Computerised system

10691080 · 2020-06-23

Abstract

According to an aspect of the invention, a computerised system, in particular a control system, is provided which is configured, from an input vector (I_n) which represents a discrete number of input variables and from a state vector (Z_n) which represents a discrete number of state variables, to determine a new state vector (Z_n+1) whose state variables are updated, as well as an output vector (O_n) which represents a discrete number of output variables, wherein the output variables are provided for controlling at least one appliance and/or for outputting information. The system comprises a plurality of computation units which in parallel determine the new state vector and the output vector from the input vector and the state vector. According to the invention, the system is configured such that at least all new state vectors are exchanged between the computation units after each cycle.

Claims

1. A computerised system, comprising a plurality of computation units, each computation unit configured to determine, autonomously and independently of the other computation units, in a calculation cycle, from an input vector which represents a discrete number of input variables, and from a state vector, which represents a discrete number of state variables, a new state vector whose state variables are updated compared to the state vector, as well as an output vector, which represents a discrete number of output variables, and to cyclically repeat the step of determining in a plurality of calculation cycles with the updated state vector and a new, actual input vector; wherein the system is configured for at least one of: the output variables to be used for controlling at least one appliance, for information based on the output vector to be output; and wherein the system is configured such that at least all new state vectors are exchanged between the computation units after each cycle.

2. The system according to claim 1, wherein in addition to the state vectors, the output vectors and/or input vectors are also exchanged after each cycle.

3. The system according to claim 1, wherein each computation unit has its own bus, and wherein each computation unit is configured to transmit the state vector as well as, if applicable, the output vector and/or input vector to the remaining computation units via the own bus.

4. The system according to claim 1, wherein the received state vectors and, if applicable, output vectors and/or input vectors, by way of each of the computation units, are compared with their own vectors.

5. The system according to claim 4, which is configured to activate a safety reaction given a difference of one of the received vectors.

6. The system according to claim 5, wherein the safety reaction includes the result of none of the computation units of the system being taken into account for the control and/or for the output.

7. The system according to claim 1, wherein the computation units are configured to mutually transfer and examine a program code or configuration code.

8. The system according to claim 1, wherein each computation unit is configured, by way of a checksum computer, to form a checksum from the output vector and/or a subset of the output vector, said output vector comprising the output variables to be transferred to an output unit, wherein the checksum computers of the computation units differ.

9. The system according to claim 8, wherein the individual checksum computers use a different polynomial for computing the checksum.

10. The system according to claim 8, wherein the checksum computers compute with different initial vectors.

11. The system according to claim 1, wherein each computation unit independently computes a communication packet with an address, packet number, data and checksum, for each output unit of an envisaged number of output units.

12. The system according to claim 11, which is configured to join together the communication packets of the computation units into a total packet and to optionally supplement it with a global address and checksum.

13. The system according to claim 12 which is configured such that the total packet transmits redundant information only once.

14. The system according to claim 1, comprising a plurality of output units which are configured to each receive a value of at least one of the output variables and, depending on this, to output a command or information via an interface.

15. The system according to claim 14, wherein each computation unit is configured to form, by way of a checksum computer, a checksum from the output vector and/or a subset of the output vector, said output vector comprising the output variables which are to be transferred to the output unit, wherein the checksum computers of the computation units differ and wherein the output units are capable of checking whether a received data packet has correct checksums of all computation units.

16. The system according to claim 15, wherein the output units are configured to only carry out an output to the interfaces when all checksums of all computation units are correct.

17. The system according to claim 15, wherein the output units are configured to only carry out an output to the interfaces when a minimum number of checksums of all computation units are correct.

18. The system according to claim 1, wherein the computation units are assigned to a central system, comprising a network for connection of the central system to input and/or output units.

19. The system according to claim 18, comprising a second redundant network for increasing the availability.

20. A redundant system, comprising a first central system, being a system according to claim 1, and a second central system, being a system according to claim 1.

21. The redundant system according to claim 20, wherein the first and second central systems are configured to exchange at least all new state vectors with one another after each cycle.

22. The redundant system according to claim 21, wherein each central system is configured to go into a service mode if a comparison of the state vectors produced by the computation units of the central system or, if applicable, output vectors or input vectors results in a difference.

23. The redundant system according to claim 22, wherein in the service mode, the program of at least that computation unit which has produced data differing from the other computation units is newly loaded.

24. The redundant system according to claim 22, wherein that central system which returns from the service mode into an operating mode reassumes operation as a slave.

Description

(1) Principles of the invention and principles of special embodiments of the invention are hereinafter described in more detail by way of schematic drawings. The same characterisations in the drawings indicate the same or analogous elements. Concerning the description of the invention by way of FIG. 3-9, the FIGS. 1 and 2 and the notations introduced there are referred to. There are shown in:

(2) FIG. 1 the principle of a state machine;

(3) FIG. 2 a system according to the state of the art;

(4) FIG. 3 a central system of a system according to the invention, with a network;

(5) FIG. 5 the production of the complete data packet for output to an input/output unit k;

(6) FIG. 6 an alternative for the production of a complete data packet for outputting to an input/output unit k;

(7) FIG. 7 an input/output unit with a network;

(8) FIG. 8 the creation of a complete data packet from the input/output unit k to the central system; and

(9) FIG. 9 a redundant system.

(10) A system according to the invention is schematically represented in FIG. 3. The central unit has several parallel computation units PU^0 ... PU^P. Each of these computation units receives the input packets kIP_n^0 ... kIP_n^P from the network interfaces NI (in this notation the leading index identifies the I/O unit 0 ... k, the superscript the computation unit 0 ... P and the subscript the cycle n) and has stored the previous state vector Z_n-1^0 ... Z_n-1^P. From these, the computation units independently of one another compute the input vector I_n^0 ... I_n^P, the state vector Z_n^0 ... Z_n^P and the output vector O_n^0 ... O_n^P.

(11) In FIG. 3 (each of the variables discussed carries an index 0 ... P which identifies the computation unit), PR indicates the program reference memory, P the program memory, L the logic unit, CRI and CRO the checksum computers for incoming and outgoing data respectively, and CMP the comparison logic which compares the computed vectors with the corresponding received vectors of the other computation units.

(12) According to the invention, the computation units exchange the result amongst one another after each computation of a new state vector. For this, each computation unit for example has its own bus OB^0 ... OB^P, via which it transmits the result to the remaining computation units. The computation units then compare the results of the individual channels with one another by way of the comparison logic CMP^0 ... CMP^P. If they determine a difference, then in an embodiment according to the first implementation they initiate a safety reaction. An example of this is schematically represented in FIG. 4. Here, the supply voltage of each individual computation element is interrupted via a switch PS^0 ... PS^P, and this is done for all computation elements. It must be ensured that the switches are always capable of interrupting the supply voltage (for which one can fall back on methods according to the state of the art).

(13) Supplementarily or alternatively, one can envisage the respective computation unit being rebooted and, after the reboot, linking itself into the process again with state data which comes from the other computation units.

(14) On account of the present invention, it is ensured that a data error in the state vector cannot propagate from one computation cycle to the next. The failure disclosure time of such an error is therefore limited to the time of a computation cycle.
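The exchange-and-compare cycle of paragraphs (12) to (14), as an added simulation that is not part of the patent: three computation units each compute Z_n+1 and O_n from the same I_n and Z_n, broadcast their new state vector, and compare what they received with their own result. The control law in step(), the three-unit configuration, the one-bit fault injected into PU1 in cycle 3 and the "resync" mode (the reboot-and-re-link reaction of paragraph (13), with a majority of two as the minimum agreement) are all assumptions of this example. It shows the property claimed in (14): the corrupted state vector is disclosed in the very cycle it arises and never reaches the next cycle, either because all outputs are cut off ("shutdown") or because the deviating unit is re-linked with the state of the others.

```python
# Added example (not from the patent): lockstep computation units that exchange and
# compare their new state vectors after every cycle.
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Vector = Tuple[int, ...]

def step(i_n: Vector, z_n: Vector) -> Tuple[Vector, Vector]:
    """Hypothetical control law (assumed, not from the patent): Z_n+1 = Z_n + I_n,
    saturated at 1000, and O_n = 1 wherever the state has exceeded 100."""
    z_next = tuple(min(z + i, 1000) for z, i in zip(z_n, i_n))
    o_n = tuple(int(z > 100) for z in z_n)
    return z_next, o_n

@dataclass
class ComputationUnit:
    uid: int
    z: Vector
    fault: Optional[Callable[[int, Vector], Vector]] = None   # injected data error, demo only

    def compute(self, cycle: int, i_n: Vector) -> Tuple[Vector, Vector]:
        z_next, o_n = step(i_n, self.z)
        if self.fault is not None:
            z_next = self.fault(cycle, z_next)
        self.z = z_next
        return z_next, o_n

@dataclass
class CentralSystem:
    units: List[ComputationUnit]
    mode: str = "shutdown"        # "shutdown": first implementation; "resync": reboot and re-link
    min_agree: int = 2            # minimum number of concordant units in "resync" mode (assumed)
    safe_state: bool = False
    log: List[str] = field(default_factory=list)

    def cycle(self, n: int, i_n: Vector) -> Optional[Vector]:
        if self.safe_state:
            return None
        results: Dict[int, Tuple[Vector, Vector]] = {u.uid: u.compute(n, i_n) for u in self.units}
        # Exchange over each unit's own bus OB, then CMP on every unit: compare each
        # received new state vector with its own.
        mismatch = {u.uid: [v.uid for v in self.units
                            if v is not u and results[v.uid][0] != results[u.uid][0]]
                    for u in self.units}
        if not any(mismatch.values()):
            return results[self.units[0].uid][1]          # all agree: any unit's O_n will do
        self.log.append(f"cycle {n}: state vectors differ {mismatch}")
        if self.mode == "shutdown":
            self.safe_state = True                         # PS switches: no unit's result is used
            self.log.append(f"cycle {n}: safety reaction, outputs disabled")
            return None
        majority, count = Counter(r[0] for r in results.values()).most_common(1)[0]
        if count < self.min_agree:
            self.safe_state = True
            self.log.append(f"cycle {n}: no sufficient agreement, safety reaction")
            return None
        for u in self.units:
            if results[u.uid][0] != majority:              # reboot and re-link with the others' state
                u.z = majority
                self.log.append(f"cycle {n}: PU{u.uid} re-linked with the state of the other units")
        agreeing = next(uid for uid, r in results.items() if r[0] == majority)
        return results[agreeing][1]                        # result computed concordantly by enough units

def run(mode: str, cycles: int = 6, fault_cycle: int = 3) -> Tuple[CentralSystem, List[Optional[Vector]]]:
    """Three units; PU1 suffers a one-bit data error in its new state vector at fault_cycle."""
    def flip(cycle: int, z: Vector) -> Vector:
        return (z[0] ^ 1,) + z[1:] if cycle == fault_cycle else z
    units = [ComputationUnit(0, (0, 0)), ComputationUnit(1, (0, 0), fault=flip), ComputationUnit(2, (0, 0))]
    cs = CentralSystem(units, mode=mode)
    return cs, [cs.cycle(n, (60, 30)) for n in range(cycles)]
```

In "shutdown" mode the system delivers no output from cycle 3 onwards; in "resync" mode cycle 3 still yields the concordant output of PU0 and PU2, and from cycle 4 all three units carry the same state again.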

(15) A data error in a computation unit can also lead to a false output vector O_n^0 ... O_n^P, or to a false output packet kOP_n^0 ... kOP_n^P. In order to recognise such data errors, in a group of embodiments each computation unit PU^0 ... PU^P creates an individual signature kCRC_n^0 ... kCRC_n^P for each output packet. The signatures of the individual computation units are designed such that no computation unit can produce the signature of another computation unit. This can be achieved for example by the computation units using different algorithms, or the same algorithm with a different key, starting value, generator polynomial etc. The output packets together with the signatures are transferred from the computation units to the network interfaces NI. These network interfaces compose the output packets of the individual computation units into a message, which is represented in FIG. 5.

(16) In embodiments according to the first implementation, in which differing data is not tolerated, the size of the message can optionally be reduced by including the useful data of the output packets only once in the message. For this purpose, a protocol converter of the network interface, which assembles the data packets for the network (or another unit) at the input to the network, can produce a data packet as represented in FIG. 6. If even a single signature is not consistent with the data kDO_n, which can be taken from the output vector produced by any one of the computation units, then a receiving output unit can recognise that one of the units has wrongly computed either the output data or the test data (signature). In the embodiments described here, the output units are always also the input units, i.e. I/O units.

(17) If the system is designed according to the second implementation, then for example either the messages are sent as is shown in FIG. 5, or a selection takes place in a suitable manner, so that with this it is ensured that at least the useable data (data identically computed by a sufficient number of computation units) is transferred to the output units.

(18) The construction of the input and output units according to an embodiment is shown in FIG. 7 with the example of a two-channel architecture. The example of FIG. 7 assumes that the data packets are put together as illustrated in FIG. 6.

(19) If channel 0 or 1 receives a message via the network interface kIONI and the receiver k0R or k1R respectively, it checks the test data and signatures contained therein. If a message does not have the minimum necessary number of valid signatures, then the input/output unit rejects the message. Otherwise, the output data kDO_n passes into the output register k0RD or k1RD and thus to the output, in the illustrated embodiment to a switch k0S or k1S respectively. On account of the present invention it is therefore ensured that data errors in output packets do not lead to an incorrect output as long as the number of affected computation units is smaller than the minimum necessary number of valid signatures. According to the invention, the input and output units can therefore ascertain on the basis of the signatures whether a sufficient number of computation units have computed the output packet concordantly.

(20) Data errors can also lead to a false input packet kIP_n^0 ... kIP_n^P. The same method as for the output packets is used to recognise such errors. Here, as is usually the case, the input variables are read in via several independent sensors. FIG. 7 shows this with the example of two current sensors k0IS and k1IS. The readings of both channels are read into an input register k0ID and k1ID respectively. Both channels subsequently compute the usual test data A and, according to the invention, additionally an individual signature k0CRC_n+1 and k1CRC_n+1 respectively. The same assumptions apply to these signatures as to those of the output packets, i.e. the signatures are such that they can only be produced by the respective channel of the input/output unit. The channels produce an input packet from this data and pass it to the network interface kIONI. This, analogously to the output packets, produces a message as a total data packet from the input packets of the channels (FIG. 8) and transmits it to the computation units PU^0 ... PU^P of the central unit. A computation unit rejects a message if it does not contain the minimum necessary number of readings with a valid signature. In a second test step, as is usual, the computation units compare the readings in order to ascertain whether the channels (in the case of multi-channel input/output units, as here) have measured the reading concordantly. By way of the present invention it is therefore ensured that a data error in an input packet does not lead to a false input vector as long as the number of affected channels is smaller than the minimum necessary number of valid signatures. According to the invention, the computation units can therefore ascertain on the basis of the signatures whether a sufficient number of channels have measured the reading concordantly.
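The signature scheme of paragraphs (15) to (20), as an added example that is not part of the patent: every computation unit signs its output packet with a CRC whose generator polynomial and initial value are its own, the network interface carries the useful data once followed by all signatures (the FIG. 6 layout), the I/O unit recomputes every unit's CRC over the carried data and accepts only when at least a minimum number match, and in the input direction each channel signs its reading and the central unit first counts valid signatures and then compares the readings. The three computation units, the two channels, the polynomial and initial-value pairs, the packet layout (1 byte address, 2 bytes packet number, data, 2 bytes per signature) and the data values are all constructed for this example. One caveat a practitioner should keep in mind: a CRC with a unit-specific polynomial separates the units against independent random faults and design errors, which is what the patent targets; it is not a cryptographic signature, since anyone who knows a unit's polynomial and initial value can compute its checksum.

```python
# Added example (not from the patent): per-unit CRC "signatures" over output packets,
# the total packet that carries the data once, the check at the I/O unit, and the
# analogous input direction with one signature per channel.
from typing import Dict, List, Optional, Tuple

def crc16(data: bytes, poly: int, init: int) -> int:
    """CRC-16, MSB first, no reflection, no final XOR. Polynomial and initial value are
    parameters: choosing them per unit is what makes the checksum computers CRO differ."""
    crc = init & 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc

# Constructed parameters (assumed, not from the patent): three computation units PU^0..PU^2
# and a two-channel I/O unit, each with its own polynomial / initial value.
UNIT_PARAMS: Dict[int, Tuple[int, int]] = {0: (0x1021, 0xFFFF), 1: (0x8005, 0x0000), 2: (0x3D65, 0x1D0F)}
CHANNEL_PARAMS: Dict[int, Tuple[int, int]] = {0: (0x1021, 0x0000), 1: (0x8005, 0xFFFF)}
SIG_LEN = 2

def output_packet(unit: int, io_unit: int, cycle: int, do_n: bytes) -> Tuple[bytes, int]:
    """PU^unit independently forms (address, packet number, data) and its own signature."""
    body = bytes([io_unit]) + cycle.to_bytes(2, "big") + do_n
    return body, crc16(body, *UNIT_PARAMS[unit])

def total_packet(packets: Dict[int, Tuple[bytes, int]]) -> bytes:
    """Protocol converter at the NI: useful data once (taken from any one unit, here PU^0),
    followed by every unit's signature in unit order."""
    body = packets[0][0]
    return body + b"".join(packets[u][1].to_bytes(SIG_LEN, "big") for u in sorted(packets))

def check_output(total: bytes, min_valid: int) -> Tuple[bool, List[int]]:
    """I/O unit: recompute each unit's signature over the carried data and accept only if at
    least min_valid match (min_valid equal to the number of units is the first implementation)."""
    n = len(UNIT_PARAMS)
    body, sigs = total[:-SIG_LEN * n], total[-SIG_LEN * n:]
    valid = [u for u in range(n)
             if int.from_bytes(sigs[SIG_LEN * u:SIG_LEN * (u + 1)], "big") == crc16(body, *UNIT_PARAMS[u])]
    return len(valid) >= min_valid, valid

def input_packet(channel: int, io_unit: int, cycle: int, reading: int) -> Tuple[bytes, int]:
    """A channel of I/O unit k signs its own reading with its own parameters."""
    body = bytes([io_unit, channel]) + cycle.to_bytes(2, "big") + reading.to_bytes(2, "big")
    return body, crc16(body, *CHANNEL_PARAMS[channel])

def accept_reading(packets: Dict[int, Tuple[bytes, int]], min_valid: int, tolerance: int = 0) -> Optional[int]:
    """Central unit: first demand min_valid validly signed readings, then (second test step)
    check that the channels measured concordantly. Returns the reading, or None if rejected."""
    readings = [int.from_bytes(body[4:6], "big")
                for ch, (body, sig) in packets.items() if sig == crc16(body, *CHANNEL_PARAMS[ch])]
    if not readings or len(readings) < min_valid:
        return None
    if max(readings) - min(readings) > tolerance:
        return None
    return readings[0]

def demo() -> Tuple[bool, bool, Optional[int], Optional[int]]:
    good = b"\x01\x00"                       # constructed DO_n for I/O unit 7: switch 0 on, switch 1 off
    corrupt = b"\x00\x00"                    # PU^1 suffers a data error in its output vector
    pkts = {u: output_packet(u, 7, 42, corrupt if u == 1 else good) for u in UNIT_PARAMS}
    total = total_packet(pkts)
    all_required, _ = check_output(total, min_valid=3)   # first implementation: rejected
    two_of_three, _ = check_output(total, min_valid=2)   # second implementation: accepted
    ok = accept_reading({0: input_packet(0, 7, 43, 500), 1: input_packet(1, 7, 43, 500)}, min_valid=2)
    body1, sig1 = input_packet(1, 7, 43, 500)
    corrupted_channel = {0: input_packet(0, 7, 43, 500), 1: (body1[:-1] + b"\x01", sig1)}
    bad = accept_reading(corrupted_channel, min_valid=2)  # channel 1 signature no longer matches
    return all_required, two_of_three, ok, bad
```

The body in the total packet comes from PU^0, so PU^1's signature, computed over its own corrupted data, fails to verify; requiring all three signatures rejects the packet, requiring two accepts it. The corrupted input reading is rejected because only one validly signed reading remains.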

(21) Error in the Program Code:

(22) Each computation unit PU^0 ... PU^P according to FIG. 3 has a program memory P^0 ... P^P. There are two possibilities for uncovering errors in the program code stored there. Possibility 1: each computation unit transmits the complete content of its program memory to all other computation units. These compare the received data with the content of their program reference memory PR^0 ... PR^P and, in the case of a difference, initiate one or more of the actions mentioned. Possibility 2: each computation unit has a self-test with which it can check the content of its program memory for consistency. If a computation unit detects an error in its own program memory, it signals this to the other computation units, which then initiate one or more of the actions mentioned.

(23) It is generally known that the availability of a computation system can be improved by way of a redundant computer. Such a redundancy concept, adapted to the present invention, is represented in FIG. 9. Redundancy as a safety feature is also present in the embodiment according to FIG. 3, in that the system comprises several computation units which optionally can also be physically separated from one another. One can envisage the computation units being individually exchangeable, for which they can optionally be implemented on different circuit boards. The embodiment of FIG. 9 is aimed at the concept of the highest safety level, in which, according to the first implementation, given an error (inconsistent output data, input data or state data, or a detected program error) the computer system is immediately counted as unsafe and a corresponding reaction is activated. With the implementation according to FIG. 3, this results in operation being interrupted and the complete system being made safe by activating the safety reaction. There are configurations in which this would be undesirable, would not be tolerated (for example in the control of railway safety installations, where the complete railway traffic would have to be stopped) or would even be dangerous (control of aircraft etc.).

(24) In addition to the above-discussed possibility of ensuring operation in the case of errors by way of only demanding a minimum of data to be consistent (according to defined criteria), according to FIG. 9 there is also the possibility of providing two complete, operative computer systems according to the invention. Both computer systems CU and CU* are configured according to the invention and function for example according to the principle described above by way of FIGS. 3-8. The two computer systems can each be configured such that they can be serviced independently of one another, for example by way of the computation units and data memories etc. each being implemented on an individual circuit board or several individual circuit boards.

(25) The complete redundant system accordingly comprises the central computer systems CU and CU* (a generalisation to more than two computer systems is possible without further ado). Both computer systems are constructed identically and have several computation units PU^0 ... PU^P and PU^0* ... PU^P* respectively, which each form a channel. The system moreover has several I/O units 0XIO ... kXIO (X denoting the channel), or is at least configured to interact with such I/O units. The I/O units are realised for example in a two-channel manner but are not necessarily constructed redundantly. Redundant I/O units are also possible for particularly important I/O tasks (e.g. communication with a superordinate control centre). The system additionally has two redundant networks N_A and N_B which are connected to the central units via two redundant network interfaces NI_A and NI_B and NI_A* and NI_B* respectively, so that individual errors cannot cripple the complete system.

(26) In normal operation, one of the two redundant systems CU and CU* is the master and the other follows as slave. Both systems operate identically; the master is the system which has been in uninterrupted operation longer than the slave. The single difference in the processing is that the master sets the timing.

(27) On starting operation of the complete system, the personnel first manually start one of the redundant central systems CU or CU*. The system started first automatically becomes the master. As soon as the slave is started and its program has loaded, it adopts the complete input and state data in each cycle via the communication system OB or OB*. Both systems now run independently, but produce identical states and, from these, identical messages to the I/O units. If for example an error occurs in the program code of one of the computation units of the master, then this master withdraws and the slave becomes the master. One proceeds analogously if a data error is ascertained.

(28) The central system which has withdrawn is subsequently newly configured, for example by way of loading the program code or configuration code from the reference memory at each unit, from a source which is assigned to the central system or one which is external or from another central system.

(29) As soon as this central system is operationally ready, in a cycle it adopts the input and state data of the new/current master via the communication system OB and OB*. The newly reactivated central system is now operationally ready as a slave and notifies this to the master and participates again with the following cycles.

(30) If one of the computation units of the slave makes an error, then one proceeds analogously, i.e. the slave withdraws and participates again as a slave after it is operationally ready.
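The master/slave procedure of paragraphs (26) to (30), as an added simulation that is not part of the patent: the system started first becomes master, the one started later adopts the master's state and follows as slave, a program error (detected here by the self-test of paragraph (22), comparing the program memory against the reference memory) makes the affected system withdraw into service mode, a withdrawn master hands over to the slave, and a reconfigured system re-links with the current master's state and rejoins as slave. The control law, the program image, the injected errors and the choice to let a reconfigured system rejoin at the end of the same cycle are assumptions of this example; the internal lockstep of each central system is left out, since the preceding examples cover it.

```python
# Added example (not from the patent): failover between the redundant central systems
# CU and CU*, with reconfiguration from the program reference memory.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Vector = Tuple[int, ...]

def step(i_n: Vector, z_n: Vector) -> Vector:
    """Hypothetical control law (assumed): Z_n+1 = Z_n + I_n, saturated at 1000."""
    return tuple(min(z + i, 1000) for z, i in zip(z_n, i_n))

@dataclass
class CentralSystem:
    name: str
    reference_program: bytes            # PR: program reference memory
    program: bytes = b""                # P: program memory, loaded at start
    z: Vector = ()
    role: str = "off"                   # off | master | slave | service

    def program_error(self) -> bool:
        """Self-test of the program memory against the reference memory."""
        return self.program != self.reference_program

    def reconfigure(self) -> None:
        """Service mode: reload the program code from the reference memory."""
        self.program = self.reference_program
        self.role = "service"

@dataclass
class RedundantSystem:
    cu: CentralSystem
    cu_star: CentralSystem
    log: List[str] = field(default_factory=list)

    def master(self) -> Optional[CentralSystem]:
        return next((c for c in (self.cu, self.cu_star) if c.role == "master"), None)

    def active(self) -> List[CentralSystem]:
        return [c for c in (self.cu, self.cu_star) if c.role in ("master", "slave")]

    def start(self, c: CentralSystem, z0: Vector = (0, 0)) -> None:
        c.program = c.reference_program
        m = self.master()
        c.role, c.z = ("master", z0) if m is None else ("slave", m.z)   # first started becomes master
        self.log.append(f"{c.name} started as {c.role}")

    def withdraw(self, c: CentralSystem) -> None:
        self.log.append(f"{c.name} ({c.role}) withdraws")
        if c.role == "master":
            other = self.cu_star if c is self.cu else self.cu
            if other.role == "slave":
                other.role = "master"                    # the slave becomes the master
                self.log.append(f"{other.name} becomes master")
        c.reconfigure()

    def cycle(self, i_n: Vector) -> Optional[Vector]:
        for c in self.active():                          # program self-test on every participating system
            if c.program_error():
                self.withdraw(c)
        m = self.master()
        if m is None:
            self.log.append("no master left: complete system made safe")
            return None
        for c in self.active():                          # both compute identically; the master sets the timing
            c.z = step(i_n, c.z)
        for c in (self.cu, self.cu_star):                # a reconfigured system re-links as slave
            if c.role == "service":
                c.z, c.role = m.z, "slave"
                self.log.append(f"{c.name} re-linked as slave")
        return m.z

def demo():
    prog = b"\x01\x02\x03\x04"                    # constructed program image
    rs = RedundantSystem(CentralSystem("CU", prog), CentralSystem("CU*", prog))
    rs.start(rs.cu)                               # personnel start CU first: it becomes master
    rs.cycle((10, 5))
    rs.start(rs.cu_star)                          # CU* started later: slave, adopts Z = (10, 5)
    rs.cycle((10, 5))                             # both at (20, 10)
    rs.cu.program = prog[:-1] + b"\xff"           # program error in the master
    out = rs.cycle((10, 5))                       # CU withdraws, CU* takes over, CU re-links as slave
    roles_after_master_error = (rs.cu.role, rs.cu_star.role)
    rs.cu.program = prog[:-1] + b"\xfe"           # program error in the (new) slave
    rs.cycle((10, 5))                             # CU withdraws again and rejoins as slave
    roles_after_slave_error = (rs.cu.role, rs.cu_star.role)
    return out, roles_after_master_error, roles_after_slave_error, rs.cu.z, rs.cu_star.z, rs.cu.program == prog
```

After the master's program error the output of that cycle is still delivered, now by CU*, and the reconfigured CU continues with the program reloaded from its reference memory and the state adopted from the new master.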

(31) The respective computation unit can be completely switched off as soon as an indication of a hardware error is found with a program test or by way of repeatedly successively observed data errors or program errors. This can be supplemented by a hint to the user, whereupon the affected computation unit or possibly the complete circuit board comprising the computation unit is to be exchanged. If the system is designed in a sufficiently redundant manner, then under certain circumstances such an exchange can also be unnecessary and it is sufficient if the unit remains permanently switched off