WO2018117065A1 - Processing device - Google Patents

Info

Publication number
WO2018117065A1
Authority
WO
WIPO (PCT)
Prior art keywords
fpga
output
signal
output signal
internal logic
Legal status
Ceased
Application number
PCT/JP2017/045420
Other languages
French (fr)
Japanese (ja)
Inventor
貴夫 今澤
雅裕 白石
悟史 西川
知彦 道券
Current Assignee
Hitachi Ltd
Original Assignee
Hitachi Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16 Error detection or correction of the data by redundancy in hardware
    • G06F11/1629 Error detection by comparing the output of redundant processing systems
    • G06F11/1641 Error detection by comparing the output of redundant processing systems where the comparison is not performed by the redundant processing components
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16 Error detection or correction of the data by redundancy in hardware
    • G06F11/18 Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits
    • G06F11/183 Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits by voting, the voting not being performed by the redundant components
    • G06F11/184 Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits by voting, the voting not being performed by the redundant components where the redundant components implement processing functionality

Definitions

  • the present invention relates to a system that requires high reliability.
  • Functional safety is adopted in systems that require high reliability, such as systems that control processes in nuclear power plants and factory plants. Functional safety reduces the risk of system failure by adding a monitoring device or a protection device to the system.
  • hardware that forms part of the system may be multiplexed or diversified. Multiplexing guards against faults such as a failure of a part by providing multiple pieces of hardware with the same function. In diversification, the multiplexed hardware is built from mutually different hardware components.
  • an FPGA (Field Programmable Gate Array)
  • multiplexing and diversification are required for components that carry a core function in each module, such as an FPGA mounted on an input/output device or an arithmetic device.
  • two hardware circuits that perform the same processing on the same input signal and generate the same output signal are provided, and normal operation of the hardware circuits can be confirmed by checking that their output signals match. If an abnormality occurs in either one of the hardware circuits, the output signals of the two hardware circuits no longer match, so the abnormality can be easily detected.
  • a common cause failure may occur in the multiplexed two-system hardware circuit.
  • a common cause failure is the same location in multiple pieces of hardware failing in the same way due to a common cause.
  • the output signals of the two systems show abnormal values in the same way. In that case, the abnormality cannot be detected by monitoring whether the output signals match.
  • one cause of a common cause failure is, for example, a lot defect in parts used in common across multiple pieces of hardware.
  • An object of the present invention is to provide a technique that enables detection even if an abnormality is caused by a common factor failure.
  • a processing apparatus has processing circuits of a plurality of systems that have mutually different hardware configurations, perform the same processing on the same input signal, and generate the same output signal, and an output signal collating unit that collates the output signals of the processing circuits and outputs a collation result.
  • because the processing circuits of the plurality of systems have mutually different hardware configurations, different signals appear in the output signals even if a common cause failure occurs, and the abnormality can be detected by comparing these output signals.
  • FIG. 1 is a diagram illustrating a configuration of an FPGA-mounted module according to the first embodiment. FIG. 2 is a diagram for explaining the case where a common cause failure occurs in the first embodiment.
  • FIG. 3 is a diagram illustrating a configuration of an FPGA-mounted module according to the second embodiment.
  • FIG. 4 is a diagram illustrating a configuration of an FPGA-mounted module according to the third embodiment.
  • FIG. 1 is a diagram illustrating a configuration of an FPGA-mounted module according to the first embodiment.
  • the A system circuit and the B system circuit exist in the FPGA mounted module 3.
  • the A system circuit is provided with an input terminal unit 101, an output terminal unit 102, and an FPGA 1 having an internal logic A 103 and an internal logic B 104.
  • the internal logic A 103 and the internal logic B 104 of the FPGA 1 can be programmed from the outside.
  • the B-system circuit is provided with an FPGA 2 having the same input terminal unit 201 and output terminal unit 202 as the FPGA 1, and the same internal logic A 203 and internal logic B 204.
  • the internal logic A 203 and the internal logic B 204 of the FPGA 2 can be programmed from the outside.
  • System A internal logic A 103 and system B internal logic A 203 are functional units that perform the same processing.
  • the A-system internal logic B 104 and the B-system internal logic B 204 are functional units that perform the same processing.
  • the FPGA-mounted module 3 has an output signal verification unit 8 as a common part separately from the A system circuit and the B system circuit.
  • the output signal collation unit 8 collates the output signals A, B, and C of the FPGA 1 with the output signals A, B, and C of the FPGA 2. If the output signals A, B, C from the A system circuit and the corresponding output signals A, B, C from the B system circuit all match, it can be inferred that the FPGA-mounted module 3 is operating normally. In that case, the output signal collation unit 8 outputs the output signals A, B, and C to the controller 30. If any one of the output signals A, B, and C does not match, the output signal collation unit 8 outputs a predetermined abnormality signal that notifies the occurrence of the abnormality.
  • the internal logic A 103 of the FPGA 1 and the internal logic A 203 of the FPGA 2 perform the same operation.
  • the internal logic B104 of FPGA1 and the internal logic B204 of FPGA2 perform the same operation.
  • FPGA 1 and FPGA 2 perform the same operation.
  • FPGA 1 and FPGA 2 are functional units that perform the same function as described above, but have different hardware configurations. Specifically, the combination of the input signal and the input terminal and the combination of the output signal and the output terminal are different for each system.
  • in FPGA 1, the input terminal PN1 is assigned to the input signal A, the input terminal PN2 to the input signal B, and the input terminal PN3 to the input signal C.
  • in FPGA 2, the input terminal PN2 is assigned to the input signal A, the input terminal PN3 to the input signal B, and the input terminal PN1 to the input signal C.
  • in FPGA 1, the input terminal PN4 is allocated to the output signal A, the input terminal PN5 to the output signal B, and the input terminal PN6 to the output signal C.
  • in FPGA 2, the input terminal PN6 is allocated to the output signal A, the input terminal PN4 to the output signal B, and the input terminal PN5 to the output signal C.
  • FIG. 2 is a diagram for explaining a case where a common factor failure occurs in the first embodiment.
  • the internal logic A 103, 203 is a circuit that performs a predetermined process with the input signal A and the input signal B as inputs and outputs an output signal A.
  • the internal logics B 104 and 204 are circuits that perform predetermined processing with the input signal C as an input, and output the output signal B and the output signal C.
  • the input terminal PN3 has failed as a common cause failure in, for example, FPGA 1 and FPGA 2.
  • the input of the internal logic B 104 becomes abnormal, so the output signals B and C output from the internal logic B 104 become abnormal.
  • the output signal matching unit 8 detects a mismatch between the output signals of the A system circuit and the B system circuit. In that case, the output signal collation unit 8 outputs a predetermined abnormality signal instead of the output signals A, B, and C to the controller 30.
  • the controller 30 executes predetermined process control based on the output signals A, B, and C if no abnormality signal has been received. However, if the abnormality signal is received as described above, the controller 30 executes predetermined abnormality processing without performing the process control.
  • the process control system has a plurality of processing circuits (FPGAs 1 and 2) that have mutually different hardware configurations, perform the same processing on the same input signal, and generate the same output signal, and an output signal collation unit 8 that collates the output signals of the plurality of processing circuits and outputs a collation result. Because the processing circuits have different hardware configurations in this way, different signals appear in the output signals even if a common cause failure occurs, and the abnormality can be detected by comparing these output signals.
  • the output signal matching unit 5 transmits the output signals A, B, and C to the controller 30 if the output signals A, B, and C match, and transmits an abnormality signal indicating an abnormality to the controller 30 if they do not match. If the controller 30 has not received an abnormality signal, it is receiving the output signals A, B, and C, so it executes process control based on them; when it receives the abnormality signal, it executes predetermined abnormality processing without performing process control. Because process control is executed when the output signals of the plurality of processing circuits match and abnormality processing is executed when they do not, highly reliable process control can be realized.
  • the processing circuit is an integrated circuit (FPGA) configured for a specific application, and the processing circuit and the output signal matching unit 8 are configured in one module (FPGA-equipped module 3). Therefore, a module including a plurality of multiplexed processing circuits can be configured such that an abnormality is detected by collating output signals when a common factor failure occurs in the components of the processing circuits. Further, since the processing circuit is an FPGA, a plurality of processing circuits performing the same processing can be easily configured with different hardware configurations.
  • multiple FPGAs have different combinations of input / output signals and input / output terminals.
  • the hardware configuration of the FPGA can be easily changed by changing the combination of the input / output signal and the input / output terminal.
  • a module equipped with a two-system processing circuit is illustrated, but the present invention is not limited thereto, and the present invention can be applied to a module equipped with a plurality of system processing circuits.
  • a module on which a 3-system processing circuit is mounted is illustrated.
  • FIG. 3 is a diagram illustrating a configuration of an FPGA-mounted module according to the second embodiment.
  • in the FPGA-mounted module 3 there are an A system circuit, a B system circuit, and a C system circuit.
  • an FPGA 1 having an input terminal unit 101, an output terminal unit 102, an internal logic C 105, an internal logic D 106, and an internal logic E 107 is provided.
  • the internal logic C 105, internal logic D 106, and internal logic E 107 of the FPGA 1 can be programmed from the outside.
  • the B-system circuit is provided with an FPGA 2 having an input terminal unit 201, an output terminal unit 202, an internal logic C 205, an internal logic D 206, and an internal logic E 207.
  • the internal logic C 205, internal logic D 206, and internal logic E 207 of the FPGA 2 can be programmed from the outside.
  • an FPGA 3 having an input terminal unit 901, an output terminal unit 902, an internal logic C 905, an internal logic D 906, and an internal logic E 907 is provided in the C system circuit.
  • the internal logic C 905, internal logic D 906, and internal logic E 907 of the FPGA 3 can be programmed from the outside.
  • the A system internal logic C 105, the B system internal logic C 205, and the C system internal logic C 905 are functional units that perform the same processing.
  • the A system internal logic D 106, the B system internal logic D 206, and the C system internal logic D 906 are functional units that perform the same processing.
  • the A system internal logic E 107, the B system internal logic E 207, and the C system internal logic E 907 are functional units that perform the same processing.
  • the FPGA-mounted module 3 has an output signal verification unit 8 as a common part separately from the A system circuit, the B system circuit, and the C system circuit.
  • the output signal collation unit 8 collates the output signals A, B, C of the FPGA 1 with the output signals A, B, C of the FPGA 2 and the output signals A, B, C of the FPGA 3.
  • the output signal matching unit 8 outputs the output signals A, B, and C to a controller (not shown). If any one of the output signals A, B, and C does not match, the output signal matching unit 8 outputs a predetermined abnormality signal that notifies the occurrence of the abnormality to the controller.
  • the internal logic C 105 of the FPGA 1 and the internal logic C 205 of the FPGA 2 and the internal logic C 905 of the FPGA 3 perform the same operation.
  • the internal logic D 106 of the FPGA 1 and the internal logic D 206 of the FPGA 2 and the internal logic D 906 of the FPGA 3 perform the same operation.
  • the internal logic E 107 of FPGA 1, the internal logic E 207 of FPGA 2, and the internal logic E 907 of FPGA 3 perform the same operation. And as the whole FPGA, FPGA 1, FPGA 2 and FPGA 3 perform the same operation.
  • FPGA 1, FPGA 2, and FPGA 3 are functional units that perform the same function as described above, but have different hardware configurations. Specifically, the combination of the input signal and the input terminal and the combination of the output signal and the output terminal are different for each system.
  • the input terminal PN1 is allocated to the input signal A
  • the input terminal PN2 is allocated to the input signal B
  • the input terminal PN3 is allocated to the input signal C.
  • the input terminal PN2 is assigned to the input signal A
  • the input terminal PN3 is assigned to the input signal B
  • the input terminal PN1 is assigned to the input signal C.
  • the input terminal PN3 is allocated to the input signal A
  • the input terminal PN1 is allocated to the input signal B
  • the input terminal PN2 is allocated to the input signal C.
  • the input terminal PN4 is assigned to the output signal A
  • the input terminal PN5 is assigned to the output signal B
  • the input terminal PN6 is assigned to the output signal C.
  • the input terminal PN5 is allocated to the output signal A
  • the input terminal PN6 is allocated to the output signal B
  • the input terminal PN4 is allocated to the output signal C.
  • the input terminal PN6 is allocated to the output signal A
  • the input terminal PN4 is allocated to the output signal B
  • the input terminal PN5 is allocated to the output signal C.
  • the internal logic C 105, 205, 905 is a circuit that performs a predetermined process with the input signal A as an input and outputs an output signal A.
  • the internal logic D 106, 206, 906 is a circuit that performs a predetermined process with the input signal B as an input and outputs an output signal B.
  • the internal logics E 107, 207, and 907 are circuits that perform predetermined processing with the input signal C as an input and output an output signal C.
  • the input terminal PN3 has failed as a common cause failure in FPGA 1, FPGA 2, and FPGA 3.
  • the input of the internal logic E 107 becomes abnormal, so the output signal C output from the internal logic E 107 becomes abnormal.
  • the output signal B output from the internal logic D 206 becomes abnormal.
  • the output signal A output from the internal logic C 905 becomes abnormal.
  • the output signal matching unit 8 detects a mismatch between the output signals of the A system circuit, the B system circuit, and the C system circuit.
  • the output signal collation unit 8 outputs a predetermined abnormality signal instead of the output signals A, B, and C to a controller (not shown).
  • the controller executes predetermined process control based on the output signals A, B, and C if no abnormality signal has been received. However, if an abnormality signal is received as described above, the controller executes predetermined abnormality processing without performing process control.
  • the present invention is not limited to this.
  • the third embodiment shows an example in which two FPGAs use different input / output terminals.
  • FIG. 4 is a diagram illustrating a configuration of an FPGA-mounted module according to the third embodiment.
  • the A system circuit and the B system circuit exist in the FPGA mounted module 3.
  • the A system circuit is provided with an input terminal unit 101, an output terminal unit 102, and an FPGA 1 having an internal logic A 103 and an internal logic B 104.
  • the internal logic A 103 and the internal logic B 104 of the FPGA 1 can be programmed from the outside.
  • the B-system circuit is provided with an FPGA 2 having the same input terminal unit 201 and output terminal unit 202 as the FPGA 1, and the same internal logic A 203 and internal logic B 204.
  • the internal logic A 203 and the internal logic B 204 of the FPGA 2 can be programmed from the outside.
  • System A internal logic A 103 and system B internal logic A 203 are functional units that perform the same processing.
  • the A-system internal logic B 104 and the B-system internal logic B 204 are functional units that perform the same processing.
  • the FPGA-mounted module 3 has an output signal verification unit 8 as a common part separately from the A system circuit and the B system circuit.
  • the output signal collation unit 8 collates the output signals A, B, and C of the FPGA 1 with the output signals A, B, and C of the FPGA 2. If the output signals A, B, C from the A system circuit and the corresponding output signals A, B, C from the B system circuit all match, it can be inferred that the FPGA-mounted module 3 is operating normally. In that case, the output signal collation unit 8 outputs the output signals A, B, and C to the controller 30. If any one of the output signals A, B, and C does not match, the output signal collation unit 8 outputs a predetermined abnormality signal that notifies the occurrence of the abnormality.
  • the internal logic A 103 of the FPGA 1 and the internal logic A 203 of the FPGA 2 perform the same operation.
  • the internal logic B104 of FPGA1 and the internal logic B204 of FPGA2 perform the same operation.
  • FPGA 1 and FPGA 2 perform the same operation.
  • FPGA 1 and FPGA 2 are functional units that perform the same function as described above, but have different hardware configurations. Specifically, the two FPGAs 1 and 2 use different input / output terminals. For example, in FPGA 1, the input terminal PN1 is assigned to the input signal A, the input terminal PN2 is assigned to the input signal B, and the input terminal PN3 is assigned to the input signal C. On the other hand, in FPGA 2, the input terminal PN7 is allocated to the input signal A, the input terminal PN8 is allocated to the input signal B, and the input terminal PN9 is allocated to the input signal C.
  • the input terminal PN4 is allocated to the output signal A
  • the input terminal PN5 is allocated to the output signal B
  • the input terminal PN6 is allocated to the output signal C.
  • the input terminal PN10 is allocated to the output signal A
  • the input terminal PN11 is allocated to the output signal B
  • the input terminal PN12 is allocated to the output signal C.
  • the internal logic A 103 and 203 are circuits that perform predetermined processing with the input signal A and the input signal B as inputs and output the output signal A.
  • the internal logics B 104 and 204 are circuits that perform predetermined processing with the input signal C as an input, and output the output signal B and the output signal C.
  • the input terminal PN3 has failed as a common cause failure in FPGA 1 and FPGA 2.
  • the input of the internal logic B 104 becomes abnormal, so the output signals B and C output from the internal logic B 104 become abnormal.
  • the output signal matching unit 8 detects a mismatch between the output signals of the A system circuit and the B system circuit.
  • the output signal collation unit 8 outputs a predetermined abnormality signal instead of the output signals A, B, and C to the controller 30.
  • the controller 30 executes predetermined process control based on the output signals A, B, and C if no abnormality signal has been received. However, if the abnormality signal is received as described above, the controller 30 executes predetermined abnormality processing without performing the process control.
  • the hardware configuration of the FPGA can be easily varied by using different input / output terminals.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Hardware Redundancy (AREA)
  • Logic Circuits (AREA)
  • Safety Devices In Control Systems (AREA)

Abstract

Provided is a technology for enabling detection even when an abnormality is caused by a common cause failure. This processing device has: multiple processing circuit systems that have mutually different hardware configurations, and perform the same process and output the same output signal with respect to the same input signal; and an output signal comparison unit that compares the output signals from the multiple processing circuit systems, and outputs a comparison result. The multiple processing circuit systems have mutually different hardware configurations, so a different signal appears as the output signal even if a common cause failure occurs, and an abnormality can be detected by comparing those output signals.

Description

Processing device

The present invention relates to a system that requires high reliability.

Functional safety is adopted in systems that require high reliability, such as systems that control processes in nuclear power plants and factory plants. Functional safety reduces the risk of system failure by adding a monitoring device or a protection device to the system.

For functional safety, hardware that forms part of the system may, for example, be multiplexed or diversified. Multiplexing guards against faults such as a failure of that part by providing multiple pieces of hardware with the same function. In diversification, the multiplexed hardware is built from mutually different hardware components. For example, an FPGA (Field Programmable Gate Array) may be employed in a process control system (see Patent Documents 1 to 3). In that case, multiplexing and diversification may be required for components that carry a core function in each module, such as an FPGA mounted on an input/output device or an arithmetic device. For example, two systems of hardware circuits that perform the same processing on the same input signal and generate the same output signal are provided, and normal operation of the hardware circuits can be confirmed by checking that their output signals match. If an abnormality occurs in either one of the hardware circuits, the output signals of the two hardware circuits no longer match, so the abnormality can be easily detected.

JP 2012-103866 A
JP 2010-177881 A
JP 2009-212230 A

However, a common cause failure (CCF) may occur in the multiplexed two-system hardware circuits. A common cause failure is the same location in multiple pieces of hardware failing in the same way due to a common cause. When a common cause failure occurs in the two systems at the same time, the output signals of the two systems show abnormal values in the same way. In that case, the abnormality cannot be detected by monitoring whether the output signals match. One cause of a common cause failure is, for example, a lot defect in parts used in common across multiple pieces of hardware.

An object of the present invention is to provide a technique that enables detection even of an abnormality caused by a common cause failure.

A processing apparatus according to one aspect of the present invention has processing circuits of a plurality of systems that have mutually different hardware configurations, perform the same processing on the same input signal, and generate the same output signal, and an output signal collation unit that collates the output signals of the processing circuits of the plurality of systems and outputs a collation result.

According to the present invention, because the processing circuits of the plurality of systems have mutually different hardware configurations, different signals appear in the output signals even if a common cause failure occurs, and the abnormality can be detected by comparing these output signals.

FIG. 1 is a diagram illustrating the configuration of an FPGA-mounted module according to Embodiment 1. FIG. 2 is a diagram for explaining the case where a common cause failure occurs in Embodiment 1. FIG. 3 is a diagram illustrating the configuration of an FPGA-mounted module according to Embodiment 2. FIG. 4 is a diagram illustrating the configuration of an FPGA-mounted module according to Embodiment 3.

Embodiments for carrying out the present invention will be described with reference to the drawings.

FIG. 1 is a diagram illustrating the configuration of an FPGA-mounted module according to Embodiment 1.

An A system circuit and a B system circuit exist in the FPGA-mounted module 3. The A system circuit is provided with an FPGA 1 having an input terminal unit 101, an output terminal unit 102, and internal logic A 103 and internal logic B 104. The internal logic A 103 and the internal logic B 104 of the FPGA 1 can be programmed from the outside. Similarly, the B system circuit is provided with an FPGA 2 having an input terminal unit 201 and an output terminal unit 202 identical to those of the FPGA 1, and identical internal logic A 203 and internal logic B 204. The internal logic A 203 and the internal logic B 204 of the FPGA 2 can be programmed from the outside.

The A-system internal logic A 103 and the B-system internal logic A 203 are functional units that perform the same processing. Likewise, the A-system internal logic B 104 and the B-system internal logic B 204 are functional units that perform the same processing.

The FPGA-mounted module 3 also has an output signal collation unit 8 as a common part, separate from the A system circuit and the B system circuit. The output signal collation unit 8 collates the output signals A, B, and C of the FPGA 1 with the output signals A, B, and C of the FPGA 2. If the output signals A, B, C from the A system circuit and the corresponding output signals A, B, C from the B system circuit all match, it can be inferred that the FPGA-mounted module 3 is operating normally. In that case, the output signal collation unit 8 outputs the output signals A, B, and C to the controller 30. If any one of the output signals A, B, and C does not match, the output signal collation unit 8 outputs a predetermined abnormality signal that notifies the occurrence of the abnormality.

As described above, the internal logic A 103 of the FPGA 1 and the internal logic A 203 of the FPGA 2 perform the same operation. The internal logic B 104 of the FPGA 1 and the internal logic B 204 of the FPGA 2 also perform the same operation. Taken as whole FPGAs, FPGA 1 and FPGA 2 likewise perform the same operation.

In this embodiment, the same signals output from the same sensor 40 are used as the input signal group 4 to the FPGA 1 and the input signal group 5 to the FPGA 2, so unless there is an abnormality such as a failure, the output signal group 6 from the FPGA 1 and the output signal group 7 from the FPGA 2 match completely.

As described above, the FPGA 1 and the FPGA 2 are functional units that perform the same function, but their hardware configurations differ from each other. Specifically, the combinations of input signals and input terminals, and of output signals and output terminals, differ from system to system. For example, in the FPGA 1, the input terminal PN1 is assigned to the input signal A, the input terminal PN2 to the input signal B, and the input terminal PN3 to the input signal C. In the FPGA 2, on the other hand, the input terminal PN2 is assigned to the input signal A, the input terminal PN3 to the input signal B, and the input terminal PN1 to the input signal C. Further, in the FPGA 1, the input terminal PN4 is assigned to the output signal A, the input terminal PN5 to the output signal B, and the input terminal PN6 to the output signal C. In the FPGA 2, on the other hand, the input terminal PN6 is assigned to the output signal A, the input terminal PN4 to the output signal B, and the input terminal PN5 to the output signal C.

FIG. 2 is a diagram for explaining the case where a common cause failure occurs in Embodiment 1. Here, the internal logic A 103, 203 is a circuit that takes the input signal A and the input signal B as inputs, performs predetermined processing, and outputs the output signal A. The internal logic B 104, 204 is a circuit that takes the input signal C as input, performs predetermined processing, and outputs the output signal B and the output signal C.

As shown in FIG. 2, suppose for example that the input terminal PN3 fails in both the FPGA 1 and the FPGA 2 as a common cause failure. In that case, in the A-system circuit, the input of the internal logic B 104 becomes abnormal, so the output signals B and C output from the internal logic B 104 become abnormal. In the B-system circuit, on the other hand, the input of the internal logic A 203 becomes abnormal, so the output signal A output from the internal logic A 203 becomes abnormal. As a result, the output signal collation unit 8 detects a mismatch between the output signals of the A-system circuit and the B-system circuit. In that case, the output signal collation unit 8 outputs to the controller 30 not the output signals A, B, and C but a predetermined abnormality signal. The controller 30 executes predetermined process control based on the output signals A, B, and C as long as it has not received an abnormality signal, but when it receives an abnormality signal as described above, it executes predetermined abnormality processing without performing the process control.

As described above, in this embodiment the process control system has processing circuits of a plurality of systems (FPGAs 1 and 2) that have mutually different hardware configurations, perform the same processing on the same input signals, and generate the same output signals, and an output signal collation unit 8 that collates the output signals of the processing circuits of the plurality of systems and outputs the collation result. Because the processing circuits of the plurality of systems have mutually different hardware configurations, different signals appear in the output signals even when a common cause failure occurs, and the abnormality can be detected by comparing those output signals.

The output signal collation unit 5 transmits the output signals A, B, and C to the controller 30 if the output signals A, B, and C match, and transmits to the controller 30 an abnormality signal indicating an abnormality if the output signals A, B, and C do not match. If the controller 30 has not received an abnormality signal, what it is receiving is the output signals A, B, and C, so it executes process control based on those output signals; if it has received an abnormality signal, it executes predetermined abnormality processing without performing the process control. Because process control is executed when the output signals of the plurality of processing circuits match and abnormality processing is executed when they do not, highly reliable process control can be realized.

In this embodiment, the processing circuit is an integrated circuit configured for a specific application (FPGA), and the processing circuits and the output signal collation unit 8 are configured within one module (the FPGA-mounted module 3). A module containing a plurality of multiplexed processing circuits can therefore be configured so that, when a common cause failure occurs in components of those processing circuits, the abnormality is detected by collating the output signals. In addition, because the processing circuits are FPGAs, a plurality of processing circuits that perform the same processing can easily be configured with different hardware configurations.

The plurality of FPGAs also differ from one another in their combinations of input/output signals and input/output terminals. Changing the combination of input/output signals and input/output terminals makes it easy to give the FPGAs different hardware configurations.

Embodiment 1 illustrated a module carrying processing circuits of two systems, but the present invention is not limited to this and can be applied to a module carrying processing circuits of a plurality of systems. Embodiment 2 illustrates a module carrying processing circuits of three systems.

FIG. 3 is a diagram showing the configuration of the FPGA-mounted module according to Embodiment 2. The FPGA-mounted module 3 contains an A-system circuit, a B-system circuit, and a C-system circuit. The A-system circuit is provided with an FPGA 1 having an input terminal unit 101, an output terminal unit 102, an internal logic C 105, an internal logic D 106, and an internal logic E 107. The internal logic C 105, the internal logic D 106, and the internal logic E 107 of the FPGA 1 can be programmed from the outside. Similarly, the B-system circuit is provided with an FPGA 2 having an input terminal unit 201, an output terminal unit 202, an internal logic C 205, an internal logic D 206, and an internal logic E 207. The internal logic C 205, the internal logic D 206, and the internal logic E 207 of the FPGA 2 can be programmed from the outside. Similarly, the C-system circuit is provided with an FPGA 3 having an input terminal unit 901, an output terminal unit 902, an internal logic C 905, an internal logic D 906, and an internal logic E 907. The internal logic C 905, the internal logic D 906, and the internal logic E 907 of the FPGA 3 can be programmed from the outside.

The A-system internal logic C 105, the B-system internal logic C 205, and the C-system internal logic C 905 are functional units that perform the same processing. The A-system internal logic D 106, the B-system internal logic D 206, and the C-system internal logic D 906 are functional units that perform the same processing. The A-system internal logic E 107, the B-system internal logic E 207, and the C-system internal logic E 907 are functional units that perform the same processing.

The FPGA-mounted module 3 also has an output signal collation unit 8 as a common part, separate from the A-system circuit, the B-system circuit, and the C-system circuit. The output signal collation unit 8 collates the output signals A, B, and C of the FPGA 1, the output signals A, B, and C of the FPGA 2, and the output signals A, B, and C of the FPGA 3. If the output signals A, B, and C from the A-system circuit, the corresponding output signals A, B, and C from the B-system circuit, and the output signals A, B, and C from the C-system circuit all match, it can be presumed that the FPGA-mounted module 3 is operating normally. In that case, the output signal collation unit 8 outputs the output signals A, B, and C to a controller (not shown). If even one of the output signals A, B, and C does not match, the output signal collation unit 8 outputs to the controller a predetermined abnormality signal that gives notice that an abnormality has occurred.

As described above, the internal logic C 105 of the FPGA 1, the internal logic C 205 of the FPGA 2, and the internal logic C 905 of the FPGA 3 perform the same operation. The internal logic D 106 of the FPGA 1, the internal logic D 206 of the FPGA 2, and the internal logic D 906 of the FPGA 3 also perform the same operation. Furthermore, the internal logic E 107 of the FPGA 1, the internal logic E 207 of the FPGA 2, and the internal logic E 907 of the FPGA 3 also perform the same operation. Taken as whole FPGAs, the FPGA 1, the FPGA 2, and the FPGA 3 likewise operate identically.

In this embodiment, it is assumed that the same signals output from the same sensor (not shown) are used as the input signal group 4 to the FPGA 1, the input signal group 5 to the FPGA 2, and the input signal group 10 to the FPGA 3. Therefore, unless there is an abnormality such as a failure, the output signal group 6 from the FPGA 1, the output signal group 7 from the FPGA 2, and the output signal group 11 from the FPGA 3 match completely.

As described above, the FPGA 1, the FPGA 2, and the FPGA 3 are functional units that perform the same function, but their hardware configurations differ from one another. Specifically, the combinations of input signals and input terminals, and of output signals and output terminals, differ from system to system.

For example, in the FPGA 1, the input terminal PN1 is assigned to the input signal A, the input terminal PN2 to the input signal B, and the input terminal PN3 to the input signal C. In the FPGA 2, on the other hand, the input terminal PN2 is assigned to the input signal A, the input terminal PN3 to the input signal B, and the input terminal PN1 to the input signal C. Further, in the FPGA 3, the input terminal PN3 is assigned to the input signal A, the input terminal PN1 to the input signal B, and the input terminal PN2 to the input signal C.

In the FPGA 1, the input terminal PN4 is assigned to the output signal A, the input terminal PN5 to the output signal B, and the input terminal PN6 to the output signal C. In the FPGA 2, on the other hand, the input terminal PN5 is assigned to the output signal A, the input terminal PN6 to the output signal B, and the input terminal PN4 to the output signal C. Further, in the FPGA 3, the input terminal PN6 is assigned to the output signal A, the input terminal PN4 to the output signal B, and the input terminal PN5 to the output signal C.

Here, the internal logic C 105, 205, 905 is a circuit that takes the input signal A as input, performs predetermined processing, and outputs the output signal A. The internal logic D 106, 206, 906 is a circuit that takes the input signal B as input, performs predetermined processing, and outputs the output signal B. The internal logic E 107, 207, 907 is a circuit that takes the input signal C as input, performs predetermined processing, and outputs the output signal C.

Suppose, for example, that the input terminal PN3 fails in the FPGA 1, the FPGA 2, and the FPGA 3 as a common cause failure. In that case, in the A-system circuit, the input of the internal logic E 107 becomes abnormal, so the output signal C output from the internal logic E 107 becomes abnormal. In the B-system circuit, on the other hand, the input of the internal logic D 206 becomes abnormal, so the output signal B output from the internal logic D 206 becomes abnormal. Further, in the C-system circuit, the input of the internal logic C 905 becomes abnormal, so the output signal A output from the internal logic C 905 becomes abnormal.

As a result, the output signal collation unit 8 detects a mismatch among the output signals of the A-system circuit, the B-system circuit, and the C-system circuit. In that case, the output signal collation unit 8 outputs to the controller (not shown) not the output signals A, B, and C but a predetermined abnormality signal. The controller executes predetermined process control based on the output signals A, B, and C as long as it has not received an abnormality signal, but when it receives an abnormality signal as described above, it executes predetermined abnormality processing without performing the process control.

Embodiment 1 showed an example in which the combinations of input/output signals and input/output terminals of the two FPGAs differ from system to system, but the present invention is not limited to this. As another example, Embodiment 3 shows a case in which the two FPGAs each use input/output terminals different from those of the other.

FIG. 4 is a diagram showing the configuration of the FPGA-mounted module according to Embodiment 3.

The FPGA-mounted module 3 contains an A-system circuit and a B-system circuit. The A-system circuit is provided with an FPGA 1 having an input terminal unit 101, an output terminal unit 102, an internal logic A 103, and an internal logic B 104. The internal logic A 103 and the internal logic B 104 of the FPGA 1 can be programmed from the outside. Similarly, the B-system circuit is provided with an FPGA 2 having an input terminal unit 201 and an output terminal unit 202 identical to those of the FPGA 1, and an identical internal logic A 203 and internal logic B 204. The internal logic A 203 and the internal logic B 204 of the FPGA 2 can be programmed from the outside.

The A-system internal logic A 103 and the B-system internal logic A 203 are functional units that perform the same processing. Likewise, the A-system internal logic B 104 and the B-system internal logic B 204 are functional units that perform the same processing.

The FPGA-mounted module 3 also has an output signal collation unit 8 as a common part, separate from the A-system circuit and the B-system circuit. The output signal collation unit 8 collates the output signals A, B, and C of the FPGA 1 with the output signals A, B, and C of the FPGA 2. If the output signals A, B, and C from the A-system circuit all match the corresponding output signals A, B, and C from the B-system circuit, it can be presumed that the FPGA-mounted module 3 is operating normally. In that case, the output signal collation unit 8 outputs the output signals A, B, and C to the controller 30. If even one of the output signals A, B, and C does not match, the output signal collation unit 8 outputs a predetermined abnormality signal that gives notice that an abnormality has occurred.

As described above, the internal logic A 103 of the FPGA 1 and the internal logic A 203 of the FPGA 2 perform the same operation. The internal logic B 104 of the FPGA 1 and the internal logic B 204 of the FPGA 2 also perform the same operation. Taken as whole FPGAs, the FPGA 1 and the FPGA 2 likewise operate identically.

In this embodiment, it is assumed that the same signals output from the same sensor (not shown) are used as the input signal group 4 to the FPGA 1 and the input signal group 5 to the FPGA 2. Therefore, unless there is an abnormality such as a failure, the output signal group 6 from the FPGA 1 and the output signal group 7 from the FPGA 2 match completely.

As described above, the FPGA 1 and the FPGA 2 are functional units that perform the same function, but their hardware configurations differ from each other. Specifically, the two FPGAs 1 and 2 each use input/output terminals different from those of the other. For example, in the FPGA 1, the input terminal PN1 is assigned to the input signal A, the input terminal PN2 to the input signal B, and the input terminal PN3 to the input signal C. In the FPGA 2, on the other hand, the input terminal PN7 is assigned to the input signal A, the input terminal PN8 to the input signal B, and the input terminal PN9 to the input signal C. Further, in the FPGA 1, the input terminal PN4 is assigned to the output signal A, the input terminal PN5 to the output signal B, and the input terminal PN6 to the output signal C. In the FPGA 2, on the other hand, the input terminal PN10 is assigned to the output signal A, the input terminal PN11 to the output signal B, and the input terminal PN12 to the output signal C.

Here, the internal logic A 103, 203 is a circuit that takes the input signal A and the input signal B as inputs, performs predetermined processing, and outputs the output signal A. The internal logic B 104, 204 is a circuit that takes the input signal C as input, performs predetermined processing, and outputs the output signal B and the output signal C.

Suppose, for example, that the input terminal PN3 fails in the FPGA 1 and the FPGA 2 as a common cause failure. In that case, in the A-system circuit, the input of the internal logic B 104 becomes abnormal, so the output signals B and C output from the internal logic B 104 become abnormal. In the B-system circuit, on the other hand, the input terminal PN3 is not used, so no abnormality occurs in the input of either the internal logic A 203 or the internal logic B 204, and no abnormality occurs in the output signal A output from the internal logic A 204 or in the output signals B and C output from the internal logic B 204. As a result, the output signal collation unit 8 detects a mismatch between the output signals of the A-system circuit and the B-system circuit. In that case, the output signal collation unit 8 outputs to the controller 30 not the output signals A, B, and C but a predetermined abnormality signal. The controller 30 executes predetermined process control based on the output signals A, B, and C as long as it has not received an abnormality signal, but when it receives an abnormality signal as described above, it executes predetermined abnormality processing without performing the process control.

As described above, in this embodiment the plurality of FPGAs each use input/output terminals different from those of the others, so using mutually different input/output terminals makes it easy to give the FPGAs different hardware configurations.
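The PN3 fault scenarios of Embodiments 1 to 3 can be replayed in a small simulation. The Python model below is an added example, not part of the patent: the terminal assignments PN1 to PN12 follow the description, while the concrete logic functions, the sensor values, the stuck-at-0 fault model and the identical-mapping baseline `IDENTICAL` are assumptions made for illustration.

```python
"""Toy model: redundant FPGAs with diverse terminal maps and an output collation unit.

Assumed for illustration (not from the patent): the arithmetic in the logic
functions, the sensor values, and a stuck-at-0 model for a failed terminal.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Signals = Dict[str, int]
STUCK = 0                                   # assumed value seen through a failed terminal
SENSOR: Signals = {"A": 3, "B": 5, "C": 7}  # constructed sample input


def pins(a: str, b: str, c: str) -> Dict[str, str]:
    """Terminals assigned to signals A, B and C, in that order."""
    return {"A": a, "B": b, "C": c}


@dataclass
class Fpga:
    name: str
    in_pins: Dict[str, str]    # input signal -> terminal
    out_pins: Dict[str, str]   # output signal -> terminal
    logic: Callable[[Signals], Signals]

    def run(self, sensor: Signals, failed: Iterable[str] = ()) -> Signals:
        bad = set(failed)
        seen = {s: STUCK if self.in_pins[s] in bad else v for s, v in sensor.items()}
        out = self.logic(seen)
        return {s: STUCK if self.out_pins[s] in bad else v for s, v in out.items()}


def logic_ab(x: Signals) -> Signals:
    # Embodiments 1 and 3: logic A uses inputs A, B -> output A; logic B uses input C -> outputs B, C
    return {"A": x["A"] + x["B"], "B": x["C"] + 1, "C": x["C"] * 2}


def logic_cde(x: Signals) -> Signals:
    # Embodiment 2: logic C, D, E each map one input to the same-named output
    return {"A": x["A"] + 1, "B": x["B"] + 2, "C": x["C"] + 3}


def collate(fpgas: List[Fpga], sensor: Signals,
            failed: Iterable[str] = ()) -> Tuple[str, Optional[Signals]]:
    """Output signal collation: forward the outputs only if every system agrees."""
    bad = list(failed)
    results = [f.run(sensor, bad) for f in fpgas]
    if all(r == results[0] for r in results[1:]):
        return "OK", results[0]
    return "ANOMALY", None


def abnormal_outputs(fpga: Fpga, sensor: Signals, failed: Iterable[str]) -> List[str]:
    """Output signals of one FPGA that differ from its fault-free result."""
    good, got = fpga.run(sensor), fpga.run(sensor, failed)
    return sorted(s for s in good if got[s] != good[s])


def undetected(fpgas: List[Fpga], sensor: Signals) -> List[str]:
    """Single-terminal common cause failures that yield wrong outputs yet pass collation."""
    golden = fpgas[0].run(sensor)
    terminals = {p for f in fpgas for p in (*f.in_pins.values(), *f.out_pins.values())}
    missed = []
    for t in sorted(terminals, key=lambda p: int(p[2:])):
        status, out = collate(fpgas, sensor, [t])
        if status == "OK" and out != golden:
            missed.append(t)
    return missed


IN1, OUT1 = pins("PN1", "PN2", "PN3"), pins("PN4", "PN5", "PN6")
EMBODIMENT_1 = [Fpga("FPGA1", IN1, OUT1, logic_ab),
                Fpga("FPGA2", pins("PN2", "PN3", "PN1"), pins("PN6", "PN4", "PN5"), logic_ab)]
EMBODIMENT_2 = [Fpga("FPGA1", IN1, OUT1, logic_cde),
                Fpga("FPGA2", pins("PN2", "PN3", "PN1"), pins("PN5", "PN6", "PN4"), logic_cde),
                Fpga("FPGA3", pins("PN3", "PN1", "PN2"), pins("PN6", "PN4", "PN5"), logic_cde)]
EMBODIMENT_3 = [Fpga("FPGA1", IN1, OUT1, logic_ab),
                Fpga("FPGA2", pins("PN7", "PN8", "PN9"), pins("PN10", "PN11", "PN12"), logic_ab)]
# Assumed baseline without diversity: both systems use FPGA 1's terminal map.
IDENTICAL = [Fpga("FPGA1", IN1, OUT1, logic_ab), Fpga("FPGA2", IN1, OUT1, logic_ab)]

if __name__ == "__main__":
    for label, cfg in [("identical", IDENTICAL), ("embodiment 1", EMBODIMENT_1),
                       ("embodiment 2", EMBODIMENT_2), ("embodiment 3", EMBODIMENT_3)]:
        per_fpga = {f.name: abnormal_outputs(f, SENSOR, ["PN3"]) for f in cfg}
        print(label, "| PN3 failed:", collate(cfg, SENSOR, ["PN3"])[0],
              "| abnormal outputs:", per_fpga,
              "| undetected terminals:", undetected(cfg, SENSOR))
```

With identical terminal maps, a shared terminal failure corrupts the same signal in both systems, so collation passes wrong outputs to the controller; each of the three diverse maps turns the same failure into a mismatch.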

Various embodiments have been described above, but the present invention is not limited to these embodiments alone; within the scope of the technical idea of the present invention, these embodiments may be used in combination, or part of their configuration may be changed.

DESCRIPTION OF SYMBOLS: 1 ... FPGA, 10 ... input signal group, 101 ... input terminal unit, 102 ... output terminal unit, 11 ... output signal group, 2 ... FPGA, 201 ... input terminal unit, 202 ... output terminal unit, 203 ... internal logic A, 204 ... internal logic B, 3 ... FPGA-mounted module, 30 ... controller, 4 ... input signal group, 40 ... sensor, 5 ... output signal collation unit, 5 ... input signal group, 6 ... output signal group, 7 ... output signal group, 8 ... output signal collation unit, 901 ... input terminal unit, 902 ... output terminal unit

Claims (6)

1. A processing device comprising:
processing circuits of a plurality of systems that have mutually different hardware configurations, perform the same processing on the same input signals, and generate the same output signals; and
an output signal collation unit that collates the output signals of the processing circuits of the plurality of systems and outputs a collation result.

2. The processing device according to claim 1, further comprising a controller that executes predetermined control, wherein
the output signal collation unit transmits the output signals to the controller if the output signals match, and transmits to the controller a predetermined abnormality signal indicating an abnormality if the output signals do not match, and
the controller executes the control based on the output signals if it has not received the abnormality signal, and, upon receiving the abnormality signal, executes predetermined abnormality processing without performing the control.

3. The processing device according to claim 1, wherein
the processing circuit is an integrated circuit configured for a specific application, and
the processing circuits and the output signal collation unit are configured within one module.

4. The processing device according to claim 1, wherein the processing circuit is an FPGA.

5. The processing device according to claim 4, wherein the plurality of FPGAs differ from one another in their combinations of input/output signals and input/output terminals.

6. The processing device according to claim 4, wherein the plurality of FPGAs each use input/output terminals different from those of the others.

PCT/JP2017/045420 2016-12-20 2017-12-19 Processing device Ceased WO2018117065A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2016246251A JP2018101241A (en) 2016-12-20 2016-12-20 Processing equipment
JP2016-246251 2016-12-20

Publications (1)

Publication Number Publication Date
WO2018117065A1 true WO2018117065A1 (en) 2018-06-28

Family

ID=60788494

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2017/045420 Ceased WO2018117065A1 (en) 2016-12-20 2017-12-19 Processing device

Country Status (3)

Country Link
JP (1) JP2018101241A (en)
GB (1) GB2558750B (en)
WO (1) WO2018117065A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020090034A1 (en) * 2018-10-31 2020-05-07 株式会社日立製作所 Processing device
CN111331619B (en) * 2020-04-26 2023-08-25 珠海格力电器股份有限公司 Safety control device for robot, control method for robot, and robot
CA3241758A1 (en) * 2022-02-10 2023-08-17 Susumu OKUDA Safety protection system backup device

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH08171581A (en) * 1994-12-16 1996-07-02 Hitachi Ltd Logic circuit with error detection function and fault tolerant system using the same
JP2009522644A (en) * 2005-12-30 2009-06-11 ハネウェル・インターナショナル・インコーポレーテッド Safety system based on reconfigurable logic gate array

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8117512B2 (en) * 2008-02-06 2012-02-14 Westinghouse Electric Company Llc Failure detection and mitigation in logic circuits
JP5590955B2 (en) * 2010-04-26 2014-09-17 ナブテスコ株式会社 Actuator control system
US20110313580A1 (en) * 2010-06-17 2011-12-22 Levgenii Bakhmach Method and platform to implement safety critical systems
AT515341B1 (en) * 2014-01-23 2015-12-15 Bernecker & Rainer Ind Elektronik Gmbh Procedure for checking the execution of software

Also Published As

Publication number Publication date
GB2558750A (en) 2018-07-18
GB2558750B (en) 2019-06-12
GB201718872D0 (en) 2017-12-27
JP2018101241A (en) 2018-06-28

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17882405

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17882405

Country of ref document: EP

Kind code of ref document: A1