Field of the Invention
The present invention relates to a device for validating digital messages, of the type in which the absolute identity and the dynamic state of two digital messages originating from two processing channels in parallel are checked, prior to producing, by means of an output amplifier, an on/off analogue safety signal ensuring the operation of an actuator.
In any system whose malfunction, even a purely hypothetical one, could affect the safety of the persons it serves, it is absolutely vital to organise the system so that, whatever disturbances or deterioration are contemplated, it can guarantee that no situation dangerous either to those persons or to the equipment it controls can ever arise.
For this purpose, the corresponding automatic devices are designed and organised in such a way that any malfunction necessarily places the system either in a state of more restricted operation (the slowing down, or even halting of rolling stock, for example), or in a state of absolute safety (cutting off the power supply, for example).
The fail-safe approach to safety that is widely used in rail transport employs only one processing channel. It cannot be applied to automatic devices based upon digital processing, which on a single channel could guarantee only a level of safety that, while high, is probabilistic rather than absolute.
However, the processing and control power of digital systems is such that they are chosen increasingly often, a choice which makes it necessary to use two processing channels in parallel whose results must be rigorously identical.
For this purpose, use is made of a circuit designed to be fail-safe and which constitutes the decision making or validating component and which performs the intersection function causing the results from the two digital processing channels to converge. After the absolute identity and the dynamic state of the two binary messages originating from the digital processing channels have been checked, the said validating circuit decides to send the corresponding on/off orders to the actuator or actuators of the system.
It should be noted at this point that these messages are recurrent: each consists of a sequence of several bytes transmitted serially and continuously, "bit by bit". In addition, the software of the digital processing channels is organised so that the transmitted messages never contain more than a few successive bits, for example three, at the same binary value, which makes it possible to check their dynamic state. Thus, in the event of a "freezing" of the messages transmitted by the two processing channels, whether simultaneous or not, the system must declare itself defective by switching over automatically to the safety condition. The dynamic check is what covers the simultaneous case: two channels frozen at the same value would still pass the identity check.
In the present state of the art, the first of the two validation functions, namely the identity checking of the messages, necessitates a circuit of the type shown in FIG. 1, comprising, for the two messages X and Y, at least two complementary inverters, two logic AND gates and one logic OR gate, i.e. the disagreement term (X AND NOT Y) OR (NOT X AND Y), an exclusive-OR of the two messages. As to the second validation function, namely the dynamic checking of the messages, this necessitates a circuit of the type shown in FIG. 2, comprising at least three logic AND gates and two fall-time delay devices.
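To make the two validation functions of the preceding paragraphs concrete, the following bit-serial model is an added example and is not code from the patent. It implements the identity check as the XOR disagreement term of FIG. 1 and the dynamic check as a plausible equivalent of FIG. 2: one fall-time delay fed by the message and one by its complement, ANDed together, so that a run longer than the permitted maximum of either value lets a delay expire. The exact gate arrangement of FIG. 2 is not reproduced, the permitted run length of three bits is taken from the text's example, the delays are assumed primed at power-up, the latching of the safe state after a fault and the sample message bytes 0xA5 0x5A are constructed for the example, and all function and class names are the example's own.

```python
"""Bit-serial model of two-channel message validation: identity check (XOR of the
two channels) and dynamic check (fall-time delays tripped by over-long bit runs).
Added example; the gate arrangement is a plausible equivalent of FIG. 2, not a
reproduction of it."""
from typing import List, Optional, Sequence

MAX_RUN = 3  # the text's example: never more than three successive identical bits


def bits_from_bytes(data: bytes) -> List[int]:
    """Serialise bytes MSB-first into the continuous 'bit by bit' stream."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def max_run_length(bits: Sequence[int]) -> int:
    """Longest run of identical consecutive bits. The transmit-side software must
    keep this at or below MAX_RUN, or the dynamic check will (rightly) trip."""
    longest = run = 0
    for i, b in enumerate(bits):
        run = run + 1 if i and b == bits[i - 1] else 1
        longest = max(longest, run)
    return longest


def identity_ok(x: int, y: int) -> bool:
    """FIG. 1 equivalent: (X AND NOT Y) OR (NOT X AND Y), built from two inverters,
    two ANDs and one OR, is the disagreement term; identity holds when it is 0."""
    disagree = (x & (1 - y)) | ((1 - x) & y)
    return disagree == 0


class FallTimeDelay:
    """A rising input is passed at once; a falling input is held high for `hold`
    further bit periods. Assumption: primed at power-up so the model starts
    permissive (a real fail-safe circuit would start in the safe state)."""

    def __init__(self, hold: int) -> None:
        self.hold = hold
        self.remaining = hold

    def step(self, inp: int) -> int:
        if inp:
            self.remaining = self.hold
            return 1
        if self.remaining > 0:
            self.remaining -= 1
            return 1
        return 0


class ChannelDynamics:
    """Dynamic check for one message: a run of more than `max_run` identical bits
    lets the delay fed by the message (run of 0s) or by its complement (run of 1s)
    expire, and the AND of the two delay outputs falls."""

    def __init__(self, max_run: int) -> None:
        self.direct = FallTimeDelay(max_run)
        self.inverted = FallTimeDelay(max_run)

    def step(self, bit: int) -> int:
        return self.direct.step(bit) & self.inverted.step(1 - bit)


def validate(x_bits: Sequence[int], y_bits: Sequence[int], max_run: int = MAX_RUN) -> List[int]:
    """Per-bit actuator enable (1) or safety state (0). The first failed check latches
    the safe state, modelling the system declaring itself defective (assumed latch)."""
    dyn_x, dyn_y = ChannelDynamics(max_run), ChannelDynamics(max_run)
    enable: List[int] = []
    latched = False
    for x, y in zip(x_bits, y_bits):
        ident = identity_ok(x, y)
        dynamic = dyn_x.step(x) & dyn_y.step(y)  # step both, even after a fault
        latched = latched or not (ident and dynamic == 1)
        enable.append(0 if latched else 1)
    return enable


def first_fault(enable: Sequence[int]) -> Optional[int]:
    """Index of the first bit at which the output went to the safe state, or None."""
    return next((i for i, e in enumerate(enable) if e == 0), None)


# Constructed sample message: 0xA5 0x5A has a longest run of 2, within MAX_RUN.
MESSAGE = bits_from_bytes(bytes([0xA5, 0x5A]))


def scenario_identical() -> Optional[int]:
    """Both channels agree and keep toggling: the output never drops."""
    return first_fault(validate(MESSAGE * 2, MESSAGE * 2))


def scenario_divergent() -> Optional[int]:
    """Channel Y disagrees on one bit: the identity check trips at that bit."""
    y = list(MESSAGE)
    y[5] ^= 1
    return first_fault(validate(MESSAGE, y))


def scenario_one_channel_frozen() -> Optional[int]:
    """X freezes at 1 while Y keeps transmitting: identity fails before dynamics."""
    return first_fault(validate(MESSAGE + [1] * 8, MESSAGE + MESSAGE[:8]))


def scenario_common_mode_freeze() -> Optional[int]:
    """Both channels freeze at the same value: identity holds, so only the dynamic
    check catches it, on the fourth identical bit (the run of three was allowed)."""
    frozen = MESSAGE + [0] * 8
    return first_fault(validate(frozen, frozen))
```

The common-mode scenario is the one worth studying: the XOR of FIG. 1 is blind to two channels stuck at the same value, so without the dynamic check a simultaneous freeze would leave the actuator enabled indefinitely. The `max_run_length` helper is the transmit-side counterpart: a message such as 0xF0 (four consecutive 1s) would trip a correctly working validator, so the channel software must never emit it.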
Such circuits appear very simple, but when they are designed to be fail-safe they require a very large number of components, with correspondingly severe crowding, for instance on the surfaces of the printed circuit boards.