This invention relates to processing systems that require a high level of operational safety, in particular the processing systems used in the transportation of people. More specifically, the invention concerns a processing system that has two intrinsically safe computers, providing a suitable level of safety and, in particular by implementing a redundant configuration, good system availability in the event of one of the computers failing.
Applications relating to secured verification/command processing are commonly used in automated transport, such as automatic urban trains. These applications use intrinsically safe computers that are capable of guaranteeing secure operation and detecting operating errors in the processing effected. An example computer is described in EP-A-1 089 175. The computer implements a technique that includes detecting errors by means of a data encoding system and, if necessary, ensuring commands are in a safe position for passengers, which may include stopping the train.
Performing an emergency stop on the train is not good for the passengers or the profitability of the trains. For this reason, the command system must be duplicated to enable it to tolerate faults: computers are organized into pairs so that one can replace the other in the event of a fault. However, this duplication may result in new safety problems. It is possible to imagine a number of scenarios in which the back-up computer does not have a consistent view of the environment and compromises the safety of the command if it takes over.
To prevent inconsistency between two computers, a method is known for ensuring that they receive and process exactly the same data in the same order. However, even if they receive the same inputs, it is still possible that the two computers produce different results, each of which may be safe when taken individually, but which may lead to a more significant fault if the divergence persists.
Equally, a divergence between results may well be a temporary situation that neither poses a serious problem nor requires any safety measures to be taken that may cause a nuisance to traffic.
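The behaviour described above (identical inputs in identical order, tolerance of a short-lived divergence, escalation to a safe command only when the divergence persists) is sketched here as an added simulation; it is not code from the patent or from any cited system. The command law, the input values, the choice to issue the more restrictive of two differing results during a transient divergence, and the latching of the safe state after escalation are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

SAFE_STOP = "STOP"
# Ordering used when the two results differ only transiently: lower = more restrictive (assumption)
RESTRICTIVENESS = {"STOP": 0, "SLOW": 1, "RUN": 2}

def controller(distance: int) -> str:
    """Constructed command law: stop when very close to an obstacle, slow when close."""
    if distance <= 10:
        return "STOP"
    if distance <= 50:
        return "SLOW"
    return "RUN"

def faulty_controller(glitch_cycles: set) -> Callable[[int, int], str]:
    """Wrap the command law so it answers RUN on the given cycles, regardless of input."""
    def run(cycle: int, distance: int) -> str:
        return "RUN" if cycle in glitch_cycles else controller(distance)
    return run

@dataclass
class DuplexComparator:
    """Cycle-by-cycle comparison of the two computers' results."""
    tolerated_cycles: int          # consecutive divergent cycles tolerated before escalating
    divergent_run: int = 0
    latched: bool = False          # once escalated, the safe state is held (assumption)

    def arbitrate(self, out_a: str, out_b: str) -> Tuple[str, str]:
        if self.latched:
            return SAFE_STOP, "latched"
        if out_a == out_b:
            self.divergent_run = 0
            return out_a, "agree"
        self.divergent_run += 1
        if self.divergent_run > self.tolerated_cycles:
            self.latched = True
            return SAFE_STOP, "persistent-divergence"
        # Temporary disagreement: issue the more restrictive command and keep running
        return min(out_a, out_b, key=RESTRICTIVENESS.__getitem__), "transient-divergence"

def run_duplex(inputs: List[int], comp_a, comp_b, tolerated_cycles: int) -> List[Tuple[str, str]]:
    """Feed both computers the same inputs in the same order and arbitrate each cycle."""
    comparator = DuplexComparator(tolerated_cycles)
    return [comparator.arbitrate(comp_a(i, d), comp_b(i, d)) for i, d in enumerate(inputs)]

if __name__ == "__main__":
    inputs = [100, 100, 40, 40, 40, 40, 5]     # constructed distance readings
    healthy = faulty_controller(set())
    for status in run_duplex(inputs, healthy, faulty_controller({2, 3, 4}), 2):
        print(status)
```

A single glitched cycle is absorbed without any safety action, whereas three consecutive glitches exceed the tolerance of two and drive the command to the safe stop, which is then held.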
A redundant processing system is described in the article by D. Essamé, J. Arlat and D. Powell entitled ‘PADRE: a Protocol for Asymmetric Duplex Redundancy’ published in Dependable Computing for Critical Applications (DCCA-7), C. B. Weinstock and J. Rushby, Eds., and Dependable Computing and Fault-Tolerant Systems 12, pp. 229-248, IEEE Computer Society Press, 1999 (Proc. IFIP 7th Working Conf. held in San Jose, Calif., USA, January 1999). This article describes, from a theoretical point of view, an asynchronous system for managing duplex redundancy on the basis of intrinsically safe processing units. In particular, this article introduces the principle of detecting potential contextual inconsistencies between redundant processing units. However, the asynchronism of this management mechanism and the lack of precise information on the way contextual inconsistencies are detected mean that the mechanism described in the article is not entirely applicable to a verification/command system generating secure digital outputs requiring good responsiveness.