CA2004562C - System comprising a processor - Google Patents
System comprising a processorInfo
- Publication number
- CA2004562C CA2004562C CA002004562A CA2004562A CA2004562C CA 2004562 C CA2004562 C CA 2004562C CA 002004562 A CA002004562 A CA 002004562A CA 2004562 A CA2004562 A CA 2004562A CA 2004562 C CA2004562 C CA 2004562C
- Authority
- CA
- Canada
- Prior art keywords
- processors
- logic means
- arrangement including
- processor
- gate
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Lifetime
Links
- 238000012360 testing method Methods 0.000 claims abstract description 31
- 238000001514 detection method Methods 0.000 claims description 5
- 230000001419 dependent effect Effects 0.000 claims description 3
- 238000010998 test method Methods 0.000 claims 2
- 238000000034 method Methods 0.000 description 2
- 230000011664 signaling Effects 0.000 description 2
- 238000010586 diagram Methods 0.000 description 1
- 230000000644 propagated effect Effects 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/22—Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B61—RAILWAYS
- B61L—GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
- B61L21/00—Station blocking between signal boxes in one yard
- B61L21/04—Electrical locking and release of the route; Electrical repeat locks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/0703—Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
- G06F11/0706—Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment
- G06F11/0721—Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment within a central processing unit [CPU]
- G06F11/0724—Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation the processing taking place on a specific hardware platform or in a specific software environment within a central processing unit [CPU] in a multiprocessor or a multi-core unit
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/0703—Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
- G06F11/0751—Error or fault detection not based on redundancy
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/0796—Safety measures, i.e. ensuring safe condition in the event of error, e.g. for controlling element
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/22—Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing
- G06F11/2205—Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing using arrangements specific to the hardware being tested
- G06F11/2236—Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing using arrangements specific to the hardware being tested to test CPU or processors
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Quality & Reliability (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Mechanical Engineering (AREA)
- Computer Hardware Design (AREA)
- Hardware Redundancy (AREA)
- Safety Devices In Control Systems (AREA)
- Train Traffic Observation, Control, And Security (AREA)
- Test And Diagnosis Of Digital Computers (AREA)
Abstract
An interlocking system for a railway comprises a plurality of processors (A, B and C), the system having an input (1) for receiving input information and an output (2) for providing control information. Each of the processors is adapted to test itself to check that it is operating correctly and each of the processors is also adapted to test another of the processors to check that the other processor is operating correctly, each of the processors also being so tested by another of the processors. The system is shut down or put into a more restricted mode of operation if a fault in its operation is detected, either as a result of a processor's self-testing routine or as a result of one of the processors detecting that another processor is not operating correctly. This achieves the integrity of a "dual-channel" system with only a single "channel"
of hardware.
of hardware.
Description
zoa)~
A SYSTEM COMP~ISING A PROCESSOR
The present invention relates to a system comprising a processor.
Ill the field of railway signalling, for example, S it is essential that systems be designed with safety in mind. For example, in the event of a fault in an interlocking system controlling points and/or signal lights, the system should not set the points and/or the lights to a potentially dangerous condltion. More particularlyl in the event of a faultr a controlled signal lamp should not be set to "green" for example, so that, for safety, a train does not have authority to proceed.
One way of seeking to achieve fault deteation is to provide two (preferably dissimilar) interlocking systems in hardware and compare the control outputs of the two systems. If the output of one of the systems agrees with the output of the other sy~tem, then the operation determined by it is allowed to occur. If the outputs do not agree, then it is assumed there is a fault in one of the systems. Such an arrangement can be termed a "dual-channel" system.
According to the present invention from one aspect, there is provided a system for performing a function, the system comprising a processor and having an input for receiving information and an output, the system being such that, in use, the processor i9 tested to check that it is operating correctly by at least two testing methods, at least one of which methods is not carried out by the processor itself.
According to the present invention from another aspect, there is provided a system for performing a Eunction, the system comprising a plurality of processor~ and having an input for recelving input information and an output, in which s~stem:
a) each of the processors is adapted to test itself to check whether it is operating correctly;
and b) each of the processors is adapted to test another of the processors to check that the other processor is operating correctly, each of the processors being so tested by another of the processors.
The present invention will now be described, by way of example, with reference to the accompanying drawings, in which:
Figure 1 is a block diagram of an interlocking system for use in railway signalling; and Figure 2 shows a prefexred manner of realising of what is shown in Flgure 1.
The interlocking system to be described by way of : example is for use in controlling signal lights and points at the beginning or end of a passing loop in a railway. Referring to Figure 1, the interlocking system comprises three serially coupled processors A, B
and C, input information to the system being applied via an input 1 and processed by processor A, processor B carrying out the interlocking function and control information being provided via an output 2 from processor C.
Each of the processors A, B and C is adapted to test itself by carrying out an internal, self-testing routine to check that it is operating correctly. The processor~ A, B and C have outputs 3, 4 and 5 ~00~5~
~-3--respectiv~ly, on which appear signals indicative of the results oE the respective self-testing routines.
Outputs 3, 4 and 5 are coupled to a gate 6 which carries out an AND function~ The output 7 of gate 6 is S coupled to an input of a gate 8 (which also carries out an AMD function) to provide to it a signal indicative either that all the processors A, B and C believe themselves to be operating correctly or that at least one of them believes it is not operating correctly.
As well as carrying out an internal, sel~-testing routine, each of processors A, B and C carries outa test on a respectiv'e one of the other processors and has a test carried out on it by a respective one of the other processors (for example, different from the one it tests itself). Thus, for example, processor A tests processor C by interrogating it via a link 9 and receives back via a link 10 a signal depending on the result of the test; processor B tests processox A by interrogating it via a link 11 and receives back via a link 12 a signal depending on the result of the test;
and processor C tests processor B by interrogating it via a link 13 and receives back via a link 14 a signal depending on the result of the test.
A signal indicative of the result of processor A's test on processor C appears on an output 15 from processor A to cause a switching device 18 to be closed if the result is that processor C is believed to be operating correctly but open otherwise; a signal indicative of the result of processor B's test on processor A appears on an output 16 from processor B to cause a switching device 19 to be closed if the result is that processor A is believed to be operating S~i~
correctly but open otherwise; and a signal indicative of the result of processor C's test on processor B
appears on an output 17 from processor C to cause a switching device 20 to be clo.sed if the result is that processor B is believed to be operating correctly but open otherwise. The switching devices 18, 19 and 20 are connected in series to the other input of circuit 8 to provide to it either an indication that all the processors A, B and C are believed to be operatlng correctly (i.e. signal D, as a result of all the switches 18l 19 and 20 being closed) or an indication that at least one of the processors is believed not to be operating correctly (i.e. the absence of signal D, as a result of at least one of switching devices 18, 19 and 20 being open). It will be appreciated that switches 18, 19 and 20 and signal D result in the signals on outputs 15, 16 and 17 being subjected to an AND function. As an alternative, the AND function may be achieved by a discrete AND gate, to respective ones of the inputs of which the outputs 15, 16, 17 are connected, the output of the AND gate being connected to the other input of gate 8. The function of such another AND gate could, instead, be carried out by the software of one of the processors (not the one which provides by its software the function of gate 6, if such is the case - see below).
In operation, the signal at the output of gate 8 only allows the system to continue its normal controlling functions if both the signal at its input connected to the output 7 of gate 6 is indicative that all the processors A, B and C believe themselves to be operating correctly and the indication at its other input is indicative that each of the processors A, B
and C is believed by another processor to be operating correctly~ If either or both of these conditions is or ~o~s~
--5-~
are not ful~illed, then the sic3nal at the output of gate 8 is such ~s to cause the system to be shut down or put into a different (e.g. more restricted) mode of operation.
Thus, in the descrlbed system, the lntegrity or "health" of each of processors A, s and C is checked in two waysr once by its own internal self-testing routine and secondly by means of a test performed on it by another processor (by way of example, not the one it is testing itself). Thus, a fault in any of the processors will be detected in two ways, one of which is not dependent on the faulty processor itself~ Each detection method can independently cause the system to be shut down or put into a different (e.g. more restricted~mode of operation to ensure a safe system failure mode.
To enhance safety, detection of a fault in a processor by either or both of the above methods may he propagated around the system from processor to processor/ via the inter-processor testing links, so that any of the processors can cause the system ko be shut down or put lnto a different (e.g. more restricted) mode of operation via its respective one of outputs 15, 16 and 17 land/or outputs 3, 4 and 5) in response to detection of a fault anywhere in the system, regardless of whether it has detected the fault itself.
The above system enables the achievement of the integrity of a "dual-channel" system using only a single "channel" of hardware.
Preferably, the system may be realised as shown in Figure 2, in which items which are the sarne as in 2~04~
Figure 1 have the same re~erence numerals as in Figure 1. The processor B is adapted to be a so-called "vital logic module" of the system and within it the AND
function of gate 6 i~ carried out by the processor's 5 sof tware, the outputs 3, 4 and 5 being included in an internal bus 21.
A SYSTEM COMP~ISING A PROCESSOR
The present invention relates to a system comprising a processor.
Ill the field of railway signalling, for example, S it is essential that systems be designed with safety in mind. For example, in the event of a fault in an interlocking system controlling points and/or signal lights, the system should not set the points and/or the lights to a potentially dangerous condltion. More particularlyl in the event of a faultr a controlled signal lamp should not be set to "green" for example, so that, for safety, a train does not have authority to proceed.
One way of seeking to achieve fault deteation is to provide two (preferably dissimilar) interlocking systems in hardware and compare the control outputs of the two systems. If the output of one of the systems agrees with the output of the other sy~tem, then the operation determined by it is allowed to occur. If the outputs do not agree, then it is assumed there is a fault in one of the systems. Such an arrangement can be termed a "dual-channel" system.
According to the present invention from one aspect, there is provided a system for performing a function, the system comprising a processor and having an input for receiving information and an output, the system being such that, in use, the processor i9 tested to check that it is operating correctly by at least two testing methods, at least one of which methods is not carried out by the processor itself.
According to the present invention from another aspect, there is provided a system for performing a Eunction, the system comprising a plurality of processor~ and having an input for recelving input information and an output, in which s~stem:
a) each of the processors is adapted to test itself to check whether it is operating correctly;
and b) each of the processors is adapted to test another of the processors to check that the other processor is operating correctly, each of the processors being so tested by another of the processors.
The present invention will now be described, by way of example, with reference to the accompanying drawings, in which:
Figure 1 is a block diagram of an interlocking system for use in railway signalling; and Figure 2 shows a prefexred manner of realising of what is shown in Flgure 1.
The interlocking system to be described by way of : example is for use in controlling signal lights and points at the beginning or end of a passing loop in a railway. Referring to Figure 1, the interlocking system comprises three serially coupled processors A, B
and C, input information to the system being applied via an input 1 and processed by processor A, processor B carrying out the interlocking function and control information being provided via an output 2 from processor C.
Each of the processors A, B and C is adapted to test itself by carrying out an internal, self-testing routine to check that it is operating correctly. The processor~ A, B and C have outputs 3, 4 and 5 ~00~5~
~-3--respectiv~ly, on which appear signals indicative of the results oE the respective self-testing routines.
Outputs 3, 4 and 5 are coupled to a gate 6 which carries out an AND function~ The output 7 of gate 6 is S coupled to an input of a gate 8 (which also carries out an AMD function) to provide to it a signal indicative either that all the processors A, B and C believe themselves to be operating correctly or that at least one of them believes it is not operating correctly.
As well as carrying out an internal, sel~-testing routine, each of processors A, B and C carries outa test on a respectiv'e one of the other processors and has a test carried out on it by a respective one of the other processors (for example, different from the one it tests itself). Thus, for example, processor A tests processor C by interrogating it via a link 9 and receives back via a link 10 a signal depending on the result of the test; processor B tests processox A by interrogating it via a link 11 and receives back via a link 12 a signal depending on the result of the test;
and processor C tests processor B by interrogating it via a link 13 and receives back via a link 14 a signal depending on the result of the test.
A signal indicative of the result of processor A's test on processor C appears on an output 15 from processor A to cause a switching device 18 to be closed if the result is that processor C is believed to be operating correctly but open otherwise; a signal indicative of the result of processor B's test on processor A appears on an output 16 from processor B to cause a switching device 19 to be closed if the result is that processor A is believed to be operating S~i~
correctly but open otherwise; and a signal indicative of the result of processor C's test on processor B
appears on an output 17 from processor C to cause a switching device 20 to be clo.sed if the result is that processor B is believed to be operating correctly but open otherwise. The switching devices 18, 19 and 20 are connected in series to the other input of circuit 8 to provide to it either an indication that all the processors A, B and C are believed to be operatlng correctly (i.e. signal D, as a result of all the switches 18l 19 and 20 being closed) or an indication that at least one of the processors is believed not to be operating correctly (i.e. the absence of signal D, as a result of at least one of switching devices 18, 19 and 20 being open). It will be appreciated that switches 18, 19 and 20 and signal D result in the signals on outputs 15, 16 and 17 being subjected to an AND function. As an alternative, the AND function may be achieved by a discrete AND gate, to respective ones of the inputs of which the outputs 15, 16, 17 are connected, the output of the AND gate being connected to the other input of gate 8. The function of such another AND gate could, instead, be carried out by the software of one of the processors (not the one which provides by its software the function of gate 6, if such is the case - see below).
In operation, the signal at the output of gate 8 only allows the system to continue its normal controlling functions if both the signal at its input connected to the output 7 of gate 6 is indicative that all the processors A, B and C believe themselves to be operating correctly and the indication at its other input is indicative that each of the processors A, B
and C is believed by another processor to be operating correctly~ If either or both of these conditions is or ~o~s~
--5-~
are not ful~illed, then the sic3nal at the output of gate 8 is such ~s to cause the system to be shut down or put into a different (e.g. more restricted) mode of operation.
Thus, in the descrlbed system, the lntegrity or "health" of each of processors A, s and C is checked in two waysr once by its own internal self-testing routine and secondly by means of a test performed on it by another processor (by way of example, not the one it is testing itself). Thus, a fault in any of the processors will be detected in two ways, one of which is not dependent on the faulty processor itself~ Each detection method can independently cause the system to be shut down or put into a different (e.g. more restricted~mode of operation to ensure a safe system failure mode.
To enhance safety, detection of a fault in a processor by either or both of the above methods may he propagated around the system from processor to processor/ via the inter-processor testing links, so that any of the processors can cause the system ko be shut down or put lnto a different (e.g. more restricted) mode of operation via its respective one of outputs 15, 16 and 17 land/or outputs 3, 4 and 5) in response to detection of a fault anywhere in the system, regardless of whether it has detected the fault itself.
The above system enables the achievement of the integrity of a "dual-channel" system using only a single "channel" of hardware.
Preferably, the system may be realised as shown in Figure 2, in which items which are the sarne as in 2~04~
Figure 1 have the same re~erence numerals as in Figure 1. The processor B is adapted to be a so-called "vital logic module" of the system and within it the AND
function of gate 6 i~ carried out by the processor's 5 sof tware, the outputs 3, 4 and 5 being included in an internal bus 21.
Claims (7)
1. A single channel interlocking system comprising:
a plurality of processors for collectively receiving external input information, deriving internal interlocking information from the external input information, and providing external control information based on the external input information and the internal interlocking information, such that each of said plurality of processors is responsive to different information and performs a different function of the interlocking system;
a common internal bus connecting said plurality of processors into a single hardware channel, said common internal bus including at least one external input for inputting said external input information and at least one external output for outputting said external control information;
first fault-detection means for causing each of the processors to test itself to check whether it is operating correctly and to provide a respective first operation signal dependent on the result of that test;
second fault-detection means for causing each of the processors to be tested for correct operation by a respective other of the processors and for causing said respective other processor to provide a respective second operation signal dependent on theresult of that test;
first logic means for subjecting the first operation signals to a first logical function to provide a first status signal, the first status signal being of a first kind if the first operation signals are such that each of the processors determines it is operating correctly and of a second kind if the first operation signals are such that at least one of the processors determines it is not operating correctly; and second logic means for subjecting the second operation signals to a second logical function to provide a second status signal, the second status signal being of a first kind if the second operation signals are such that each of the processors testing another processor determines that said another processor is operating correctly and of a second kind if the second operation signals are such that at least one of the processors determines that the processor it is testing is not operating correctly, the first logic means and the second logic means being selected from structurally different but functionally interchangeable ones of the group consisting of a gate arrangement including at least one dedicated electronic gate, a software arrangement including at least one software controlled processor, andan electro-mechanical arrangement including a plurality of electromechanical switches, whereby each of the processors is independently tested by two dissimilar test procedures and the results from the two dissimilar test procedures are independently processed by two dissimilar logic means.
a plurality of processors for collectively receiving external input information, deriving internal interlocking information from the external input information, and providing external control information based on the external input information and the internal interlocking information, such that each of said plurality of processors is responsive to different information and performs a different function of the interlocking system;
a common internal bus connecting said plurality of processors into a single hardware channel, said common internal bus including at least one external input for inputting said external input information and at least one external output for outputting said external control information;
first fault-detection means for causing each of the processors to test itself to check whether it is operating correctly and to provide a respective first operation signal dependent on the result of that test;
second fault-detection means for causing each of the processors to be tested for correct operation by a respective other of the processors and for causing said respective other processor to provide a respective second operation signal dependent on theresult of that test;
first logic means for subjecting the first operation signals to a first logical function to provide a first status signal, the first status signal being of a first kind if the first operation signals are such that each of the processors determines it is operating correctly and of a second kind if the first operation signals are such that at least one of the processors determines it is not operating correctly; and second logic means for subjecting the second operation signals to a second logical function to provide a second status signal, the second status signal being of a first kind if the second operation signals are such that each of the processors testing another processor determines that said another processor is operating correctly and of a second kind if the second operation signals are such that at least one of the processors determines that the processor it is testing is not operating correctly, the first logic means and the second logic means being selected from structurally different but functionally interchangeable ones of the group consisting of a gate arrangement including at least one dedicated electronic gate, a software arrangement including at least one software controlled processor, andan electro-mechanical arrangement including a plurality of electromechanical switches, whereby each of the processors is independently tested by two dissimilar test procedures and the results from the two dissimilar test procedures are independently processed by two dissimilar logic means.
2. The single channel interlocking system of claim 1, wherein the first logic means is a gate arrangement including at least one dedicated electronic gate, and the second logic means is a software arrangement including at least one software controlledprocessor.
3. The single channel interlocking system of claim 1, wherein the first logic means is a gate arrangement including at least one dedicated electronic gate, and the second logic means is an electro-mechanical arrangement including a plurality of electromechanical switches.
4. The single channel interlocking system of claim 1, wherein the first logic means is a software arrangement including at least one software controlled processor, and the second logic means is a gate arrangement including at least one dedicated electronic gate.
5. The single channel interlocking system of claim 1, wherein the first logic means is a software arrangement including at least one software controlled processor, and the second logic means is an electro-mechanical arrangement including a plurality ofelectromechanical switches.
6. The single channel interlocking system of claim 1, wherein the first logic means is an electro-mechanical arrangement including a plurality of electromechanical switches and the second logic means is a gate arrangement including at least one dedicated electronic gate.
7. The single channel interlocking system of claim 1, wherein the first logic means is an electro-mechanical arrangement including a plurality of electromechanical switches and the second logic means is a software arrangement including at least one software controlled processor.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| GB8903175A GB2228114B (en) | 1989-02-13 | 1989-02-13 | A system comprising a processor |
| GB8903175.1 | 1989-02-13 |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CA2004562A1 CA2004562A1 (en) | 1990-08-13 |
| CA2004562C true CA2004562C (en) | 1998-07-07 |
Family
ID=10651582
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA002004562A Expired - Lifetime CA2004562C (en) | 1989-02-13 | 1989-11-27 | System comprising a processor |
Country Status (9)
| Country | Link |
|---|---|
| US (1) | US5504860A (en) |
| EP (1) | EP0382972B1 (en) |
| JP (1) | JPH02242438A (en) |
| AU (1) | AU634748B2 (en) |
| CA (1) | CA2004562C (en) |
| DE (1) | DE68926667T2 (en) |
| ES (1) | ES2087086T3 (en) |
| GB (1) | GB2228114B (en) |
| ZA (1) | ZA90447B (en) |
Families Citing this family (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| FR2730074B1 (en) * | 1995-01-27 | 1997-04-04 | Sextant Avionique | FAULT-TOLERANT COMPUTER ARCHITECTURE |
| US5671348A (en) * | 1995-06-06 | 1997-09-23 | General Railway Signal Corporation | Non-vital turn off of vital output circuit |
| DE19653551C1 (en) * | 1996-12-20 | 1998-02-05 | Siemens Ag | Functional ability determination method for processing unit |
| GB2348034A (en) * | 1999-03-17 | 2000-09-20 | Westinghouse Brake & Signal | An interlocking for a railway system |
| US6922625B2 (en) * | 2002-12-12 | 2005-07-26 | Honeywell International Inc. | Jet engine control and protection system and method |
| DE102004024386A1 (en) * | 2004-05-17 | 2005-12-15 | Siemens Ag | Method and circuit arrangement for testing functions and / or algorithms implemented in electronic circuits |
| US8028961B2 (en) | 2006-12-22 | 2011-10-04 | Central Signal, Llc | Vital solid state controller |
| JP5095273B2 (en) | 2007-06-22 | 2012-12-12 | 株式会社東芝 | Control device |
| CN101580073B (en) * | 2008-05-12 | 2012-01-25 | 卡斯柯信号有限公司 | Computer interlocking system code bit-level redundancy method |
| JP5404437B2 (en) * | 2010-01-13 | 2014-01-29 | 株式会社東芝 | Safety output device |
| US20130063282A1 (en) | 2010-05-31 | 2013-03-14 | Central Signal, Llc | Roadway detection |
| CN103144657B (en) * | 2013-03-15 | 2015-07-22 | 卡斯柯信号有限公司 | Main processing subsystem provided with check plate and used for general trackside safety platform |
Family Cites Families (20)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| FR2162093B1 (en) * | 1971-12-02 | 1977-04-08 | Hitachi Ltd | |
| GB1434186A (en) * | 1972-04-26 | 1976-05-05 | Gen Electric Co Ltd | Multiprocessor computer systems |
| DE2612100A1 (en) * | 1976-03-22 | 1977-10-06 | Siemens Ag | DIGITAL DATA PROCESSING ARRANGEMENT, IN PARTICULAR FOR RAILWAY SAFETY TECHNOLOGY |
| DE2651314C2 (en) * | 1976-11-10 | 1982-03-25 | Siemens AG, 1000 Berlin und 8000 München | Safety output circuit for a data processing system that emits binary signals |
| DE2701925C3 (en) * | 1977-01-19 | 1981-10-15 | Standard Elektrik Lorenz Ag, 7000 Stuttgart | Vehicle control with two on-board computers |
| GB1604492A (en) * | 1978-05-30 | 1981-12-09 | Westinghouse Brake & Signal | Railway control systems |
| DE2939487A1 (en) * | 1979-09-28 | 1981-04-16 | Siemens AG, 1000 Berlin und 8000 München | COMPUTER ARCHITECTURE BASED ON A MULTI-MICROCOMPUTER STRUCTURE AS A FAULT-TOLERANT SYSTEM |
| DE3003291C2 (en) * | 1980-01-30 | 1983-02-24 | Siemens AG, 1000 Berlin und 8000 München | Two-channel data processing arrangement for railway safety purposes |
| US4581700A (en) * | 1981-08-07 | 1986-04-08 | Sab Harmon Industries, Inc. | Processing system for grade crossing warning |
| FR2512980B1 (en) * | 1981-09-14 | 1983-12-23 | Aero Etudes Conseils | |
| DE3137450C2 (en) * | 1981-09-21 | 1984-03-22 | Siemens AG, 1000 Berlin und 8000 München | Safety output circuit for a data processing system |
| US4517639A (en) * | 1982-05-13 | 1985-05-14 | The Boeing Company | Fault scoring and selection circuit and method for redundant system |
| EP0096510B1 (en) * | 1982-06-03 | 1988-07-27 | LUCAS INDUSTRIES public limited company | Control system primarily responsive to signals from digital computers |
| WO1984000071A1 (en) * | 1982-06-16 | 1984-01-05 | Boeing Co | Autopilot flight director system |
| FR2540685A1 (en) * | 1983-02-03 | 1984-08-10 | Jeumont Schneider | INTERFACE FOR CONNECTING A COMPUTER SYSTEM TO AN ACTUATOR DEVICE |
| US4695946A (en) * | 1984-10-25 | 1987-09-22 | Unisys Corporation | Maintenance subsystem for computer network including power control and remote diagnostic center |
| US4622667A (en) * | 1984-11-27 | 1986-11-11 | Sperry Corporation | Digital fail operational automatic flight control system utilizing redundant dissimilar data processing |
| AU568977B2 (en) * | 1985-05-10 | 1988-01-14 | Tandem Computers Inc. | Dual processor error detection system |
| JPS6272248A (en) * | 1985-09-25 | 1987-04-02 | Hitachi Ltd | Active/standby changeover method for data transmission system |
| US4873685A (en) * | 1988-05-04 | 1989-10-10 | Rockwell International Corporation | Self-checking voting logic for fault tolerant computing applications |
-
1989
- 1989-02-13 GB GB8903175A patent/GB2228114B/en not_active Expired - Lifetime
- 1989-11-17 DE DE68926667T patent/DE68926667T2/en not_active Expired - Fee Related
- 1989-11-17 EP EP89311943A patent/EP0382972B1/en not_active Expired - Lifetime
- 1989-11-17 ES ES89311943T patent/ES2087086T3/en not_active Expired - Lifetime
- 1989-11-27 CA CA002004562A patent/CA2004562C/en not_active Expired - Lifetime
-
1990
- 1990-01-22 ZA ZA90447A patent/ZA90447B/en unknown
- 1990-02-09 AU AU49258/90A patent/AU634748B2/en not_active Expired
- 1990-02-09 JP JP2031315A patent/JPH02242438A/en active Pending
-
1994
- 1994-11-17 US US08/341,341 patent/US5504860A/en not_active Expired - Lifetime
Also Published As
| Publication number | Publication date |
|---|---|
| GB8903175D0 (en) | 1989-03-30 |
| EP0382972B1 (en) | 1996-06-12 |
| GB2228114A (en) | 1990-08-15 |
| DE68926667T2 (en) | 1996-10-24 |
| AU634748B2 (en) | 1993-03-04 |
| EP0382972A3 (en) | 1991-08-07 |
| AU4925890A (en) | 1990-08-16 |
| DE68926667D1 (en) | 1996-07-18 |
| ES2087086T3 (en) | 1996-07-16 |
| CA2004562A1 (en) | 1990-08-13 |
| GB2228114B (en) | 1993-02-10 |
| JPH02242438A (en) | 1990-09-26 |
| US5504860A (en) | 1996-04-02 |
| EP0382972A2 (en) | 1990-08-22 |
| ZA90447B (en) | 1990-10-31 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CA2004562C (en) | System comprising a processor | |
| EP0082859B1 (en) | Antiblocking regulator system | |
| US4270715A (en) | Railway control signal interlocking systems | |
| US4897640A (en) | Method and electrical circuit for the reliable detection of process states within freely couplable units | |
| US6161202A (en) | Method for the monitoring of integrated circuits | |
| CN110388561A (en) | Safety switch | |
| US4683105A (en) | Testable, fault-tolerant power interface circuit for normally de-energized loads | |
| Rao et al. | Microprocessor-based railway interlocking control with low accident probability | |
| EP1291662B1 (en) | Debugging system for semiconductor integrated circuit | |
| JP2005511386A (en) | Method for controlling railway operation process requiring safety and apparatus for carrying out this method | |
| GB1489921A (en) | Railway control systems | |
| JP2763146B2 (en) | Digital protection relay device | |
| Min et al. | A fail-safe microprocessor-based system for interlocking on railways | |
| JP3754773B2 (en) | Electronic level crossing control device | |
| JPS60256185A (en) | Control panel | |
| Nieckau | Reliability analysis of electronic modules with digital inputs | |
| JPS54103976A (en) | Logical circuit diagnoser | |
| SU377776A1 (en) | ALL-UNION | |
| JPH0630477A (en) | Method and device for detecting fault position on signal transmission line | |
| SU1091127A1 (en) | Device for monitoring parameters | |
| SU1109683A1 (en) | Device for automatic checking of electrical circuits | |
| CZ256295A3 (en) | Programmable safety device for a crossing | |
| Cegłowski et al. | Highly reliable microcomputer systems for railway control | |
| JPS61221698A (en) | Safety protective device for nuclear reactor | |
| JPH02266731A (en) | Loopback test system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| EEER | Examination request | ||
| MKEX | Expiry |