JP4340669B2 - INPUT / OUTPUT CONTROL DEVICE, INPUT / OUTPUT CONTROL METHOD, PROCESS CONTROL DEVICE, AND PROCESS CONTROL METHOD - Google Patents

Description

  The present invention relates to an input / output control device, an input / output control method, a process control device, and a process control method, and more particularly to an erroneous input / output of an output value for a plurality of input / output devices in a control device aimed at highly reliable control. More specifically, the present invention relates to an apparatus for preventing erroneous input / output in cooperation with software having a plurality of input / output areas.

  In a control computer applied to a device control apparatus, it is necessary to appropriately protect both hardware and software so as not to cause a dangerous operation due to a failure of a component or a bug in a control program. In particular, an access control means for protecting a shared resource such as a memory in which programs and data are stored or an input / output device from unintended access due to the above-described failure and bug is one of the most important functions. Regarding the implementation of access control means, there is a known method for protecting a memory area by using an address translation mechanism so that the processor does not accidentally access an important area in the memory due to a bug in the control program. . In the memory management unit (MMU) built into the processor, only information on the memory area that is allowed to be accessed from the program is registered, and an access violation exception is generated for access to other areas. By doing so, erroneous access to a memory area that should not be accessed is prevented.

  In addition, in the memory access protection device disclosed in Japanese Patent Laid-Open No. 6-75861 (Patent Document 1), an example of controlling access to a predetermined memory area by monitoring an address output on the bus is disclosed.

Japanese Patent Laid-Open No. 6-75861

  The required reliability elements are availability and safety. Availability is important for device control, and safety is important for device protection. There are many contradictory parts of the means for realizing these two elements.

  If the configuration is divided into a partial device responsible for availability and a partial device responsible for safety, this not only complicates the equipment, but duplication and complication of operation and maintenance work may lead to a decrease in the reliability of human factors. was there.

  Here, the high safety includes not only a case where an erroneous access occurs from a control task executed by a processor to a shared resource such as a memory or an input / output device, but also a memory or an input / output device due to a failure of the input / output device itself. It is desirable to configure such that even when erroneous access to other input / output devices occurs, they can be suppressed.

  Access control that uses the address translation function of the MMU is effective for erroneous access from the processor due to a bug in the control program. However, the processor does not intervene and the data between the memory and the PI / O input / output device is transferred. When transferring, it is not enough.

  In addition, an access control information table is provided to protect access to only specific addresses in the operation mode and task unit, and fine-tuned control is performed for each of dozens of input / output devices in the system. For such applications, hardware resources increase and performance decreases.

  When considering general control and safety control for the purpose of equipment protection on the same control computer, the control tasks corresponding to each mode and the corresponding input / output devices Each of them will be mixed in the same computer system. At this time, of course, it is necessary to switch the access control state for access to the shared resource from the processor when the normal control mode and the safety control mode are switched. For such systems, erroneous input / output protection is required for each individual input / output device.

  An object of the present invention is to solve at least one of such problems or requirements.

  In order to achieve the above object, according to the present invention, input / output values for the processor to operate in a mode having a relatively high safety requirement are stored in the first storage area, and the processor has a relatively safety requirement. The input / output value for calculation in the low mode is stored in the second storage area, and the transfer to the first storage area, the transfer from the first storage area, the second according to the mode related to the safety requirement level Transfer to the storage area or transfer from the second storage area is limited.

  According to the present invention, it is possible to prevent erroneous output of input / output due to malfunction.

  Embodiments of the present invention will be described below with reference to the drawings.

  In the following embodiments, two control modes, i.e., a general control mode and a safety control mode, are used as control modes of the input / output control device. However, in carrying out the present invention, it is not necessary to limit the control mode to the above two.

  For example, regarding safety control, several safety levels may be provided depending on the degree of influence on the control target, and a restriction mode may be assigned to each of them.

  Also, the criteria for dividing the control mode are not necessarily based on safety. For example, when a plurality of control operations having different purposes are performed, a control mode may be assigned to each purpose.

  FIG. 1 shows the overall configuration of an input / output control apparatus according to a first embodiment of the present invention.

  The processor 1 calculates an application program that performs an operation based on input information from the input devices 72 and 74 from the I / O bus 6 and gives an instruction to the plant 8 via the output devices 71 and 73 of the I / O bus 6. Execute.

  The memory 5 holds input / output data.

  The input / output device 7 is a device that performs state inputs 82 and 84 and instruction outputs 81 and 83 of the plant 8, and there are two types of general control 71 and 72 and safety control 73 and 74.

  The control unit 3 exists between the processor 1, the memory 5 and the input / output device 7, and is connected by the processor bus 2, the memory bus 4, and the I / O bus 6, and controls the input / output of data. . In particular, between the input / output device 7 and the memory 5, according to the initial setting information, information collection from the input devices 72 and 74 and processing for transferring the memory information to the output devices 71 and 73 are automatically and periodically performed. Data transfer "function.

  The processor I / F unit 31, the memory I / F unit 33, and the input / output bus I / F unit 32 in the control unit 3 are connected by control unit internal signals 36, 37, and 38, respectively. Then, it receives access from the processor 1 and connects to the memory I / F unit 33.

  Similarly, the input / output bus I / F unit 32 has a function of periodically transferring data between the memory 5 and the input / output device 7 without any program according to the initial setting (from the processor to the input / output device). This is also passed through the I / F unit during direct access.)

  The memory I / F unit 33 performs read / write control on the memory 5 and mode-to-memory area mismatch detection 331.

Description of Basic Operation The processor 1 performs initial setting for the control unit 3.

  The initial setting instruction sets parameters for data transfer from the processor 1 by a microprogram or an application program.

  After starting the application program, the operating mode (safe or general) is set in the operating mode register 311 by the operating system (OS), and then the application program is executed to perform input / output processing.

  At this time, erroneous input / output to / from the input / output device 7 subject to access prohibition by the application program is prevented.

  A detailed embodiment will be described below with reference to FIG.

  FIG. 2 shows the entire configuration of FIG. 1 in more detail with a memory at the center.

  The processor 1 performs initial setting in accordance with system configuration information registered in advance in the transfer permission / prohibition setting register 321 in the control unit.

  The transfer enable / disable setting register 321 sets whether or not data can be transmitted / received to / from the input / output device 7 in slot units. Thereafter, a data transfer cycle is set and a transfer start instruction is issued.

  Here, as the contents of the transfer permission / inhibition setting register 321, a circle indicates that the transfer is performed. Further, the mark “X” means that the image is not transferred. For example, in the general I / O area 51, the transfer destination setting register 321 of the output destination of the address number 1 (general output) is marked with ◯. This is because the address number 1 (general in the general I / O area 51) When data is written to (output), it means that the written data is transferred to slot number 1 (71) (general output) of the input / output device 7 by the transfer permission / prohibition setting register 321. Similarly, for example, the transfer permission / non-transfer setting register 321 of the address number 7 (safety output) of the general I / O area 51 is marked with “x”, but this is the address number of the general I / O area 51. This means that even if data is written to 7 (safety output), the written data is not transferred to the slot number 7 (73) (general output) of the input / output device 7 by the transfer enable / disable setting register 321.

  The transfer availability setting register 321 linking the output destination of the slot number 4 (72) (general input) of the input / output device 7 and the address number 4 (general input) of the safety I / O area 52 is marked with a circle. The transfer permission / prohibition setting register 321 linking the output destination of the slot number 10 (74) (safety input) of the input / output device 7 and the address number 10 (safety input) of the general I / O area 51 is marked with a circle. These can be set to x by the initial setting. That is, the data written in the slot number 4 (72) (general input) of the input / output device 7 is not transferred to the address number 4 (general input) of the safety I / O area 52 by the initial setting. The transfer enable / disable setting register 321 can be set so that data written in the slot number 10 (74) (safety input) of the apparatus 7 is not transferred to the address number 10 (safety input) of the general I / O area 51. It is.

  After receiving the transfer start instruction, the input / output bus I / F unit 32 automatically performs data transmission / reception between the memory 5 and the input / output device 7 for each set period.

  The memory 5 has two surfaces, a general I / O area 51 and a safety I / O area 52, and has two input / output areas for one input / output device. Data is output from the corresponding area according to the operation mode register 311. The general output device 71 outputs from the general I / O area 51, and the safety output device 73 outputs from the safety I / O area 52.

  During the application program operation, the OS sets the general control mode or the safety control mode, either the operation mode, in the control mode register 311 and then executes the application program. The application program performs the input / output processing 100.

  The application program refers to input data existing in the memory 5 and performs a control operation. In addition, the control-calculated output data is written to the data output area on the memory 5 (100, 101).

  The data written in the output area is transmitted to the output device by the data transfer 60 to 69, and output to the plant and data input from the plant are performed.

  The mode / memory area mismatch detection unit 331 limits the input / output range in accordance with the contents 361 of the set operation mode register. Only the access 101 permitted by the mode-to-memory area mismatch detection unit 331 can access the memory 5.

  In the example of FIG. 2, the outputs can be only the general output 200 in the general control mode and only the safety output 206 in the safety control mode. The safety output 202 in the general mode and the general output 204 in the safety mode are not allowed.

  Therefore, when operating in the general mode, even if there is an output instruction 202 (memory write) to the safety output in the general I / O area 51, the data transfer 66 to the safety output device 73 is not performed.

  At this time, the fact that there was an output to an area where output is not permitted is checked separately from the data transfer cycle, writing to the memory where output is not permitted is detected, and an error report 38 is performed ( Error interrupt 21 and reflection to status register 312).

Further, when operating in the general mode, an output instruction 204 to the safety I / O area 52,
When there is an access instruction to the non-permitted part 206 (memory write), the mode / memory area mismatch detection part 331 compares the current operation mode with the access address, and an output instruction 206 to the safety I / O area ( At the time of memory write), an error report 362 is made (interrupt 21, reflected in the status register 312, etc.).

  This prevents and detects erroneous output by the application program.

  In this example, the input data can always be written 201, 205, 203, 207 in the areas (two places) of both modes of the memory.

  This is to prevent unauthorized input data from being received and erroneously calculated even in the case of erroneous access such as reading 203 data from the safety input device 74 from the general I / O area 51 and performing 203. It is treatment of. Also in this case, an error report 362 for access to the non-permitted part is performed (interrupt 21, reflected in the status register 312).

  An outline of the above operation is shown in a table in FIG.

  When the processor 1 performs an operation in the general mode, the general input and the general output are valid.

  Therefore, if safety input or safety output is performed in the general mode, an error report 38 is issued as an abnormal operation.

  Similarly, when the processor 1 performs the calculation in the safety mode, only the safety input and the safety output are valid.

  Therefore, if general input or general output is performed in the safe mode, an error report 38 is issued as an abnormal operation.

  Further details will be described. In FIG. 3, for example, in the general mode, the processor 1 can write to address number 1 (general output) of the general I / O area 51. In this case, the written data outputs the set value. . Similarly, in the general mode, the processor 1 can read the data written in the address number 4 (general input) of the general I / O area 51. In this case, the written data is read into the processor 1. Become.

  In FIG. 3, in the general I / O area 51, the safety input when the operation mode is the general mode is described as “Δ (read by setting and alarm report [38])”. Indicates that either reading and alarm reporting [38] can be set.

  That is, as shown in FIG. 2, in the transfer permission / prohibition setting register 321 linking the output destination of the slot number 10 (74) (safety input) of the input / output device 7 and the address number 10 (safety input) of the general I / O area 51. In the case where ○ is attached, “○ (read input value)” is set, while slot number 10 (74) (safety input) of the input / output device 7 and address number 10 of the general I / O area 51 are set. When “x” is added to the transfer permission / prohibition setting register 321 connecting the output destinations of (safety input), it indicates that “× (output impossible, alarm report [38])” is set.

  Similarly, in the safety I / O area 52, the general input when the operation mode is the safety mode is described as “Δ (read by setting and alarm report [38])”. , Reading and alarm reporting [38] can be set.

  That is, as shown in FIG. 2, in the transfer permission / prohibition setting register 321 linking the output destination of the slot number 10 (74) (safety input) of the input / output device 7 and the address number 10 (safety input) of the general I / O area 51. In the case where it is marked, “O (read input value)” is set, while slot number 10 (74) (safety input) of the input / output device 7 and address number 10 (general I / O area 51) When “x” is added to the transfer permission / prohibition setting register 321 connecting the output destinations of “safety input”, it indicates that “× (output impossible, alarm report [38])” is set.

  In the example of FIG. 2, even when the processor 1 erroneously inputs safety in the general mode or performs general input in the safety mode, a normal value can be read from the data.

  This requires a certain amount of time until the interrupt 21 is generated by the error report 38, and the processor 1 keeps moving during that time. Therefore, this is a measure for preventing an erroneous operation due to returning erroneous data.

  Here, by defining “Δ” as a new restriction mode, it is possible to return data when access is made and to turn on the error report 38.

  In addition, as a usage that further improves the availability, the mode-to-memory area mismatch detection unit 331 reports an alarm 362 as an abnormality only in the general mode, and the general I / O area 51 and the safety I / O area 52 are in the safe mode. Both can be accessible.

  By using this method, the memory areas 51 and 52 can be separated, so that reliable protection with a simple configuration is possible.

  The validity of the system can be ensured by judging that the operation mode declared by the software and the access address are normal only.

  In the first embodiment, the control mode is instructed by the OS, and the location where the mode / memory area mismatch detection unit 331 of the processor IF unit 31 performs the determination is matched with the control mode using the MMU function of the processor. It is also possible to change the MMU information, switch between write prohibition and release, and perform access protection to the safety I / O area.

  The same function is realized by using a physical memory as one surface and automatically adding an offset corresponding to the mapping change in hardware according to the operation mode register in the control unit.

  In the initial setting from the processor 1 to the transfer enable / disable setting register 321, the setting of the input / output device actually connected is not performed at the time of system initialization immediately after the power is turned on. It is also possible to read the information and set it automatically according to the slot and device type installed.

  As described above, in each embodiment, multiple input / output areas are provided in the input / output device, and the software is dedicated when the software operates in the safety mode or in the general mode. On the other hand, by setting the input / output executable level, it is possible to restrict access from the program to the input / output of each input / output device.

  As a result, input / output protection according to each program operation mode is possible, and erroneous output of the input / output device due to program malfunction can be prevented.

  As a result, the programmer can access the safe input / output data only by changing the offset of the input / output address, and the program can be easily changed.

  The embodiment is described on the premise of a transfer method that is more difficult to realize when compared with direct access to an input / output device from a processor. The same protection can be achieved by using the present invention even in a direct access system.

1 is an overall configuration of an input / output control apparatus according to a first embodiment of the present invention. The figure showing detailed composition focusing on memory. A table showing the outline of operation.

Explanation of symbols

3... Control unit, 5... Memory, 7.

Claims (7)

A general storage area for storing an input / output value for the processor to calculate in the general mode, and an input / output value for the processor to calculate in the safety mode, which is a mode having a higher safety requirement than the general mode. Have a safe storage area,
The general storage area includes a first area for outputting information to the general area of the input / output device, and a second area for inputting information from the general area of the input / output device;
The safety storage area includes a third area for outputting information to the safety area of the input / output device, and a fourth area for inputting information from the safety area of the input / output device,
No information is output from the first area to the safety area of the input / output device, no information is output from the third area to the general area of the input / output device,
The input / output device is configured such that information can be input from the safety area of the input / output device to the general storage area, or information can be input from the general area of the input / output device to the safety storage area. Control device.   2. The transfer permission / prohibition setting register according to claim 1, wherein the transfer restriction between the general storage area and the safety storage area and the input / output device is made with reference to the contents of the transfer permission / rejection setting register. An input / output control device.   3. The input / output control apparatus according to claim 2, further comprising a status register, wherein a mode related to the safety requirement level is determined with reference to contents of the status register.   2. The input / output control according to claim 1, further comprising means for restricting an access area of the safety storage area and the general storage area in accordance with a mode related to a safety requirement level, and reporting an abnormality at an unauthorized access to the restriction. apparatus. In a plant control apparatus having a processor that calculates plant control information based on plant information and an input / output unit that inputs and outputs to the processor,
The input / output unit includes a general storage area for storing input / output values for the processor to perform operations in the general mode, and a processor for performing operations in the safety mode, which is a mode having a higher safety requirement than the general mode. It has a safe storage area for storing input / output values,
The general storage area includes a first area for outputting information to the general area of the input / output device, and a second area for inputting information from the general area of the input / output device;
The safety storage area includes a third area for outputting information to the safety area of the input / output device, and a fourth area for inputting information from the safety area of the input / output device,
No information is output from the first area to the safety area of the input / output device, no information is output from the third area to the general area of the input / output device,
The plant control is configured such that information can be input from the safety area of the input / output device to the general storage area, or information can be input from the general area of the input / output device to the safety storage area. apparatus. Input / output values for the processor to calculate in the general mode are stored in the general storage area, and input / output values for the processor to calculate in the safety mode, which is a relatively higher safety requirement mode than the general mode, are safely stored. Remember in the area,
The general storage area includes a first area for outputting information to the general area of the input / output device, and a second area for inputting information from the general area of the input / output device;
The safety storage area includes a third area for outputting information to the safety area of the input / output device, and a fourth area for inputting information from the safety area of the input / output device,
No information is output from the first area to the safety area of the input / output device, no information is output from the third area to the general area of the input / output device,
An input / output control method that operates so that information can be input from the safety area of the input / output device to the general storage area or information can be input from the general area of the input / output device to the safety storage area. Storing the input and output values for the processor to the operation of the plant control in normal mode in the general storage area, the operation of the plant control processor in a secure mode said generally mode high mode a relatively safe demanding than To store the input / output values for
The general storage area includes a first area for outputting information to the general area of the input / output device, and a second area for inputting information from the general area of the input / output device;
The safety storage area includes a third area for outputting information to the safety area of the input / output device, and a fourth area for inputting information from the safety area of the input / output device,
No information is output from the first area to the safety area of the input / output device, no information is output from the third area to the general area of the input / output device,
A plant control method that operates so that information can be input from the safety area of the input / output device to the general storage area or information can be input from the general area of the input / output device to the safety storage area.

Images