1. Field of the Invention
The present invention relates to an arrangement for testing computers which are utilized for the control, regulating, or monitoring of processes.
Microcomputer-supported control systems are finding increasing application in areas which are subject to more stringent safety requirements.
Increasingly, these are processes which, for reasons of safety, may not be stopped immediately upon the occurrence of a malfunction, or which, for reasons of availability, will not be stopped. This task is generally solved by employing redundant regulating or control systems having two or more independent operational channels, which fulfill the regulating or control tasks, together with a microcomputer which assumes the switching control, the monitoring and the error locating in the two operational channels.
The safety concept proceeds from the assumption that the computer, as long as it operates faultlessly, will recognize errors in the control channels and, through corrective reaction, can restore the system under its control to a safe condition. However, the functional reliability thereby still depends ultimately upon possible sources of error in the computer itself. Computer malfunctions can be limited in duration (for instance, power supply disruptions, crosstalk) or permanent (for instance, component failure). Typical fault conditions may result from stoppage of the computer (system pulse failure); from the computer running in an endless loop; from data errors, particularly dynamic errors dependent upon predetermined bit combinations; from a defective arithmetic unit, so that commands (for instance, comparisons) can no longer be correctly executed; and from changes in the software, including, in the case of software redundancy, changes caused by defective program memories.
2. Discussion of the Prior Art
Through the utilization of two or more computers (multiprocessor systems) which mutually monitor each other, the functional reliability can be increased, but only at considerable expense, inasmuch as, for the exclusion of system errors, diverse hardware and software are in general required (Dissertation by Knornschild, RTP 1981, Volume 8).
However, for general applications, the condition of the process under control is described not only through logical conditions (for example, switch positions, limit transducers), but also through continuous parameters. This fact further restricts the applicability of a multiprocessor system, because the agreement of several computers cannot be verified by trivial comparisons at the bit pattern level, but only through comprehensive, additional software procedures.
More readily controllable is a single computer, which is more satisfactory from the standpoint of development and manufacturing costs and which, for error protection, is coupled to a control unit. A simple procedure normally used for this purpose is based on the "watchdog" concept, in which the control unit awaits an always uniform report from the computer within a periodic time frame. However, this will generally verify only whether the computer is still operating at all, not whether it is operating properly in its essential functions and correctly executing the commands that are relevant to safety. Watchdog circuits incorporating retriggerable trigger elements will, as a rule, detect only the first two of the above-mentioned error conditions (lack of a life signal). Such an arrangement fails to detect, or detects with inadequate certainty, the remaining potential error conditions. Moreover, in most control circuits of this type a failure of the circuit itself will remain undetected.
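As an added illustration of the limitation just described (not part of the patent text), the following model of a retriggerable watchdog shows that it trips on a missing life signal but stays silent when the computer keeps reporting while its comparison command is defective; the timeout, the safety limit and the sample values are assumed for the example.

```python
"""Model of a retriggerable watchdog and the fault classes it does and does not catch."""
from dataclasses import dataclass

WATCHDOG_TIMEOUT = 3   # assumed: ticks without a life signal before the watchdog trips
LIMIT = 100            # assumed: safety limit for the monitored process parameter


@dataclass
class Watchdog:
    """Retriggerable timer: each life signal reloads it, expiry marks the computer as stopped."""
    timeout: int
    remaining: int = 0
    tripped: bool = False

    def retrigger(self) -> None:
        self.remaining = self.timeout

    def tick(self) -> None:
        self.remaining -= 1
        if self.remaining <= 0:
            self.tripped = True


def healthy_compare(value: int, limit: int) -> bool:
    """Correct limit comparison: request shutdown when the limit is exceeded."""
    return value > limit


def stuck_compare(value: int, limit: int) -> bool:
    """Models a defective arithmetic unit: the comparison always yields 'no shutdown'."""
    return False


def run_channel(samples, compare, stall_at=None, timeout=WATCHDOG_TIMEOUT):
    """Return (watchdog_tripped, unsafe_samples_missed) for one simulated run.

    stall_at: tick index from which the computer stops (halt or endless loop) and
    no longer sends its life signal; None means it keeps running.
    """
    wd = Watchdog(timeout)
    wd.retrigger()
    unsafe_missed = 0
    for t, value in enumerate(samples):
        wd.tick()
        if stall_at is not None and t >= stall_at:
            continue                      # stopped computer: no report reaches the watchdog
        if value > LIMIT and not compare(value, LIMIT):
            unsafe_missed += 1            # limit exceeded but the (defective) compare said nothing
        wd.retrigger()                    # the periodic, always uniform life signal
    return wd.tripped, unsafe_missed
```

A stalled computer is caught by the timer, whereas a computer with a stuck comparison passes the watchdog every period and the unsafe samples go unnoticed.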
Precisely for applications which are relevant to safety, however, in which jeopardy to personnel and systems must be precluded with a maximum of certainty, the detection of these failures is a necessity which can be achieved only by monitoring through additional problem-oriented hardware.