Patent Application
20190171535
The invention relates to a system and a method for transmitting data between computation units having safe signaling technology.
The term “having safe signaling technology” is intended to be understood within the context of the present invention to be concordant with the corresponding term in railway technology. The reference used can be the EN 50129 standard, for example. “Having safe signaling technology” fundamentally means that the probability of defined risk occurring is below a prescribed threshold value. Safe signaling technology is normally produced by virtue of calculations being performed redundantly. Preferably, the calculations are performed in diversely redundant fashion. The terms “redundant” and “multichannel” are used synonymously below. In this regard, a computation unit can contain a first piece of hardware and a different, i.e. diverse, second piece of hardware, for example. A calculation is then performed on the first hardware and on the second hardware each time and the respective results are compared. Only if the results are in accord is the calculation deemed correct and is further processing performed. Alternatively, the first and second hardware may also be in identical form. Diversity is then introduced at the level of the software, for example by virtue of a calculation being performed redundantly on the basis of different programs, which are in different programming languages, for example, on the first and the second hardware. Diversity can also be implemented at the level of the hardware and at the level of the software. Redundancy is not restricted to the use of just two channels in this case.
The prior art is illustrated schematically in
A computation unit 10, which has safe signaling technology as set out above, e.g. a main computer 10 having safe signaling technology, in this case comprises a clock 16 having safe signaling technology and is configured to execute a data link protocol 18 for data transmission on the basis of safe signaling technology, just like any application 12. A clock having safe signaling technology is moreover designed such that this clock operates strictly monotonously, i.e. does not stop and always runs only in one direction. Data 14 produced by the application 12 can then be forwarded, as data 20 protected by means of the data link protocol 18 and provided with a timestamp of the safe clock 16, via an input and output memory 22, e.g. DP-RAM or FIFO, to an input and output module 24 that does not have safe signaling technology, for the purpose of transmission via a data line 26, e.g. a bus, a LAN, etc., to an analogously configured computation unit (not depicted in
The input and output module can in this case be provided, by way of example, as a serial UART, as an Ethernet controller or as a small computer, e.g. on a Linux basis. The input and output module normally used is conventional, mass-produced components (what are known as COTS “commercial off-the-shelf” components), which do not have safe signaling technology. The signal integrity is provided in the main computer, which has safe signaling technology.
An example of a main computer having safe signaling technology is a Simis TCC series computer from Siemens. The data link protocol used for data transmission can be the “Safe Link Layer” protocol based on UNISIG Subset 057, for example. An input and output module as described above can either be permanently connected on a board as a circuit component to a computer having safe signaling technology (such as e.g. a SIMIS FM computer from Siemens) or can be plugged in as a communication assembly in an assembly frame (such as e.g. as a PNET5 assembly within the context of the aforementioned Simis TCC).
The object of the present invention is to simplify a system for data transmission based on safe signaling technology.
According to the invention, to this end an input and output module for sending and receiving data via a data line is made available. The input and output module comprises a protocol state machine for a data link protocol for data transmission and a clock. As a result, the input and output module is configured to protect data to be transmitted by means of the data link protocol and to process received data protected by means of the data link protocol. Moreover, the input and output module is configured to provide outgoing, protected data with a timestamp, on the basis of the clock, and to compare timestamps of incoming data with the present time indicated by the clock. Instructions regarding clock processing and the protocol state machine are stored as hard sequence control in a read only memory of the input and output module in this case. An operating system therefore becomes dispensable in the input and output module.
The inventive method for transmitting data between computation units having safe signaling technology comprises the following steps: a main computer having safe signaling technology is provided. Moreover an inventive input and output module of the type described above that is couplable to the main computer is provided.
According to a first preferred embodiment, signal integrity of transmitted and received data can be ensured by virtue of the protocol state machine of the input and output module being in redundant form as a protocol state machine having safe signaling technology, and by virtue of the clock of the input and output module being in redundant form as a clock having safe signaling technology.
Preferably, the input and output module in this case is in the form of a system on chip component. Such an input and output module can then be provided in the form of a COTS component.
According to a second preferred embodiment, signal integrity of transmitted data can be ensured by virtue of an input and output assembly being provided instead of a multichannel input and output module having safe signaling technology. This input and output assembly comprises a first inventive input and output module, not necessarily having safe signaling technology, and a second inventive input and output module, not necessarily having safe signaling technology. The first input and output module is in this case in diverse form in comparison with the second input and output module. In this manner, i.e. production of diverse redundancy by combining the first and second input and output modules, it is possible for safe signaling technology to be produced.
A main computer having safe signaling technology and coupled to the input and output assembly can then additionally comprise a comparison chip configured to compare data received from the first input and output module with data received from the second input and output module.
The first and second input and output modules of the input and output assembly can also be in the form of a system on chip component and/or can be provided in the form of a COTS component.
The invention affords a series of advantages:
A main computer having safe signaling technology is relieved of load by virtue of the tasks of timestamping by means of the clock having safe signaling technology and protocol protection for outgoing data and protocol processing for incoming data being relocated to the inventive separate input and output module. This reduces project-specific integration costs for the main computer having safe signaling technology, since the data link protocol and the safe clock no longer need to be provided in the main computer. The integration costs now arise only as a one off, during the development of the inventive input and output module. For the first time, an input and output module having safe signaling technology is now available that is available as a system on chip component and comprises a protocol state machine for a data link protocol and also a clock hard-encoded in a manner based on safe signaling technology.
A further substantial advantage of the invention is that timestamping of outgoing data and checking of a timestamp of incoming data are now performed directly at hardware level in the input and output module, and not at application level in the main computer, as previously. Timestamps produced in this manner and measured propagation delays of transmitted data are much more precise than previously, since delays that previously arose as a result of propagation delays from the application level for a protocol stack to the input and output module (or vice versa) are now no longer produced. Values below one millisecond are now achievable. This is advantageous in particular in connection with realtime applications.
The relocation of the clock to the input and output module also distinctly simplifies synchronization of the clocks of the computation units involved in a data transmission. In particular, timestamps used for synchronizing the clocks are now determined by clocks having safe signaling technology.
The embodiment in which an input and output assembly having two input and output modules that do not necessarily have safe signaling technology but are diverse are used instead of a multichannel input and output module having safe signaling technology affords the advantage that what are known as “common mode” errors, e.g. in the event of power failure, can be prevented. Failure of an input and output module of the assembly can also result in a data transmission at least still being performed in a manner that is not based on safe signaling technology.
In summary, the invention can improve transmission technology for data between computation units having safe signaling technology in regard to clock calibration and loss-free data communication in real time.
According to the embodiment of the input and output module in which the protocol state machine is in redundant form as a protocol state machine having safe signaling technology and the clock is in redundant form as a clock having safe signaling technology, it is possible according to one preferred variant for the protocol state machine to be in diversely redundant form. Alternatively of additionally, the clock can be in diversely redundant form. These two measures increase the signaling safety of the input and output module each time.
In a first embodiment of a system for transmitting data between computation units having safe signaling technology, at least one computation unit having safe signaling technology comprises a main computer having safe signaling technology, i.e. a multichannel or redundant, preferably diversely redundant, main computer, and an inventive multichannel input and output module having safe signaling technology that is coupled to the main computer.
In a second embodiment of a system for transmitting data between computation units having safe signaling technology, one computation unit having safe signaling technology comprises a main computer having safe signaling technology, an input and output assembly of the type described above that is coupled to the main computer and a comparison chip configured to compare data received from the first input and output module with data received from the second input and output module.
The properties, features and advantages of this invention that are described above and the manner in which they are achieved will become clearer and more distinctly comprehensible in connection with the description of the exemplary embodiments that follows, which are explained in more detail in connection with the drawings, in which:
In
Said computation unit having safe signaling technology comprises a main computer 11 having safe signaling technology. Said main computer is configured to execute the application 12 on the basis of safe signaling technology and to forward data 14 produced by the application 12 to an input and output memory 22. In contrast to
Since the input and output module 50 has only a known and dedicated scope of functions, the instructions for clock processing and the protocol state machine 118 can be available in a read only memory 17 of the input and output module 50 in hard-encoded fashion. Various programming languages can be used for programming, such as e.g. C, assembler, or—in the case of FPGAs without a CPU core—e.g. VHDL.
The input and output module 50 having safe signaling technology can comprise two physically separate FPGA chips or microcontroller chips, for example, which are present with parallel redundancy and are loosely (cyclically) or permanently (lockstep) coupled to one another. In this manner, the clock 16 having safe signaling technology and the protocol state machine 18 having safe signaling technology can be provided in an input and output module 50. Each of the two physically separate chips can provide one channel of a multichannel architecture in this case.
The integration in this case can be performed based on EN 50129 SIL4 and delivers a validation report along with evidence of safety. The result of the integration at the bottommost level is then a COTS component having safe signaling technology. According to the embodiment shown in
The main difference over the embodiment shown in
Each of the input and output modules 152, 154 comprises a clock 116, 216 and a protocol state machine 218, 318 for executing a data link protocol 18. The instructions for clock processing and the protocol state machine 218, 318 are, as claimed in connection with
In a certain respect, the input and output assembly 150 shown in
In combination, the first 152 and the second 154 input and output modules can be regarded as an input and output assembly having safe signaling technology. This applies at least if the main computer 111 comprises a comparison chip 30 configured to compare input data received from the two input and output modules 152, 154.
Protected and timestamped data 120, 220 leaving the computation unit 210 in redundant fashion are compared at the level of the application data 14, 14′ by a comparison chip of a receiving signal-oriented computation unit (not shown) that likewise needs to support the data link protocols implemented by the protocol state machines 218, 318. In the receiving computation unit, the respective timestamps are also checked for whether the clocks 116, 216 are in sync within prescribed limits, only run forward and have not stopped.
The input and output modules 152, 154 can also be produced in the form of system on chip components and provided as COTS components.
The method comprises the following steps:
In step S1, a main computer having safe signaling technology is provided.
Moreover, in step S2, an input and output module of the type described above that is couplable to the main computer is provided that comprises a protocol state machine for a data link protocol for data transmission and a clock, wherein instructions for clock processing and the protocol state machine are stored as hard sequence control in a read only memory of the input and output module.
According to a first embodiment, a main computer 11 and an input and output module 50 having safe signaling technology as shown in
According to a second embodiment, a main computer 111 and an input and output assembly 150 as shown in
Although the invention has been illustrated and described in more detail by means of preferred exemplary embodiments, the invention is not limited by the disclosed examples, and other variations can be derived therefrom by a person skilled in the art without departing from the scope of protection of the invention.
| Number | Date | Country | Kind |
|---|---|---|---|
| 10 2016 213 554.6 | Jul 2016 | DE | national |
| Filing Document | Filing Date | Country | Kind |
|---|---|---|---|
| PCT/EP2017/065637 | 6/26/2017 | WO | 00 |
