Safety-relevant computer system
10489228 · 2019-11-26
CPC classification: G06F11/0739, G06F11/1608, G06F11/0796, G06F11/1654
International classification: G06F11/14, G06F11/16
Abstract
A safety-relevant computer system, in particular a railway safety system, contains at least two hardware channels. Memory check results of the channels are fed to at least one comparator, which triggers an error response if the memory check results are not equal. In order to be able to use diverse software programs created by different compilers, the memory check results of the diverse software programs of each channel are fed to the comparator. The memory check results of a first software program of the first and second channels are compared with each other, and the memory check results of a second software program of the first and second channels are compared with each other.
Claims
1. A safety-relevant computer system, comprising: at least one comparator; and at least two hardware channels including a first hardware channel and a second hardware channel, wherein memory check results of said hardware channels are forwarded to said at least one comparator, said at least one comparator triggering an error response if the memory check results are not equal, each of said hardware channels having compilers and at least two diverse software programs built by said compilers, the memory check results of said diverse software programs being forwarded to said comparator, wherein the memory check results of a first software program of said first and second hardware channels are compared with one another and the memory check results of a second software program of said first and second hardware channels are compared with one another.
2. The safety-relevant computer system according to claim 1, further comprising an output comparator; and wherein each of said hardware channels and each of said diverse software programs has precisely one common output module, wherein said output modules of all of said hardware channels are connected to said output comparator.
3. The safety-relevant computer system according to claim 1, wherein the safety-relevant computer system is a railway safety system.
4. A method of operating a safety-relevant computer system, which comprises the steps of: operating at least two hardware channels including a first hardware channel and a second hardware channel, each of the hardware channels having compilers and at least two diverse software programs built by the compilers; generating memory check results of the diverse software programs of the hardware channels; and forwarding the memory check results of the hardware channels to at least one comparator, the at least one comparator triggering an error response if the memory check results are not equal, wherein the memory check results of a first software program of said first and second hardware channels are compared with one another and the memory check results of a second software program of said first and second hardware channels are compared with one another.
Description
BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING
(1) The FIGURE schematically shows the most important components of a safety-relevant computer system.
DESCRIPTION OF THE INVENTION
(2) A computer system with two channels A and B is shown, each having a central processing unit CPU and an operating system of type A or type B, respectively. Both channels A and B process the same input data 1 and, if the data is processed without errors, produce identical output data 2. The input data 1 can be, for example, the element status of field elements of a railway safety installation, such as switches, signals and level crossings, which the two channels A and B process into output data 2 in order to display the element statuses on a monitor with signalling safety, i.e. SIL4. Additionally, each channel A and B is equipped with diverse software programs built by a first compiler X and a second compiler Y. The programs built by the compilers X and Y generate memory check results X_A, Y_A in channel A and X_B, Y_B in channel B. These memory check results, for example checksums, are forwarded to a SIL4 comparator 3. The comparator compares X_A with X_B for the first software program (built by compiler X) and Y_A with Y_B for the second software program (built by compiler Y). If X_A and X_B and/or Y_A and Y_B are not equal, a data processing error is present on the first channel A and/or the second channel B, and the comparator 3 acts on both channels A and B to bring about an error response 4, preferably a switch-off that is safe in signalling terms, of the safety-relevant computer system.
If the comparator 3 declares error-free data processing on the two channels A and B, then an output module X_OUT of the first software program (built by compiler X) on the first channel A and an output module Y_OUT of the second software program (built by compiler Y) on the second channel B each generate outputs, which are forwarded to an output comparator 5 and, if they match, form the output data 2. The two other software programs, namely that of the second compiler Y on the first channel A and that of the first compiler X on the second channel B, do not generate any output data; they serve solely to make the memory check results Y_A and X_B comparable with the memory check results Y_B and X_A generated by the respective other channel. In this way it becomes possible to use diverse software programs built by compilers X and Y, so that an extremely elaborate compiler validation can be dispensed with.
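The two paragraphs above describe the whole comparison scheme: per-program memory check results are compared across channels (X_A with X_B, Y_A with Y_B), a mismatch forces the safe switch-off, and only then are the outputs of X_OUT on channel A and Y_OUT on channel B compared. The following is an added model of that scheme, not code from the patent or its assignee. It assumes SHA-256 digests as the "memory check result" (the patent only says "for example checksums"), uses constructed byte strings as stand-ins for the two compiler builds, and replaces the real railway processing with a hypothetical status-to-display mapping. The `within_channel_compare` function exists only to show why the pairing has to be cross-channel and per-program: the X and Y binaries of one channel never match each other.

```python
"""Model of the two-channel / two-compiler comparator scheme (added example, not the patent's code)."""
import hashlib
from dataclasses import dataclass

SAFE_SHUTDOWN = "SAFE_SHUTDOWN"   # error response 4: switch-off that is safe in signalling terms
RUN = "RUN"


def memory_check(image: bytes) -> str:
    """Memory check result over a program image (assumption: SHA-256 digest)."""
    return hashlib.sha256(image).hexdigest()


def process(input_data: dict[str, str]) -> str:
    """Hypothetical stand-in for the real processing: element status -> display line."""
    return ";".join(f"{elem}={status}" for elem, status in sorted(input_data.items()))


@dataclass
class Channel:
    name: str                  # hardware channel A or B
    images: dict[str, bytes]   # compiler id ("X" or "Y") -> program image held in this channel's memory
    output_program: str        # which program's output module (X_OUT on A, Y_OUT on B) feeds comparator 5

    def check_results(self) -> dict[str, str]:
        """X_A, Y_A (or X_B, Y_B): one memory check result per diverse program."""
        return {c: memory_check(img) for c, img in self.images.items()}

    def output(self, input_data: dict[str, str]) -> str:
        # Both programs are functionally equivalent builds of the same source; in this
        # model the designated output program simply runs the shared processing.
        return process(input_data)


def memory_comparator(a: Channel, b: Channel) -> list[str]:
    """Comparator 3: X_A against X_B and Y_A against Y_B. Returns the programs whose results differ."""
    ra, rb = a.check_results(), b.check_results()
    return [c for c in sorted(set(ra) | set(rb)) if ra.get(c) != rb.get(c)]


def within_channel_compare(ch: Channel) -> bool:
    """What the scheme must NOT do: X and Y are different binaries, so X_A == Y_A never holds."""
    r = ch.check_results()
    return r["X"] == r["Y"]


def cycle(a: Channel, b: Channel, input_data: dict[str, str]) -> dict:
    """One processing cycle: memory comparison first, then output comparison (comparator 5)."""
    bad = memory_comparator(a, b)
    if bad:
        return {"state": SAFE_SHUTDOWN, "reason": f"memory check mismatch for program(s) {bad}"}
    out_a, out_b = a.output(input_data), b.output(input_data)
    if out_a != out_b:
        return {"state": SAFE_SHUTDOWN, "reason": "output mismatch"}
    return {"state": RUN, "output": out_a}


def build_channels() -> tuple[Channel, Channel]:
    """Constructed images: the same source built by two compilers gives two different binaries."""
    image_x = b"\x7fELF-X:" + bytes(range(64))        # stand-in for the compiler X build
    image_y = b"\x7fELF-Y:" + bytes(range(64, 128))   # stand-in for the compiler Y build
    a = Channel("A", {"X": bytes(image_x), "Y": bytes(image_y)}, output_program="X")
    b = Channel("B", {"X": bytes(image_x), "Y": bytes(image_y)}, output_program="Y")
    return a, b


def flip_bit(image: bytes, offset: int, bit: int) -> bytes:
    """Inject a single-bit memory fault (constructed fault for the demonstration)."""
    buf = bytearray(image)
    buf[offset] ^= 1 << bit
    return bytes(buf)


def demo() -> tuple[dict, dict, bool]:
    status = {"W12": "left", "S3": "stop", "LX7": "closed"}   # constructed field element statuses
    a, b = build_channels()
    healthy = cycle(a, b, status)
    # Corrupt the Y image on channel A. Y_A produces no output data, yet the fault is
    # still caught because comparator 3 checks Y_A against Y_B.
    a.images["Y"] = flip_bit(a.images["Y"], offset=20, bit=3)
    faulted = cycle(a, b, status)
    return healthy, faulted, within_channel_compare(b)


if __name__ == "__main__":
    healthy, faulted, naive = demo()
    print(healthy)
    print(faulted)
    print("X_B == Y_B ?", naive)
```

Running `demo()` shows the healthy cycle returning `RUN` with the display line, the corrupted cycle returning `SAFE_SHUTDOWN` naming program `Y`, and `within_channel_compare` returning `False`, which is the reason the comparator pairs results by compiler across channels rather than across compilers within a channel.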