highly reliable access signal 1061 is asserted and the compared-result coincident signal 1062 is asserted.
  • The transition condition 1309 is satisfied when the B-system highly reliable access signal 1061 is asserted but the compared-result coincident signal 1062 is not asserted.
  • The transition condition 1308 is satisfied when neither the transition condition 1307 nor 1309 is satisfied but a constant time has elapsed.
  • The transition condition 1316 is satisfied when the B-system highly reliable access signal 1061 is asserted but the A-system highly reliable access signal 1060 is not asserted.
  • The transition condition 1315 is satisfied when the A-system highly reliable access signal 1060 is asserted and the compared-result coincident signal 1062 is asserted.
  • The transition condition 1312 is satisfied when the A-system highly reliable access signal 1060 is asserted and the B-system highly reliable access signal 1061 is asserted, but the compared-result coincident signal 1062 is not asserted.
  • The transition condition 1313 is satisfied when neither the transition condition 1315 nor 1312 is satisfied but a constant time has elapsed.
  • The transition condition 1317 is satisfied when the A-system highly reliable access signal 1060 is asserted and the B-system highly reliable access signal 1061 is asserted, but the compared-result coincident signal 1062 is not asserted.
  • The transition conditions 1310, 1311 and 1314 are always satisfied, so that the state shifts to the state 1300 at the cycle following the transition to the states 1302, 1303 and 1304, respectively.
  • In this way, the error detector 1012 supervises the accesses of the A-system processor 1001 and B-system processor 1003 to the highly reliable IO 1018.
  • While the processors make access to the highly reliable IO 1018, the error detector transits to the state 1302, 1303 or 1304 when the outputs from the two processors differ or when either one of the processors does not make access to the highly reliable IO 1018 within a constant time. In these states 1302, 1303 and 1304, the failure report signal 1064 is asserted.
  • When the failure report signal 1064 is asserted, the highly reliable IO 1018 recognizes that a failure has occurred and switches its output to a stable state.
  • The stable state means either that the current output is held as it is or that the output is the same as when the power supply is disconnected.
  • The stable state differs for each object to be controlled.
  • The error detector 1012 also reports a failure interrupt to the A-system processor 1001 and B-system processor 1003 using the interrupt signals 1053 and 1054 when a failure occurs. The processors that have received the failure interrupt immediately suspend their current processes and execute the failure process.
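The comparator 1015, the FIG. 5 states of the system bus interface portion 1016 and the FIG. 6 states of the error detector 1012 described above can be checked against each other in a small executable model. The following Python is an added example written for this page, not code from the patent or from any product implementing it; the address window of the highly reliable IO 1018, the length of the "constant time", and the class and function names are assumptions. It shows that a lone access to the highly reliable IO is held rather than forwarded, that a mismatch in address, access type or write data asserts the failure report signal 1064 for one cycle, and that a partner access that never arrives trips the timeout.

```python
# Constructed cycle-level model of comparator 1015, system bus interface portion 1016 (FIG. 5)
# and error detector 1012 (FIG. 6): numbers follow the text; address window, timeout and API are assumed.
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

HR_IO_BASE, HR_IO_SIZE = 0x1000, 0x100  # assumed address window of the highly reliable IO 1018
TIMEOUT_CYCLES = 3                       # assumed length of the "constant time" of FIG. 6

@dataclass(frozen=True)
class BusAccess:  # what a processor drives on bus 1050/1055 while its bus start signal is asserted
    address: int
    write: bool
    data: int = 0  # write data; not compared for a read

def highly_reliable(acc: Optional[BusAccess]) -> bool:
    """Area judge 1013/1014: the highly reliable access signal 1060/1061."""
    return acc is not None and HR_IO_BASE <= acc.address < HR_IO_BASE + HR_IO_SIZE

def coincident(a: Optional[BusAccess], b: Optional[BusAccess]) -> bool:
    """Comparator 1015: address, access type and write data must all match (signal 1062)."""
    return (a is not None and b is not None and a.address == b.address
            and a.write == b.write and (not a.write or a.data == b.data))

class Bus(Enum):  # states of the system bus interface portion 1016, FIG. 5
    IDLE = 1200
    A_ACCESS = 1201
    B_ACCESS = 1202
    HR_ACCESS = 1203

class SystemBusInterface:
    def __init__(self) -> None:
        self.state = Bus.IDLE
    def step(self, a, b, io_done: bool) -> Tuple[Bus, bool, bool]:
        """One cycle; returns (state, A-system bus ready 1067, B-system bus ready 1065)."""
        s, ready_a, ready_b = self.state, False, False
        if s is Bus.IDLE:
            if a is not None and not highly_reliable(a):
                s = Bus.A_ACCESS  # 1204
            elif a is None and b is not None and not highly_reliable(b):
                s = Bus.B_ACCESS  # 1206
            elif highly_reliable(a) and highly_reliable(b) and coincident(a, b):
                s = Bus.HR_ACCESS  # 1208; a lone highly reliable access stays idle, held by its wait signal
        elif io_done:  # access completion report: 1205 / 1207 / 1209
            ready_a = s in (Bus.A_ACCESS, Bus.HR_ACCESS)
            ready_b = s in (Bus.B_ACCESS, Bus.HR_ACCESS)
            s = Bus.IDLE
        self.state = s
        return s, ready_a, ready_b

class Det(Enum):  # states of the error detector 1012, FIG. 6
    IDLE = 1300
    A_WAIT = 1301
    A_TIMEOUT = 1302
    MISMATCH = 1303
    B_TIMEOUT = 1304
    B_WAIT = 1305
FAULT_STATES = (Det.A_TIMEOUT, Det.MISMATCH, Det.B_TIMEOUT)  # failure report 1064 asserted here

class ErrorDetector:
    def __init__(self) -> None:
        self.state, self.waited = Det.IDLE, 0
    def step(self, a, b) -> Det:
        a_hr, b_hr, same = highly_reliable(a), highly_reliable(b), coincident(a, b)
        s = self.state
        if s in FAULT_STATES:  # 1310 / 1311 / 1314: back to idle on the next cycle
            nxt = Det.IDLE
        elif s is Det.IDLE:
            if a_hr and not b_hr:
                nxt = Det.A_WAIT  # 1306
            elif b_hr and not a_hr:
                nxt = Det.B_WAIT  # 1316
            elif a_hr and b_hr and not same:
                nxt = Det.MISMATCH  # 1317
            else:
                nxt = Det.IDLE
        elif s is Det.A_WAIT:
            if b_hr and same:
                nxt = Det.IDLE  # 1307
            elif b_hr:
                nxt = Det.MISMATCH  # 1309
            else:
                nxt = Det.A_TIMEOUT if self.waited >= TIMEOUT_CYCLES else Det.A_WAIT  # 1308
        else:  # Det.B_WAIT
            if a_hr and same:
                nxt = Det.IDLE  # 1315
            elif a_hr and b_hr:
                nxt = Det.MISMATCH  # 1312
            else:
                nxt = Det.B_TIMEOUT if self.waited >= TIMEOUT_CYCLES else Det.B_WAIT  # 1313
        self.waited = self.waited + 1 if nxt is s else 0  # cycles spent in the same wait state
        self.state = nxt
        return nxt

def run(trace):
    """Feed one (A-bus, B-bus) pair per cycle; return (detector state number, failure report 1064)."""
    det = ErrorDetector()
    return [(det.step(a, b).value, det.state in FAULT_STATES) for a, b in trace]
```

Driving both units from the same (A-bus, B-bus) trace is what makes the check meaningful: the bus interface only ever forwards a highly reliable access that the comparator has already confirmed, while the error detector independently reports the two cases in which that confirmation cannot happen, a differing output or a partner that never shows up.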
  • FIG. 7 is a timing chart showing the normal processing operation of the A-system processor 1001 and B-system processor 1003 .
  • When the A-system processor 1001 has finished the last control task n after processing the successive tasks from the control task 0, it executes a start task to start the B-system processor highly reliable task. This start task makes access to the B-system interrupt request register 1007 within the interrupt control portion 1005, thereby producing an interrupt to the B-system processor 1003, and then ends. Then, the A-system processor 1001 executes a highly reliable task. This highly reliable task controls the input/output device 1019, which is connected to the highly reliable IO 1018 and required to be reliable. The A-system processor 1001 periodically executes this sequence of processes from the control task 0 to the highly reliable task.
  • The B-system processor 1003 executes communication tasks one after another in response to the network interrupt produced by the network IO 1022; when it receives the interrupt from the start task executed by the A-system processor 1001, it executes the same highly reliable task as the A-system processor 1001.
  • In the highly reliable task, the A-system processor 1001 and B-system processor 1003 perform the same process, so that correct operation can be guaranteed by the matching of the outputs from the two processors.
  • After the highly reliable task, the B-system processor 1003 again processes the communication tasks one after another in response to the network interrupt 1066 produced by the network IO 1022.
  • When the B-system processor 1003 has received the interrupt and finished the process, it makes access to the interrupt control portion 1005 and clears the interrupt factor.
  • Meanwhile, the interrupt control portion 1005 masks the lower-priority network interrupt 1066.
  • Therefore, the B-system processor 1003 does not suspend its processing, because the network interrupt 1066 does not arrive while the B-system processor 1003 is executing the highly reliable task.
  • In this embodiment, the processing that requires reliability is performed by a plurality of processors.
  • The outputs from the processors are compared with each other, and only when the compared result is judged to be coincident are the outputs supplied. Therefore, the reliability is improved.
  • On the other hand, the processing that does not attach importance to the reliability is performed by each of the plurality of processors independently, so that it can be carried out more efficiently.

Abstract

An input/output control apparatus including: a unit that controls input/output of data relating to a computation of a plurality of processors in response to an access request from a second input/output unit and an access request from a first input/output unit which requires higher reliability than said second input/output unit, and, in the case where said first input/output unit issues an access request, orders at least one of the plurality of processors to perform the computation relating to the access request from said first input/output unit separately from the computation relating to the access request from said second input/output unit, so that the same computation is made by said plurality of processors; a unit that compares the results of said computations relating to the access request from said first input/output unit provided from said plurality of processors; and a unit that allows the data associated with said computations of said processors to be output on the basis of said compared results.

Description

    CROSS REFERENCE TO RELATED APPLICATION
  • This is a continuation of U.S. application Ser. No. 11/447,724, filed Jun. 7, 2006. This application relates to and claims priority from Japanese Patent Application No. 2005-170275, filed on Jun. 10, 2005 and No. 2005-190874, filed on Jun. 30, 2005. The entirety of the contents and subject matter of all of the above is incorporated herein by reference.
  • BACKGROUND OF THE INVENTION
  • The present invention relates to a task management apparatus for control apparatus, input/output control apparatus, information control apparatus, task management method, input/output controlling method, and information controlling method.
  • The fields of electronics and information technology have advanced, and the functions required of a single apparatus have become complicated and compound. The advance of these fields and the increasing complexity and compounding of functions have contributed greatly to widening the application of programmable electronic apparatus and, at the same time, to raising the reliability required of it.
  • As commonly known ways of achieving high reliability, there are methods of constructing multiple mechanisms or of using a plurality of processors in the programmable electronic apparatus.
  • The regular-system/standby-system structure is known as a form of the multiple-mechanism programmable electronic apparatus. This structure is able to improve the availability because it can be switched to the standby system when a failure is found in the regular system.
  • On the other hand, JP-A-2004-234144 describes a programmable electronic apparatus using a plurality of processors for increasing the safety.
  • In addition, processing facilities having potential hazards, such as atomic power plants and chemical plants, employ protective means such as barriers as passive countermeasures and safety devices such as an emergency shutdown device as active countermeasures, in order to reduce the influence of hazards on the workers and the surrounding environment in case of an accident. Of these countermeasures, the control means for the safety device or the like has so far been realized by electromagnetic/mechanical means such as relays. Recently, however, programmable control equipment, as represented by the Programmable Logic Controller (PLC), has been developed, and there is demand to use it as the control means for the safety control system.
  • IEC 61508-1 to 7, “Functional safety of electrical/electronic/programmable electronic safety-related systems”, part 1 to part 7 (abbreviated IEC 61508), is the international standard issued in line with this trend. It specifies the requirements for the electrical/electronic/programmable electronic safety-related system used as part of the safety control system. IEC 61508 defines the Safety Integrity Level (SIL) as a measure of the ability of the safety control system, and specifies requirements corresponding to levels 1 through 4. A higher SIL indicates a larger degree to which the processing installation is capable of reducing its potential risk; in other words, it indicates how surely the processing equipment can implement the safety control when an abnormality is detected in the equipment.
  • Even if the safety control system is inactive under the normal operating condition, it is required to become active immediately when trouble occurs in the processing installation. To this end, it is important to routinely perform self-examination, that is, to continuously check its own health or good condition. In addition, a safety control system that needs a high SIL is required to implement self-diagnosis over a wide range and with high precision, in order to minimize the probability that the system becomes inactive because of an undetected failure.
  • IEC 61508 presents self-diagnosis techniques to be used for each kind of component that constitutes the safety control system, and shows the effectiveness of each technique in the form of a diagnostic rate. The diagnostic rate indicates the proportion of failures that are detectable when that self-diagnosis technique is employed, relative to all failures that could occur in each constituent. For the RAM diagnosis technique “Abraham” described in, for example, U.S. Pat. No. 6,779,128, it is said that a maximum diagnostic rate of 99% can be claimed.
  • In addition, as the failure detecting means for a processor as a single constituent, it is effective to employ a method of monitoring the matching between the output results from a plurality of monitors.
  • As a method for mutually examining the outputs from a plurality of processors, it is effective to have each processor execute the same control processing at the same time and confirm that its output coincides with those of the other processors.
  • As a typical example, JP-A-6-290066 describes a method in which two processors are operated in synchronism with each other and the same information is supplied as an input to both processors so that their outputs can be made coincident, thereby checking that the processors are in good condition.
  • SUMMARY OF THE INVENTION
  • The reliability required for the programmable electronic equipment has the factors of availability and safety. Availability is important for the control of equipment, and safety is important for the protection of equipment. Since the means for realizing these two factors have the property of a trade-off, it has been difficult to satisfy both availability and safety. Although an apparatus has been produced by providing one partial unit that takes charge of availability and another partial unit responsible for safety, the apparatus has become not only large-sized but also reduced in reliability, because the human factors become unreliable owing to the multiplicity and complication of the running/maintenance operations.
  • The factors of the reliability required for the programmable electronic system are thus availability and safety. Availability is a key component for the control of equipment, while safety is weighty in the protection of equipment. The means for realizing these two factors contain many mutually contradictory (antinomic) parts.
  • Therefore, it has become standard practice to divide the apparatus into partial units for availability and for safety. Thus, the apparatus has become not only large-sized but also reduced in reliability, because the human factors become unreliable owing to the multiplicity and complication of the running/maintenance operations.
  • The control system that needs high safety, as disclosed in JP-A-6-290066, takes a method in which it verifies if the processors are in good conditions by checking the outputs of a plurality of processors, and produces an output to the following stages of memory and IO only when coincidence occurs.
  • According to this method, the operation timing of each processor is matched to each other, and the same control input information is also supplied to each processor so that the processor can produce the same output.
  • However, as the objects to be controlled have become complicated, the processors have come to be highly efficient. As a result, in a control system comprised of a plurality of processors there is a risk that the processors might not produce outputs of the same frequency and phase even if a single clock is supplied to the plurality of processors.
  • Thus, it is hard for a future control system comprised of a plurality of processors to synchronize the processor outputs. In order to check the outputs of the processors and diagnose whether the processors operate correctly, it is necessary to adopt a method for checking the outputs irrespective of whether the outputs of the processors are synchronous or asynchronous. In addition, in order to compare the outputs of the processors, the plurality of processors must execute a single process. Thus, the processing performance per processor can be reduced to half the usual processing performance.
  • On the other hand, the programmable electronic system has been required not only to provide reliability such as safety, but also to improve convenience by speeding up the network processing and the normal control processing, which do not require such reliability as is obtained by checking the outputs of the processors. Particularly when high-speed control processing is desired, or when network processing that handles a large amount of data is wanted, the programmable electronic system has been required to be divided into component units for executing these processes and for carrying out the processing for reliability.
  • It is an objective of the invention to provide apparatus and methods capable of solving any one of the above problems. Specifically, an apparatus having a plurality of processors is designed to achieve small size, high performance and safety, thus having high reliability.
  • It is another objective of the invention to provide a high-reliable programmable electronic system constructed to achieve all of small size, high performance and safety by using a plurality of processors.
  • According to the invention, to achieve the above objectives, there is provided an apparatus in which results are received that are obtained when at least two systems make compatible computations on data of a common object to be processed. In this apparatus, when a start signal is fed from at least either one of the two systems, a computation command signal is supplied to at least two systems.
  • In addition, there is provided an apparatus in which results are received that are obtained when at least two systems make compatible computations on data of a common object to be processed, and other results are received that are obtained when at least two systems make different computations on data of different objects to be processed. In this apparatus, a switching signal is generated that indicates that at least the two systems made different computations separately or compatible computations in a multiple way. When this signal indicates that the at least two systems made different computations, judgment is made to allow at least one of the results of the different computations to be supplied.
  • Moreover, there is provided a method in which results are received that are obtained when at least two systems make compatible computations on data of a common object to be processed. This method has a step of storing, in a first identification data region, identification data that identifies the object of which the data is processed by a predetermined one of at least the two systems, a step of storing, in a second identification data region, identification data that identifies the object of which the data is processed by the other one of at least the two systems, a step of storing, in a first processed data region, first processed data as a processed result from the predetermined one of at least the two systems, a step of storing, in a second processed data region, second processed data as a processed result from the other one of at least the two systems, a step of comparing the first identification data and the second identification data, and a step of comparing the first processed data and the second processed data.
  • In addition, there is provided an apparatus in which results are received that are obtained when at least two systems make compatible computations in a multiple way on data of a common object to be processed, and other results are received that are obtained when at least the two systems make different computations on data of different objects to be processed. In this apparatus, a switching signal is generated that indicates that at least the two systems made different computations or compatible computations.
  • More specifically, there is provided a programmable electronic system having an input/output device, a plurality of processors and a memory, this programmable electronic system further having provided therein a unit for switching the operation modes of the processors, a unit for comparing the outputs of the processors and a unit for protecting a memory region defined by a table from being written. The output-comparing unit is operated/stopped in accordance with the output from the operation mode-switching unit so that the memory-write protecting unit can be operated when the output-comparing unit is stopped.
  • With this construction, the processors can be independently operated when the output-comparing unit is stopped, thus increasing the controlled computation performance. In addition, the output that affects the safety can be prevented from being erroneously written. Moreover, when the output-comparing unit is operative, the danger-side signal output due to false computation by the processors can be prevented, thus improving the reliability.
  • In addition, the operation mode-switching unit has first and second timer counters. The first timer counter is started by a check operation start command and reset by check operation start signals from the plurality of processors. The second timer counter is reset and started by the check operation start signals from the plurality of processors. Then, an abnormal output is produced when the outputs from the two timer counters exceed a preset range.
  • This construction can detect that the output-comparing unit is stopped, and increase the reliability.
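One reading of the two timer counters just described, as an added example (not the patent's circuit): the first counter measures the time from the check operation start command until every processor has signalled its check operation start, and the second measures the time since the last such signal. The limits, the tick granularity, the latching of the abnormal output and the class name are assumptions; the condition detected is the one named above, an output-comparing unit that has silently stopped running, whether because the check never starts, because one processor never reaches it, or because it stops recurring.

```python
# Constructed model of the two timer counters of the operation mode-switching unit, read as a
# watchdog on the check operation; limits, tick granularity and names are assumptions.
from dataclasses import dataclass, field
from typing import List, Set, Tuple

@dataclass
class ModeSwitchWatchdog:
    processors: Tuple[str, ...] = ("A", "B")
    latency_limit: int = 5    # assumed: max ticks from the check command until all processors start the check
    interval_limit: int = 20  # assumed: max ticks between successive check operation starts
    t1: int = 0               # first timer counter: command -> all check start signals
    t1_running: bool = False
    t2: int = 0               # second timer counter: time since the last check start signal
    t2_running: bool = False
    started: Set[str] = field(default_factory=set)
    abnormal: bool = False    # abnormal output; latched once raised (assumption)

    def check_command(self) -> None:
        """Check operation start command: starts the first timer counter."""
        self.t1, self.t1_running, self.started = 0, True, set()

    def check_start(self, system: str) -> None:
        """Check operation start signal from one processor: resets the first timer once every
        processor has signalled, and resets and starts the second timer."""
        self.started.add(system)
        if self.started >= set(self.processors):
            self.t1, self.t1_running = 0, False
        self.t2, self.t2_running = 0, True

    def tick(self) -> bool:
        """Advance one tick; returns the abnormal output."""
        if self.t1_running:
            self.t1 += 1
        if self.t2_running:
            self.t2 += 1
        if self.t1 > self.latency_limit or self.t2 > self.interval_limit:
            self.abnormal = True  # the comparing unit did not start, or stopped recurring
        return self.abnormal

def cycles_until_abnormal(events: List[str], max_ticks: int = 50) -> int:
    """Apply events ("cmd", "start:A", "start:B"), then tick until the abnormal output rises.
    Returns the tick number at which it rose, or -1 if it stayed low for max_ticks ticks."""
    w = ModeSwitchWatchdog()
    for ev in events:
        if ev == "cmd":
            w.check_command()
        else:
            w.check_start(ev.split(":")[1])
    for n in range(1, max_ticks + 1):
        if w.tick():
            return n
    return -1
```

Both counters are needed: the first catches a check that is commanded but never reached (including one processor that never arrives), while the second catches a system that simply stops issuing check commands, which the first counter alone would never see.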
  • Moreover, a bus diagnosis unit is provided to diagnose the stuck disconnection of bus. The bus diagnosis is started under the condition that the independent operations of the plurality of processors have been completely finished. The diagnosis is normally finished under the condition that the comparing/checking process is started. Therefore, it is possible not only to prevent the processors from making erroneous computations, but also to prevent the danger-side signal output from being produced due to bus failure, thus increasing the reliability.
  • This output comparing unit includes a unit for detecting the end of the independent operations of the plurality of processors, a unit for generating operation start commands of a check operation program to the plurality of processors at intervals of a predetermined time, a command output unit for causing the next step of the check program to wait, a hold unit for holding the comparison signals from the plurality of processors, and a unit for comparing the comparison signals held in the hold unit. The program becomes active when the independent operations of the processors have been finished. The wait command to the processors operating ahead is released when the output to the hold unit has been finished. In addition, the wait command to the processors operating late is released at the end of the comparing process.
  • This construction can reduce the capacity for holding the comparison signals from the processors operating ahead. Moreover, the pipeline processing can speed up the computation, and holding and comparing operations. In addition, when the computations with relatively high reliability are requested, at least one of the plurality of processors is ordered to make computations with relatively high reliability away from the computation with relatively low reliability so that the processors can make the same computations. The results of the computations made by the plurality of processors are compared with each other, and the data associated with the computations of the processors is allowed to supply on the basis of the compared results.
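The hold unit and the wait-release ordering described above, together with the identification-data and processed-data regions of the comparison method summarized earlier, can be modelled as follows. This is an added example, not code from the patent; the hold depth, the class names and the outcome labels are assumptions. It shows why identification data is compared before processed data (two results that happen to be equal but belong to different objects are still a fault) and how a hold unit of bounded capacity back-pressures the processor running ahead while the late processor is released only when the comparison is done.

```python
# Constructed model of the output-comparing unit's hold unit and of the identification-data /
# processed-data regions described above; hold depth, names and outcome labels are assumptions.
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

@dataclass(frozen=True)
class ComparisonSignal:  # what a processor hands to the hold unit at the check step
    ident: int  # identification data: which object's data was processed
    data: int   # processed data: the result of that computation

@dataclass(frozen=True)
class Outcome:
    action: str                # "held" | "coincident" | "ident_mismatch" | "data_mismatch" | "blocked"
    released: Tuple[str, ...]  # processors whose wait command this event releases

class OutputCompareUnit:
    def __init__(self, hold_depth: int = 1) -> None:
        self.hold_depth = hold_depth  # hold unit capacity per processor (assumed configurable)
        self.hold: Dict[str, Deque[ComparisonSignal]] = {"A": deque(), "B": deque()}
        self.faults: List[Outcome] = []

    def arrive(self, system: str, sig: ComparisonSignal) -> Outcome:
        other = "B" if system == "A" else "A"
        if self.hold[other]:
            # The partner ran ahead and its signal is held, so this is the late processor.
            # Identification data is compared first: equal results for different objects are
            # still a fault. The late processor's wait ends with the comparison.
            held = self.hold[other].popleft()
            if held.ident != sig.ident:
                out = Outcome("ident_mismatch", (system,))
            elif held.data != sig.data:
                out = Outcome("data_mismatch", (system,))
            else:
                out = Outcome("coincident", (system,))
            if out.action != "coincident":
                self.faults.append(out)
            return out
        if len(self.hold[system]) >= self.hold_depth:
            return Outcome("blocked", ())  # hold unit full: the processor ahead keeps waiting
        self.hold[system].append(sig)
        return Outcome("held", (system,))  # processor ahead: released once its signal is held

def run_schedule(events, hold_depth: int = 1) -> List[str]:
    """Replay (system, ident, data) arrivals in time order; return the action per event."""
    unit = OutputCompareUnit(hold_depth)
    return [unit.arrive(s, ComparisonSignal(i, d)).action for s, i, d in events]
```

With a hold depth of one, the processor ahead can bank exactly one comparison signal and is then blocked until the late processor consumes it; this is the bounded holding capacity the passage above refers to, and raising the depth trades capacity for the ability to run further ahead.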
  • Thus, small size, high performance, and safety can be achieved at the same time, and also the high reliability can be realized.
  • In addition to reliability such as safety, convenience can be enhanced by increasing the speed of the network processing and of the normal control processing that does not require the level of reliability obtained by comparing the outputs from the processors.
  • Other objects, features and advantages of the invention will become apparent from the following description of the embodiments of the invention taken in conjunction with the accompanying drawings.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a diagram showing the whole construction of an embodiment of a control system according to the invention.
  • FIG. 2 is a diagram showing an example of the operation mode switching unit as another embodiment according to the invention.
  • FIG. 3 is a timing chart showing the operation of each portion.
  • FIG. 4 is a diagram showing an example of the computing system as still another embodiment according to the invention.
  • FIG. 5 is a state transition diagram showing the operation of the system bus interface portion of the above embodiment according to the invention.
  • FIG. 6 is another state transition diagram showing the operation of the error detection unit of the above embodiment according to the invention.
  • FIG. 7 is a timing chart showing the processing operation of two processors of the embodiments according to the invention.
  • DESCRIPTION OF THE EMBODIMENTS
  • Embodiments of the invention will be described with reference to the accompanying drawings.
  • FIG. 1 is a diagram showing the construction of an embodiment of a programmable electronic apparatus according to the invention.
  • First, the whole construction and the operation of each portion will be described briefly.
  • As illustrated, a programmable electronic apparatus has two processors. An A-system processor 1 and a B-system processor 2 are respectively connected through buffers 3 and 4 to an external access unit 5. The external access unit 5 is connected to an input/output unit and a memory.
  • The A-system processor 1 and B-system processor 2 are operated in two alternate modes of check mode and independent mode under the control of an operation-mode switching unit 6.
  • In the check mode, the same program is executed on the A-system processor 1 and B-system processor 2. Before they supply their outputs to the external access unit 5, a data hold unit 7 and output check unit 8 confirm that the data from the A-system processor 1 and B-system processor 2 are coincident with each other. When data is supplied from the external access unit 5 to the inside, same data is supplied through a data synch unit 9 to the A-system processor 1 and B-system processor 2. The output data from and input data to the processors are respectively supplied through a check buffer unit 10 to and from the external access unit 5.
  • The data hold unit 7, output check unit 8, synch unit 9 and check buffer unit 10 are each operated to produce their signals when a check mode command 601 is at level H.
  • In the independent mode, different programs are respectively executed on the A-system processor 1 and B-system processor 2. The input to and output from the A-system processor 1 are supplied through the buffer 3 from and to the external access unit 5, respectively. A protection table 12 operates in the independent mode, and inhibits writing when the address data of the buffer 3 is within a previously defined protection range of a physical address page. Similarly, the input to and output from the B-system processor 2 are supplied through the buffer 4 from and to the external access unit 5, respectively, and a protection table 13 inhibits data from being written in the protection range.
  • Output switch units 14 and 15 cause the input signals from registers 104 and 204 to be supplied to output buffers 3 and 4 only when an output 605 from a NOT gate 604 is level H.
  • The operation of each portion will be described in detail with reference to FIGS. 1 and 3.
  • First, an operating system 101 of the A-system processor 1 issues a check mode start command 102 of level H to the operation-mode switching unit 6 (t1). The operation-mode switching unit 6 that has received the check mode start command 102 generates a check mode command 601 (level H) (t4) if check mode ready signals 103 and 203 from the A-system and B-system processors 1 and 2 are at the valid level (level H) (t2, t3). Thus, the A-system processor starts the check mode computation (t5). The check mode ready signal 103 is reset by the leading edge, or start, of the check mode computation 105 (t6).
  • Here, the check mode ready signals 103 and 203 are produced under the condition that the A-system processor 1 and B-system processor 2 finish the independent mode computation and that a cache memory is cleared. Thus, it is possible to eliminate the computation-time deviation due to the different program operations before the start of the check mode.
  • The check mode command 601 is fed directly to the A-system processor 1, while a signal 603 resulting from delaying it by an amount of a set time (Td) through a timer circuit 602 is supplied to the B-system processor 2 (t7). Thus, the B-system processor is started to make the check mode computation (t8). The check mode ready signal 203 is reset by the leading edge of the check mode computation 205 (t9).
  • The delay time is set to two bus cycles of the operation mode switching unit 6 so that the computation of the A-system processor is always ahead and the computation lag due to the check is minimized.
  • The output data checking operation will be described.
  • The output from a register 104 of A-system processor 1 is written in a register 701 of the data hold unit 7. When the writing in the register 701 is finished, a write wait signal 702 is released, thus allowing data to be again written in the register 104 of A-system processor 1.
  • On the other hand, when a comparator 801 of the output check unit 8 verifies that the write control signal W of a register 204 of B-system processor 2 and the write control signal W of the register 701 are coincident, it supplies the write control signal W to a register 11 of the check buffer unit 10. At the same time, a wait signal 802 is released, thus allowing a comparator 803 to produce its output.
  • When the comparator 803 confirms that the address signal 701 fed from the A-system processor 1 and held in the register 701 and the address signal 204 from the B-system processor 2 are coincident, it supplies the address signal to the register 11 of check buffer unit 10. At the same time, a wait signal 804 is released, thus allowing a comparator 805 to produce its output.
  • When the comparator 805 verifies that the data 701 fed from the A-system processor 1 and held in the register 701 and the data 204 from the B-system processor 2 are coincident, it supplies the data signal to the register 11 of check buffer unit 10. At the same time, a wait signal 806 from the output check unit 8 is released, thus allowing the register 204 of B-system processor 2 to again write.
  • The input data distributing operation will be described next. The read control signal R of the register 104 of A-system processor 1 is transmitted through the read control signal R of the register 11 of check buffer unit 10 to the external access unit 5. The address and data signals are supplied through the register 11 and read into the register 104.
  • The data of register 11 is transmitted to a register 901 of data synch unit 9. A comparator 902 checks if the read-in control signal R of register 901 is coincident with the read-in control signal R of register 204 of B-system processor 2. If they are coincident, a wait signal 903 is released. A comparator 904 checks if the address signal of register 901 is coincident with the address signal of register 204. If they are coincident with each other, a wait signal 905 is released so that a gate circuit 906 is operated. Thus, the data signal of register 901 is transmitted to register 204. Then, a wait signal 907 is released, thus allowing the check buffer unit 10 to rewrite.
  • When it is detected that the A-system processor finishes the check mode computation (t10) and that the B-system processor finishes the check mode computation (t11), the check mode command 601 becomes level L (t12), and the check mode command 603 is also turned level L by an AND gate 620. Thus, the independent operation mode starts (t14).
  • The diagram of FIG. 3 shows that the B-system processor still continues the independent computation mode 206 when the A-system processor finishes the independent mode computation 106 (t14) and the check mode start command 102 rises again (t15). In this case, when it is detected that the B-system processor finishes the independent mode computation 206 (t16), the check circuit starts the self-diagnosis operation (t17). After the end of the self-diagnosis operation, the check mode ready signal 103 to the A-system processor 1 and the check mode ready signal 203 to the B-system processor 2 become level H (t18). Thus, since the check circuit performs the self-diagnosis operation just before the check mode computation, the check circuit can enhance the safety.
  • The output switch units 14 and 15 are respectively comprised of gate circuits 141 through 144 and 151 through 154, thus enabling data to be input and output between registers 104 and 204 and buffers 3 and 4, respectively, when the inverted signal 605 of the check mode command 601 is at level H.
  • The protection tables 12 and 13 become active when the inverted signal 605 of the check mode command 601 is level H, and refer to the address signals 121 and 131 to produce access protection signals 122 and 132 when they are within a predetermined physical address range. These access protection signals 122 and 132 control gate circuits 123 and 133 with NOT circuits to stop the writing in the protective range.
  • Therefore, the results obtained from the check mode computation can be protected from being affected at the time of the independent mode computation.
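The check-mode output comparison and the independent-mode protection tables of FIG. 1 can be made concrete in a small software model. The following is an added example written for this page, not code from the patent; the class names `OutputCheckUnit` and `ProtectionTable`, the mismatch log, and the sample addresses and data are assumptions chosen for the model. It shows the A-system output being parked in the hold register, the later B-system output being compared field by field in the order of comparators 801, 803 and 805, and a write into a protected physical page being refused only while the tables are active in independent mode.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class BusOutput:
    """One processor output as seen by the check circuit: write control
    signal W (True) or read control signal R (False), address and data."""
    write: bool
    address: int
    data: int


class OutputCheckUnit:
    """Model of data hold unit 7 (register 701) and output check unit 8.

    The A-system output, which runs ahead by Td, is parked in the hold
    register.  The later B-system output is compared field by field
    (comparators 801, 803, 805) and only a fully coincident transaction is
    forwarded to check buffer register 11.  Logging mismatches is an
    assumption of this model; the patent only describes the coincident path."""

    def __init__(self) -> None:
        self.hold: Optional[BusOutput] = None   # register 701
        self.forwarded: List[BusOutput] = []    # what reached register 11
        self.mismatches: List[str] = []         # assumption: mismatch log

    def a_output(self, tx: BusOutput) -> bool:
        # Wait signal 702: A may not overwrite 701 until it has been consumed.
        if self.hold is not None:
            return False
        self.hold = tx
        return True

    def b_output(self, tx: BusOutput) -> Tuple[bool, str]:
        if self.hold is None:
            return False, "B-system output arrived before A-system output"
        held = self.hold
        self.hold = None          # wait 806 released; register 204 may write again
        if held.write != tx.write:                  # comparator 801
            verdict = "mismatch: write control signal"
        elif held.address != tx.address:            # comparator 803
            verdict = "mismatch: address"
        elif held.write and held.data != tx.data:   # comparator 805
            verdict = "mismatch: data"
        else:
            self.forwarded.append(held)
            return True, "coincident: forwarded to register 11"
        self.mismatches.append(verdict)
        return False, verdict


class ProtectionTable:
    """Model of protection table 12/13: active only in independent mode
    (inverted check mode signal 605 at level H), it inhibits writes whose
    address falls in a predefined physical page range."""

    def __init__(self, protected_pages: List[Tuple[int, int]]) -> None:
        self.pages = protected_pages   # inclusive (low, high) address ranges

    def write_allowed(self, address: int, check_mode: bool) -> bool:
        if check_mode:
            return True   # table inactive; check-mode writes pass through unit 8
        return not any(lo <= address <= hi for lo, hi in self.pages)


def demo() -> dict:
    """Constructed scenario: two coincident check-mode writes, one write with
    a data difference, then independent-mode writes inside and outside the
    protected page (addresses and values are constructed sample data)."""
    ocu = OutputCheckUnit()
    pt = ProtectionTable([(0x1000, 0x1FFF)])   # constructed protected range
    a = [BusOutput(True, 0x1004, 0xAA), BusOutput(True, 0x1008, 0xBB),
         BusOutput(True, 0x100C, 0xCC)]
    b = [BusOutput(True, 0x1004, 0xAA), BusOutput(True, 0x1008, 0xBB),
         BusOutput(True, 0x100C, 0xC0)]       # differs in the last output
    for ta, tb in zip(a, b):
        ocu.a_output(ta)
        ocu.b_output(tb)
    return {
        "forwarded": len(ocu.forwarded),
        "mismatches": ocu.mismatches,
        "indep_write_to_protected": pt.write_allowed(0x1004, check_mode=False),
        "indep_write_elsewhere": pt.write_allowed(0x2000, check_mode=False),
        "check_write_to_protected": pt.write_allowed(0x1004, check_mode=True),
    }
```

The model deliberately consumes the hold register on every B-system output, so a mismatch never leaves stale A-system data that a later, unrelated B-system output could coincidentally match.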
  • FIG. 2 shows an embodiment of an operation mode switching unit according to the invention.
  • A leading edge detector 606 receives the check mode start command 102 from the operating system 101 of A-system processor 1, and detects a set pulse signal 607, by which a timer counter 609 is started. When the check mode ready signals 103 and 203 from the A-system processor 1 and B-system processor 2 are supplied to an AND gate 619, the AND gate produces an output signal 608, by which the timer counter 609 is reset. The timer counter 609 supplies an output 610 to a comparator 611, and the comparator 611 produces an abnormal output 612 when the output 610 exceeds a preset range. Thus, the delay at the time of the check operation can be detected.
  • A timer counter 615 is provided to start just when it is reset by a pulse signal produced from a leading edge detector 613 that receives the output signal 608 from the AND gate 607.
  • The timer counter 615 supplies an output 616 to a comparator 617, and the comparator 617 produces an abnormal output 618 when the output 616 exceeds a preset range. Thus, it is possible to detect the abnormality of the check computation period.
  • In the above embodiment, a bus diagnosis unit for examining a stuck disconnection of bus is provided to start its operation when the independent operations of the plurality of processors have been completely finished. In this case, when the diagnosis operation is normally finished, the comparison check process can be started. Thus, not only the computation error in the processors but also a danger-side signal output due to the failure of bus can be prevented, so that the reliability can be enhanced.
  • This output check processing is implemented by an independent operation end detecting unit for detecting the end of the independent operations of the plurality of processors, a unit for generating check operation program start commands of different timings to the plurality of processors, a command output unit for making the next step of the check program wait, a hold unit for holding the comparison signals from the plurality of processors, and a comparing check unit for comparing and checking the comparison signals held in the hold unit. When the independent operations of the plurality of processors have been completely finished, the program is started to operate. The standby commands to the processors operating ahead are released when the outputs have been completely fed to the hold unit. In addition, the standby commands to the processors operating late are released when the comparing and checking processes have been finished.
  • This construction makes it possible to reduce the amount of capacity for holding the comparison signals from the processors operating ahead. In addition, the pipeline processing can speed up the operations of computation, holding and comparison.
  • Another embodiment of the invention will be described briefly. A control system that needs both high reliability and high performance has a function to cause a plurality of processors to operate together when high reliability is required, so that the processors can be checked for correct operation by comparing their outputs, and another function to cause the processors to perform independent processes, thereby improving the performance. That is, it realizes the comparison between the outputs from the CPUs.
  • More specifically, this embodiment has the following features.
    • (1) A single control system has a plurality of processors, a unit for judging whether the IO accessed by each processor is expected to have highly reliable control results, a unit for comparing the outputs from the plurality of processors and judging whether the outputs coincide with each other, and a unit that allows access by the processors to the IO expected to have highly reliable control results only when the output results from the plurality of processors coincide with each other, and that, when only a single one of the processors accesses, makes the access wait until the other processors produce the same output result.
    • (2) Each of the plurality of processors provided within the single control system has a unit for executing the process of a different function, and a unit for making another processor suspend.
    • (3) The processor that executes the process to output to the IO that requires high reliability has a unit that causes another processor to interrupt its process by using the unit for making another processor suspend and that executes the process to output to the IO that requires high reliability.
  • A further embodiment of the invention will be described in detail with reference to FIG. 4. FIG. 4 shows the construction of the control system of this embodiment according to the invention. Although two processors are used in this embodiment, the number of processors is arbitrary and does not restrict the invention.
  • In addition, it is assumed that the control system described here is connected to a memory circuit, although this is not specifically described.
  • It is assumed that the A-system processor 1001 executes a control task and that the B-system processor 1003 executes a communication task. In addition, the A-system processor 1001 and the B-system processor 1003 need not necessarily operate synchronously at the same frequency and in the same phase.
  • The A-system processor 1001 outputs an address signal and data signal on an A-system processor bus 1050. In addition, the A-system processor 1001 asserts a bus start signal 1051 at the time of beginning bus access. An A-system interface portion 1002 continues to assert an A-system wait signal 1052 until an A-system bus ready signal 1067 or an A-system interruption control ready signal 1068 is asserted. When the A-system processor 1001 executes write access, the A-system processor 1001 continues to output the address and data to the A-system processor bus 1050 while the A-system wait signal 1052 is being asserted. When the A-system processor 1001 executes read access, the A-system processor 1001 continues to output the address to the A-system processor bus 1050 and to wait for read data while the A-system wait signal 1052 is being asserted. When the A-system wait signal 1052 is negated, the A-system processor 1001 receives the data on the A-system processor bus 1050 as a read value.
  • The same operations are performed for the B-system processor. The B-system processor 1003 supplies an address signal and data signal on a B-system processor bus 1055. In addition, the B-system processor 1003 asserts a bus start signal 1057 at the time of beginning bus access. A B-system interface portion 1004 continues to assert a B-system wait signal 1056 until a B-system bus ready signal 1065 or a B-system interruption control ready signal 1069 is asserted. When the B-system processor 1003 executes write access, the B-system processor 1003 continues to supply the address and data to the B-system processor bus 1055 while the wait signal 1056 is being asserted. When the B-system processor 1003 executes read access, the B-system processor 1003 continues to supply the address to the B-system processor bus 1055 and to wait for read data while the wait signal 1056 is being asserted. When the wait signal 1056 is negated, the B-system processor 1003 receives the data on the B-system processor bus as a read value.
  • An A-system area judge 1013 has a function to judge whether the device to be currently accessed is a highly reliable IO 1018 by the value of address on the A-system processor bus 1050. When the A-system processor 1001 makes access to the highly reliable IO 1018, the judge 1013 asserts an A-system highly reliable access signal 1060.
  • A B-system area judge 1014 has a function to judge whether the device to be currently accessed is the highly reliable IO 1018 by the value of the address on the B-system processor bus 1055. When the B-system processor 1003 makes access to the highly reliable IO 1018, the B-system area judge 1014 asserts a B-system highly reliable access signal 1061.
  • A comparator 1015 has a function to compare the A-system processor bus 1050 and B-system processor bus 1055. The comparator compares the address, the access type (write or read) and the write data on the A-system processor bus 1050 with those on the B-system processor bus 1055. If they are coincident with each other, the comparator 1015 asserts a compared-result coincident signal 1062.
  • A system bus interface portion 1016 makes access to the highly reliable IO 1018, normal IO 1020 and network IO 1022 through a system bus 1017 according to the A-system processor bus 1050, B-system processor bus 1055, A-system highly reliable access signal 1060, B-system highly reliable access signal 1061 and compared-result coincident signal 1062.
  • The highly reliable IO 1018 is connected to an input/output device 1019 that is required to have high reliability.
  • The normal IO 1020 is connected to an input/output device 1021 for which normal reliability is sufficient.
  • The network IO 1022 interfaces to a network 1023; when it requires processing by a processor, such as receive processing, it asserts a network interrupt 1066 to request that processing.
  • An error detector 1012 has a function to judge whether the A-system processor 1001 and B-system processor 1003 operate normally or have failed, according to the A-system highly reliable access signal 1060, B-system highly reliable access signal 1061 and compared-result coincident signal 1062. If the error detector 1012 judges that a failure has occurred, it asserts a failure report signal 1064.
  • An interrupt control portion 1005 has a function to control an A-system interrupt signal 1053 to the A-system processor 1001 and an interrupt signal 1054 to the B-system processor 1003. The interrupt control portion 1005 also has an A-system interrupt request register 1006 that asserts the A-system interrupt signal 1053 and an A-system interrupt factor register 1008 that indicates the factor of the interrupt. In addition, the interrupt control portion 1005 has a B-system interrupt request register 1007 that asserts the B-system interrupt signal 1054 and a B-system interrupt factor register 1009 that indicates the factor of the interrupt.
  • The interrupt control portion 1005 is constructed so that it can interrupt the A-system processor 1001 and the B-system processor 1003 separately. In addition, the A-system interrupt request register 1006, A-system interrupt factor register 1008, B-system interrupt request register 1007 and B-system interrupt factor register 1009 are constructed so that they can be accessed from both the A-system processor 1001 and the B-system processor 1003.
  • In addition, the failure report signal 1064 and network interrupt 1066 are fed from the outside. The A-system interrupt signal 1053 transmits the interrupt produced from the A-system interrupt request register 1006 or from the failure report signal 1064. Here, the interrupt produced from the failure report signal 1064 takes priority over that produced from the A-system interrupt register 1006.
  • The B-system interrupt signal 1054 transmits the interrupt produced from the B-system interrupt request register 1007, the network interrupt 1066 or the interrupt produced from the failure report signal 1064. Here, the interrupt produced from the failure report signal 1064 takes priority over that produced from the B-system interrupt request register 1007. The interrupt produced from the B-system interrupt request register 1007 takes priority over the network interrupt 1066. In other words, the order of priority is the interrupt produced from the failure report signal 1064, the interrupt produced from the B-system interrupt request register 1007, and the network interrupt 1066.
  • FIG. 5 is a state transition diagram showing the operation status of system bus interface portion 1016.
  • The system bus interface portion 1016 has the four states as shown in FIG. 5.
  • The state 1200 indicates idle status in which the A-system processor 1001 and B-system processor 1003 both do not make access to the system bus 1017.
  • The state 1201 indicates A-system processor's access status in which the A-system processor 1001 makes access to the normal IO 1018.
  • The state 1202 indicates B-system processor's access status in which the B-system processor 1003 makes access to the network IO 1022.
  • The state 1203 indicates the status in which the A-system and B-system processors make access to the highly reliable IO 1018.
  • The transition condition 1204 under which the state 1200 shifts to state 1201 is satisfied under the condition that the A-system processor 1001 starts to access and that the A-system highly reliable access signal 1060 is not asserted.
  • The transition condition 1206 under which the state 1200 shifts to state 1202 is satisfied under the condition that the A-system processor 1001 does not start to access, that the B-system processor 1003 starts to access, and that the B-system highly reliable access signal 1061 is not asserted.
  • The transition condition 1208 under which the state 1200 shifts to state 1203 is satisfied under the condition that the A-system processor 1001 starts to access, that the A-system highly reliable access signal 1060 is asserted, that the B-system processor 1003 starts to access, that the B-system highly reliable access signal 1061 is asserted, and that the compared-result coincidence signal 1062 is asserted. This condition indicates that the A-system processor 1001 and B-system processor 1003 both make access to the same address of the highly reliable IO 1018.
  • The transition condition 1205 is satisfied by the report of access completion sent from the normal IO 1020 through the system bus 1017. The transition condition 1207 is satisfied by the report of access completion sent from the network IO 1022 through the system bus 1017. The transition condition 1209 is satisfied by the report of access completion sent from the highly reliable IO 1018 through the system bus 1017.
  • Under these state transitions, the system bus interface portion 1016 responds to the requests from the A-system processor 1001 and B-system processor 1003 according to the results of judgment from the A-system area judge 1013 and B-system area judge 1014, thus allowing them to make access to either one of the highly reliable IO 1018, normal IO 1020 and network IO 1022 connected to the system bus 1017. Particularly, the access to the highly reliable IO 1018 must satisfy the transition condition 1208 in which both of the A-system processor 1001 and B-system processor 1003 make access to the same address of highly reliable IO 1018.
  • In addition, the A-system bus ready signal 1067 is asserted when the transition conditions 1205 and 1209 are satisfied, and the B-system bus ready signal 1065 is asserted when the transition conditions 1207 and 1209 are satisfied.
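The FIG. 5 state machine of the system bus interface portion 1016 is small enough to model and exercise directly. The block below is an added example for this page and is not code from the patent; `BusSignals`, `SystemBusInterface` and the single `done` completion input (standing in for the completion reports that the patent has each IO send over the system bus 1017) are assumptions of the model. The state numbers and transition conditions 1204 through 1209 follow the text above. The scenarios at the end show the property that matters for safety: a highly reliable access presented by only one processor, or by both with non-coincident bus contents, never leaves the idle state.

```python
from dataclasses import dataclass
from typing import List

IDLE, A_ACCESS, B_ACCESS, HR_ACCESS = 1200, 1201, 1202, 1203   # FIG. 5 states


@dataclass
class BusSignals:
    """Inputs to the system bus interface portion 1016 for one cycle."""
    a_start: bool = False     # A-system bus start signal 1051
    a_hr: bool = False        # A-system highly reliable access signal 1060
    b_start: bool = False     # B-system bus start signal 1057
    b_hr: bool = False        # B-system highly reliable access signal 1061
    coincident: bool = False  # compared-result coincident signal 1062
    done: bool = False        # access completion over system bus 1017
                              # (assumption: one input for whichever IO is active)


class SystemBusInterface:
    def __init__(self) -> None:
        self.state = IDLE
        self.a_ready = False   # A-system bus ready signal 1067
        self.b_ready = False   # B-system bus ready signal 1065

    def step(self, s: BusSignals) -> int:
        self.a_ready = self.b_ready = False
        if self.state == IDLE:
            if s.a_start and s.a_hr and s.b_start and s.b_hr and s.coincident:
                self.state = HR_ACCESS                 # condition 1208
            elif s.a_start and not s.a_hr:
                self.state = A_ACCESS                  # condition 1204
            elif not s.a_start and s.b_start and not s.b_hr:
                self.state = B_ACCESS                  # condition 1206
            # any other combination (e.g. a lone highly reliable access) stays idle
        elif s.done:
            if self.state == A_ACCESS:
                self.a_ready = True                    # condition 1205
            elif self.state == B_ACCESS:
                self.b_ready = True                    # condition 1207
            else:
                self.a_ready = self.b_ready = True     # condition 1209
            self.state = IDLE
        return self.state


def run(seq: List[BusSignals]) -> List[int]:
    """Drive a fresh interface through a list of cycles; return the state trace."""
    sbi = SystemBusInterface()
    return [sbi.step(s) for s in seq]


def lone_hr_access_is_blocked() -> bool:
    """Only the A-system presents a highly reliable access: never granted."""
    trace = run([BusSignals(a_start=True, a_hr=True)] * 3)
    return all(st == IDLE for st in trace)


def mismatched_hr_access_is_blocked() -> bool:
    """Both present a highly reliable access but the buses differ: not granted."""
    trace = run([BusSignals(a_start=True, a_hr=True, b_start=True, b_hr=True,
                            coincident=False)])
    return trace == [IDLE]


def joint_hr_access_is_granted() -> List[int]:
    """Both present the same highly reliable access, then the IO reports done."""
    return run([
        BusSignals(a_start=True, a_hr=True, b_start=True, b_hr=True, coincident=True),
        BusSignals(done=True),
    ])


def ready_signals_after_hr_completion() -> tuple:
    """Condition 1209 asserts both bus ready signals 1067 and 1065."""
    sbi = SystemBusInterface()
    sbi.step(BusSignals(a_start=True, a_hr=True, b_start=True, b_hr=True, coincident=True))
    sbi.step(BusSignals(done=True))
    return sbi.a_ready, sbi.b_ready
```

Because conditions 1204, 1206 and 1208 are mutually exclusive (1204 needs 1060 negated, 1206 needs no A-system start), the order of the `elif` tests does not change the behaviour; the comment on the fall-through case documents the one outcome the text leaves implicit, that nothing else leaves state 1200.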
  • FIG. 6 is a state transition diagram showing the operation of the error detector 1012.
  • The state 1300 indicates the idle condition in which the A-system processor 1001 and B-system processor 1003 both do not make access to the highly reliable IO 1018.
  • The state 1301 indicates the condition in which the A-system processor 1001 makes access to the highly reliable IO 1018 and waits for the B-system processor 1003 to produce the same output as that from the A-system processor 1001.
  • The state 1302 indicates the condition in which the A-system processor 1001 makes access to the highly reliable IO 1018 and waits for the B-system processor 1003 to produce the same output as that from the A-system processor 1001, but a timeout error is judged to have occurred after a constant time has elapsed.
  • The state 1303 indicates the condition in which the A-system processor 1001 and B-system processor 1003 make access to the highly reliable IO 1018, but the outputs from the two processors are not coincident, so that an error is judged to have occurred.
  • The state 1305 is the condition in which the B-system processor 1003 makes access to the highly reliable IO 1018 and waits for the A-system processor 1001 to produce the same output as that from the B-system processor 1003.
  • The state 1304 is the condition in which the B-system processor 1003 makes access to the highly reliable IO 1018 and waits for the A-system processor 1001 to produce the same output as that from the B-system processor 1003, but a timeout error is judged to have occurred after a constant time has elapsed.
  • The transition condition 1306 is satisfied under the condition that the A-system highly reliable access signal 1060 is asserted but the B-system highly reliable access signal 1061 is not asserted.
  • The transition condition 1307 is satisfied when the B-system highly reliable access signal 1061 is asserted and the compared-result coincidence signal 1062 is asserted.
  • The transition condition 1309 is satisfied when the B-system highly reliable access signal 1061 is asserted but the compared-result coincident signal 1062 is not asserted.
  • The transition condition 1308 is satisfied when the transition conditions 1307 and 1309 are not satisfied but a constant time has elapsed.
  • The transition condition 1316 is satisfied when the B-system highly reliable access signal 1061 is asserted but the A-system highly reliable access signal 1060 is not asserted.
  • The transition condition 1315 is satisfied when the A-system highly reliable access signal 1060 is asserted and the compared-result coincident signal 1062 is asserted.
  • The transition condition 1312 is satisfied when the A-system highly reliable access signal 1060 is asserted, and the B-system highly reliable access signal 1061 is asserted, but the compared-result coincident signal 1062 is not asserted.
  • The transition condition 1313 is satisfied when the transitions 1315 and 1312 are not satisfied, but a constant time has elapsed.
  • The transition condition 1317 is satisfied when the A-system highly reliable access signal 1060 is asserted, and the B-system highly reliable access signal 1061 is asserted, but the compared-result coincident signal 1062 is not asserted.
  • The transition conditions 1310, 1311 and 1314 are always satisfied, so that the state shifts back to the state 1300 in the cycle after the transition to the states 1302, 1303 and 1304.
  • The error detector 1012 monitors the accesses of the A-system processor 1001 and B-system processor 1003 to the highly reliable IO 1018. It transits to the states 1302, 1303 or 1304 when the outputs from the two processors differ or when either one of the processors does not make access to the highly reliable IO 1018 within a constant time. In these states 1302, 1303 and 1304, the failure report signal 1064 is asserted.
  • In addition, when the failure report signal 1064 is asserted, the highly reliable IO 1018 recognizes that a failure has occurred and switches its output to a stable state. Here, the stable state means either that the current output is held or that the output is the same as when the power supply is disconnected. Thus, the stable state differs for each object to be controlled. In addition, when a failure occurs, the error detector 1012 reports a failure interrupt to the A-system processor 1001 and B-system processor 1003 using the interrupt signals 1053 and 1054. The processors that have received the failure interrupt immediately suspend their current processes and execute the failure process.
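The error detector of FIG. 6 is the part of this design that turns a silent divergence between the two processors into an explicit failure report, so it is worth modelling cycle by cycle. The following is an added example for this page, not the patent's own code; `ErrorDetector`, the per-cycle `step` interface and the value of `TIMEOUT_CYCLES` (the patent only says "a constant time") are assumptions of the model. Transition conditions 1306 through 1317 are taken from the text above, including its asymmetry between the A-wait and B-wait branches. The `scenario` helper returns the state trace together with the cycles in which the failure report signal 1064 is asserted.

```python
from typing import List, Tuple

# FIG. 6 states
IDLE, A_WAIT, A_TIMEOUT, MISMATCH, B_TIMEOUT, B_WAIT = 1300, 1301, 1302, 1303, 1304, 1305


class ErrorDetector:
    """Model of error detector 1012.  Inputs per cycle are the A-system and
    B-system highly reliable access signals 1060/1061 and the compared-result
    coincident signal 1062.  TIMEOUT_CYCLES is an assumed value for the
    patent's 'constant time'."""
    TIMEOUT_CYCLES = 4

    def __init__(self) -> None:
        self.state = IDLE
        self.waited = 0                # consecutive cycles spent in a wait state
        self.failure_report = False    # failure report signal 1064

    def step(self, a_hr: bool, b_hr: bool, coincident: bool) -> int:
        st = self.state
        if st in (A_TIMEOUT, MISMATCH, B_TIMEOUT):
            nxt = IDLE                                   # 1310, 1311, 1314
        elif st == IDLE:
            if a_hr and b_hr and not coincident:
                nxt = MISMATCH                           # 1317
            elif a_hr and not b_hr:
                nxt = A_WAIT                             # 1306
            elif b_hr and not a_hr:
                nxt = B_WAIT                             # 1316
            else:
                nxt = IDLE        # no access, or both with coincident outputs
        elif st == A_WAIT:
            if b_hr and coincident:
                nxt = IDLE                               # 1307
            elif b_hr:
                nxt = MISMATCH                           # 1309
            elif self.waited >= self.TIMEOUT_CYCLES:
                nxt = A_TIMEOUT                          # 1308
            else:
                nxt = A_WAIT
        else:  # B_WAIT
            if a_hr and coincident:
                nxt = IDLE                               # 1315
            elif a_hr and b_hr:
                nxt = MISMATCH                           # 1312
            elif self.waited >= self.TIMEOUT_CYCLES:
                nxt = B_TIMEOUT                          # 1313
            else:
                nxt = B_WAIT
        # The wait counter only accumulates while remaining in a wait state.
        self.waited = self.waited + 1 if (nxt == st and st in (A_WAIT, B_WAIT)) else 0
        self.state = nxt
        self.failure_report = nxt in (A_TIMEOUT, MISMATCH, B_TIMEOUT)
        return nxt


def scenario(events: List[Tuple[bool, bool, bool]]) -> Tuple[List[int], List[int]]:
    """events: one (a_hr, b_hr, coincident) triple per cycle (constructed input).
    Returns the state trace and the cycle indices with signal 1064 asserted."""
    det = ErrorDetector()
    trace, reports = [], []
    for i, (a, b, c) in enumerate(events):
        trace.append(det.step(a, b, c))
        if det.failure_report:
            reports.append(i)
    return trace, reports


def late_partner_within_limit():
    """A accesses first, B follows with the same output one cycle later."""
    return scenario([(True, False, False), (False, True, True)])


def partner_never_arrives():
    """A accesses, B never does: timeout to 1302, then back to idle."""
    return scenario([(True, False, False)] + [(False, False, False)] * 6)


def divergent_outputs():
    """Both access at once but the buses differ: straight to 1303."""
    return scenario([(True, True, False), (False, False, False)])
```

Note that the failure report is a one-cycle pulse in this model, exactly as the always-true conditions 1310, 1311 and 1314 imply; the text places the latching of that event in the highly reliable IO 1018 (which moves to its stable state) and in the failure interrupt delivered to both processors, not in the detector itself.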
  • FIG. 7 is a timing chart showing the normal processing operation of the A-system processor 1001 and B-system processor 1003.
  • When the A-system processor 1001 has finished the last control task n after processing the successive tasks from control task 0, it executes a start task to start a B-system processor highly reliable task. This start task makes access to the B-system interrupt request register 1007 within the interrupt control portion 1005, thereby producing an interrupt to the B-system processor 1003, and then ends. Then, the A-system processor 1001 executes a highly reliable task. This highly reliable task controls the input/output device 1019 that is connected to the highly reliable IO 1018 and is required to have high reliability. The A-system processor 1001 periodically executes the sequence of processes from control task 0 to the highly reliable task.
  • On the other hand, when the B-system processor 1003 executes communication tasks one after another according to the network interrupt produced from the network IO 1022 and receives the interrupt from the start task that the A-system processor 1001 executed, it executes the same highly reliable task as that in the A-system processor 1001. Thus, the A-system processor 1001 and B-system processor 1003 perform the same process, so that the operation can be guaranteed by the matching of the outputs from the two processors. After the end of the processing of the highly reliable task, the B-system processor 1003 again processes the communication tasks one after another according to the network interrupt 1066 produced from the network IO 1022. When the B-system processor 1003 receives the interrupt and finishes the process, it makes access to the interrupt control portion 1005, and clears the interrupt factor.
  • In addition, while the B-system processor 1003 is handling the interrupt produced when the B-system interrupt request register 1007 is accessed, the interrupt control portion 1005 masks the lower-priority network interrupt 1066. Thus, the B-system processor 1003 does not suspend its processing, because the network interrupt 1066 does not arrive while the B-system processor 1003 is executing the highly reliable task.
  • Thus, when the processing that guarantees high reliability is performed, the processing is performed by a plurality of processors. The outputs from the processors are compared with each other. Only when the compared result is judged to be coincident, the outputs are supplied. Therefore, the reliability is improved. The processing that does not attach importance to the reliability is performed by each of the plurality of processors independently, so that it can be more efficiently carried out.
  • It should be further understood by those skilled in the art that although the foregoing description has been made on embodiments of the invention, the invention is not limited thereto and various changes and modifications may be made without departing from the spirit of the invention and the scope of the appended claims.
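The A-system/B-system sequence described above, as an added simulation that is not part of the patent or its embodiment: the interrupt control portion masks the network interrupt while the B-system runs the highly reliable task, and an output comparator releases data to the highly reliable IO only when both processors' results coincide, reporting an abnormality when one processor misses its deadline (the check of claim 12). The task itself, the time values and the priority levels are constructed assumptions.

```python
"""Simulation of the A-system / B-system redundant highly reliable task scheme."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

NETWORK_IRQ = 1  # lower priority than the start-task interrupt raised via the request register


@dataclass
class InterruptControl:
    """Interrupt control portion: the B-system request register plus a priority mask."""
    b_request_register: bool = False
    mask_level: int = 0          # interrupts at or below this priority are held back
    delivered_network: int = 0   # network interrupts actually serviced by the B-system
    deferred_network: int = 0    # network interrupts held while the mask is active

    def write_b_request_register(self) -> None:
        self.b_request_register = True   # A-system start task: interrupt the B-system
        self.mask_level = NETWORK_IRQ    # and mask the lower priority network interrupt

    def network_interrupt(self) -> None:
        if NETWORK_IRQ <= self.mask_level:
            self.deferred_network += 1   # B is busy with the highly reliable task
        else:
            self.delivered_network += 1

    def clear_start_factor(self) -> int:
        deferred = self.deferred_network  # B-system done: clear the factor, lift the mask
        self.b_request_register, self.mask_level = False, 0
        self.delivered_network += deferred  # held network interrupts are now serviced
        self.deferred_network = 0
        return deferred


@dataclass
class OutputComparator:
    """Supplies data to the highly reliable IO only when both processors' results coincide."""
    timeout: int
    results: Dict[str, Optional[int]] = field(default_factory=lambda: {"A": None, "B": None})
    first_seen: Optional[int] = None
    released: List[int] = field(default_factory=list)

    def submit(self, system: str, value: int, now: int) -> Optional[bool]:
        """Return True/False once both results are in, None while one is still pending."""
        if self.first_seen is None:
            self.first_seen = now
        self.results[system] = value
        if None in self.results.values():
            return None
        match = self.results["A"] == self.results["B"]
        if match:
            self.released.append(value)  # only a coincident result reaches the IO
        self.results, self.first_seen = {"A": None, "B": None}, None
        return match

    def check_timeout(self, now: int) -> bool:
        # abnormal when one processor is still pending past the deadline
        return self.first_seen is not None and now - self.first_seen > self.timeout


def highly_reliable_task(readings: List[int]) -> int:
    """Constructed stand-in for the redundantly executed task (a weighted checksum)."""
    return sum(r * (i + 1) for i, r in enumerate(readings)) & 0xFFFF


def run_cycle(readings, b_output=None, b_responds=True, network_irqs=3, timeout=5):
    """One periodic cycle: A finishes its control tasks, starts B, both run the same task."""
    irq, cmp = InterruptControl(), OutputComparator(timeout=timeout)
    irq.write_b_request_register()                        # A-system start task
    cmp.submit("A", highly_reliable_task(readings), now=0)
    for _ in range(network_irqs):                         # traffic arriving while B is busy
        irq.network_interrupt()
    b_value = highly_reliable_task(readings) if b_output is None else b_output  # b_output injects a fault
    matched = cmp.submit("B", b_value, now=2) if b_responds else None           # silent B: no result
    abnormal = cmp.check_timeout(now=timeout + 1)         # end-of-cycle deadline check
    deferred = irq.clear_start_factor()
    return {"matched": matched, "released": cmp.released, "abnormal": abnormal,
            "deferred_while_busy": deferred, "network_serviced": irq.delivered_network}
```

Running `run_cycle([10, 20, 30])` releases the coincident result and shows the three network interrupts deferred until the B-system clears the interrupt factor; passing `b_output=141` withholds the output, and `b_responds=False` trips the abnormality check instead.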

Claims (14)

1. An input/output control apparatus comprising:
a unit that controls input/output of data relating to a computation of a plurality of processors in response to an access request from a second input/output unit and an access request from a first input/output unit which requires higher reliability than said second input/output unit, and orders at least one of a plurality of processors to perform a computation relating to the access request from said first input/output unit away from the computation relating to the access request from said second input/output unit in case said first input/output unit has issued an access request, so that a same computation is made by said plurality of processors;
a unit that compares the results of said computations relative to the access request from said first input/output unit provided from said plurality of processors; and
a unit that allows the data associated with said computations of said processors to be output on the basis of said compared results.
2. The input/output control apparatus according to claim 1, wherein
the computation relating to the access request from said first input/output unit is a relatively high reliability computation, and
the computation relating to the access request from said second input/output unit is a relatively low reliability computation, and said plurality of processors process different computations in the relatively low reliability computation,
said apparatus further comprising a unit that produces results of different computations made by said plurality of processors.
3. The input/output control apparatus according to claim 2, wherein the request for said relatively high reliability computation is an interrupt process that breaks from one of said plurality of processors into another one of said plurality of processors.
4. The input/output control apparatus according to claim 2, wherein said relatively high reliability computation is made for the case of access to an I/O corresponding to the request for said relatively high reliability computation.
5. The input/output control apparatus according to claim 4, wherein said access to said I/O corresponding to said request for said relatively high reliability computation is judged on the basis of an address for said access.
6. The input/output control apparatus according to claim 5, wherein each of said plurality of processors has a request register and a factor register, and said request for said relatively high reliability computation is judged on the basis of the contents written in said request register and said factor register.
7. The input/output control apparatus according to claim 6, wherein a bus wait control signal is produced in response to a bus start signal from one of said plurality of processors to control said one of said processors to wait for the bus, thereby limiting said access.
8. The input/output control apparatus according to claim 2, wherein said unit that allows data to be output allows the data to be output in case the computation results from said plurality of processors coincide with each other.
9. The input/output control apparatus according to claim 8, wherein said different computations are made in case a signal commanding execution is generated after said coincidence.
10. The input/output control apparatus according to claim 1, wherein
the computation relating to the access request from said first input/output unit is a relatively high reliability computation, and
the computation relating to the access request from said second input/output unit is a relatively low reliability computation,
when said relatively high reliability computation is requested, a signal is generated to order said at least one processor to suspend its computation.
11. The input/output control apparatus according to claim 10, further comprising a unit that limits interruption of said plurality of processors so that said relatively low reliability computation is not made in case said relatively high reliability computation is being executed.
12. The input/output control apparatus according to claim 11, further comprising a unit that judges an abnormal state in case at least one of said plurality of processors does not produce said computation result within a predetermined time.
13. An information control apparatus comprising:
a plurality of processors;
a unit that controls input/output of data relating to a computation of said plurality of processors in response to an access request from a second input/output unit and an access request from a first input/output unit which requires higher reliability than said second input/output unit, and orders at least one of a plurality of processors to perform a computation relating to the access request from said first input/output unit away from the computation relating to the access request from said second input/output unit in case said first input/output unit has issued an access request, so that a same computation is made by said plurality of processors;
a unit that compares the results of said computations relative to the access request from said first input/output unit provided from said plurality of processors; and
a unit that allows the data associated with said computations of said processors to be output on the basis of said compared results.
14. An information controlling method comprising the steps of:
when an input/output control apparatus controls input/output of data relating to a computation of a plurality of processors in response to an access request from a second input/output unit and an access request from a first input/output unit which requires higher reliability than said second input/output unit,
ordering at least one of a plurality of processors to perform a relatively high reliability computation away from a relatively low reliability computation in case said first input/output unit has issued an access request, so that a same computation is made by said plurality of processors;
in said plurality of processors, making a transition from the computation relating to said access request from said second input/output unit to the computation relating to said access request from said first input/output unit in response to a command from said input/output control apparatus;
comparing the computed results from said plurality of processors by said input/output control apparatus; and
allowing the output associated with the computations made by said processors to be supplied on the basis of said compared results by said input/output control apparatus.

Priority Applications (1)

Application Number Priority Date Filing Date Title
US13/105,041 US20110214125A1 (en) 2005-06-10 2011-05-11 Task management control apparatus and method having redundant processing comparison

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
JP2005170275A JP2006344087A (en) 2005-06-10 2005-06-10 Task management device for controller and task management method for controller
JP2005-170275 2005-06-10
JP2005-190874 2005-06-30
JP2005190874A JP4102814B2 (en) 2005-06-30 2005-06-30 I / O control device, information control device, and information control method
US11/447,724 US8161362B2 (en) 2005-06-10 2006-06-07 Task management control apparatus and method, having redundant processing comparison
US13/105,041 US20110214125A1 (en) 2005-06-10 2011-05-11 Task management control apparatus and method having redundant processing comparison

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US11/447,724 Continuation US8161362B2 (en) 2005-06-10 2006-06-07 Task management control apparatus and method, having redundant processing comparison

Publications (1)

Publication Number Publication Date
US20110214125A1 true US20110214125A1 (en) 2011-09-01

Family

ID=37525441

Family Applications (2)

Application Number Title Priority Date Filing Date
US11/447,724 Active 2029-11-30 US8161362B2 (en) 2005-06-10 2006-06-07 Task management control apparatus and method, having redundant processing comparison
US13/105,041 Abandoned US20110214125A1 (en) 2005-06-10 2011-05-11 Task management control apparatus and method having redundant processing comparison

Country Status (2)

Country Link
US (2) US8161362B2 (en)
CA (1) CA2549540C (en)

Also Published As

Publication number Publication date
CA2549540A1 (en) 2006-12-10
US20060282702A1 (en) 2006-12-14
US8161362B2 (en) 2012-04-17
CA2549540C (en) 2008-12-09

Legal Events

Date Code Title Description
STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION