JP2006003929A - Process controller and diagnosis method of control data of the same - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a process controller to perform self-diagnosis and self-repair of an error in control data, a self-repair method of a duplex system of the controller and a control data memory, and a self-repair program of the control data memory. <P>SOLUTION: A process controller 11 to perform control processing by a control program comprises a control RAM 11c to store the control data processed by a CPU 11a with a cycle unit for control; a tracking RAM 11d to store the control data with the cycle unit for control; and a RAM diagnosis program 11e1 to diagnose the error in the control data, repair it if the error has been detected, by using the control data stored in the RAM 11d, resume and process the control program, and also determine a degree of a failure in accordance with the number of times of trials of the repair. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to a process controller that monitors and controls a process facility such as a steel plant using a control program, and a method for diagnosing control data of the process controller.

  Generally, in a control digital process controller (hereinafter abbreviated as a controller) that controls various plants using a microprocessor, the RAS function is one of important functions.

  Among the RAS functions, the controller itself performs self-diagnosis in order to ensure reliability (reliability), and detects an abnormality of the controller itself.

  This prevents issuing a wrong control command to the plant, and when a serious error is detected, the operation state of the plant is shifted to the safe side.

  In addition, in order to ensure availability (usability), the severity of the detected error is determined, and the fault tolerance is improved so that the operation does not stop with a minor error.

  Furthermore, in order to ensure serviceability (maintenability), an error detected by self-diagnosis that has a significant effect on the operation of the controller is stored in the memory in the controller.

  According to this method, if an operator or maintenance staff learns that an abnormality has occurred in the controller due to an alarm or controller stoppage, the error data (hereinafter referred to as logging data) stored in this memory is referred to. It is possible to know the failure content, the location where the failure occurred, and the like.

  Based on this logging data, maintenance is improved by promptly performing necessary measures such as replacement of parts. When such a serious error is detected, the controller stores it in the memory as described above, and also notifies the operator and the operator of the occurrence of abnormality by lighting the alarm lamp and notifying the monitor device. .

  Also, the occurrence of an abnormality is notified to other devices in the same control system outside the controller and to higher-level systems. Furthermore, when it is determined that this error is an error that hinders plant operation, the system control operation is shifted to a safe direction by stopping the operation of the controller itself.

  On the other hand, in the above self-diagnosis, a transient error may be detected due to noise such as a short circuit or lightning strike entering the controller or an instantaneous fluctuation of the power supply, and this error may be judged as a serious error. is there.

  In this case, reacting immediately to this transient error and stopping the controller, or notifying the operator or equipment outside the controller of the occurrence of an abnormality will cause a mischievous disturbance in the plant or cause anxiety to the operator. May give.

  Therefore, in order to improve fault tolerance rather than reacting immediately after detecting an error first, self-diagnosis is performed again if necessary, and if this detected error is an actual error, retry (retry). To determine whether it is a transient error that can return to normal.

  Then, a method is used in which, when it is determined that a serious error has actually occurred as a result of the retry, an alarm is issued, and the result is stored in a memory.

However, since there is a possibility that an abnormality cannot be detected only by retrying, the serious error detected by self-diagnosis is log filed. For minor errors, the number of retries is compared with the judgment data to determine the severity of the error. There is a digital process controller for control (see, for example, Patent Document 1).
Japanese Patent No. 3040186

  As a memory for storing control data of a process controller mounted at a high integration density by a microprocessor or the like, a DRAM (Dynamic that can normally read and write data at any time, has a large storage capacity, and can read and write at high speed is provided. RAM, hereinafter referred to as RAM).

  The cause of the error in the control data stored in the RAM is that a process controller is installed in the vicinity of the plant having a strong electromagnetic field such as an error depending on the reliability of the highly integrated RAM itself and a motor. In some cases, there is an error due to electrical disturbance noise mixed in through the input / output lines, ground lines, and power supply lines of the process controller.

  As described above, in plant control, it is identified whether the error in the control data is a transient error such as disturbance noise or the error of the RAM itself that cannot be recovered by retrying, and it is necessary to stop the system. However, it is important to improve the usability to restore the error part and continue the operation without stopping the operation of the plant as much as possible.

  However, in the conventional method as described above, a serious error is detected and recorded by self-diagnosis for each module of the process controller, and for a minor error, the seriousness of the error is determined by the number of retries. There is no known method to continue operation by self-repairing the control data executed by the process controller in real time without stopping the process controller. .

  The present invention has been made to solve the above-mentioned problems, and self-diagnose process controller control data errors, and self-healing memory data storing control data for transient errors. If there is a failure in the memory that stores the memory, replace it with a standby system without stopping the operation of the plant. It aims to provide a method.

  In order to achieve the above object, a process controller according to claim 1 of the present invention includes a control memory for storing control data, a CPU module for processing the control data, and the processing performed by the CPU module. A tracking memory for copying and storing the control data; and a diagnosis processing means for diagnosing the control data stored in the control memory, wherein the diagnosis processing means stores the control data stored in the control memory. When an error is detected, the control data stored in the tracking memory is stored in the control memory, and then the control data stored in the control memory is diagnosed again.

  In order to achieve the above object, the process data diagnosis method for a process controller according to claim 5 of the present invention diagnoses the control data stored in the control memory, and an error is detected in the diagnosis step. In this case, the control data stored in the tracking memory is stored in the control memory, and if no error is detected in the data stored in the control memory, the data stored in the control memory is Storing in a tracking memory.

  According to the present invention, control data error check is executed by the control data diagnosis processing means of the control memory provided in the process controller, and if an error is detected, the data in the tracking memory that stores the control data is detected. To rewrite the control data in the control memory and continue the control process, so that the process controller can be stopped even if there is a failure in the memory that stores the control data or there is a transient abnormality in the control data It is possible to provide a process controller that can restore and operate the control data without any trouble, and a control data diagnosis method for the process controller.

  Embodiments of the present invention will be described below with reference to the drawings.

  The process controller according to the first embodiment of the present invention will be described below with reference to FIGS. FIG. 1 is a block diagram illustrating a configuration diagram of the process controller 100. The process controller 100 includes a controller unit 1, an I / O unit 3 including an input / output module 17 group connected to the plant 6, and a monitor tool 16 that displays information connected via the LAN 15.

  The controller unit 1 stores a control program for controlling the plant 6, a LAN interface module 12 connected to the monitor tool 16 via the LAN 15, and the I / O unit 3 via input / output lines. The I / O interface module 13 to be connected is connected to the CPU module 11 via a CPU bus 11f described later.

  Next, the configuration of the CPU module 11 will be described with reference to FIG. The CPU module 11 is constituted by a microcomputer, and is constituted by a CPU 11a that executes various operations and controls, and a nonvolatile memory such as a flash memory that stores an operating system (OS) used for controlling the hardware of the CPU module 11. OS ROM (Read Only Memory, hereinafter referred to as ROM) 11b, control RAM 11c for storing various control data for controlling the plant 6, and control data stored in the control RAM 11c for each control cycle Tc And a tracking RAM 11d for storing the control program, and a control program EEPROM (Electric Erasable and Programmable Read Only Rom) 11e for storing the control program for controlling the plant 6, which are connected to the CPU bus 11f. Connected .

  Next, the plant control process of the CPU module 11 will be described with reference to FIG.

  A series of plant control processes are started at the scan execution timing (s100). First, a batch input process (BIO1) s101 for collectively inputting data from various sensors (not shown) provided in the plant 6, this batch input is performed. An input process (LNZ1) s102 for converting various data as calculation data, an application program (TASK) s103 for controlling the plant 6, and an illustration provided in the plant 6 according to a control algorithm to obtain a predetermined control performance RAM processing for executing diagnosis of control data stored in the control RAM 11c and restoration of data after executing the above input processing and output processing (LNZ2) s104 for obtaining output to various operation terminals that are not performed ( DAG) s105, RAM diagnostic processing (DAG) s10), control RAM1 Collective output processing for collectively outputting the control data stored in the c (BIO2) s106, constructed from a control data stored in the control RAM11c tracking process of storing the tracking RAM11d and (TRK) s10).

  The control program composed of each of these program modules is periodically executed by the CPU 11a with a control cycle Tc of, for example, several tens of milliseconds to several hundreds of milliseconds required as a control response speed required from the controllability of the plant 6. The process is executed.

  Next, detailed processing of the RAM diagnosis processing (DAG) program of the process controller 100 configured as described above will be described with reference to FIG.

  The RAM diagnosis process (DAG) performs parity check on the control data subjected to the output process (LNZ2) to be stored in the control RAM 11c to diagnose the presence or absence of an error. If an error is detected, the RAM diagnosis process (DAG) The control data of the immediately preceding control cycle stored in the stored tracking RAM 11d is replaced and stored at the address (repair processing), and the control processing is continuously executed with the replaced control data.

  If an error is detected in the control data even after the next control cycle, the degree of failure is determined from the cumulative number of trials of the repair process and the number of trials per unit time.

  The repair process flow includes a memory error determination process (step 1), a memory repair process (step 2), a failure determination process (step 3), and an abnormal stop process (step 4).

  First, in the memory error determination process (step 1), an address at which control data to be diagnosed for the control RAM 11c to be controlled is taken out (s11), and a parity status bit for each control data check unit is initialized. (S12), the control data of the diagnostic address is read (s13), and it is determined whether an error has occurred due to the parity check (s14).

  As a result, if no error is detected, the process is terminated, and the process proceeds to a memory error determination process for the next address.

  Next, when an error is detected, the process proceeds to a memory repair process (step 2). First, a trial number counter (not shown) for repair is initialized (s21). Next, the parity status bit of the control data of the address where the error is detected is initialized (s22), the control data of the tracking RAM 11d is read, written to the control RAM 11c of the address, and corrected (s23).

  Next, the repaired result is confirmed, and the process proceeds to a failure determination process (step 3) in which the number of trials determines the degree of failure.

  The corrected control data of the control RAM 11c is read (s31), and a parity check is performed again to check whether there is an error after the error repair process (s32).

  As a result, if an error is detected, the trial number counter is counted up (s33). Next, it is determined whether or not the number of trials is N1 or more (s34). If the number of trials is less than N1, the process returns to step s22.

  If the number of trials is N1, it is determined that the fault is irreparable and is notified to the monitor tool 16 (s35).

  That is, since an error in the control data is detected even after a plurality of times of repair processing, it can be determined that there is a high possibility that the control RAM at the address has failed. For this reason, an abnormal stop process (s36) for stopping the operation of the process controller is executed.

  If no error is detected in step s32, the count value of the cumulative trial counter is incremented by 1 and updated (s37). It is determined whether or not the cumulative number of trials is a predetermined number N2 or less (s38). If the cumulative number of trials is less than or equal to the predetermined number N2, the time of occurrence and the address diagnosed are stored (s39).

  For example, the number of times of updating the cumulative number of trials per unit time from the present to the predetermined time (1 hour) (the cumulative number of trials per unit time), and the predetermined time to the predetermined time before The cumulative number of trials per unit time is calculated using the occurrence time data stored in step s39 (s40).

  Then, the increase rate of the cumulative number of trials per unit time is set to a value from the present to a predetermined time before (new cumulative number of trials per unit time) and a value from the predetermined time before the predetermined time (the previous unit). Judgment is made by comparing the cumulative number of trials per time (s41).

  For example, the increase rate is obtained by dividing the cumulative number of trials per unit time by the previous cumulative number of trials per unit time. If the increase rate of the cumulative number of trials per predetermined time is larger than the set value, it is determined that the failure is minor, the monitor tool 16 second system failure is displayed (s42), and the control data diagnosis of the next address is performed. .

  On the other hand, if the cumulative number of trials is equal to or greater than the predetermined number N2 (s38), it is determined that there is a minor failure, a minor failure is displayed on the monitor tool 16 (s42), and the control data diagnosis of the next address is started.

  In other words, a minor failure is diagnosed as a sign of failure based on an increase in the cumulative number of trials in a time longer than a preset control cycle Tc and the cumulative number of trials per unit time.

  Therefore, according to the present embodiment, in response to the error in the control RAM 11c, a transient control data error is repaired and the operation is continued, and a minor failure is detected and notified, and the control RAM 11 The operation can be stopped only in the case of a serious failure such as an element failure.

  A duplex system for process controllers according to Embodiment 2 of the present invention will be described below with reference to FIGS.

  FIG. 5 is a block diagram showing the configuration of the duplex system 200 of process controllers, and FIG. 6 is a detailed configuration diagram of the CPU module 11.

  In each part of the second embodiment, the same parts as those of the process controller 100 of the first embodiment are denoted by the same reference numerals, and the description thereof is omitted. The second embodiment is different from the first embodiment in that another standby process controller unit 2 is configured in parallel with the active process controller unit 1.

  Each of the process controller units 1 and 2 is provided with a tracking interface module 14, and as shown in FIG. 6, the RAM diagnostic program 11e1 provided in the CPU module 11 of the active process controller unit 1 controls the control cycle Tc. A function of transferring the control data of the control RAM 11c to the control RAM 11c of the standby process controller unit 2 via the tracking interface module 14 is provided.

  In FIG. 6, the active process controller unit 1 selects its own process controller unit by diagnosis, and selects and controls the I / O interface module 17 of the I / O unit 3 via the I / O interface module 13. Yes.

  However, when an error in the control data is detected from the control RAM 11c of the active CPU module 11, and the RAM diagnostic program 11e1 determines that a serious failure has occurred and self-diagnosis is impossible, the CPU 11a detects the tracking interface 14 and the process controller unit. 2 notifies the CPU 11a that the control right is to be transferred via the tracking interface 14, and stops the control of the process controller unit 2.

  In the next control cycle Tc, the CPU 11a of the standby process controller unit 2 starts control using the control data transferred from the active process controller 1.

  Therefore, a process controller duplex system capable of continuously executing control in any case where a transient error or a serious failure occurs in the control RAM 11c of the active process controller 2 Can be provided.

  The present invention is not limited to the embodiment described above, and the parity check described above may be another Hamming code check, and control data for restoring the control RAM 11c is stored in the tracking RAM 11d. In place of the data in the previous control cycle Tc, the data of the past control cycle may be averaged, or the value may be rewritten to a value obtained by an arbitrary arithmetic expression from the characteristics of the target control data. Various modifications can be made without departing from the spirit of the present invention.

The block diagram of the process controller which concerns on Example 1 of this invention. 1 is a configuration diagram of a CPU module according to Embodiment 1 of the present invention. The figure explaining the structure of the control program of this invention. The flowchart explaining operation | movement by the self-repair processing program of this invention. The block diagram of the duplication system of the process controller which concerns on Example 2 of this invention. The block diagram of the CPU module which concerns on Example 2 of this invention.

Explanation of symbols

1 Process controller unit (working system)
2 Process controller unit (standby system)
3 I / O unit 6 Plant 11 CPU module 11a CPU
11b ROM for OS
11c RAM for control
11d RAM for tracking
11e ROM for control program
11e1 RAM diagnostic program 12 LAN interface module 13 I / O interface module 14 Tracking interface module 15 LAN
16 Monitor tool 17 I / O module

Claims (6)

Control memory for storing control data;
A CPU module for processing the control data;
A tracking memory for copying and storing the control data processed by the CPU module;
Diagnostic processing means for diagnosing control data stored in the control memory,
In the case where an error is detected in the control data stored in the control memory, the diagnostic processing means stores the control data stored in the tracking memory in the control memory and then stores the control data in the control memory. A process controller characterized by rediagnosing stored control data.   The diagnosis processing means is configured to process a process when the control data stored in the tracking memory is stored in the control memory and detection of an error in the control data is repeated a predetermined number of times or more by diagnosis of the control data. The process controller according to claim 1, wherein the controller is stopped. A monitor tool for displaying information;
The diagnosis processing means performs control data diagnosis again after storing the control data stored in the tracking memory in the control memory and accumulates the number of times when no error is detected. 3. The process controller according to claim 1, wherein a minor failure is displayed on the monitor tool when the number of times becomes a predetermined number or more.   The diagnosis processing means performs control data diagnosis again after storing the control data in the control memory, and accumulates per unit time, which is the number of occurrences per unit time when no control data error is detected. 4. The process controller according to claim 1, wherein a minor failure is displayed on the monitor tool when the number of trials exceeds a predetermined condition. 5. Diagnosing control data stored in the control memory;
If an error is detected in the diagnosing step, storing the control data stored in the tracking memory in the control memory;
And a step of storing the data stored in the control memory in the tracking memory when no error is detected in the data stored in the control memory. Counting the number of times the control data stored in the tracking memory is stored in the control memory;
6. The process controller control data diagnosis method according to claim 5, further comprising a step of stopping the operation of the process controller when the counted number exceeds a predetermined number.

Images