The present invention relates to information processing systems, and particularly to an arrangement for verifying the vital (fail-safe) operation of a larger information processing system.
An appreciation of the larger system can be gained by reference to co-pending applications Ser. Nos. 267,218 and 267,214, assigned to the assignee of the present invention, the details of the disclosures of which are incorporated herein by reference. In particular, FIG. 10 of application Ser. No. 267,214 depicts the larger system in block form.
The invention is especially suitable for use in railway signalling and control systems which must be vital in their operation, that is, restricted to the safe or "off" state of each output which controls a signal, switch machine, or other signalling or control operation, unless the allowed or "on" condition thereof is enabled.
The present invention is an improvement in vital processing systems using a computer or central processing unit which, per se, is non-vital in its operation; for example, a microprocessor-controlled interlocking control system for the control of traffic control devices. Such a system is described in an article by David B. Rutherford, Jr., entitled "Fail-Safe Microprocessor Interlocking--An Application of Numerically Integrated Safety Assurance Logic", published in the proceedings of the Institution of Railway Signal Engineers (IRSE), Sept. 25-27, 1984. That system is described in greater detail in U.S. patent application Ser. No. 550,693 filed in the name of David B. Rutherford, Jr. on Nov. 10, 1983 and entitled "Vital Processor", now U.S. Pat. No. 4,831,521. That system is also described in U.S. patent application Ser. No. 550,430 filed in the name of James R. Hoelscher on Nov. 10, 1983 and entitled "Vital Interface System for Railway Signalling", now U.S. Pat. No. 4,611,291 issued Sept. 9, 1986. Both of these applications are assigned to the same assignee as the present application.
Reference may also be made to U.S. Pat. No. 4,740,972 to David B. Rutherford, entitled "Vital Processing System Adapted for the Continuous Verification of Vital Outputs from a Railway Signalling and Control System", which is also assigned to the same assignee as the present application.
In U.S. Pat. No. 4,740,972, the function of a vital relay driver as part of a vital processing system is thoroughly disclosed and it will be understood that the device of the present invention, namely a vital power controller (VPC), is similar to the function of a vital relay driver--namely to receive and validate checkwords produced by another processor performing a vital system function. As long as the checkwords are correct and received within a designated time, the vital relay driver or vital power controller provides vital power to the system outputs. However, whenever an incorrect checkword is received, or no checkword has been received within a designated time, the vital power controller stops producing vital power, thereby disabling the system outputs.
All of the above-cited references contain disclosures which aid in understanding the concepts of the present invention, and they describe in great detail certain common components or features. Accordingly, the details of such disclosures are incorporated herein by reference.
Although a vital power controller or VPC performs the same function as a vital relay driver, it does so in a more cost-effective manner. In a VPC, the vital power is produced by a DC-to-DC converter which requires a vital high-frequency drive signal to produce the vital power output. This high-frequency signal is derived from circuitry which receives its power from the amplified and filtered VPC output signal.
A known arrangement of the sort just described is depicted in FIG. 1 of the drawing. Therein it will be seen that a DC-to-DC converter 16 and its associated drive circuitry function as the vital power amplifier, which serves to amplify a low power DC voltage signal from passive analog circuitry 14, also appearing in FIG. 1.
A significant drawback is that in previous VPC designs there has been a loss of power whenever a bad checkword, from any source, has been received, or when no checkword has been received within a designated time period. Accordingly, although these techniques of the prior art ensure safety, the resulting system is very susceptible to noise. If any noise enters the system at any point in the process by which the checkwords are created and communicated, there is the possibility that the noise will interfere with normal checkword production; hence, the VPC will cease producing vital power, which may in turn result in a complete system reset.
Accordingly, the primary object of the present invention is to overcome the above-noted significant drawback of previous vital power controller constructions and to ensure that a measure of forgiveness is introduced into the VPC in the event that noise generated in the system produces spurious or faulty checkwords.
Thus, it is provided that as long as valid checkwords are regularly received and occasional bad checkwords or missing checkwords are encountered only at or below a selected rate, vital power will continue to be furnished. However, if there are indeed hardware failures, these will be rapidly detected by the VPC because such failures will result in the creation of repeated bad checkwords at a rate much higher than that tolerated by the VPC.
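The tolerance policy just described can be illustrated with a small simulation. The following Python monitor is an added illustration, not the circuit of the present invention nor code from the assignee: the checkword function, the sliding-window length, the bad-checkword threshold and the "noise" and "hardware fault" slot patterns are all constructed assumptions. It shows the two behaviours the text requires: isolated bad or missing checkwords at or below the selected rate leave vital power on, whereas a sustained run of bad checkwords (as a hardware failure produces) removes power within a few cycles, and the monitor latches off rather than re-enabling itself.

```python
"""Rate-tolerant checkword monitor for a vital power controller (VPC).

Added illustration only: the patent describes the policy in prose, not code.
The checkword function, window length and threshold below are constructed
assumptions, not values taken from the patent.
"""
import zlib
from collections import deque
from typing import List, Optional

# Constructed: a shared secret mixed into each checkword. In a real vital
# system the checkword is produced by the vital processor's own algorithm.
_KEY = b"constructed-vpc-key"


def expected_checkword(cycle: int) -> int:
    """Checkword the VPC expects for a given cycle (constructed 16-bit value)."""
    return zlib.crc32(cycle.to_bytes(4, "big") + _KEY) & 0xFFFF


class VpcMonitor:
    """Decides, per checkword slot, whether vital power stays on.

    The VPC keeps a sliding window of the last `window` slots. A slot is bad
    when the checkword is wrong or absent (None: nothing arrived within the
    designated time). Power is removed when more than `max_bad` slots in the
    window are bad, and it stays off until an external restart: the fail-safe
    direction is always towards the de-energised state.
    """

    def __init__(self, window: int = 20, max_bad: int = 3) -> None:
        self.window = window
        self.max_bad = max_bad
        self.history: deque = deque(maxlen=window)
        self.power_on = True

    def bad_count(self) -> int:
        """Number of bad or missing checkwords in the current window."""
        return sum(self.history)

    def step(self, checkword: Optional[int], expected: int) -> bool:
        """Record one slot and return whether vital power is on after it."""
        if not self.power_on:
            return False  # latched off; never re-enabled from inside the monitor
        bad = checkword is None or checkword != expected
        self.history.append(1 if bad else 0)
        if self.bad_count() > self.max_bad:
            self.power_on = False
        return self.power_on


def run(pattern: List[str], window: int = 20, max_bad: int = 3) -> List[bool]:
    """Feed a slot pattern ('ok', 'bad', 'miss') through a fresh monitor.

    Returns the power state after each slot.
    """
    monitor = VpcMonitor(window, max_bad)
    states = []
    for cycle, kind in enumerate(pattern):
        expected = expected_checkword(cycle)
        if kind == "ok":
            received = expected
        elif kind == "bad":
            received = expected ^ 0x0001  # noise flipped one bit in transit
        else:
            received = None  # nothing arrived within the designated time
        states.append(monitor.step(received, expected))
    return states


def noisy_but_healthy(slots: int = 60) -> List[bool]:
    """One corrupted checkword in every ten: below the tolerated rate."""
    return run(["bad" if i % 10 == 9 else "ok" for i in range(slots)])


def hardware_fault(slots: int = 60) -> List[bool]:
    """Five good checkwords, then every checkword wrong: a real failure."""
    return run(["ok"] * 5 + ["bad"] * (slots - 5))


def first_power_loss(states: List[bool]) -> Optional[int]:
    """Index of the first slot after which power was off, or None."""
    for i, on in enumerate(states):
        if not on:
            return i
    return None


if __name__ == "__main__":
    print("noise only, power lost at slot:", first_power_loss(noisy_but_healthy()))
    print("hardware fault, power lost at slot:", first_power_loss(hardware_fault()))
```

With the constructed window of 20 slots and a threshold of 3 bad slots, one corrupted checkword in ten never removes power, while an all-bad stream removes it at the fourth bad slot. The two design points worth carrying into a real VPC are that the forgiveness is bounded by a fixed window and count (so noise tolerance never becomes indefinite tolerance of a failed checkword source), and that the off state latches, so the monitor can only ever move the output in the safe direction.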