1. Field of the Invention:
This invention relates to a vital, i.e. fail-safe, digital control system responsive to the application of sequentially produced keyboard instructions to establish a particular output configuration based on the keyboard instructions, which finds particular, but not exclusive, utility in the environment of a modern rail transit system.
2. Description of the Prior Art:
Modern rail transit systems employ cycle checking and diversity safety design techniques to protect against unsafe conditions. Cycle checking involves the continuous testing of a device, circuit, or computer instruction to ensure that it is completely functional. Diversity, on the other hand, involves the use of two or more independent channels to produce a permissive output, in which the channels are selected so that a single disruptive event cannot cause identical failures in all of the channels, and all channels must agree before a permissive output is accepted. These safety design techniques are directed to the promotion of fail-safe, or "vital", operation, in which any failures which occur tend to result in a condition which is no more dangerous than (or conversely at least as safe as) if an equipment failure had not occurred.
In my U.S. Pat. No. 4,090,173, cross-referenced above, is disclosed a vital digital communication system wherein the digital logic, whether implemented using hard-wired logic, or microprocessor technology, is checked by vital circuits before an output is allowed, thereby protecting against erroneous operation of the system. To that end, this prior system employs an encoder and a decoder arranged to communicate via a vocabulary of predetermined messages, each formed by a pair of digital complementary words separated by framing bits of a predetermined bit pattern, with the predetermined messages being repetitively generated and applied by the encoder to the decoder.
In one embodiment of my prior vital digital communication system, the decoder employs a microprocessor which is arranged to decode each message and then to sequence through a number of check procedures to determine proper microprocessor operation. These checking procedures include generating a predetermined bit pattern at the output ports of the microprocessor and then delivering this output bit pattern to the microprocessor input ports through a buffer in such a way that the output bit position is shifted to the left one bit upon application to the input ports. The predetermined bit pattern is cycled through the microprocessor until it reaches its initial position, whereupon the presence of the bit pattern and its initial position and the number of cycles required to achieve this condition are used to produce a Port Test word to be used in the checking procedure. The Port Test word is then arithmetically combined with a modified version of the received message word, with the result used to address a look-up table stored in memory to obtain a further quantity which is again added to the previous result. This final result, evidenced as a checkword, is a predetermined bit pattern. Since it is not stored in the microprocessor, it can only be generated by correct microprocessor operation, or a highly unlikely sequence of failures. The thusly produced checkword is then applied to external logic to determine the presence thereof, with such determination resulting in the production of a validation signal, which then enables the activation of particular outputs, according to the instruction defined by the input message.
The above previously disclosed communication system is thusly seen to employ repetitive input messaging, with checking procedures in which the microprocessor outputs are continuously manipulated to validate system operation.
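The check sequence described above can be simulated in a few lines of C. This is an added illustration, not code from the patent: the 8-bit port width, the 0x01 start pattern, the XOR used to form the Port Test word, the complement used as the "modified" message, the message vocabulary, and the expected checkword 0xA5 are all assumptions chosen for the simulation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EXPECTED 0xA5u  /* constructed value; known only to the external checker */
static const uint8_t VOCAB[] = {0x12, 0x34, 0x56};  /* constructed message vocabulary */
static uint8_t table[256];

/* Loopback buffer: output bit i returns on input bit i+1 (rotate left by one).
   stuck_mask simulates input lines stuck at 0. */
static uint8_t loopback(uint8_t out, uint8_t stuck_mask) {
    return (uint8_t)(((out << 1) | (out >> 7)) & (uint8_t)~stuck_mask);
}

/* Cycle the pattern until it is back at its start, then fold the final
   pattern and the cycle count into the Port Test word (assumed: XOR). */
static uint8_t port_test(uint8_t stuck_mask) {
    const uint8_t start = 0x01;
    uint8_t p = start, cycles = 0;
    do { p = loopback(p, stuck_mask); cycles++; } while (p != start && cycles < 16);
    return (uint8_t)(p ^ cycles);  /* healthy port: 0x01 ^ 8 = 0x09 */
}

/* Stands in for the ROM table: valid indices hold the value that completes
   the sum to EXPECTED; every other entry makes the sum miss by one. */
static void build_table(void) {
    for (int i = 0; i < 256; i++) table[i] = (uint8_t)(EXPECTED - i + 1);
    for (size_t k = 0; k < sizeof VOCAB; k++) {
        uint8_t idx = (uint8_t)(0x09 + (uint8_t)~VOCAB[k]);
        table[idx] = (uint8_t)(EXPECTED - idx);
    }
}

/* Port Test word + modified message (assumed: complement) -> table index;
   the table entry is added to that result to give the checkword. */
static uint8_t checkword(uint8_t msg, uint8_t stuck_mask) {
    build_table();
    uint8_t idx = (uint8_t)(port_test(stuck_mask) + (uint8_t)~msg);
    return (uint8_t)(idx + table[idx]);
}

/* External logic: outputs are enabled only when the checkword is present. */
static int validated(uint8_t cw) { return cw == EXPECTED; }

int main(void) {
    printf("healthy, valid msg:   %d\n", validated(checkword(0x34, 0x00)));
    printf("stuck input line:     %d\n", validated(checkword(0x34, 0x10)));
    printf("msg outside vocab:    %d\n", validated(checkword(0x35, 0x00)));
    return 0;
}
```

A stuck input line changes the cycle count and final pattern, which moves the table index off a valid entry, so the checkword never appears and the external logic withholds validation.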
However, this prior digital communication system does not specifically address an application where literally hundreds of relays are to be operated by manually entered keyboard instructions. In such a situation, prolonged delays may occur between successive keyboard instructions, or between the sequential pressing of keyboard keys in the programming of a particular instruction, so that the system must be capable of reliably verifying valid operation under various operating conditions, including a standby condition in which no keyboard instructions are generated. Additionally, the continuous manipulation of all the microprocessor inputs and/or outputs during the checking procedure can become quite burdensome in an application where literally hundreds of bits of information are continuously being evaluated. In that event, the software and hardware requirements of the system may become prohibitive, not to mention the cycling time delays experienced in processing all the data to verify valid system operation.