1. Field of the Invention
The present invention relates to a dual-channel data processing system for railroad safety purposes having two microcomputers processing the same data, a respective comparator being assigned to each microcomputer for the information to be compared, and the comparators, when the compared information coincides, each emitting a switching command by way of a respective output.
2. Description of the Prior Art
Switching devices employed in railroad safety systems must often assume responsibility for safety. This is true of signaling systems, line devices for train control, and devices on the rail vehicles themselves. For this reason, data processing systems, which are increasingly realized by microcomputers, must operate according to recognized safety principles: given technical faults which may potentially occur, the process, i.e. the railroad to be controlled, must be placed into a state which does not endanger persons. This can be achieved, for example, by following the safety philosophy recognized for many years in the area of railroad safety, in which all signals deemed to be dangerous have a high signal level or an alternating voltage assigned thereto which, given a disruption of the appertaining data processing system, is switched off in all output channels. To this end, however, devices are required which recognize faulty data processing soon enough that the control commands determined by a faulty data processing system do not participate in the control process.
In a known data processing system of the type generally mentioned above, for example in the German published application 2,319,753, in order to increase the reliability of the overall system, a transfer is undertaken, after the occurrence of a fault in a first of two data processing systems, to the other data processing system, which constantly operates in parallel thereto and which is assumed not to have likewise become defective at the same point in time. In these known two-out-of-two systems, which of the two data processing systems supplies a faulty result in the event of a disruption can only be determined at extra expense.
In view of the required safety, it is not possible to limit the response so that only specific system parts of a redundant data processing system are switched off, because no sufficiently safe fault recognition mechanism is provided for this purpose. There would therefore also be no purpose in continuing operations with only one computer perceived to be intact, because that computer, lacking a safe fault recognition system, can endanger persons and property when operating alone.