In a redundancy control system used in a control device that monitors and controls, for example, plant or field equipment, in which the processing device performing the data computation of the control device is made redundant, there is a demand for an arrangement whereby failure of the control device itself can be detected without human intervention.
The transmission device that forms part of this control device is the connection interface between the devices making up the redundancy control system. If failure of the control device itself cannot be detected, erroneous data may be accepted as correct data and sent out from the transmission device.
As an arrangement for detecting errors in transmitted data caused by failure of the transmission equipment, external noise and the like, a method is known in which a CRC (Cyclic Redundancy Check) value computation device for error detection generates the CRC value of the entire transmission data and attaches it to that data, so that errors in the transmitted data can be detected by the equipment at the receiving end. An example is disclosed in Japanese Laid-open Patent Application No. H 4-68616 (hereinafter referred to as Patent Reference 1).
Also known is an arrangement for confirming the correctness of the computational data generated by a control device at the transmission end, in which a redundant processing device is duplicated so that high-speed computational processing is possible, and the correctness of the transmitted computational data is ascertained by comparing the computational data between the processing devices: the computational data generated by the processing devices of the respective processing systems is deemed correct if there is complete agreement between these processing devices, and this comparison is performed without restriction to hardware synchronization. An example is disclosed in Published Japanese Patent No. 4137387 (hereinafter referred to as Patent Reference 2).
However, in the transmitted-data error detection arrangement using a CRC computation device as disclosed in Patent Reference 1, in the case of a redundant processing device using a duplicated system, even if the processing device of one system has failed, the relationship between the computational data sent from the processing device to the transmission device and the attached CRC encoded data remains correct so long as either of the processing devices that generate the computational data is healthy.
In this case, although the receiving end can detect transmission errors that occur while the transmission data is in transit from the transmission device at the transmitting end, it cannot confirm that both processing devices of the redundant processing device are working correctly. It therefore cannot distinguish whether the computational data passed from the processing device to the transmission device at the transmitting end was transmitted as the result of a successful comparison between the processing devices of the two systems of the redundant processing device, or whether it is merely data computed by the processing device of one system alone and passed on directly without being verified by comparison.
Consequently, if the processing device of one system had failed and the comparison processing section had also failed, with the processing device unable to identify this itself, the problem arose that, because the relationship between the computational data and the CRC encoded data was still correct, the receiving end could not distinguish whether or not the computational data sent from the processing device to the transmission device had been verified by confirmation of coincidence between the two processing systems of the redundant processing device.
According to an aspect of the present technology, an object is to provide a redundancy control system, and a method of transmitting computational data in it, whereby, for computational data transmitted through the transmission device from a redundant processing device, transmission errors are detected at the receiving end, means are provided at the receiving end for confirming the encoded data of each processing system of the redundant processing device, and thereby errors generated in the redundant processing device can be detected and fault diagnosis performed for each redundant system.
In order to achieve the above object, a redundancy control system according to claim 1 of the present invention is constructed as follows. Specifically, there is provided:
A redundancy control system comprising a redundant processing device of the comparison redundancy type, which compares first computational data of a first processing device and second computational data of a second processing device, the two processing devices receiving the same control data and executing the same computational processing in parallel, and which returns the coincident computational data, wherein:
aforementioned first processing device generates aforementioned first computational data in accordance with aforementioned control data and generates first generated data in respect of aforementioned first computational data using a preset first generation algorithm for error detection on response;
aforementioned second processing device generates aforementioned second computational data in accordance with aforementioned control data and generates second generated data in respect of aforementioned second computational data using a preset second generation algorithm for error detection on response; and, in addition,
the system comprises a control device comprising: aforementioned redundant processing device, in which aforementioned first processing device compares aforementioned first computational data and aforementioned second computational data and outputs the coincident aforementioned computational data together with aforementioned first generated data/second generated data; and a first transmission device that receives transmission data including aforementioned computational data and aforementioned first generated data/second generated data from aforementioned redundant processing device and sends it to the transmission source of aforementioned control data; and
a receiving device comprising: a second transmission device that transmits aforementioned control data to aforementioned first transmission device and receives aforementioned transmission data from aforementioned first transmission device; and a third processing device that generates third generated data/fourth generated data from the received aforementioned computational data using the preset aforementioned first generation algorithm/aforementioned second generation algorithm respectively, and identifies the presence of an error in the received computational data, and the presence of failure of aforementioned first processing device or aforementioned second processing device, by comparing the received aforementioned first generated data with aforementioned third generated data and the received aforementioned second generated data with aforementioned fourth generated data;
characterized in that the presence of error in the received computational data is identified using the generation algorithm of each processing device that generates computational data.
In order to achieve the above object, in the redundancy control system according to claim 3 of the present invention, in claim 1, in aforementioned redundant processing device, aforementioned first processing device additionally creates first signature data in respect of aforementioned control data by encryption processing using a first signature algorithm of a preset common-key (symmetric-key) cryptosystem; aforementioned second processing device additionally creates second signature data in respect of aforementioned control data by encryption processing using a second signature algorithm of a preset common-key cryptosystem;
aforementioned first processing device additionally returns to aforementioned first transmission device aforementioned transmission data including aforementioned first signature data/second signature data;
and aforementioned first transmission device additionally receives from aforementioned redundant processing device aforementioned transmission data including aforementioned computational data, aforementioned first generated data/second generated data and aforementioned first signature data/second signature data and sends this to the transmission source of aforementioned control data;
and aforementioned third processing device is additionally arranged to perform decryption processing on the received aforementioned first signature data and aforementioned second signature data, using the preset aforementioned first signature algorithm and aforementioned second signature algorithm respectively, so as to authenticate and identify the received aforementioned first signature data as having been generated by aforementioned first processing device and the received aforementioned second signature data as having been generated by aforementioned second processing device.
In order to achieve the above object, a redundancy control system according to claim 5 of the present invention comprises a redundant processing device of the comparison redundancy type, which compares first computational data of a first processing device and second computational data of a second processing device, the two processing devices receiving the same control data and executing the same computational processing in parallel, and which returns the coincident computational data, wherein:
aforementioned first processing device generates aforementioned first computational data in accordance with aforementioned control data and generates first generated data using a first generation algorithm for error detection on response in respect of aforementioned first computational data;
aforementioned second processing device generates aforementioned second computational data in accordance with aforementioned control data and generates second generated data using a second generation algorithm for error detection on response in respect of aforementioned second computational data, and, in addition,
the system comprises a control device comprising: aforementioned redundant processing device, in which aforementioned first processing device compares aforementioned first computational data and aforementioned second computational data and, if coincidence is found, outputs aforementioned first computational data/second computational data and aforementioned first generated data/second generated data; and a first transmission device that receives transmission data including aforementioned first computational data/second computational data and aforementioned first generated data/second generated data from aforementioned redundant processing device and sends it to the transmission source of aforementioned control data; and
a receiving device that comprises a second transmission device that transmits aforementioned control data to aforementioned first transmission device and that receives aforementioned transmission data from aforementioned first transmission device; and
a third processing device that generates fifth generated data from the received aforementioned first computational data using the preset aforementioned first generation algorithm and generates sixth generated data from the received aforementioned second computational data using the preset aforementioned second generation algorithm, detects the presence of an error in the received first computational data and second computational data by comparing aforementioned first generated data with aforementioned fifth generated data and aforementioned second generated data with aforementioned sixth generated data, and detects the presence of failure by comparing the received first computational data and second computational data;
and is characterized in that the presence or absence of error in each of the received first computational data/second computational data is identified by performing the comparison of the first computational data and second computational data in parallel at the sending end and the receiving end.
In order to achieve the above object, a method according to claim 6 of the present invention of transmission of computational data in a redundancy control system comprising a control device that compares first computational data of a first processing device and second computational data of a second processing device that receive the same control data and execute the same computational processing in parallel, and that returns coincident computational data, and a receiving device that receives this computational data, comprising:
in aforementioned control device, in aforementioned first processing device, a step of generating aforementioned first computational data in accordance with aforementioned control data and generating first generated data using a first preset generation algorithm for error detection on response in respect of aforementioned first computational data;
in aforementioned second processing device, a step of generating aforementioned second computational data in accordance with aforementioned control data and generating second generated data using a second preset generation algorithm for error detection on response in respect of aforementioned second computational data;
in aforementioned first processing device and aforementioned second processing device, a step of mutually comparing aforementioned first computational data and aforementioned second computational data and mutually exchanging the comparison result;
in aforementioned first processing device, a step of confirming coincidence of the comparison results of aforementioned first computational data and aforementioned second computational data and transmitting transmission data including coincident aforementioned computational data, aforementioned first generated data and aforementioned second generated data;
in aforementioned receiving device, a step of receiving aforementioned transmission data, and generating third generated data and fourth generated data from aforementioned computational data and the preset aforementioned first generation algorithm and aforementioned second generation algorithm;
a step of comparing aforementioned first generated data with aforementioned third generated data and aforementioned second generated data with aforementioned fourth generated data, to detect error in the received aforementioned computational data; and
characterized in that the presence or absence of an error of received computational data is identified using a generation algorithm for each processing device that generates computational data.
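The detection path of claims 1 and 6, together with the blind spot of the single-CRC arrangement described for Patent Reference 1, as an added example that is not part of the original application. The page names no concrete generation algorithms, transport or frame layout; this model assumes CRC-32 (zlib.crc32) as the first generation algorithm, Adler-32 (zlib.adler32) as the second, a byte-wise XOR standing in for the shared computational processing, a Python dict as the transmission data, and constructed control data. The function names processing_device, control_device, receiving_device and receiver_single_crc are illustrative, not from the page.

```python
import zlib

# Generation algorithm for error detection, one per processing system
# (assumed: the page names no specific algorithms; they only need to differ).
GEN_ALG = {1: zlib.crc32, 2: zlib.adler32}


def compute(control_data: bytes) -> bytes:
    """The computational processing both systems execute in parallel
    (assumed: a byte-wise transform standing in for real control logic)."""
    return bytes(b ^ 0x5A for b in control_data)


def processing_device(system: int, control_data: bytes, faulty: bool = False):
    """One processing system: returns (computational data, generated data).
    faulty=True injects a single-bit error into this system's result, the
    constructed failure the redundancy is meant to catch."""
    data = compute(control_data)
    if faulty:
        data = data[:-1] + bytes([data[-1] ^ 0x01])
    # Each system attaches generated data computed over its own result.
    return data, GEN_ALG[system](data)


def control_device(control_data: bytes, fault_in=None, comparison_bypassed=False):
    """Redundant processing device plus first transmission device.
    Normal path: the two systems compare their results and transmission data
    is sent only on coincidence. comparison_bypassed models the failure of the
    background section: the comparison section has failed and system 1's
    result goes out unverified, with whatever system 2 produced attached."""
    d1, g1 = processing_device(1, control_data, faulty=(fault_in == 1))
    d2, g2 = processing_device(2, control_data, faulty=(fault_in == 2))
    if not comparison_bypassed and d1 != d2:
        return None  # no coincidence: nothing is transmitted
    return {"data": d1, "g1": g1, "g2": g2}


def receiving_device(frame: dict) -> dict:
    """Third processing device: regenerate third/fourth generated data from the
    received computational data with each system's algorithm and compare them
    with the received first/second generated data."""
    g3 = GEN_ALG[1](frame["data"])
    g4 = GEN_ALG[2](frame["data"])
    system1_ok = frame["g1"] == g3
    system2_ok = frame["g2"] == g4
    if system1_ok and system2_ok:
        status = "verified"  # both systems' generated data match the data sent
    elif system1_ok or system2_ok:
        status = "redundant system failure"  # the two systems did not agree
    else:
        status = "transmission error"  # data corrupted in transit
    return {"system1_ok": system1_ok, "system2_ok": system2_ok, "status": status}


def receiver_single_crc(frame: dict) -> bool:
    """The arrangement of Patent Reference 1: a single CRC over the transmitted
    data. It says nothing about whether the inter-system comparison happened."""
    return frame["g1"] == GEN_ALG[1](frame["data"])


if __name__ == "__main__":
    ctl = bytes.fromhex("0102030405")  # constructed control data
    print(receiving_device(control_device(ctl)))
    print(control_device(ctl, fault_in=1))  # None: caught at the sending end
    bad = control_device(ctl, fault_in=2, comparison_bypassed=True)
    print(receiver_single_crc(bad))  # True: the single CRC accepts it
    print(receiving_device(bad))  # system2_ok False: the failure is exposed
```

Which status the receiving end reports depends on which fields disagree: corruption of the computational data in transit invalidates both generated data, while disagreement between the two systems invalidates only one. The mismatching field identifies which system's result differs from the data actually sent, not which system computed correctly, and a transit error that hits only one generated-data field is indistinguishable at this layer from a failure of that system. That is why the claims speak of detecting failure of the first or second processing device rather than attributing it to one.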
In order to achieve the above object, a method according to claim 7 of the present invention of transmission of computational data in a redundancy control system comprising a control device that compares first computational data of a first processing device and second computational data of a second processing device that receive the same control data and execute the same computational processing in parallel, and that returns coincident computational data, and a receiving device that receives this computational data, comprising:
in aforementioned control device, in aforementioned first processing device, a step of generating aforementioned first computational data in accordance with aforementioned control data and generating first generated data using a first preset generation algorithm for error detection on response in respect of aforementioned first computational data;
in addition, a step of generating first signature data in respect of aforementioned first computational data, using a preset first signature algorithm;
in aforementioned second processing device, a step of generating aforementioned second computational data in accordance with aforementioned control data and generating second generated data using a second preset generation algorithm for error detection on response in respect of aforementioned second computational data;
in addition, a step of generating second signature data in respect of aforementioned second computational data, using a preset second signature algorithm; in aforementioned first processing device and aforementioned second processing device, a step of mutually comparing aforementioned first computational data and aforementioned second computational data, mutually exchanging the comparison result, and sending aforementioned second generated data to aforementioned first processing device;
in aforementioned first processing device, a step of confirming coincidence of the comparison results of aforementioned first computational data and aforementioned second computational data and transmitting transmission data including this computational data, aforementioned first generated data, aforementioned second generated data and aforementioned first signature data/aforementioned second signature data;
in aforementioned receiving device, a step of receiving aforementioned transmission data, and generating third generated data and fourth generated data from aforementioned computational data and the preset aforementioned first generation algorithm and aforementioned second generation algorithm;
a step of comparing aforementioned first generated data and aforementioned third generated data and aforementioned second generated data and aforementioned fourth generated data, to detect error in received aforementioned computational data;
a step of, in addition, generating respectively third signature data and fourth signature data, using the preset aforementioned first signature algorithm and aforementioned second signature algorithm, from aforementioned computational data; and
a step of independently comparing aforementioned first signature data and aforementioned third signature data, and aforementioned second signature data and aforementioned fourth signature data, to perform authentication and identification as to whether or not the received computational data is data from the preset processing device; characterized in that
error identification of the received computational data and authentication and identification of the device that generated the computational data are thereby performed.
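The signature extension of claims 3 and 7, as an added example not taken from the application. The page specifies only that signature data is produced per processing system by encryption processing under a preset common-key (symmetric-key) signature algorithm and is regenerated and compared at the receiving end; this model uses HMAC-SHA-256 with a distinct key per system in that role, which is the standard construction for what a symmetric-key signature provides, and computes the signature over the computational data as in claim 7. CRC-32 and Adler-32 as the two generation algorithms, the key values, the frame layout, and the two failure scenarios (a dead second system whose output the first system fabricates, and a link-level modification with recomputed CRCs) are all assumptions of this example.

```python
import hashlib
import hmac
import zlib

GEN_ALG = {1: zlib.crc32, 2: zlib.adler32}  # assumed generation algorithms
# Per-system keys of the common-key cryptosystem (constructed values; each key
# is assumed to be held only by its processing device and the receiving device).
SIG_KEY = {1: b"constructed-key-for-system-1", 2: b"constructed-key-for-system-2"}


def compute(control_data: bytes) -> bytes:
    """Shared computational processing (assumed byte-wise transform)."""
    return bytes(b ^ 0x5A for b in control_data)


def signature(system: int, data: bytes) -> bytes:
    """Signature data of one processing system, modeled as an HMAC under that
    system's key. Only a holder of SIG_KEY[system] can produce it."""
    return hmac.new(SIG_KEY[system], data, hashlib.sha256).digest()


def control_device(control_data: bytes, system2_alive: bool = True) -> dict:
    """First processing device assembling the transmission data after the
    coincidence check (assumed already passed, as in claim 7). If system 2 is
    dead, system 1 can still produce g2 by running the second generation
    algorithm itself, but it holds no key for system 2 and falls back to its own."""
    d = compute(control_data)
    frame = {"data": d, "g1": GEN_ALG[1](d), "g2": GEN_ALG[2](d), "s1": signature(1, d)}
    frame["s2"] = signature(2, d) if system2_alive else signature(1, d)
    return frame


def tamper_in_transit(frame: dict) -> dict:
    """Constructed link-level modification: flip a data bit and recompute both
    generated data. A CRC carries no secret, so this is trivial on the link."""
    d = frame["data"][:-1] + bytes([frame["data"][-1] ^ 0x80])
    return {**frame, "data": d, "g1": GEN_ALG[1](d), "g2": GEN_ALG[2](d)}


def receiving_device(frame: dict) -> dict:
    """Third processing device: regenerate third/fourth generated data and
    third/fourth signature data from the received computational data, and
    compare each with the received value (constant-time for the signatures)."""
    d = frame["data"]
    return {
        "system1_ok": frame["g1"] == GEN_ALG[1](d),
        "system2_ok": frame["g2"] == GEN_ALG[2](d),
        "from_system1": hmac.compare_digest(frame["s1"], signature(1, d)),
        "from_system2": hmac.compare_digest(frame["s2"], signature(2, d)),
    }


def accepted(frame: dict) -> bool:
    """The computational data is acted on only if every check passes."""
    return all(receiving_device(frame).values())


if __name__ == "__main__":
    ctl = b"\x10\x20\x30\x40"  # constructed control data
    print(receiving_device(control_device(ctl)))
    print(receiving_device(control_device(ctl, system2_alive=False)))
    print(receiving_device(tamper_in_transit(control_device(ctl))))
```

The second case is the one the generation algorithm alone cannot catch: both CRC checks pass because the generated data were recomputed over the transmitted data, but the second signature fails because only a holder of system 2's key can produce it. The third case shows why the generation algorithm is an error detection mechanism and not an authentication one: anyone on the link can recompute a CRC, but not a keyed signature. Note that a symmetric-key signature is a message authentication code: it identifies the originating processing device only if each key is confined to that device and the receiving device, and it gives no non-repudiation toward a third party.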
In order to achieve the above object, a method according to claim 8 of the present invention of transmission of computational data in a redundancy control system comprising a control device that compares first computational data of a first processing device and second computational data of a second processing device that receive the same control data and execute the same computational processing in parallel, and that returns coincident computational data, and a receiving device that receives this computational data, comprises:
in aforementioned control device, in aforementioned first processing device, a step of generating aforementioned first computational data in accordance with aforementioned control data and generating first generated data using a first preset generation algorithm for error detection on response in respect of aforementioned first computational data;
in aforementioned second processing device, a step of generating aforementioned second computational data in accordance with aforementioned control data and generating second generated data using a second preset generation algorithm for error detection on response in respect of aforementioned second computational data;
in aforementioned first processing device and aforementioned second processing device, a step of mutually comparing aforementioned first computational data and aforementioned second computational data and mutually exchanging the comparison result; in aforementioned first processing device, a step of confirming coincidence of the comparison results of aforementioned first computational data and aforementioned second computational data and transmitting transmission data including this first computational data and aforementioned second computational data, aforementioned first generated data and aforementioned second generated data;
in aforementioned receiving device, a step of receiving aforementioned transmission data, and generating fifth generated data from aforementioned first computational data and the preset aforementioned first generation algorithm;
a step of receiving aforementioned transmission data, and generating sixth generated data from aforementioned second computational data and the preset aforementioned second generation algorithm; and
a step of comparing aforementioned first generated data with aforementioned fifth generated data and aforementioned second generated data with aforementioned sixth generated data, to detect error in the received aforementioned first computational data and aforementioned second computational data, and of comparing the received aforementioned first computational data and aforementioned second computational data; characterized in that detection of the presence or absence of error in each of the received first computational data/second computational data and comparison of the first computational data and second computational data are thus effected in parallel at the transmitting end and the receiving end.
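The variant of claims 5 and 8, in which both systems' computational data travel in the transmission data and the receiving end repeats the comparison, as an added example that is not from the application. Same assumptions as before: CRC-32 and Adler-32 as the two generation algorithms, a byte-wise transform as the shared computation, a dict as the transmission data and constructed control data; the comparison_failed flag models a sending-end comparison section that reports coincidence falsely.

```python
import zlib

GEN_ALG = {1: zlib.crc32, 2: zlib.adler32}  # assumed generation algorithms


def compute(control_data: bytes) -> bytes:
    """Shared computational processing (assumed byte-wise transform)."""
    return bytes(b ^ 0x5A for b in control_data)


def processing_device(system: int, control_data: bytes, faulty: bool = False):
    """One processing system: (computational data, generated data over it).
    faulty=True injects a single-bit error into this system's result."""
    data = compute(control_data)
    if faulty:
        data = data[:-1] + bytes([data[-1] ^ 0x01])
    return data, GEN_ALG[system](data)


def control_device(control_data: bytes, fault_in=None, comparison_failed=False):
    """First processing device: confirm coincidence, then transmit both systems'
    computational data with both generated data. comparison_failed models a
    comparison section that reports coincidence although the data differ."""
    d1, g1 = processing_device(1, control_data, faulty=(fault_in == 1))
    d2, g2 = processing_device(2, control_data, faulty=(fault_in == 2))
    if d1 != d2 and not comparison_failed:
        return None  # no coincidence: nothing is transmitted
    return {"d1": d1, "g1": g1, "d2": d2, "g2": g2}


def receiving_device(frame: dict) -> dict:
    """Third processing device: fifth/sixth generated data are regenerated from
    the received first/second computational data and compared with the received
    first/second generated data, and the two computational data are compared
    again here, in parallel with the sending end."""
    d1_ok = frame["g1"] == GEN_ALG[1](frame["d1"])  # first vs fifth generated data
    d2_ok = frame["g2"] == GEN_ALG[2](frame["d2"])  # second vs sixth generated data
    coincide = frame["d1"] == frame["d2"]
    if not (d1_ok and d2_ok):
        status = "transmission error"  # a system's data or generated data changed in transit
    elif not coincide:
        status = "redundant systems disagree"  # the sending-end comparison failed
    else:
        status = "verified"
    return {"d1_ok": d1_ok, "d2_ok": d2_ok, "coincide": coincide, "status": status,
            "accepted_data": frame["d1"] if status == "verified" else None}


if __name__ == "__main__":
    ctl = bytes(range(8))  # constructed control data
    print(receiving_device(control_device(ctl)))
    print(control_device(ctl, fault_in=2))  # None: caught at the sending end
    print(receiving_device(control_device(ctl, fault_in=2, comparison_failed=True)))
    hit = control_device(ctl)
    hit["d1"] = bytes([hit["d1"][0] ^ 0x80]) + hit["d1"][1:]  # constructed transit error
    print(receiving_device(hit))
```

Compared with the arrangement of claim 1, carrying both computational data lets the receiving end separate a transit error in one system's data (its generated data fail to match) from a sending-end comparison that wrongly reported coincidence (both generated data match but the data differ), at the cost of transmitting the computational data twice.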
Thus, with the present invention, a redundancy control system and a method of transmitting its computational data can be provided in which, for computational data transmitted through a transmission device from a redundant processing device, transmission errors are detected at the receiving end, and errors in the computational data generated by each redundant system of the redundant processing device can be detected and failure diagnosis performed for each redundant system.