This invention relates to an Inherently Fail-Safe processing or control apparatus having a first processing unit with
a first processor and a memory containing a predetermined data processing and/or control program;
at least one input port for input data received from at least one remote unit;
at least one output port for output data to be transmitted to at least one remote unit under the control of said first processing unit.
At present, even railway systems are controlled by computer-based control apparatuses.
This arrangement provides considerable system logic-related advantages. The system logic is reproduced by a set of algorithms and particularly by a set of Boolean equations. The states of the various yard elements, such as signals, switches, track circuits, etc., are handled in the form of Boolean variables, from which the computer determines the state that said elements shall take in view of a train arrival or a new condition. The new states are also provided as Boolean variables, to be transmitted as digital data to the local actuators of the different yard elements; these actuators convert the received variables into corresponding control signals for the elements they drive.
This computation task requires some processing power, but it does not actually require a dedicated hardware construction of the processing unit. Hence, advantages would result from the use of processing units consisting of commercial, non application-specific hardware.
Nevertheless, the use of commercial hardware is currently not recommended for central control units of railway systems, which require Inherent Fail-Safe levels in determining vital controls.
The problem is similarly encountered in control devices of operating units, such as digital graphic subsystems, which replace the well-known panels or in data input subsystems, such as keyboards or in the control of other operating units that require the use of dedicated processing units.
In all the above cases, there are two problem levels. First, the output of the control unit must be safely forced to a safety state whenever a processing fault occurs in any unit involved in generating the control data output. Second, the currently available extra-fast processors have a cache which may store the input data of processing cycles that occurred before the running cycle, whereby, as a result of random or systematic faults, the microprocessor processing units may generate output control data from input data belonging to past, obsolete cycles, with serious consequences.
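The two problem levels above can be illustrated with a small control cycle for a single signal, written here as an added example rather than as anything taken from the patent: one Boolean equation of the system logic decides the signal aspect, the cycle forces the restrictive aspect whenever the logic evaluation faults, and input data whose cycle counter is not newer than the last accepted set is refused so that data left over from an earlier cycle is never used. The cycle-counter field stamped by the input port, the yard-element names and the aspect names are assumptions for the illustration.

```python
"""Added illustration of the two problem levels: forced safe state on a
processing fault, and rejection of input data from an obsolete cycle.
The cycle counter, element names and aspect names are assumptions and
are not taken from the patent."""
from dataclasses import dataclass
from typing import Callable, Tuple

SAFE_ASPECT = "STOP"        # restrictive aspect used as the safety state (assumed)
PROCEED_ASPECT = "PROCEED"  # permissive aspect (assumed)


@dataclass(frozen=True)
class YardInputs:
    """Boolean states of the yard elements feeding one signal (constructed)."""
    cycle: int            # counter stamped on the data by the input port (assumed)
    track_occupied: bool  # track circuit reports a train in the section
    switch_normal: bool   # switch lies in the normal (through) position
    switch_locked: bool   # switch is locked in that position


def signal_equation(inp: YardInputs) -> str:
    """One Boolean equation of the system logic: a proceed aspect may be
    shown only if the section is clear and the switch is set and locked
    in the normal position."""
    proceed = (not inp.track_occupied) and inp.switch_normal and inp.switch_locked
    return PROCEED_ASPECT if proceed else SAFE_ASPECT


class ControlCycle:
    """Runs the logic once per cycle and guards both failure modes."""

    def __init__(self, logic: Callable[[YardInputs], str] = signal_equation):
        self.logic = logic
        self.last_cycle = -1  # counter of the most recent accepted input set

    def run(self, inp: YardInputs) -> Tuple[str, str]:
        """Return (output aspect, reason). The aspect is SAFE_ASPECT unless
        the inputs are fresh and the logic completed without a fault."""
        # Second problem level: data belonging to a cycle already processed
        # (a cached or replayed input set) must not drive the output.
        if inp.cycle <= self.last_cycle:
            return SAFE_ASPECT, "stale-input"
        self.last_cycle = inp.cycle
        # First problem level: any processing fault forces the safe state.
        try:
            return self.logic(inp), "ok"
        except Exception:
            return SAFE_ASPECT, "processing-fault"


def faulty_logic(inp: YardInputs) -> str:
    """Stand-in for a unit whose evaluation faults (constructed for the demo)."""
    raise RuntimeError("simulated processing fault")


if __name__ == "__main__":
    ctl = ControlCycle()
    print(ctl.run(YardInputs(0, False, True, True)))  # fresh, clear section
    print(ctl.run(YardInputs(1, True, True, True)))   # fresh, section occupied
    print(ctl.run(YardInputs(1, False, True, True)))  # replay of cycle 1: refused
    print(ControlCycle(faulty_logic).run(YardInputs(0, False, True, True)))
```

The output is always the restrictive aspect unless both checks pass, so a stale input set or a faulting evaluation cannot produce a permissive aspect.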
The invention is intended to provide an Inherently Fail-Safe control apparatus that may use non Fail-Safe, low-cost and high-power hardware to execute all system logic-related calculations, i.e. to determine the system control data from input data, while ensuring Inherently Fail-Safe execution of vital functions.