The invention relates to a method and system for reliable monitoring of clock rates in a redundant system with at least two clock signals. In particular, the method and system use existing components and tolerate slight deviations in clock rates.
German Patent 38 32 800 C2 describes an arrangement for reliable monitoring, by means of signal technology, of a dual-channel reliable computer against missing or drifting clock signals in one direction. In each computer channel the inverted clock signals are monitored for antivalence by a dual-channel control element. As soon as it has been determined that the clock signals for the dual-channel computer are no longer antivalent, a switch is triggered that interrupts at least the supply voltage for the computer's output port. For this purpose, a special relay arrangement is provided, which ensures that the switch is only closed for the supply voltage of the computer channels when the clock signals are error-free.
The described arrangement has the disadvantage that the relay circuit needed for implementing it is complex and therefore expensive, and requires a considerable amount of space. Another disadvantage is that in the event of a phase shift between the clock signals by 180 degrees only, there is no more antivalence of the clock signals, so that the output ports are switched off. Such a small drift of the clock signal sources can usually only be prevented using a disproportionate amount of technical resources, especially in the case of extended operation. In addition, such a small drift of the clock signal sources is insignificant for the proper operation of the dual-channel computer, so that shutoff would not be necessary for such a small deviation over a long operating period.
German Patent 36 25 318 C2 describes an arrangement for reliable monitoring of two clock signals using signal technology, in which the clock signals are offset in time with respect to each other, and they each trigger a monoflop assigned to them. The output signals of the monoflops are sent to a reliable antivalence comparator using signal technology, and the output signal of the comparator is in turn monitored by a reliable RS memory using signal technology. The output signal of the RS memory controls a switch element that can turn off the power or signal flow.
In this case too there is the disadvantage that even a phase difference of 180 degrees in the two monitored clock signals causes the power flow or the signal flow to be turned off. Such a small deviation in the two clock signals, especially over a relatively long period of operation, can only be prevented with a large effort, and usually only results in a small delay, but not in an error that would justify a shutoff.
European Patent Application 742 498 A2 describes a method for taking into consideration a single-channel program code in a dual-channel reliability-oriented system structure. The single-channel program code is called in one channel of the dual-channel reliability-oriented system structure, and at the same time a monitoring function is started in both channels. Both monitoring functions include a cross-comparison of data or results, where the result or the regular running of the single-channel program code is checked in both channels, independently of one another, by reading the process status in each. If it is then established that the process states in the two channels differ, an error response is triggered. This method has the disadvantage that only the regular running of programs can be monitored. No clock signal monitoring is provided.
European Patent Application 742 499 A2 describes a method for reliable processing of reliability-oriented process signals. For this purpose, the process signals to be monitored are sent independently to at least two computers that are also independent of one another, forming two monitoring channels. Then the process signals are subjected to input processing in which the computers perform a cross-comparison of results and data. The output signals resulting from the input signal processing are interpreted in the monitoring channels, and results and data are cross-compared. The process-status-dependent signals are then generated. Finally, these signals are subjected to output signal processing, in which the results and data are cross-compared again. The signals thus obtained are used for redundant triggering of reliability-relevant process parameters. This method has the disadvantage that, while it is well-suited for monitoring parameters generated in a process, it does not allow a clock signal to be monitored.
It is known from DIN V VDE 0801/01.90, “Grundsätze für Rechner in Systemen mit Sicherheitsaufgaben” [Principles for computers in systems performing reliability functions], Attachment point B.2.1.6.2, that in a reliable system the clock must also be monitored. For this purpose, the publication proposes that a “watchdog” circuit having a separate time base be used, or, in a multichannel system, mutual monitoring be performed. It is not disclosed in this publication which method and which circuit are used to perform mutual monitoring.
The present invention is thus a method and a circuit arrangement to perform the method, whereby reliable monitoring of the clock rates of at least two clock signals is possible. Existing modules should preferably be used to form the circuit arrangement. Furthermore, slight deviations of the clock rates, which do not result in malfunction, must be tolerated by the system.
Accordingly, the invention is a method for reliable monitoring of clock rates in a redundant multichannel system having independent clock signal generators for generating clock signals that are compared to one another, including the steps of supplying the clock signals from at least two channels to corresponding independent counters, counting the clock signals in the independent counters using the clock rates, and reading the independent counters with at least two processors operating substantially synchronously over time. The method also includes exchanging the counter readings between the at least two processors via an interface, comparing in one processor at least one counter reading exchanged via the interface with a local counter reading of the processor, and performing an error handling procedure if a result of the comparison exceeds a pre-selected tolerance in one of a difference and a quotient computed between the at least one exchanged counter reading and the local counter reading.
In a different embodiment, the invention is a circuit arrangement for reliable monitoring of clock rates in a redundant multichannel system having independent clock signal generators for generating clock signals in each channel of the system, where each channel includes a processor for receiving the clock signal from the corresponding independent clock signal generator, a counter bidirectionally connected to the processor, and an interface bidirectionally connected to the processor and to additional processors of other channels.
The invention is based on the theory that an excessive number of error shutdowns of a dual-channel system occur in practice due to differing clock rates. In particular, during long periods of operation over several days, even slight phase differences between the independent clock generator units may add up and cause an error shutdown due to different clock rates. This is, however, undesirable, since such a slight difference between the two clock generator units only results in a slight delay in the range of a few clock periods, but usually does not result in unreliable operation.
According to the present invention, to determine that the two clock rates are identical, a first processor causes a counter to count with a first clock signal supplied to this processor. Using the second clock signal supplied to it, the second processor also causes a counter to count. The readings of the counters are stored in defined time intervals by the at least two processors in a memory that is common to all processors. Subsequently, each processor loads the reading of the other processors and compares it with its own reading. If it is established that the two readings are within a tolerance range, one of the counter readings is used as a reference for all other counters, and the other readings are adjusted to become equal to this reference reading. Further monitoring of the processors will then be based on this reference value for the respective counter. If a counter reading is outside the tolerance range, an error is triggered on both channels.
According to the invention, a distinction can be advantageously made between a slight deviation between the clock generator units which can be tolerated, and a difference in the clock rates that endangers the reliability of the operation. Furthermore, a slight deviation in the clock rates is compensated for, so that the deviations cannot add up and become larger over the duration of the operation. Thus the deviation between the clock generator units can be qualitatively evaluated.
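The cross-comparison and resynchronisation described above, as an added illustration that is not code from the patent: a C simulation of two channels whose counters are compared once per monitoring interval. It assumes the difference criterion rather than the quotient, takes channel A's reading as the reference, and expresses clock rates as ticks per interval; all names and numbers are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* One channel: a counter driven by that channel's own clock generator. */
struct channel {
    uint32_t counter;            /* local counter reading */
    uint32_t ticks_per_interval; /* constructed clock rate */
};

/* Compare a local reading with one exchanged over the interface. */
static int within_tolerance(uint32_t local, uint32_t remote, uint32_t tol)
{
    uint32_t diff = local > remote ? local - remote : remote - local;
    return diff <= tol;
}

/*
 * Run `intervals` monitoring cycles. Returns the 1-based cycle in which
 * error handling is triggered, or 0 if the channels stayed within tolerance.
 * With resync != 0, channel B is adjusted to channel A's reading (the
 * assumed reference) after each successful comparison, so a tolerated
 * deviation cannot add up over the duration of operation.
 * Counter wrap-around is not modelled; the sample runs stay far below 2^32.
 */
int run_monitor(uint32_t rate_a, uint32_t rate_b, uint32_t tol,
                int intervals, int resync)
{
    struct channel a = {0, rate_a}, b = {0, rate_b};

    for (int i = 1; i <= intervals; i++) {
        a.counter += a.ticks_per_interval;
        b.counter += b.ticks_per_interval;
        /* Each processor checks the other's reading against its own. */
        if (!within_tolerance(a.counter, b.counter, tol) ||
            !within_tolerance(b.counter, a.counter, tol))
            return i;            /* error is raised on both channels */
        if (resync)
            b.counter = a.counter;
    }
    return 0;
}

int main(void)
{
    printf("slight drift, resync:    %d\n", run_monitor(1000, 1001, 5, 100000, 1));
    printf("slight drift, no resync: %d\n", run_monitor(1000, 1001, 5, 100000, 0));
    printf("large deviation:         %d\n", run_monitor(1000, 1010, 5, 100000, 1));
    return 0;
}
```

The second run shows the accumulation problem the description attributes to long periods of operation: the same one-tick drift that is harmless with resynchronisation exceeds the tolerance after a few intervals without it.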