JP7379932B2 - Control device, user program execution control method, and system program - Google Patents

Description

The present invention relates to a control device that executes a user program to control a controlled object, a method for controlling execution of a user program in the control device, and a system program for realizing the control device.

Control devices such as PLCs (Programmable Logic Controllers) have been introduced at various manufacturing sites. Such a control device is a type of computer, and includes a volatile memory such as a RAM (Random Access Memory) and a processor such as a CPU (Central Processing Unit). The volatile memory stores a user program designed according to the manufacturing device or manufacturing equipment. A processor sequentially reads instructions constituting a user program stored in volatile memory and executes them sequentially.

When executing a user program stored in a volatile memory, the data of the user program may be destroyed bit by bit due to the influence of radiation, and a soft error may occur in the volatile memory. In this way, data in the user program may be destroyed and soft errors may occur, so it is desired that the control device be provided with a function to detect and correct the detected soft errors. .

Japanese Unexamined Patent Application Publication No. 2004-220580 (Patent Document 1) discloses a system that includes, in addition to a user program memory in which a user program is stored, a backup memory in which data having the same contents as the user program stored in the user program memory is stored. A programmable controller unit is disclosed. This programmable controller unit detects an abnormality by comparing the contents of the backup memory and user program memory, and when an abnormality is detected, the user program stored in the user program memory is changed based on the data stored in the backup memory. and repair it.

Japanese Patent Application Publication No. 2004-220580

The error detection method disclosed in Patent Document 1 detects errors by comparing two memories with each other, so there is a problem that it takes time to obtain a comparison result.

An object of the present invention is to shorten the time required to detect and restore errors occurring in memory.

According to an example of the present disclosure, a control device for controlling a controlled object is provided. The control device includes an instruction execution unit that sequentially executes instructions included in the user program, a volatile memory that stores the user program, and a backup user program that has the same content as the user program stored in the volatile memory. It includes a backup memory and an access control section that reads instructions included in the user program from the volatile memory and provides them to the instruction execution section according to a predetermined execution order. Volatile memory stores data with error detection information added, and in response to a read request, reads data based on the data in a specified area and the error detection information corresponding to the specified area. The device is configured to respond with the presence or absence of an error in the determined designated area. When reading an instruction from volatile memory, if the volatile memory responds that an error has occurred in the area where the read instruction was stored, the access control unit reads the area where the error has occurred. The controller is configured to reload the data from the backup memory to the volatile memory and read the instructions again from the volatile memory.

According to the present disclosure, since the presence or absence of an error in a specified area is determined based on error detection information, compared to the case where the occurrence of an error is detected by comparing memories, The time required for processing can be shortened.

In the above disclosure, the volatile memory may be configured to respond by parity check as to whether an error has occurred. According to this configuration, errors in 1-bit units can be detected.

In the above disclosure, the access control unit reads data stored in the volatile memory in a predetermined order at a predetermined timing, in addition to reading for the purpose of providing instructions to the instruction execution unit. When the volatile memory responds that an error has occurred in the area where the read data was stored, the data including instructions stored in the backup memory is reloaded from the backup memory to the volatile memory. .

According to this disclosure, error detection and error recovery are periodically performed on data related to instructions that are called extremely infrequently, depending on the execution order of the instructions.

In the above disclosure, the backup memory may be a memory that non-volatilely stores a backup user program. In this case, the user program stored in volatile memory is loaded from backup memory.

According to this disclosure, since the power-off memory can be used as a backup memory, there is no need to separately prepare a backup memory, and the memory capacity can be reduced.

In the above disclosure, the backup memory may be a memory that volatilely stores a backup user program. The access control unit rewrites the data stored in the volatile memory and the data stored in the backup memory when it is necessary to rewrite the data stored in the volatile memory due to execution of an instruction.

According to this disclosure, by rewriting data stored in a backup memory in addition to data stored in a volatile memory, it is possible to cope with soft errors in user programs that include instructions that cause data to be rewritten.

According to another example of the present disclosure, a method for controlling execution of a user program in a control device for controlling a controlled object is provided. The control device includes a volatile memory that stores a user program, and a backup memory that stores a backup user program having the same content as the user program stored in the volatile memory. Volatile memory stores data with error detection information added, and in response to a read request, reads data based on the data in a specified area and the error detection information corresponding to the specified area. The device is configured to respond with the presence or absence of an error in the determined designated area. A user program execution control method includes the steps of reading instructions included in a user program from volatile memory according to a predetermined execution order, and when reading instructions from volatile memory, the instructions are stored in the area where the read instructions were stored. When the volatile memory responds that an error has occurred, the steps of reloading the data in the area where the error has occurred from the backup memory to the volatile memory and rereading the instructions from the volatile memory; and executing the instructions read from the physical memory.

According to this disclosure, since the presence or absence of an error in a specified area is determined based on error detection information, compared to the case where the occurrence of an error is detected by comparing memories, The time required for processing can be shortened.

According to yet another example of the present disclosure, a system program for realizing a control device for controlling a controlled object is provided. The control device includes a volatile memory that stores a user program, and a backup memory that stores a backup user program having the same content as the user program stored in the volatile memory. Volatile memory stores data with error detection information added, and in response to a read request, reads data based on the data in a specified area and the error detection information corresponding to the specified area. The device is configured to respond with the presence or absence of an error in the determined designated area. The system program requires the processor of the control device to read the instructions included in the user program from volatile memory according to a predetermined execution order, and when the instructions are read from volatile memory, the area where the read instructions were stored. When the volatile memory responds that an error has occurred, reloading the data in the area where the error has occurred from the backup memory to the volatile memory, and rereading the instruction from the volatile memory; and executing the instructions read from the volatile memory.

According to this disclosure, since the presence or absence of an error in a specified area is determined based on error detection information, compared to the case where the occurrence of an error is detected by comparing memories, The time required for processing can be shortened.

According to the present invention, the time required for detecting and restoring errors occurring in memory can be shortened.

FIG. 2 is a diagram schematically illustrating an application example of the present disclosure. 1 is a diagram schematically showing the configuration of a control device 100. FIG. 3 is a flowchart for explaining an example of processing executed by the processor 102. FIG. A modification of the processing executed by the processor 102 is shown. FIG. 5 is a schematic diagram of reading/writing/restoring data when the process shown in FIG. 4 is executed. It is a figure showing an example of log data.

Hereinafter, each embodiment according to the present invention will be described with reference to the drawings. In the following description, the same parts and components are given the same reference numerals. Their names and functions are also the same. Therefore, detailed explanations thereof will not be repeated. Note that the embodiments and modifications described below may be selectively combined as appropriate.

§1. Application Example An example of a situation where the present invention is applied will be described with reference to FIG. FIG. 1 is a diagram for schematically explaining an application example of the present disclosure. Referring to FIG. 1, a control device 100X according to the present disclosure corresponds to, for example, an industrial controller called a PLC (programmable controller), and controls various manufacturing equipment and machines (not shown). In the control by the control device 100X, necessary information is acquired using sensors, etc., and predetermined control calculations are executed using the acquired information according to the program executed by the control device 100X. , calculate the control output.

The control device 100X includes an instruction execution unit 202X, a volatile memory 106X, a backup memory 110X, and an access control unit 204X.

The instruction execution unit 202X sequentially executes instructions included in the user program 114. The user program 114 is a program created for the purpose of controlling a controlled object, and is a program that is created for the purpose of controlling a controlled object, and is a program that is created for the purpose of controlling a controlled object. This is a program for implementing any application, such as a program for sending and receiving data.

The access control unit 204X reads instructions included in the user program 114 from the main memory 106 and provides them to the instruction execution unit 202 in accordance with a predetermined execution order.

The instruction execution unit 202X and the access control unit 204X are functions realized, for example, by the processor of the control device 100 executing a system program for realizing the basic functions of the control device. Note that some or all of the functions of the instruction execution unit 202X and the access control unit 204X may be implemented using a dedicated hardware circuit (for example, an ASIC (Application Specific Integrated Circuit) or an FPGA (Field-Programmable Gate Array)). You may. For example, the function of the instruction execution unit 202X may be implemented using a dedicated hardware circuit, and the function of the access control unit 204X may be realized by the processor of the control device 100X executing a system program.

The volatile memory 106X stores the user program 114 in a volatile manner. The user program 114 stored in the volatile memory 106X is a program for execution and is user data 140.

The backup memory 110X stores backup data 160, which is a backup user program 114 having the same content as the user program 114 stored in the volatile memory 106X. Backup memory 110X may be volatile memory or nonvolatile memory.

The backup data 160 is used to restore the user data 140 when the user data 140 is destroyed. For example, if the user data 140 is destroyed by cosmic ray neutrons or the like, the destroyed data is restored by reloading the backup data 160 into the volatile memory 106X.

The volatile memory 106X is a memory equipped with an error detection function, and specifically, when storing the data 142, it adds error detection information (detection information 144X) to the data 142 and stores it. . Further, when the volatile memory 106X outputs data in a designated area in response to a read request, it also outputs whether or not an error has occurred in the designated area. Whether or not an error has occurred is determined based on the detection information 144X. Whether or not an error has occurred is determined, for example, according to a conventionally known parity check.

When the volatile memory 106X responds that an error has occurred in the area where the read instruction was stored, the access control unit 204X transfers the data in the area where the error has occurred from the backup memory 110X to the volatile memory 110X. Reload the data into the physical memory 106X. After reloading, the access control unit 204X reads the instruction again from the volatile memory 106X.

In this way, the presence or absence of an error in a specified area is determined based on the error detection information, so the processing is faster than when detecting an error by comparing memories. The time required can be shortened.

Further, volatile memories equipped with a function of detecting data errors are generally available on the market. The control device 100X according to the present disclosure utilizes such a generally available volatile memory 106X and causes the processor to execute a process of re-reading instructions from the volatile memory 106X when an error occurs. It is possible to easily realize this by just configuring it so as to make it happen.

Furthermore, there are memories that have a function of detecting and correcting data errors using hardware, but such memories are expensive. The control device 100X according to the present disclosure can be realized by using a memory that only has an error detection function, so it can be realized at low cost.

Note that the volatile memory 106X may be a memory having a function of detecting and correcting data errors using hardware. In this case, for example, even if data cannot be corrected by the memory, the correction function provided by the memory can be supplemented by configuring the data to be reloaded as a processor process.

Furthermore, since the control device 100X according to the present disclosure reloads data before executing an instruction, it is possible to prevent the instruction from being executed according to incorrect data.

Further, when reloading erroneous data after executing an instruction, it is desirable to back up the input/output data that is updated by executing the instruction according to the erroneous data. In contrast, since the control device 100X according to the present disclosure reloads erroneous data before executing an instruction, it is not necessarily necessary to back up input/output data, and memory can be reduced. I can do it.

Furthermore, in response to the data read request, the control device 100X according to the present disclosure responds to the presence or absence of an error. Therefore, data errors can be discovered earlier than in the case of checking whether an error has occurred after executing the entire user program 114.

Note that the timing for restoring data may be when a response indicating whether an error has occurred is received, or after a response indicating whether an error has occurred, an instruction for the data related to whether an error has occurred may be executed. It may be time to do so.

Further, if an error has occurred, only the data in which the error has occurred may be reloaded from the backup memory 110X, or the data may be reloaded from the backup memory 110X in units of read instructions. Alternatively, data in which an error has occurred may be reloaded by reloading the entire user program 114.

Note that when reloading when an error has occurred, it is better to read only the data where the error has occurred or the data related to the read instruction when reloading the entire user program 114. The time required for restoration can be reduced compared to

§2. Specific example <A. Configuration of control device 100>
FIG. 2 is a diagram schematically showing the configuration of the control device 100. In FIG. 2, a part of the configuration that performs central processing of the control device 100 is shown.

Referring to FIG. 2, control device 100 includes a processor 102, main memory 106, and flash memory 108. The processor 102, the main memory 106, and the flash memory 108 may be provided in the control device 100 in the form of being mounted on a one-chip microcomputer, or may be provided in the control device 100 in the form of being individually mounted. You can leave it there.

By directly executing the system program 112 stored in the flash memory 108, the processor 102 expands the user program 114 into the main memory 106 and sequentially executes it. The processor 102 reads the user program 114, expands it to the main memory 106, and executes it, thereby realizing control over the controlled object. Note that the system program 112 may be configured to be expanded to the main memory 106 and executed, but the control device 100 may be implemented by directly executing the system program 112 without being expanded to the main memory 106. It is possible to prevent important programs that are needed for the program from being corrupted by the effects of radiation such as cosmic rays and neutrons.

The flash memory 108 is a non-volatile memory and holds various programs including a system program 112 and a user program 114, and various parameters used by the various programs. In the present embodiment, the flash memory 108 functions as a backup memory that stores backup data 160 that is a user program 114 having the same content as the user program 114 for execution developed in the main memory 106 .

The system program 112 is firmware and is a program for realizing the control device 100. The user program 114 is a program other than the system program 112, for example, other devices that can be communicated with a program created for the purpose of controlling the control object, a database, other control device (for example, a database, other control device. , HMI, etc.).

Note that data such as the system program 112 and the user program 114 other than the system program 112 may be stored in different nonvolatile memories. In this case, the system program 112 that is executed directly without being expanded to the main memory 106 may be stored in a high-speed flash memory, and data such as the user program 114 that is frequently rewritten may be stored in another non-volatile memory. good.

Main memory 106 is a volatile memory and holds user data 140 for execution when processor 102 executes user program 114 .

Although not shown in FIG. 2, the control device 100 includes an interface for communicating with other devices, and an internal bus controller for exchanging data with functional units connected via an internal bus. It is equipped with a memory card interface for reading and writing data stored in the memory card.

Functional units connected to the control device 100 may include an I/O (Input Output) unit, a safety I/O unit, a communication unit, a motion controller unit, a temperature adjustment unit, a pulse counter unit, and the like.

Further, the control device 100 may be a safety unit that executes control calculations for realizing safety functions related to a controlled object.

<B. Functional configuration of processor and main memory>
The functional configuration of processor 102 and main memory 106 will be described with reference to FIG. 2. Processor 102 includes an instruction execution unit 202, an access control unit 204, a register 206, and an access interface 220.

The instruction execution unit 202 is an arithmetic unit, and is composed of one or more arithmetic circuits. The instruction execution unit 202 executes instructions read from the main memory 106.

The access control unit 204 is a function realized by executing the system program 112, and controls the access interface 220 to exchange data between the processor 102, flash memory 108, and main memory 106. Under the control, instructions included in the user program 114 are read from the main memory 106 and provided to the instruction execution unit 202 in accordance with a predetermined execution order.

Registers 206 may include an error address register 208, an error status register 210, and an instruction register 212. Processor 102 may further include other types of registers.

The error address register 208 holds an area (address) in the main memory 106 where a soft error has occurred.

The error status register 210 holds that a soft error has occurred in the main memory 106.

The instruction register 212 holds instructions executed by the instruction execution unit 202. Processor 102 may include multiple instruction registers 212.

The access interface 220 is controlled according to instructions from the access control unit 204 and exchanges data between the main memory 106 and the flash memory 108.

Main memory 106 includes address decoder 602, memory cells 604, read/write circuit 606, and parity check circuit 610.

Address decoder 602 is connected to processor 102 via address bus 402. The address decoder 602 specifies the address by decoding the signal output on the address bus 402, and activates the cell at the specified address among the memory cells 604. The result decoded by address decoder 602 is output to parity check circuit 610.

Memory cell 604 stores user data 140, which is user program 114 for execution. Data 142 is stored in memory cell 604 with parity bit 144 added as information for error detection.

Read/write circuit 606 is connected to processor 102 via control bus 404 and data bus 406. Read/write circuit 606 reads or writes data to memory cell 604 in response to a control signal from control bus 404 .

Read/write circuit 606 has parity generation circuit 608. Parity generation circuit 608 generates parity bits 144 from data 142 transmitted via data bus 406 . When writing data, the read/write circuit 606 adds a parity bit 144 generated by the parity generation circuit 608 to the cell activated by the address decoder 602 and sends the cell via the data bus 406. Data 142 is stored.

When reading data, read/write circuit 606 reads data (data 142 and parity bit 144) stored in cells activated by address decoder 602 and outputs it to data bus 406. Further, read/write circuit 606 outputs the read data (data 142 and parity bit 144) to parity check circuit 610. Note that the read/write circuit 606 may output only the data 142 to the data bus 406.

Parity check circuit 610 is connected to processor 102 via error bus 408. Parity check circuit 610 checks whether an error has occurred in the data output from read/write circuit 606 by performing a parity check. For example, if the data 142 at the time of writing is destroyed by cosmic ray neutrons or the like, it will be destroyed bit by bit. Since it is unlikely that two or more bits of the data 142 to which the parity bit 144 has been added will be destroyed by cosmic ray neutrons, it is possible to detect whether the data 142 has been destroyed by cosmic ray neutrons by performing a parity check. Note that since the parity check method is a conventional technique, a detailed explanation will be omitted.

The parity check circuit 610 outputs to the error bus 408 whether or not a data error has occurred and the address output from the address decoder 602 (the address of the cell subjected to the parity check). Note that the parity check circuit 610 may output the occurrence of a data error and the address to the error bus 408 only when a data error has occurred.

Note that the configuration shown in FIG. 2 is an example, and the configuration is not limited to that shown in FIG. 2 as long as the volatile memory has a circuit for detecting data errors. Furthermore, the method for detecting data errors is not limited to parity checking, and any method can be applied.

Processor 102 and flash memory 108 are connected via address bus 410, control bus 412, and data bus 414. Processor 102 executes system programs 112 via these buses. Further, the processor 102 appropriately loads programs from the flash memory 108 into the main memory 106 via these buses, and executes the user program 114.

<Processor processing>
FIG. 3 is a flowchart for explaining an example of processing executed by the processor 102. Hereinafter, a step will be simply written as "S". The flowchart shown in FIG. 3 is realized by the processor 102 executing the system program 112. The flowchart shown in FIG. 3 is executed when power is supplied to the control device 100.

In S102, the processor 102 loads the user program 114 into the main memory 106. Through the process of S102, the data 142 with the parity bit 144 added is stored in the memory cell 604 of the main memory 106.

In S104, the processor 102 fetches an instruction to be executed from the main memory 106. More specifically, the access interface 220 outputs an address in which data corresponding to an instruction to be executed is stored to the address bus 402 according to instructions from the access control unit 204, and sends a signal requesting readout to the control bus 404. Output.

The main memory 106 responds to the read request from the processor 102 by outputting data 142 at a designated address and a parity check result for the data 142 at the designated address. Specifically, address decoder 602 activates the cell of the address output to address bus 402 and outputs the address to parity check circuit 610. Read/write circuit 606 receives a signal requesting reading and outputs data 142 and parity bit 144 of activated cells to data bus 406 and parity check circuit 610. Parity check circuit 610 checks data 142 for errors based on data 142 and parity bit 144, and outputs the check result and the address of checked data 142 to error bus 408.

Data 142 sent via data bus 406 is stored in instruction register 212. The address of the checked data 142 of the data sent via the error bus 408 is stored in the error address register 208. The check results of the data sent via the error bus 408 are stored in the error status register 210.

In S106, the processor 102 determines whether there is an error. Specifically, the processor 102 makes the determination based on the check result stored in the error status register 210.

If it is determined that there is an error (YES in S106), the processor 102 restores the data in S108. Specifically, the access control unit 204 controls the access interface 220 to reload the data at the address stored in the error address register 208 from the flash memory 108 to the main memory 106.

For example, based on the address stored in the error address register 208, the access control unit 204 identifies the address in the flash memory 108 where data at the address is stored. The access interface 220 outputs the specified address to the address bus 410 and a read request signal to the control bus 412 in accordance with instructions from the access control unit 204.

Then, the access interface 220 writes the address where the data 142 to be restored is stored to the address bus 402 and the data output by the flash memory 108 in response to the read request to the data bus 406 in accordance with the instruction from the access control unit 204. A signal requesting the same is output to the control bus 404, respectively.

Main memory 106 receives a write request signal from processor 102 and writes data 142 and parity bit 144 sent via data bus 406 to an address specified via address bus 402 . As a result, the erroneous data will be restored.

In S110, the processor 102 clears the data in the error address register 208 and error status register 210. After executing the process in S110, the processor 102 executes the processes in S104 and S106 again, and confirms that the parity error has been resolved by restoring the data.

In the example shown in FIG. 3, the processes of S108 and S110 are repeated until it is determined that there is no error. Note that when the processes of S108 and S110 are repeatedly executed a predetermined number of times, the execution of the user program 114 may be stopped and the error may be notified to the user.

Further, in this embodiment, data sent via the error bus 408 is stored in the error address register 208 and the error status register 210. Note that it is also possible to determine whether or not there is an error based on the data sent via the error bus 408, and to store the data in the error address register 208 and error status register 210 if there is an error. good.

If it is determined that there is no error (NO in S106), the processor 102 executes the fetched instruction in S112. Specifically, the instruction execution unit 202 of the processor 102 executes the instruction indicated by the data 142 stored in the instruction register 212.

In S114, the processor 102 determines whether the user program 114 has been executed for one cycle. If it is determined that the user program 114 has not been executed for one cycle (NO in S114), the processor 102 switches the process to S126.

If it is determined that the user program 114 has been executed for one cycle (YES in S114), the processor 102 fetches dummy data 142 from the main memory 106 in S116.

The processing in S118, 120, and 122 is the same as the processing in S106, 108, and 110, so the description thereof will be omitted.

If it is determined in S118 that there is no error, or after the processes in S120 and S122 are executed, in S124, the processor 102 updates the dummy read address. Specifically, the processor 102 sequentially updates the addresses regardless of the instruction execution result and repeats the processing from S118 to S124, so that when the user program 114 is executed for multiple cycles, all of the memory cells 604 are updated. The data 142 is read out at least once. That is, the processor 102 updates the dummy read address so that the data stored in the memory cell 604 is read out in a predetermined order.

In S126, the processor 102 identifies the address where the next instruction to be executed is stored, depending on the result of the instruction executed in S112. The processor 102 executes the user program 114 by repeating the processing from S104 to S126.

Some of the instructions making up the user program 114 are executed less frequently. If the processes from S116 to S124 are not executed, data for executing instructions that are executed infrequently will not be checked for a long period of time. Furthermore, parity check can only detect a 1-bit error. Therefore, if two or more bits are destroyed due to being left unchecked for a long period of time, the destruction cannot be detected.

In this embodiment, by repeatedly executing steps S116 to S124, the data 142 stored in the main memory 106 is read out at least once. can be prevented from being left unchecked for a long period of time.

Note that the timing at which data is read separately from the instruction execution is after the user program 114 has been executed for one cycle (S116), but is not limited to this. The timing for reading data separately from the execution of an instruction may be, for example, after the user program 114 has been executed for a plurality of cycles, or after a plurality of instructions have been executed. Further, when the control device 100 is equipped with a plurality of processors, the timing for reading data separately from the execution of instructions may be during the execution of the user program 114. Further, the amount of data read in S116 is arbitrary and not limited.

<Modified example>
(Modification 1)
In the embodiment described above, the memory that holds the backup data 160 used for restoring data is the flash memory 108, which is a nonvolatile memory. That is, in the embodiment described above, data for maintaining power outage stored in a nonvolatile memory such as the flash memory 108 is used as backup data. Therefore, there is no need to newly prepare data for backup, and memory can be reduced.

Note that the backup data 160 may be held separately from the data for holding power outage. For example, backup data 160 may be stored separately from user data 140 in volatile memory, such as main memory 106. By storing the backup data 160 in a volatile memory that is faster to access from the processor 102 than the flash memory 108, the time required for restoration can be shortened. Backup data 160 may be stored in main memory 106 or may be stored in another volatile memory different from main memory 106.

Note that when the memory that holds the backup data 160 is a volatile memory, the processor 102 also reads the user program 114 into the memory that holds the backup data 160 when expanding the user program 114 to the main memory 106.

<Modification 2>
In the above embodiments, no mention was made of updating the data of the user program 114 with the execution of instructions. Note that depending on the user program 114, the data of the user program 114 may change dynamically as instructions are executed. In such a case, it is preferable to configure the backup data 160 to be updated in the same way as the execution data.

When updating data as the user program 114 is executed, the number of accesses to the backup data 160 increases. Therefore, when the user program 114 changes dynamically, it is preferable to store the backup data 160 in a volatile memory separately from the data for maintaining power outage.

FIG. 4 shows a modification of the processing executed by the processor 102. In FIG. 4, common step numbers are assigned to processes common to those in FIG. 3. The process shown in FIG. 4 differs from the process shown in FIG. 3 in that the processes in S103, S113-1, and S113-2 are newly executed, and the processes in S108' and S120' are newly executed in place of S108 and S120. Below, processing that is different from the processing shown in FIG. 3 will be mainly explained.

In S103, the processor 102 stores the backup data 160 in the main memory. That is, the processor 102 stores the user data 140 and the same backup data 160 as the user data 140 in the memory cell 604 of the main memory 106 .

The processing in S108' differs from the processing in S108 in that the data referred to when reloading is not the data stored in the flash memory 108 but the backup data 160 stored in the main memory 106. (See Figure 5). The difference between the processing at S120' and the processing at S120 is the same as the difference between the processing at S108' and the processing at S108.

In S113-1, the processor 102 determines whether there is a change in data. If there is a change in data, it is necessary to rewrite the data. That is, by determining whether there is a change in the data, it is determined whether the data needs to be rewritten. Specifically, the processor 102 determines whether data has been changed as a result of the instruction executed in S112.

If there is a data change (YES in S113-1), that is, if the data needs to be rewritten, the processor 102 rewrites the user data 140 and backup data 160 in S113-2. If there is no data change (NO in S113-1), that is, if there is no need to rewrite the data, the processor 102 executes the processes from S114 onwards without executing the process of S113-2.

FIG. 5 is a schematic diagram of data read/write/restore when the process shown in FIG. 4 is executed. The memory cell 604 stores user data 140 for execution and backup data 160, respectively. At the time of writing, data is written to both the user data 140 and the backup data 160 (S113-2 in FIG. 4). When restoring data, the user data 140 is restored using the backup data 160 (S108', S120' in FIG. 4). Furthermore, when reading data, it is read from the user data 140 and not from the backup data 160 (S104 in FIG. 4).

Although it is possible that the backup data 160 may be destroyed, the probability that common data between the user data 140 and the backup data 160 will be destroyed is extremely low. Therefore, there is little need to consider that the backup data 160 will be destroyed.

Note that although an example has been shown in which the backup data 160 and the user data 140 are stored in the common main memory 106, a volatile memory for storing the backup data 160 may be provided separately.

Furthermore, by executing the processes of S116 to S124, only the user data 140 may be checked separately from the execution of the command, or the backup data 160 may also be checked in addition to the user data 140. .

Further, when restoring data in S108' and S120', the processor 102 also checks the data in the backup data 160, and if there is an error, notifies the user that the data cannot be restored. It may be configured as follows.

<Modification 3>
In the above embodiment, if an error occurs as a result of the parity check, the data is simply restored, but the processor 102 may leave error information as a log.

FIG. 6 is a diagram showing an example of log data. When an error occurs, the processor 102 records the date on which the error was detected, the address where the data in error is stored, the data 142 before restoration, and the data 142 after restoration as log data 180. .

Note that even if an error is detected for data for which the backup data 160 is not left, the processor 102 stores the date and time when the error was detected, the data in which the error occurred, and the address where the data is stored. may be left as log data.

By leaving the log data 180 in this way, the user can analyze the frequency of occurrence of parity check errors, the cause of their occurrence, etc. by checking the log data 180.

<Other variations>
In the above embodiment, the method for determining whether an error has occurred is a parity check method. Volatile memories with error detection functions on the market often use a parity check to determine whether an error has occurred, so parity is an example of a method for determining whether an error has occurred. The method of checking was mentioned. Note that the method for determining whether an error has occurred is not limited to this. Note that in consideration of cost, it is preferable that the control device 100 be provided with a volatile memory with a parity check function that is generally available on the market.

In the embodiment described above, an example was shown in which only the user program 114 is stored as the backup data 160. Note that the backup data 160 may include data other than the user program 114, such as parameters necessary for executing the user program 114.

§3. Supplementary Notes As described above, the above embodiments and modifications include the following disclosures.

<Configuration 1>
A control device (100, 100X) for controlling a controlled object,
an instruction execution unit (202, 202X) that sequentially executes instructions included in the user program;
a volatile memory (106, 106X) that stores the user program;
a backup memory (108, 110X, 106) that stores a backup user program having the same content as the user program stored in the volatile memory;
an access control unit (204, 204X) that reads instructions included in the user program from the volatile memory and provides them to the instruction execution unit according to a predetermined execution order;
The volatile memory stores data (142) with error detection information (144, 144 It is configured to respond with the presence or absence of an error in the specified area determined based on the corresponding error detection information (606, 608, 610),
When the access control unit reads an instruction from the volatile memory, if the volatile memory responds that an error has occurred in the area where the read instruction was stored, the access control unit determines whether an error has occurred. The control device is configured to reload data in an area from the backup memory to the volatile memory, and read out the instruction again from the volatile memory (S104, S106, S108, S108').

<Configuration 2>
The control device according to configuration 1, wherein the volatile memory is configured to respond whether or not an error has occurred through a parity check (610).

<Configuration 3>
The access control unit reads data stored in the volatile memory in a predetermined order at a predetermined timing, in addition to reading data for the purpose of providing instructions to the instruction execution unit. When the volatile memory responds that an error has occurred in the area where the read data was stored, the data including the instruction stored in the backup memory is transferred from the backup memory to the volatile memory. (S116, S118, S120, S120', S124), the control device according to Configuration 1 or Configuration 2.

<Configuration 4>
The backup memory is a memory (108) that stores the backup user program in a non-volatile manner,
The control device according to any one of configurations 1 to 3, wherein the user program stored in the volatile memory is loaded from the backup memory (S102).

<Configuration 5>
The backup memory is a memory that volatilely stores the backup user program (106),
The access control unit rewrites the data stored in the volatile memory and the data stored in the backup memory when it is necessary to rewrite the data stored in the volatile memory due to execution of the instruction. S113-1, S113-2), the control device according to any one of configurations 1 to 3.

<Configuration 6>
A method for controlling execution of a user program in a control device for controlling a controlled object, the method comprising:
The control device (100, 100X) is
a volatile memory (106, 106X) that stores the user program;
A backup memory (108, 110X, 106) for storing a backup user program having the same content as the user program stored in the volatile memory,
The volatile memory stores data (142) with error detection information (144, 144 It is configured to respond with the presence or absence of an error in the specified area determined based on the corresponding error detection information (606, 608, 610),
reading instructions included in the user program from the volatile memory according to a predetermined execution order (S104);
When an instruction is read from the volatile memory, if the volatile memory responds that an error has occurred in the area where the read instruction was stored, the data in the area where the error has occurred is reloading the instruction from the backup memory to the volatile memory and rereading the instruction from the volatile memory (S104, S106, S108, S108');
A method for controlling execution of a user program, the method comprising: executing an instruction read from the volatile memory (S112).

<Configuration 7>
A system program for realizing a control device for controlling a controlled object,
The control device (100, 100X) is
volatile memory (106, 106X) for storing user programs;
A backup memory (108, 110X, 106) for storing a backup user program having the same content as the user program stored in the volatile memory,
The volatile memory stores data (142) with error detection information (144, 144 It is configured to respond with the presence or absence of an error in the specified area determined based on the corresponding error detection information (606, 608, 610),
The system program causes the processor (102) of the control device to:
reading instructions included in the user program from the volatile memory according to a predetermined execution order (S104);
When an instruction is read from the volatile memory, if the volatile memory responds that an error has occurred in the area where the read instruction was stored, the data in the area where the error has occurred is reloading the instruction from the backup memory to the volatile memory and rereading the instruction from the volatile memory (S104, S106, S108, S108');
A system program that executes a step (S112) of executing an instruction read from the volatile memory.

The embodiments disclosed this time should be considered to be illustrative in all respects and not restrictive. The scope of the present invention is indicated by the claims rather than the above description, and it is intended that all changes within the meaning and range equivalent to the claims are included. Further, the inventions described in the embodiments and each modification are intended to be implemented alone or in combination to the extent possible.

100, 100X control device, 102 processor, 106 main memory, 106X volatile memory, 108 flash memory, 110X backup memory, 112 system program, 114 user program, 140 user data, 142 data, 144 parity bit, 144X detection information, 160 backup data, 180 log data, 202, 202X instruction execution unit, 204, 204X access control unit, 206 register, 208 error address register, 210 error status register, 212 instruction register, 220 access interface, 402, 410 address bus, 404 , 412 control bus, 406, 414 data bus, 408 error bus, 602 address decoder, 604 memory cell, 606 read/write circuit, 608 parity generation circuit, 610 parity check circuit.

Claims (6)

A control device for controlling a controlled object,
an instruction execution unit that sequentially executes instructions included in the user program;
a volatile memory that stores the user program;
a backup memory that stores a backup user program having the same content as the user program stored in the volatile memory;
an access control unit that reads instructions included in the user program from the volatile memory and provides the instructions to the instruction execution unit according to a predetermined execution order;
The volatile memory stores data with error detection information added thereto, and also stores data in a specified area and error detection information corresponding to the specified area in response to a read request. The system is configured to respond with the presence or absence of an error in the specified area determined based on the
The access control unit includes:
When an instruction is read from the volatile memory, if the volatile memory responds that an error has occurred in the area where the read instruction was stored, the data in the area where the error has occurred is is reloaded from the backup memory to the volatile memory, the instruction is read again from the volatile memory, and it is determined that no error has occurred in the area where the read instruction was stored in the volatile memory. When a response is received from the instruction execution unit, the instruction execution unit is configured to provide the instruction to the instruction execution unit to execute the instruction, and to specify the instruction to be executed next according to the execution result of the instruction.
In addition to reading for the purpose of providing instructions to the instruction execution unit , each time a predetermined condition is satisfied between the execution of the instruction and the identification of the next instruction to be executed , the volatile When data in a specified area of the data stored in the volatile memory is read out and a response is received from the volatile memory that an error has occurred in the area where the read data was stored, the data in the backup memory is read out. The data containing the instruction stored in the read data is reloaded from the backup memory to the volatile memory, and a response is received from the volatile memory indicating that no error has occurred in the area where the read data was stored. Then, the device is configured to perform a series of processing to specify an area to be read when the predetermined condition is satisfied next time so that the data stored in the volatile memory is read in a predetermined order. ,Control device. 2. The control device according to claim 1, wherein the volatile memory is configured to respond by parity check as to whether an error has occurred. The backup memory is a memory that stores the backup user program in a non-volatile manner,
3. The control device according to claim 1, wherein the user program stored in the volatile memory is loaded from the backup memory. The backup memory is a memory that volatilely stores the backup user program,
The access control unit rewrites the data stored in the volatile memory and the data stored in the backup memory when it is necessary to rewrite the data stored in the volatile memory due to execution of the instruction. The control device according to claim 1 or claim 2. A method for controlling execution of a user program in a control device for controlling a controlled object, the method comprising:
The control device includes:
a volatile memory that stores the user program;
comprising a backup memory for storing a backup user program having the same content as the user program stored in the volatile memory;
The volatile memory stores data with error detection information added thereto, and also stores data in a specified area and error detection information corresponding to the specified area in response to a read request. The system is configured to respond with the presence or absence of an error in the specified area determined based on the
The user program execution control method is as follows:
reading instructions included in the user program from the volatile memory according to a predetermined execution order;
When an instruction is read from the volatile memory, if the volatile memory responds that an error has occurred in the area where the read instruction was stored, the data in the area where the error has occurred is reloading the instruction from the backup memory to the volatile memory and rereading the instruction from the volatile memory ;
When the volatile memory responds that no error has occurred in the area storing the read instruction, executing the instruction read from the volatile memory;
identifying an instruction to be executed next according to the execution result of the instruction;
In addition to reading for the purpose of executing an instruction, a method for storing information in the volatile memory that is executed every time a predetermined condition is satisfied between the execution of the instruction and the identification of the instruction to be executed next. When the volatile memory responds that an error has occurred in the area where the read data was stored, the data stored in the backup memory is read. The data including the instruction is reloaded from the backup memory to the volatile memory, and when the volatile memory responds that no error has occurred in the area where the read data was stored, the volatile memory a series of steps of specifying an area to be read when the predetermined condition is satisfied next time so that the data stored in the storage memory is read in a predetermined order. . A system program for realizing a control device for controlling a controlled object,
The control device includes:
volatile memory for storing user programs;
comprising a backup memory for storing a backup user program having the same content as the user program stored in the volatile memory;
The volatile memory stores data with error detection information added thereto, and also stores data in a specified area and error detection information corresponding to the specified area in response to a read request. The system is configured to respond with the presence or absence of an error in the specified area determined based on the
The system program causes the processor of the control device to
reading instructions included in the user program from the volatile memory according to a predetermined execution order;
When an instruction is read from the volatile memory, if the volatile memory responds that an error has occurred in the area where the read instruction was stored, the data in the area where the error has occurred is reloading the instruction from the backup memory to the volatile memory and rereading the instruction from the volatile memory;
When the volatile memory responds that no error has occurred in the area storing the read instruction, executing the instruction read from the volatile memory ;
specifying the next instruction to be executed according to the execution result of the instruction ;
The system program causes the processor to
In addition to reading for the purpose of executing an instruction, data stored in the volatile memory is read every time a predetermined condition is satisfied between the execution of the instruction and the identification of the next instruction to be executed. When data in a specified area is read out from the volatile memory, and the volatile memory responds that an error has occurred in the area where the read data was stored, the instruction stored in the backup memory is read out. is loaded from the backup memory to the volatile memory, and when the volatile memory responds that no error has occurred in the area where the read data was stored, the volatile memory A system program that executes a series of steps of specifying an area to be read when the predetermined condition is satisfied next time so that data stored in the computer is read out in a predetermined order.

Images