GB2267984A - Multiplexing bus interface. - Google Patents
- Publication number
- GB2267984A (application GB9212796A)
- Authority
- GB
- United Kingdom
- Prior art keywords
- data
- safety
- interface
- critical
- data bus
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/0796—Safety measures, i.e. ensuring safe condition in the event of error, e.g. for controlling element
-
- B—PERFORMING OPERATIONS; TRANSPORTING
- B61—RAILWAYS
- B61L—GUIDING RAILWAY TRAFFIC; ENSURING THE SAFETY OF RAILWAY TRAFFIC
- B61L1/00—Devices along the route controlled by interaction with the vehicle or train
- B61L1/20—Safety arrangements for preventing or indicating malfunction of the device, e.g. by leakage current, by lightning
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F13/00—Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
- G06F13/14—Handling requests for interconnection or transfer
- G06F13/36—Handling requests for interconnection or transfer for access to common bus or bus system
- G06F13/368—Handling requests for interconnection or transfer for access to common bus or bus system with decentralised access control
- G06F13/372—Handling requests for interconnection or transfer for access to common bus or bus system with decentralised access control using a time-dependent priority, e.g. individually loaded time counters or time slot
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F13/00—Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
- G06F13/38—Information transfer, e.g. on bus
- G06F13/40—Bus structure
- G06F13/4004—Coupling between buses
- G06F13/4022—Coupling between buses using switching circuits, e.g. switching matrix, connection or expansion network
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/08—Error detection or correction by redundancy in data representation, e.g. by using checking codes
- G06F11/10—Adding special bits or symbols to the coded information, e.g. parity check, casting out 9's or 11's
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Automation & Control Theory (AREA)
- Mechanical Engineering (AREA)
- Mathematical Physics (AREA)
- Computer Hardware Design (AREA)
- Quality & Reliability (AREA)
- Safety Devices In Control Systems (AREA)
- Bus Control (AREA)
Abstract
A bus interface (2) couples either a first portion (6) or a second portion (8) to a data bus (4). The state of the interface is controlled by the first portion, such that the second portion is only coupled to the data bus for predetermined periods. The apparatus is particularly suitable for use in systems having safety-critical functions, since it enables non-safety-critical functions of the system to be controlled by the first portion (6) and be re-programmable, whereas the second portion (8), which would not be re-programmable, may control safety-critical functions of the system.
Description
DATA PROCESSING APPARATUS
This invention relates to a data processing apparatus, and more particularly to such an apparatus which may be used in a system having safety critical functions.
There are many instances of systems having both safety-critical and non safety-critical functions, such as traffic control or plant control systems. For example, in railway signalling systems, safety-critical functions include those which prevent danger to people or material, such as the control of signals for ensuring safe positioning of rolling stock.
However, functions which relate to the train number or timing are not safety-critical so that, for example, a particular train may depart at a time which differs from that of the time-table without affecting safety.
In designing such systems having safety-critical aspects, considerable care must be taken to ensure that a failure in any component of the system cannot endanger the safety of the system.
Integrated circuits therefore undergo failure modes and effects analyses to ensure that any failures possible do not compromise the system, and programming associated with computers must be rigorously analysed to ensure that any errors in the input, or in the storage of the programme itself, cannot cause failures of the safety-critical aspects of the system.
Re-programmable computer systems are not normally suitable since it is possible that a new programme could be introduced that bypasses existing interlocks, and causes safety-related failures. These changes could be introduced deliberately, or by bit change errors in the computer memory which, since it is designed to be re-programmable, will be more susceptible to such changes than a non re-programmable memory system.
In the past, these constraints have led to safety systems being designed using custom ASICs, and other non programmable hardware. The increasing complexity and flexibility of modern safety systems, however, means that the special integrated circuits designed for these systems are becoming increasingly complex, and from an engineering viewpoint could be better implemented in a computer-like system.
Attempts have been made to produce a re-programmable apparatus for use in a system having safety-critical functions, which apparatus includes two components, namely a re-programmable computer component and a non-re-programmable safety-critical component. If the data is transmitted by a single medium, then to prevent confusion one of the components must have control over the data train. It is unsafe for the computer component to receive the data and send safety-related information to the safety-critical component, since it is possible that the computer will be re-programmed and send erroneous data to the safety-critical component, whilst replying to the data train to the effect that correct data has been transferred.
Conversely, the safety-critical component may receive the data, and send non-safety-related information to the computer component. The apparatus can be designed so that it is not possible for the computer to affect data in the safety-critical component, giving an apparatus which is both programmable and safe.
However, the safety-critical component must be designed to 'understand' and correctly respond when connected to the data transmission system. Where the data transmission system is inherently simple, this results in little overhead in hardware terms. But many safety-critical components are now required to be connected to complex data transmission systems, on which the protocol of transmission would result in considerable design overheads to the safety-critical component. This is undesirable, since it is a fundamental tenet of safety-critical component design that the component should be as simple as possible.
Past designs of safety-critical components have used simple data transmission systems to avoid this difficulty, but with the advent of requirements for interoperability, emphasis is now placed on the use of standard data transmission systems which, because of their required usage, must of necessity be more complex and capable than those systems used in the past.
Thus, if a complex data transmission system is required, with a computer in the safety-critical component capable of understanding the protocol used, it has been conventional to deny re-programmability of the computer.
It is an object of this invention to alleviate the problems outlined above.
According to the present invention, there is provided data processing apparatus having a first portion and a second portion each being capable of being coupled to a data bus via an interface, the interface having a first state in which the first portion is coupled to the data bus whilst the second portion is not, and a second state in which the second portion is connected to the data bus whilst the first portion is not, the first portion being arranged to switch the interface from the first state to the second state for a predetermined time interval during which data destined for the second portion is being transmitted, and then to switch the interface back to the first state.
The apparatus is particularly suitable for use in systems having safety-critical functions. In such a system, the first portion may control the non safety-critical functions of the system, whilst the second portion may control the safety-critical functions. The first portion is advantageously re-programmable by means of the data bus, the second portion not being re-programmable, enabling non-safety-critical functions of the system to be re-programmed, without any chance of a new programme affecting the safety-critical aspects, since the first and second portions cannot communicate with each other.
Preferably, the first and second portions include first and second interfaces respectively, each being capable of being coupled to the data bus via a bus interface. The bus interface may be capable of determining the clock rate of the incoming or outgoing data, and making it available to the first and second interfaces simultaneously. This allows the first portion to determine the time period for which the data bus should be connected to the second portion rather than to itself, and to control the bus interface accordingly.
The data destined for the second portion, which may be safety-critical data, is advantageously encoded, for example by a cyclic code having at least twenty parity bits. In this manner, if random data is transmitted to the second portion, for example due to the first portion erroneously connecting the data bus to the second portion, it is extremely unlikely that it could be observed as valid by the second portion. The second portion may alternatively be provided with other means for confirming correct reception of data.
In order that the invention may be more readily understood, reference will now be made, by way of example, to the accompanying drawing, which is a diagram showing data processing apparatus in accordance with the invention.
Referring to the drawing, a data processing apparatus for use in a system having safety-critical functions, such as a railway signalling system, comprises a bus interface 2 connected to a data bus 4 for transmitting and receiving data. The bus interface 2 is switchable between first and second states. In the first state, it connects the data bus 4 to a re-programmable first portion 6 for controlling non safety-critical functions of the system, and in the second state it couples the data bus 4 to a non re-programmable second portion 8 for controlling safety-critical functions. The coupling is achieved via first and second internal data interfaces respectively. The bus interface is controlled by the first portion 6 (as indicated by broken line 10).
In operation, the first portion 6 monitors the data being transmitted on the data bus 4. On receipt of appropriate codes, determined by the data transmission protocol, the first portion 6 may transmit and receive data applicable to itself and relating to non safety-critical aspects of the system.
The programming of the first portion 6 enables it to determine the position in the data train of safety-critical data destined for the second portion 8, such that it will operate the bus interface 2 for these time intervals only to connect the second portion 8 to the data bus 4. For example, the incoming data may be arranged to conform to a predetermined format in which a succession of synchronization words are each followed by a time frame, a first predetermined portion of which always contains data for the first component and a second predetermined portion of which always contains data for the second component.
In such a case the first component may be programmed to recognise the arrival of each synchronizing word and switch the interface to the second component for the duration of the second predetermined portion of the immediately-following time frame.
If the programming of the first portion 6 is affected by errors, it will be unable to communicate correctly on the data bus. This fact may readily be detected, and the system caused to fail safe, the first portion 6 being unable to affect the second portion 8 directly.
The safety-critical data is encoded in such a manner that the possibility of random data being accepted by the safety system as valid data is extremely unlikely. Thus if the first portion 6 connects the data bus 4 to the second portion 8 at an inappropriate time, the probability of the second portion being wrongly programmed is negligible. For example, the safety-critical data can be transmitted encoded by a cyclic code with 20 or more parity bits. With suitable coding, this would provide less than one in 10^6 probability that random data would be observed as valid: a code with 20 check bits accepts a random word with probability about 2^-20, which is roughly one in 10^6, and each further parity bit halves that figure. Cyclic coding is a relatively simple hardware function, and therefore adds little to the complexity of the safety-critical second portion. Note that a cyclic code is an error-detecting code, not a cipher or an authentication code: it guards against random or mis-timed data reaching the second portion, not against a deliberately constructed valid codeword placed on the bus while the second portion is connected. Protection against the latter rests on the hardware separation of the two portions and on who is able to transmit on the data bus.
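The synchronization-word frame format and gating rule described for the first portion 6, and the cyclic-code check that protects the second portion 8 against a mis-timed window, as one added worked example in Python. This is not code from the patent or its applicant. The sync word, slot sizes, the CRC-24/OPENPGP parameters from RFC 4880 standing in for the "twenty or more parity bits", the sample train-number and signal payloads, and the `offset` parameter used to model a first portion that opens the window at the wrong moment are all assumptions made for illustration.

```python
"""Time-slot bus multiplexer with a cyclic-coded safety slot.

Added example written for this page; it is not code from GB2267984A or its
applicant. The sync word, slot sizes, CRC parameters and sample payloads are
assumptions chosen to make the mechanism concrete.
"""
import random

SYNC = b"\x7e\x7e"        # assumed synchronization word that opens each time frame
NSC_LEN = 6               # assumed: bytes per frame addressed to the first portion
SC_LEN = 5                # assumed: safety-critical payload bytes per frame
CRC_INIT = 0xB704CE       # CRC-24/OPENPGP parameters (RFC 4880): 24 parity bits,
CRC_POLY = 0x1864CFB      # which satisfies the "at least twenty" of claim 5
SC_SLOT_LEN = SC_LEN + 3  # payload plus 24 parity bits on the wire
FRAME_LEN = len(SYNC) + NSC_LEN + SC_SLOT_LEN


def crc24(data: bytes) -> int:
    """Bitwise CRC-24: a cyclic code small enough to implement in simple hardware."""
    crc = CRC_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC_POLY
    return crc & 0xFFFFFF


def encode_safety(payload: bytes) -> bytes:
    """What the transmitter puts in the second portion's slot: payload + parity."""
    assert len(payload) == SC_LEN
    return payload + crc24(payload).to_bytes(3, "big")


def build_frame(nsc: bytes, sc_payload: bytes) -> bytes:
    """SYNC | slot for the first (re-programmable) portion | coded slot for the second."""
    assert len(nsc) == NSC_LEN
    return SYNC + nsc + encode_safety(sc_payload)


def gate_windows(stream: bytes, offset: int = 0) -> list:
    """The first portion's job: on each sync word, switch the bus interface to the
    second portion for exactly the second slot of the following frame, then back.
    `offset` models a programming error that opens the window at the wrong time.
    Returns the bytes the second portion sees through each window."""
    windows = []
    i = 0
    while i + FRAME_LEN <= len(stream):
        if stream[i:i + len(SYNC)] == SYNC:       # sync word recognised
            start = i + len(SYNC) + NSC_LEN + offset
            windows.append(stream[start:start + SC_SLOT_LEN])
            i += FRAME_LEN
        else:
            i += 1
    return windows


def second_portion_receive(slot: bytes):
    """The non-reprogrammable second portion: accept a slot only if its parity
    matches; everything else (including bytes seen through a misplaced window)
    is rejected. Returns the payload, or None when the slot is rejected."""
    if len(slot) != SC_SLOT_LEN:
        return None
    payload, parity = slot[:SC_LEN], int.from_bytes(slot[SC_LEN:], "big")
    return payload if crc24(payload) == parity else None


def false_accept_rate(trials: int, seed: int = 1) -> float:
    """Fraction of uniformly random slots the second portion accepts; the
    expected value for a 24-bit check is 2**-24, well under the page's 1e-6."""
    rng = random.Random(seed)
    hits = sum(second_portion_receive(rng.randbytes(SC_SLOT_LEN)) is not None
               for _ in range(trials))
    return hits / trials


def demo() -> dict:
    # Constructed sample traffic: two frames, each carrying a train-number
    # record for the first portion and a signal command for the second.
    stream = build_frame(b"TRN001", b"SIG01") + build_frame(b"TRN002", b"SIG02")
    correct = [second_portion_receive(w) for w in gate_windows(stream)]
    misgated = [second_portion_receive(w) for w in gate_windows(stream, offset=2)]
    # Caveat: a cyclic code detects random corruption, not a deliberately
    # constructed codeword. A correctly coded slot placed on the bus during
    # the window is accepted whoever sent it.
    forged = second_portion_receive(encode_safety(b"EVIL!"))
    return {"correct": correct, "misgated": misgated, "forged": forged}


if __name__ == "__main__":
    print(demo())
    print("false accepts per random slot:", false_accept_rate(20000))
```

Running the block yields the two correctly gated signal commands, two `None` results for the window opened two bytes late (one slot fails its parity check, the other runs off the end of the stream), and in practice a false-accept rate of 0 over 20000 random slots. The forged slot is the security caveat made concrete: the check is a cyclic code, so the isolation of the second portion rests on the hardware switch and on who can transmit on the bus, not on the code itself.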
This invention therefore separates both the data and the hardware, such that it becomes possible to have a re-programmable computer placed in control of major functions and data transmission capabilities of the system, whilst retaining safety and allowing the safety system to communicate on the data bus.
Claims (6)
1. Data processing apparatus having a first portion and a second portion each being capable of being coupled to a data bus via an interface, the interface having a first state in which the first portion is coupled to the data bus whilst the second portion is not, and a second state in which the second portion is connected to the data bus whilst the first portion is not, the first portion being arranged to switch the interface from the first state to the second state for a predetermined time interval during which data destined for the second portion is being transmitted, and then to switch the interface back to the first state.
2. Data processing apparatus as claimed in claim 1, wherein the first portion is reprogrammable by means of the data bus whilst the second portion is not reprogrammable by means of the data bus.
3. Data processing apparatus as claimed in claims 1 or 2, wherein the interface is capable of determining the clock rate of data on the data bus, and making the clock rate available to the first and second portions simultaneously.
4. Data processing apparatus as claimed in any one of the preceding claims, wherein the data destined for the second portion is encoded.
5. Data processing apparatus as claimed in claim 4, wherein the data destined for the second portion is encoded by a cyclic code having at least twenty parity bits.
6. Data processing apparatus substantially as described herein, with reference to the drawing.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB9212796A GB2267984A (en) | 1992-06-16 | 1992-06-16 | Multiplexing bus interface. |
FR9307190A FR2692380A1 (en) | 1992-06-16 | 1993-06-15 | Data processing apparatus. |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB9212796A GB2267984A (en) | 1992-06-16 | 1992-06-16 | Multiplexing bus interface. |
Publications (2)
Publication Number | Publication Date |
---|---|
GB9212796D0 GB9212796D0 (en) | 1992-07-29 |
GB2267984A true GB2267984A (en) | 1993-12-22 |
Family
ID=10717210
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
GB9212796A Withdrawn GB2267984A (en) | 1992-06-16 | 1992-06-16 | Multiplexing bus interface. |
Country Status (2)
Country | Link |
---|---|
FR (1) | FR2692380A1 (en) |
GB (1) | GB2267984A (en) |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE4332609A1 (en) * | 1993-09-24 | 1995-03-30 | Esselte Meto Int Gmbh | Circuit arrangement for data input and output for a printer |
EP0664514A1 (en) * | 1994-01-21 | 1995-07-26 | Advanced Micro Devices, Inc. | Apparatus and method for integrating bus master ownership of local bus load |
US6295572B1 (en) | 1994-01-24 | 2001-09-25 | Advanced Micro Devices, Inc. | Integrated SCSI and ethernet controller on a PCI local bus |
EP1396772A1 (en) * | 2001-05-31 | 2004-03-10 | Omron Corporation | Safety unit, controller system, controller concatenation method, controller system control method, and controller system monitor method |
US7050860B2 (en) | 2001-06-22 | 2006-05-23 | Omron Corporation | Safety network system, safety slave, and communication method |
US7065391B2 (en) | 2002-07-18 | 2006-06-20 | Omron Corporation | Communication system, communication apparatus, and communication control method |
US7120505B2 (en) | 2001-06-22 | 2006-10-10 | Omron Corporation | Safety network system, safety slave, and safety controller |
US7162311B2 (en) | 2001-05-31 | 2007-01-09 | Omron Corporation | Safety network system, safety slaves unit, safety controller and communication method and information collecting method and monitoring method for the safety network system |
US7369902B2 (en) | 2001-05-31 | 2008-05-06 | Omron Corporation | Slave units and network system as well as slave unit processing method and device information collecting method |
US7389390B2 (en) * | 2001-05-16 | 2008-06-17 | Continental Teves Ag & Co. Ohg | Method, microprocessor system for critical safety regulations and the use of the same |
US7472106B2 (en) | 2001-06-22 | 2008-12-30 | Omron Corporation | Safety network system and safety slave |
CN107273239A (en) * | 2017-07-03 | 2017-10-20 | 郑州云海信息技术有限公司 | A kind of protection system of startup of server code and guard method |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2162975A (en) * | 1983-06-23 | 1986-02-12 | Technopark Mine Co Ltd | Multiplexer |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
NL8500462A (en) * | 1985-02-19 | 1986-09-16 | Philips Nv | DEVICE FOR TRANSFER OF DIGITAL DATA. |
DE3639788C1 (en) * | 1986-11-21 | 1988-03-03 | Licentia Gmbh | Method and arrangement for input of information into computer systems with secure signalling |
- 1992-06-16 GB application GB9212796A, published as GB2267984A, status: Withdrawn
- 1993-06-15 FR application FR9307190A, published as FR2692380A1, status: Withdrawn
Cited By (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE4332609A1 (en) * | 1993-09-24 | 1995-03-30 | Esselte Meto Int Gmbh | Circuit arrangement for data input and output for a printer |
US5684931A (en) * | 1993-09-24 | 1997-11-04 | Esselte Meto International Gmbh | Label printer, such as a thermal printer for printing labels |
EP0664514A1 (en) * | 1994-01-21 | 1995-07-26 | Advanced Micro Devices, Inc. | Apparatus and method for integrating bus master ownership of local bus load |
US5611053A (en) * | 1994-01-21 | 1997-03-11 | Advanced Micro Devices, Inc. | Apparatus and method for integrating bus master ownership of local bus load by plural data transceivers |
US5682483A (en) * | 1994-01-21 | 1997-10-28 | Advanced Micro Devices, Inc. | Apparatus and method for integrating bus master ownership of local bus load by plural data transceivers |
US6295572B1 (en) | 1994-01-24 | 2001-09-25 | Advanced Micro Devices, Inc. | Integrated SCSI and ethernet controller on a PCI local bus |
US7389390B2 (en) * | 2001-05-16 | 2008-06-17 | Continental Teves Ag & Co. Ohg | Method, microprocessor system for critical safety regulations and the use of the same |
US7369902B2 (en) | 2001-05-31 | 2008-05-06 | Omron Corporation | Slave units and network system as well as slave unit processing method and device information collecting method |
US7162311B2 (en) | 2001-05-31 | 2007-01-09 | Omron Corporation | Safety network system, safety slaves unit, safety controller and communication method and information collecting method and monitoring method for the safety network system |
EP1396772A4 (en) * | 2001-05-31 | 2004-09-08 | Omron Tateisi Electronics Co | Safety unit, controller system, controller concatenation method, controller system control method, and controller system monitor method |
EP1396772A1 (en) * | 2001-05-31 | 2004-03-10 | Omron Corporation | Safety unit, controller system, controller concatenation method, controller system control method, and controller system monitor method |
US7430451B2 (en) | 2001-05-31 | 2008-09-30 | Omron Corporation | Safety unit, controller system, connection method of controllers, control method of the controller system and monitor method of the controller system |
US7813813B2 (en) | 2001-05-31 | 2010-10-12 | Omron Corporation | Safety unit, controller system, connection method of controllers, control method of the controller system and monitor method of the controller system |
US7050860B2 (en) | 2001-06-22 | 2006-05-23 | Omron Corporation | Safety network system, safety slave, and communication method |
US7120505B2 (en) | 2001-06-22 | 2006-10-10 | Omron Corporation | Safety network system, safety slave, and safety controller |
US7472106B2 (en) | 2001-06-22 | 2008-12-30 | Omron Corporation | Safety network system and safety slave |
US7065391B2 (en) | 2002-07-18 | 2006-06-20 | Omron Corporation | Communication system, communication apparatus, and communication control method |
CN107273239A (en) * | 2017-07-03 | 2017-10-20 | 郑州云海信息技术有限公司 | A kind of protection system of startup of server code and guard method |
Also Published As
Publication number | Publication date |
---|---|
GB9212796D0 (en) | 1992-07-29 |
FR2692380A1 (en) | 1993-12-17 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US3893072A (en) | Error correction system | |
US5519603A (en) | Intelligent process control communication system and method having capability to time align corresponding data sets | |
US7010612B1 (en) | Universal serializer/deserializer | |
GB2267984A (en) | Multiplexing bus interface. | |
US4897834A (en) | Bit oriented communications network | |
US6754721B2 (en) | Method for configuring a station connected to a field bus | |
US6704899B1 (en) | Method and device for secure transmission of data signals over a bus system | |
AU552814B2 (en) | Connecting unit for a ring bus | |
GB2028062A (en) | Data transmission system | |
US20060187932A1 (en) | Method and system for transmitting telegrams | |
US6963944B1 (en) | Method and device for the serial transmission of data | |
KR20010024740A (en) | Communications interface for serially transmitting digital data, and corresponding data transmission method | |
US7284078B2 (en) | Deterministic field bus and process for managing same such that when transmissions from one subscriber station are enabled transmissions from other subscriber stations are disabled | |
FI102929B (en) | Remote control system and for this useful transmitter and receiver | |
JP2648752B2 (en) | Device that guarantees accurate decoding of data information | |
US5455921A (en) | Redundant MIL-STD-1153B modem | |
EP0006325B1 (en) | Data transmission system for interconnecting a plurality of data processing terminals | |
GB2174577A (en) | Digital communication system | |
JPH0523095B2 (en) | ||
US7509562B1 (en) | Maintaining data integrity for extended drop outs across high-speed serial links | |
US20070076863A1 (en) | Device and method for communication with the aid of an encrypted code table | |
US6574777B2 (en) | Dynamic parity inversion for I/O interconnects | |
KR940007555B1 (en) | Td/bus interface method of network synchronous apparatus | |
EP0400551B1 (en) | Coded transmission system with initializing sequence | |
CA1172721A (en) | Synchronous time-shared data bus system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
WAP | Application withdrawn, taken to be withdrawn or refused after publication under section 16(1) |