JP4613019B2 - Computer system - Google Patents

Description

  The present invention relates to a computer system including a computer and a watchdog timer circuit for monitoring the operation of the computer.

  In a computer system, it is necessary to stop the execution of a control program when an abnormality such as, for example, a process does not end within a predetermined time due to a malfunction of a computer control program or the like. For this reason, conventionally, a watchdog timer circuit (hereinafter referred to as a WDT circuit) for monitoring the operation of a computer is provided (see, for example, Patent Document 1).

FIG. 5 is a block diagram of such a conventional computer system.
Here, when the control program is normally executed, the computer (microcomputer in this example) 1 outputs a timer reset signal at a preset period T0 to reset the WDT circuit 2. . For this reason, the CPU reset signal is not output from the WDT circuit 2 to the computer 1.

  On the other hand, when the computer 1 detects any abnormality during execution of the control program, the computer 1 stops supplying the timer reset signal to the WDT circuit 2. The WDT circuit 2 times up when the timer reset signal is not supplied at a predetermined period T0, and outputs a CPU reset signal to the computer 1. When the CPU reset signal from the WDT circuit 2 is input, the computer 1 generates an interrupt in the program, clears various registers and I / O port data in the CPU, and returns to the initial state. The predetermined period T0 is determined in advance so as to be equal to or longer than the time required for the abnormality detection step of the control program of the computer 1 to be repeated a predetermined number of times.

Japanese Patent No. 2695775

  By the way, for example, in a computer system used for an automatic train control device for railway vehicles, air traffic control, and the like, fail-safe is always required from the viewpoint of ensuring safety.

  The conventional computer system shown in FIG. 5 has the advantage that the computer operation can be monitored by providing the computer 1 with the WDT circuit 2, but this is dealt with when an abnormality occurs in the WDT circuit 2 itself. And cannot fully meet the above fail-safe requirements.

  That is, in the case of the computer system having the conventional configuration shown in FIG. 5, even if the WDT circuit 2 has already failed at the time of starting the system, the computer 1 itself cannot recognize it and execute the control program. Can do. That is, the abnormality of the WDT circuit 2 becomes latent. For this reason, after that, even if the output of the timer reset signal is stopped because the abnormality occurred while the computer 1 is executing the control program, the CPU reset signal is not output from the WDT circuit 2, so that the computer 1 is not reset and is abnormal. Problems such as continued operation will occur.

  The present invention has been made to solve the above-described problems, and provides a computer system that can sufficiently detect a potential abnormality of a WDT circuit at an early stage and reliably meet the demand for fail-safe. For the purpose.

  In order to achieve the above object, a computer system including a computer and a watchdog timer circuit for monitoring the operation thereof employs the following configuration.

That is, according to the present invention, a WDT operation storage unit is provided that includes a computer and a watchdog timer circuit that monitors its operation , and that stores the number of times the CPU reset signal is output from the watchdog timer circuit to the computer. At the same time, the computer checks the contents of the WDT operation storage unit at the time of startup, and if the CPU reset signal has never been output from the watchdog timer circuit, the timer reset signal is output to the watchdog timer circuit. When the supply is stopped and the CPU reset signal is not output from the watchdog timer circuit accordingly, it is determined that an abnormality has occurred in the watchdog timer circuit, and the CPU executes the program at that time. While the watchdog timer circuit stops When the CPU reset signal is output from the watchdog timer circuit in response to the supply stop of the timer reset signal, the CPU reset signal is output in the WDT operation storage unit, and the CPU reset signal If the computer is reset and the computer confirms the contents of the WDT operation memory after the reset, and if it is determined that the CPU reset signal has been output even once from the watchdog timer circuit, the watchdog as a system that includes a timer circuit and the computer what sound, the computer in a computer system starts executing the predetermined control program, which is duplicated the computer system, and each computer, phase self-diagnosis completion If the difference between both timings is not within a predetermined time by comparing the communication means to notify the side and the diagnosis completion timing of the other party notified by this communication means and the self diagnosis completion timing, And a judging means for judging .

  In the present invention, when the computer system is duplicated, each computer has a communication means for notifying the other party that the computer has completed its diagnosis, and the other party notified by the communication means. There is provided judgment means for comparing the timing of completion of diagnosis and the timing of completion of self-diagnosis and judging that the system is abnormal when the difference between the timings is not within a predetermined time.

In the computer system of the present invention, the computer diagnoses the WDT circuit based on the information stored in the WDT operation storage circuit, and starts executing the control program after the computer is reset if the WDT circuit is healthy. The presence or absence of a latent abnormality in the WDT circuit can be detected at an early stage, and the request for fail-safe can be fully met. Since the WDT circuit is likely to be healthy during the execution of the control program, it is possible to reliably reset the computer when the computer operates abnormally. This point is also sufficient for failsafe requirements. It becomes possible to respond. In addition to this, when the computer system is duplicated, not only the presence / absence of abnormality of each WDT circuit but also the presence / absence of abnormality of the WDT operation memory circuit is detected by comparing the timing of completion of diagnosis between computers. Thus, the probability of abnormality detection is increased, the loss of the diagnostic function can be reliably prevented, and the reliability of the entire computer system can be further improved.

  Further, according to the present invention, in the case where the above-described computer system is duplicated, not only the presence / absence of abnormality of the WDT circuit but also the abnormality of the WDT operation memory circuit is compared by comparing the timing of completion of the computer diagnosis between the computers. Since the presence or absence can also be detected, the probability of abnormality detection is increased. For this reason, it is possible to reliably prevent the diagnosis function from being lost, and to further improve the reliability of the entire computer system.

Embodiment 1 FIG.
FIG. 1 is a configuration diagram of a computer system according to Embodiment 1 of the present invention, and the same reference numerals are given to components corresponding to those of the prior art shown in FIG.

  The computer system of the first embodiment includes a microcomputer (hereinafter simply referred to as a computer) 1 and a WDT circuit 2 for monitoring the operation thereof, and a WDT operation storage unit 3 is provided.

  The WDT operation storage unit 3 stores the number of output times of the CPU reset signal output from the WDT circuit 2 to the computer 1, and a counter, a memory, or the like is applied, for example. The stored contents of the WDT operation storage unit 3 are held as they are unless the computer system is turned off.

  On the other hand, the computer 1 can access the WDT operation storage unit 3, confirms the contents of the WDT operation storage unit 3 before starting execution of a predetermined control program, and resets the CPU from the WDT circuit 2. When no signal has been output, the timer reset signal supply to the WDT circuit 2 is stopped and the circuit 2 is diagnosed.

  Next, the operation of the computer system having the above configuration will be described with reference to the flowchart shown in FIG. In the figure, symbol S means each step.

  When the computer system is powered on, the computer 1 outputs a timer reset signal to the WDT circuit 2 at a predetermined cycle T0 while performing various initial settings (step 1). When the initial setting is completed, the computer 1 accesses the WDT operation storage unit 3 and confirms the stored contents before starting execution of a predetermined control program (step 2), and performs a diagnosis on the WDT circuit 2. It is determined whether or not (Step 3).

  That is, the WDT operation storage unit 3 counts and stores the number of times of output N every time the CPU reset signal is output from the WDT circuit 2, so that when the number of times of output N = 0, the WDT circuit 2 sends the CPU reset signal to the CPU. It can be seen that the reset signal has never been output. Therefore, in this case, the computer 1 stops supplying the timer reset signal to the WDT circuit 2 in order to confirm whether or not the WDT circuit 2 operates normally (step 4).

  At that time, if the WDT circuit 2 is abnormal due to a failure or the like, the CPU reset signal is not output from the WDT circuit 2 even if the supply of the timer reset signal to the WDT circuit 2 is stopped. Therefore, the computer 1 stops the program processing operation at that time. Thereby, it is understood that there is an abnormality in the WDT circuit 2.

  On the other hand, when the WDT circuit 2 is normal, when the supply of the timer reset signal from the computer 1 is stopped in step 4, the time is up and the CPU reset signal is output. As a result, the computer 1 is reset by this CPU reset signal, returns to the initial state of step 1 again, and sequentially executes from the initial setting process. 1 is stored.

  Subsequently, the computer 1 checks the stored contents of the WDT operation storage unit 3 (step 2), and then determines whether or not the diagnosis of the WDT circuit 2 has been performed (step 3). At this time, the WDT operation Since the storage content of the storage unit 3 is already N = 1, it can be seen that the diagnosis has been performed. For this reason, the computer 1 starts executing a predetermined control program for the first time at this stage (step 5).

  The operation of the computer 1 after step 5 is the same as in the conventional case. When the control program is normally executed, a timer reset signal is output at a predetermined cycle T0 to reset the WDT circuit 2. To do. If an abnormality occurs during the execution of the control program, the computer 1 stops outputting the timer reset signal, so that the CPU reset signal is output from the WDT circuit 2 and the computer 1 is reset.

  As described above, in the computer system according to the first embodiment, the computer 1 starts executing the control program after diagnosing the WDT circuit 2 based on the information stored in the WDT operation storage circuit 3, so that the WDT circuit Two latent abnormalities can be diagnosed early. Since the WDT circuit 2 is likely to be healthy during the execution of the control program, the computer 1 can be reliably reset when the computer 1 operates abnormally. For this reason, it is possible to reliably prevent the abnormal operation of the computer 1 from continuing, and it is possible to sufficiently satisfy the fail-safe request.

Embodiment 2. FIG.
FIG. 3 is a configuration diagram of a computer system according to the second embodiment of the present invention.

  The computer system according to the second embodiment is a so-called duplex computer system in which two computer systems having the same configuration as in FIG. 1 are arranged. Therefore, the computer systems of the respective systems A and B are provided with computers 1a and 1b, WDT circuits 2a and 2b for monitoring their operations, and WDT operation storage units 3a and 3b.

  In general, the computers 1a and 1b of the series A and B operate in parallel with each other in synchronization with each other. For example, when a computer system of one series A fails, the computer system of the other series B backs up. Therefore, fail safe operation can be secured.

  In the second embodiment, the computers 1a and 1b of the series A and B have communication means 5a and 5b for notifying the other party of the completion of diagnosis, and completion of diagnosis of the other party notified by the communication means 5a and 5b. And a judgment means 6a, 6b for judging that the system is abnormal when the difference between the two timings is not within the predetermined time ΔT.

  Next, the operation of the computer system having the above configuration will be described with reference to the flowchart shown in FIG. In the figure, symbol S means each step.

  In the computer systems of the systems A and B, the operations from when the power is turned on until the diagnosis of the WDT circuits 2a and 2b is performed once and it is determined that the diagnosis has been performed (steps 1 to 4 in FIG. 4). Is the same as in the first embodiment. Therefore, detailed description is omitted here.

  As described above, the computers 1a and 1b of the series A and B are operating in parallel with each other, and the communication means 5a and 5b of the computers 1a and 1b of the series A and B are connected to their own WDT circuit 2a, When the diagnosis of 2b is completed, information on the completion of the diagnosis is notified to the partner side (step 7). That is, when the diagnosis of the own WDT circuit 2a is completed, the communication means 5a of the computer 1a of one series A notifies the communication means 5b on the other side of the diagnosis completion information. Similarly, when the diagnosis of the own WDT circuit 2b is completed, the communication unit 5b of the other series B computer 1b notifies the other communication unit 5a of the completion of the diagnosis.

  Therefore, the judging means 6a and 6b of the computers 1a and 1b of the respective series A and B compare the timings of completion of diagnosis of the WDT circuits 2a and 2b between the counterpart and the self. Then, it is determined whether or not the difference between both timings is within a predetermined time ΔT (step 8).

  Here, for example, when an abnormality that always outputs N = 1 to the computer 1b occurs due to a failure of the WDT operation storage unit 3b in the other series B, the computer 1b in the series B actually has a WDT circuit. Since it is erroneously determined that the diagnosis has been completed despite the fact that the diagnosis of 2b has not been performed, the diagnosis completion information is not output to the partner computer 1a. For this reason, the difference between the diagnosis completion timing of the partner WDT circuit 2b and the diagnosis completion timing of its own WDT circuit 2a exceeds the predetermined time ΔT. Thereby, the judging means 6a of the computer 1 judges that some abnormality has occurred in the entire system, and stops the execution of the control program (step 9). In addition, it notifies the outside that there is a failure. This is the same even when an abnormality such as a failure of the WDT operation storage unit 3a in one series A occurs.

  On the other hand, if the computer systems of both series A and B are both normal, the diagnosis of the WDT circuits 2a and 2b is completed at almost the same timing, so the diagnosis end timing of both series A and B is within a predetermined time ΔT. Will fit. For the first time at this stage, each computer 1a, 1b starts executing a predetermined control program (step 10).

  The operations of the computers 1a and 1b after step 10 are the same as in the conventional case, and each computer 1a and 1b outputs a timer reset signal at a predetermined cycle T0 when the control program is normally executed. It outputs and resets the WDT circuits 2a and 2b. Further, when an abnormality occurs during execution of the control program, the computers 1a and 1b stop outputting the timer reset signal, so that the CPU reset signal is output from the WDT circuits 2a and 2b, and the computers 1a and 1b Reset.

  As described above, in the second embodiment, when the computer system is duplicated, the diagnosis completion timing is compared between the computers 1a and 1b as well as the presence / absence of abnormality of each WDT circuit 2a and 2b. Thus, it is possible to detect whether the WDT operation memory circuits 3a and 3b are abnormal. As a result, the probability of abnormality detection is increased, the loss of the diagnostic function can be reliably prevented, and the reliability of the entire computer system can be further improved.

  The present invention can be widely applied to computer systems in fields where fail-safe is required. The computer used in this case is not limited to a microcomputer, and may be another type of computer such as a minicomputer.

It is a block diagram of the computer system in Embodiment 1 of this invention. It is a flowchart with which it uses for operation | movement description in the computer system of FIG. It is a block diagram of the computer system in Embodiment 2 of this invention. It is a flowchart with which it uses for operation | movement description in the computer system of FIG. It is a block diagram of the conventional computer system.

Explanation of symbols

1, 1a, 1b microcomputer (computer),
2, 2a, 2b WDT circuit (watchdog timer circuit),
3, 3a, 3b WDT operation storage unit, 5a, 5b communication means, 6a, 6b determination means.

Claims (1)

E Bei a watchdog timer circuit that monitors the computer and its operation, and provided with a WDT operation storage unit for storing the number of times from the watchdog timer circuit outputs a CPU reset signal to the computer, the above-mentioned computer , Confirm the contents of the WDT operation storage unit at the time of startup, and if the CPU reset signal has not been output from the watchdog timer circuit, supply of the timer reset signal to the watchdog timer circuit is stopped, In response to this, if the CPU reset signal is not output from the watchdog timer circuit, it is determined that an abnormality has occurred in the watchdog timer circuit, and the CPU stops executing the program at that time. Timer reset for watchdog timer circuit When the CPU reset signal is output from the watchdog timer circuit in response to the supply stop of the signal, the CPU reset signal is output in the WDT operation storage unit and the computer is reset by the CPU reset signal. When the computer confirms the contents of the WDT operation storage unit after the reset, if it is determined that the CPU reset signal is output even once from the watchdog timer circuit, the watchdog timer circuit and Assuming that the system including the computer is healthy, the computer starts the execution of a predetermined control program. In the computer system, the computer system is duplicated, and each computer notifies the other party of completion of its diagnosis. Communication means A determination means for comparing the timing of completion of diagnosis of the other party notified by the communication means and the timing of completion of self diagnosis and determining that the system is abnormal if the difference between both timings is not within a predetermined time; computer system, comprising.

Images