Selective disablement in fail-operational, fail-safe multi-computer control system
First Claim
1. A selective disablement, fail-operational, and fail-safe multi-computer process control system, comprising:
a plurality of computer systems;
a data connection between each computer and at least one other one of said computers;
each of said computer systems comprising:
a plurality of outputs for controlling related functions of said process;
a plurality of inputs providing data manifestations related to the control of said process;
a data link connected to said data connection for providing data communication with another of said computer systems;
a disable connection between it and said another computer system; and
program controlled means for providing a plurality of self tests including bit by bit tests of at least a portion of the memory related to an important portion of said process and providing a test fault manifestation in response to any of said self tests failing, reading in of data from said inputs and calculating results manifestations, receiving calculation result manifestations across said data link from said another computer system, comparing the calculation result manifestations of both computer systems and, in response to comparison thereof, providing said calculation result manifestation to said outputs, or alternatively providing an error manifestation if the two calculation result manifestations do not compare, disabling said computer system in response to one or more of said self test fault manifestations, providing a manifestation over said data link to indicate to said another computer system the fact of said computer system being disabled, registering the fact of said another computer system being disabled if provided thereto over said data link, by-passing the portion of said program for comparing calculations with said another computer system in response to a registered manifestation indicating that said another computer system has disabled itself, and forcing a disabled status in said computer system and said another computer system via said disable connection in response to said error manifestation concurrently with the absence of a registered manifestation indicating that said another computer system has disabled itself, whereby, if one computer system senses disagreement with another nondisabled computer system, such one computer system will disable itself and such another computer system.
Abstract
For each of two computer systems, logic flowcharts describe a background program in which highly detailed memory checksum tests of fixed memory and complementary tests of variable memory are performed, the background program being interrupted for utility programs which are for the most part responsive to transducer or other sensor and discrete inputs to calculate control values for operation of control actuators or other responsive devices. The utility programs include specific self test routines. A direct memory access unit is included in each computer for moving data between inputs of either computer and memories of both, and between the memories of both computers. Periodic testing of fault codes registering the health of each computer is done during utility program routines, any variation from normal causing further health-analysis routines to be performed until dispositive action-causing conditions are determined. Neither computer checks the internal health of the other, but inputs, results and data link transmissions must compare equally between the two computers, or routines determine whether one computer will recognize itself (or a component thereof) as being faulty, and disable itself. If not, then each computer disables itself after disabling the other. A variety of self tests and other checks and routines are included. Disablement is accomplished in a complex fashion of each computer's output, by itself, and additional disablement if instituted by the other computer.
5 Claims
3. A selective disablement, fail-operational, and fail-safe multi-computer process control system, comprising a plurality of computer systems, and a data connection between each computer system, and another of said computer systems, each computer system having its own inputs indicative of parameters used as the basis for controlling said process, each computer system having outputs by means of which control over the process is effected, each having a data communication link for communicating, via said data connection, with another one of said computer systems, each of said computer systems operating under a program of instructions which provides self test routines for the related computer system, recognition of failures of the self test routine in the related computer system, and establishment of a disabled mode in response to self test failure, the program of instructions in each computer rendering it capable of providing to another of said computers, over said data communication link, values indicative of the inputs to said computer, results of calculations performed by said computer, and indications of the status of said computer when in the disabled mode, said program of instructions providing for duplex operation including comparison in each computer system of its input with the input of another one of said computer systems provided thereto over said data communication link and comparing of related calculated results in each computer system with the corresponding calculated results provided thereto over said data communication link by said another one of said computer systems in the event said another computer system is not disabled, and establishment of the disabled mode of operation in said computer system and said another computer system if the comparison of calculated results in said computer system indicates a failure of comparison, whereby, if one computer system senses disagreement with another nondisabled computer system, such one computer system will disable itself and such another computer system.
5. A selective disablement, fail-operational and fail-safe multiple computer process control system comprising:
a plurality of computer systems, each providing a data link between it and another of said computer systems, said data link capable of being placed in a temporary wraparound mode; a plurality of inputs, one group of inputs relating and communicating directly with the corresponding one of said computer systems, said inputs providing data relating to the process being controlled by said computer systems; a plurality of outputs for performing distinct functions in the control of said process, there being an output related to each function corresponding to each of said computer systems; each of said computer systems operating in response to program control means for providing a link test in which each computer system sends known data to another one of said computer systems for comparison in each computer system with similar known data for the purpose of testing the data link between each computer system and said another computer system, for manifesting in each computer system the failure of such link test by each computer system, for providing, in response to a failure of said data link test, a wraparound link test in which each computer system tests its portion of the data link itself, for assuming a disabled mode if its wraparound link test fails, for communicating its disabled mode status to said another computer system by means of said data link, for assuming and for forcing said another computer system to assume, said disabled mode on concurrence of it determining that it did not fail its wraparound data link test and said another computer system has not provided it with a status indication of said another computer system having assumed the disabled mode, whereby, if one computer system senses disagreement with another nondisabled computer system, such one computer system will disable itself and such another computer system.
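The following Python simulation is an added illustration, not code from the patent: it models the duplex cycle of claim 1 (self tests, exchange of disabled status, result comparison, fail-operational bypass, and fail-safe disablement of both computers) together with the link test and wraparound test of claim 5. The Computer class, the byte-wise checksum standing in for the bit-by-bit memory test, and the KNOWN test pattern are constructed here for the example.

```python
from dataclasses import dataclass

@dataclass
class Computer:
    name: str
    memory: bytes                  # fixed memory image covered by the self test
    checksum: int                  # expected checksum of that image
    disabled: bool = False
    peer_disabled: bool = False    # registered from the peer's data-link status message

    def self_test(self) -> bool:
        # Stand-in for the claimed bit-by-bit memory test: byte-wise checksum of fixed memory
        return (sum(self.memory) & 0xFF) == self.checksum

def disable_pair(me: Computer, peer: Computer) -> None:
    # The disable connection: force disabled status in both computers at once
    me.disabled = peer.disabled = True

def control_cycle(a: Computer, b: Computer, result_a: int, result_b: int) -> dict:
    """One duplex cycle of claim 1. Returns what each computer drives to its
    outputs, None when that computer is disabled."""
    for c in (a, b):               # self tests first; any failure disables that computer
        if not c.disabled and not c.self_test():
            c.disabled = True
    a.peer_disabled, b.peer_disabled = b.disabled, a.disabled   # status sent over the data link
    outputs = {}
    for me, peer, mine, theirs in ((a, b, result_a, result_b), (b, a, result_b, result_a)):
        if me.disabled:
            outputs[me.name] = None
        elif me.peer_disabled or mine == theirs:
            # peer disabled: bypass the comparison and run alone (fail-operational);
            # otherwise the two results compare equal and are driven to the outputs
            outputs[me.name] = mine
        else:
            # disagreement with a non-disabled peer: disable both (fail-safe)
            disable_pair(me, peer)
            outputs[me.name] = None
    return outputs

KNOWN = b"\xa5\x5a"   # constructed known data exchanged in the claim 5 link test

def link_test(me: Computer, peer: Computer, received: bytes, wraparound_ok: bool) -> None:
    """Claim 5: on a failed link test, wraparound-test own half of the link; a bad
    half disables only this computer, else both unless the peer already reported disabled."""
    if me.disabled or received == KNOWN:
        return
    if not wraparound_ok:
        me.disabled = True
    elif not me.peer_disabled:
        disable_pair(me, peer)
```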
Specification