The present invention relates to an input-output control apparatus, an input-output control method, a process control apparatus and a process control method. In particular, the present invention relates to a control apparatus aiming at highly reliable control suitable for preventing a plurality of input-output devices from inputting or outputting output values falsely. More specifically, the present invention relates to a control apparatus that has a plurality of input-output areas and that prevents false inputs and outputs in cooperation with software.
In a control computer applied to a control apparatus in a device, it is necessary to provide suitable protection from both the hardware and the software side, so that neither a failure of a component nor a bug in a control program can cause dangerous operation. In particular, access control means for protecting shared resources, such as a memory storing programs and data and input-output devices, from unintended access caused by such a failure or bug is one of the most important functions. As regards implementation of the access control means, there is a known technique that protects a memory region by utilizing an address translation mechanism, so as to prevent a processor from falsely accessing an important region of the memory because of a bug or the like in the control program. According to this technique, only the memory regions that the program is permitted to access are registered in the MMU (Memory Management Unit) incorporated in the processor, and an access to any other region raises exception processing for an access violation; false access to a memory region that should not be accessed in the first place is thereby prevented.
In addition, the memory access protection apparatus of JP-A-6-75861 discloses an example in which access to a predetermined memory region is controlled by monitoring the address output onto a bus.
The elements of the demanded reliability are availability and safety. Availability is important for control of devices; safety is important for device protection. The means of implementing these two elements conflict with each other in many respects.
If an apparatus is divided into a sub-apparatus in charge of availability and a sub-apparatus in charge of safety, not only does the apparatus become complicated, but the duplication or complication of running and maintenance work also lowers the reliability of the human elements in some cases.
For attaining high safety, it is desirable to consider not only false access to shared resources, such as the memory and the input-output devices, from a control task executed in the processor, but also false access to the memory and to other input-output devices caused by a failure or the like in an input-output device itself, and to configure the apparatus so that it can prevent both.
Access control utilizing the address translation function of the MMU is effective against false access from the processor caused by a bug or the like in the control program. Where data is transferred between the memory and the input-output devices without the intervention of the processor, however, access control utilizing the address translation function of the MMU is not sufficient.
In a technique that provides an access control information table and restricts access to specific addresses with an operation mode and a task taken as the unit, an increase in hardware resources or a fall in performance occurs when fine control is exercised over each of several tens of input-output devices in a system.
Supposing that ordinary control and safety control aiming at device protection coexist on the same control computer, a control task corresponding to each mode and the input-output devices corresponding to it are mixedly present in the same computer system. As a matter of course, in this case the access control state for access from the processor to the shared resources must be changed over whenever changeover between the ordinary control mode and the safety control mode is conducted. For a system in which ordinary input-output devices and safety input-output devices are mixedly present, however, false input-output protection with an individual input-output device taken as the unit also becomes necessary.
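As an added illustration (not code from the patent or from any product it describes), the following C model shows the kind of per-device, per-mode access check that the preceding paragraphs call for: every transfer driven by an input-output device onto the bus is checked against an access control table keyed by device and by operation mode, with default deny, so that a transfer from a failed device, or one issued in the wrong mode, is flagged as a violation even though the MMU never sees it. The device names, address windows and bus trace are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Operation modes of the control computer: ordinary control vs. safety control. */
typedef enum { MODE_ORDINARY = 0, MODE_SAFETY = 1, MODE_COUNT = 2 } op_mode_t;

/* One permitted address window for a device: [base, limit) plus a write permission. */
typedef struct {
    uint32_t base;
    uint32_t limit;     /* exclusive upper bound */
    bool     write_ok;  /* false: the device may only read this window */
} region_t;

#define MAX_REGIONS 2
#define MAX_DEVICES 3

/* Access control table entry: permitted windows per operation mode, one entry per device. */
typedef struct {
    const char *name;
    size_t      n_regions[MODE_COUNT];
    region_t    regions[MODE_COUNT][MAX_REGIONS];
} device_entry_t;

/* A transfer observed on the bus: the device driving it, address, length and direction. */
typedef struct {
    unsigned device_id;
    uint32_t addr;
    uint32_t len;
    bool     is_write;
} bus_xfer_t;

typedef enum { ACCESS_OK = 0, ACCESS_VIOLATION = 1 } access_result_t;

/* Constructed sample table (hypothetical devices and addresses, not from the patent). */
static const device_entry_t table[MAX_DEVICES] = {
    { "sensor_dma", { 1, 0 },
      { { { 0x1000, 0x2000, true } },        /* ordinary: may write into one sample buffer */
        { { 0, 0, false } } } },             /* safety: no window at all */
    { "actuator_ctl", { 1, 1 },
      { { { 0x3000, 0x3100, false } },       /* ordinary: read-only setpoint block */
        { { 0x3000, 0x3010, false } } } },   /* safety: narrowed to a small read-only block */
    { "safety_interlock", { 0, 1 },
      { { { 0, 0, false } },                 /* ordinary: not permitted to transfer */
        { { 0x4000, 0x4100, true } } } },    /* safety: may write interlock status */
};

/* Checks one bus transfer against the table for the mode currently in force. */
access_result_t check_access(op_mode_t mode, const bus_xfer_t *x)
{
    if ((unsigned)mode >= MODE_COUNT || x->device_id >= MAX_DEVICES || x->len == 0)
        return ACCESS_VIOLATION;            /* unknown mode/device or empty transfer: deny */
    if (x->addr > UINT32_MAX - x->len)
        return ACCESS_VIOLATION;            /* address arithmetic would wrap: deny */
    uint32_t end = x->addr + x->len;        /* exclusive end of the transfer */

    const device_entry_t *d = &table[x->device_id];
    for (size_t i = 0; i < d->n_regions[mode]; i++) {
        const region_t *r = &d->regions[mode][i];
        /* The whole transfer must lie inside one window; straddling a boundary is denied. */
        if (x->addr >= r->base && end <= r->limit)
            return (x->is_write && !r->write_ok) ? ACCESS_VIOLATION : ACCESS_OK;
    }
    return ACCESS_VIOLATION;                /* default deny: no window covers the transfer */
}

/* Constructed bus trace, each transfer tagged with the mode in force at that moment. */
typedef struct { op_mode_t mode; bus_xfer_t xfer; } traced_xfer_t;

static const traced_xfer_t sample_trace[] = {
    { MODE_ORDINARY, { 0, 0x1000, 0x100, true  } },  /* inside its buffer: ok */
    { MODE_ORDINARY, { 0, 0x1F80, 0x100, true  } },  /* runs past the buffer end: violation */
    { MODE_ORDINARY, { 1, 0x3000, 4,     false } },  /* reads setpoint: ok */
    { MODE_ORDINARY, { 1, 0x3000, 4,     true  } },  /* writes read-only block: violation */
    { MODE_ORDINARY, { 2, 0x4000, 16,    true  } },  /* interlock outside safety mode: violation */
    { MODE_SAFETY,   { 2, 0x4000, 16,    true  } },  /* same transfer after changeover: ok */
    { MODE_SAFETY,   { 0, 0x1000, 0x100, true  } },  /* no window in safety mode: violation */
    { MODE_SAFETY,   { 1, 0x3000, 4,     false } },  /* inside the narrowed block: ok */
    { MODE_SAFETY,   { 1, 0x3020, 4,     false } },  /* outside the narrowed block: violation */
};

/* Runs the trace through the check and returns the number of violations (5 for this trace). */
size_t count_violations(void)
{
    size_t violations = 0;
    size_t n = sizeof sample_trace / sizeof sample_trace[0];
    for (size_t i = 0; i < n; i++)
        if (check_access(sample_trace[i].mode, &sample_trace[i].xfer) == ACCESS_VIOLATION)
            violations++;
    return violations;
}

int main(void)
{
    printf("violations in sample trace: %zu\n", count_violations());
    return 0;
}
```

Two points the model makes concrete: a transfer that merely starts inside a permitted window but runs past its end is denied, since a device fault typically shows up as an over-long transfer rather than a wildly wrong start address; and the mode changeover is expressed as selecting a different row of the same table, so the safety-mode permissions of every device are fixed in advance rather than computed at the moment of changeover.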