1. Field
The disclosed concept pertains generally to vital outputs and, more particularly, to apparatus that output a number of vital outputs for a processor. The disclosed concept also pertains to systems and methods that output a number of vital outputs for a processor.
2. Background Information
Many known control systems operate from a main controlling central processing unit (CPU), which communicates to distributed input/output (I/O) points on either a serial or a parallel bus configuration. In safety critical control systems, diagnostics can be applied by the controlling CPU to each distributed I/O point to ensure data integrity and safe system operation.
Known modem control equipment can respond to momentary stimulus or pulsed control energy. A non-limiting example of such control equipment for the railroad industry is a pneumatic switch machine. Until recently, control energy in vital systems was required to never be falsely energized for more than one second. More recently, it is required that vital control outputs never fail in an energized state.
It is known to provide diagnostics on an I/O board for a system CPU. For example, the I/O board employs an “echo register”. On each session that the system CPU has with the I/O board, several steps occur. First, the I/O board's echo register is read. The echo register is a register that gets written to on every read or write to the I/O board regardless of what register is being accessed. This register complements the last data read or written and holds the complemented data. On the next access, the echo register is read first and the complemented data from the last access is expected. This ensures data integrity.
As another example, the I/O board employs a “type register”. On each session the system CPU has with the I/O board, the I/O board's type register is read. The type register is a fixed number assigned to each type of board. The system CPU knows what boards are installed and their address, and expects to see those boards in the system each time it needs to access them.
As a further example, the I/O board employs output diagnostics. For example, diverse voltage sources and diverse resistor dividers form specific voltages on first inputs to comparator amplifiers. For example, 0.75 VDC (for a 12 VDC system (or 1.5 VDC for a 24 VDC system) is the level below which a vital output is guaranteed to be off. After separate diverse voltage dividers are switched into the set of comparators on their other inputs, the comparators are checked to ensure proper operation and that they properly indicate an on state or off state. Then, the actual outputs are switched through the comparators to measure them as being on or off. Next, each output is toggled by the system CPU to ensure that they all remain dynamic and are not stuck on or off. These diagnostics toggle two outputs at a time and are performed about every 100 ms. Given system loading and the inherent delay of dropping a vital cut off relay (VCOR) coil, there is a small possibility for an output to be in a falsely energized state for up to about one second. This one second criteria arose from the fact that traditional railroad switch machines would not or could not attempt to move their points in one second or less. Also, traditional cab signal equipment would not respond to code changes in less than one second; hence, a falsely energized output for less than one second was accepted.
It is believed that it is not feasible to ensure that vital control outputs never fail in an energized state by implementing changes to known diagnostics of safety critical control systems. For example, it is believed that the logistics of implementing a hypothetical retrofit program to the known diagnostics of safety critical control systems are not feasible or are impossible in view of the potential lack of the available processing power of the controlling CPU. For example, if some form of a hypothetical new diagnostic were to be applied to a system from a system executive standpoint (e.g., software changes), then current processor timing and system loading might prove too much for the additional diagnostic tasks.
There is room for improvement in apparatus for outputting a vital output for a processor.
There is also room for improvement in systems and methods for outputting a vital output for a processor.