WO2011074147A1 - Redundant control device - Google Patents

Info

Publication number
WO2011074147A1
Authority
WO
WIPO (PCT)
Application number
PCT/JP2010/002917
Inventor
飯田烈弘
Original Assignee
三菱電機株式会社
Application filed by 三菱電機株式会社
Priority to JP2011545926A (JPWO2011074147A1)
Priority to CN2010800568611A (CN102656528A)
Publication of WO2011074147A1

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B9/00 Safety arrangements
    • G05B9/02 Safety arrangements electric
    • G05B9/03 Safety arrangements electric with multiple-channel loop, i.e. redundant control systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/16 Error detection or correction of the data by redundancy in hardware
    • G06F11/20 Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements
    • G06F11/202 Error detection or correction of the data by redundancy in hardware using active fault-masking, e.g. by switching out faulty elements or by switching in spare elements where processing functionality is redundant

Abstract

Disclosed is a redundant control device, comprising a control assembly (A) further comprising an auto-diagnostic function; and another control assembly (B), further comprising an auto-diagnostic function, and which is made redundant with the control assembly (A). When one of the two control assemblies operates in an actual control assembly mode upon an object to be controlled, the other control assembly operates in an assembly mode that carries out auto-diagnostics, and the actual control assembly and the assembly carrying out auto-diagnostics are mutually interchanged such that both assemblies respectively carry out auto-diagnostics and diagnose regions whereupon auto-diagnostics could not otherwise be carried out when operating in control assembly mode.

Description

Dual system controller
The present invention relates to a plant control device used in, for example, a power plant.
Generally, in a conventional plant control device with a standby redundant configuration, self-diagnosis is performed to detect abnormalities of the control device. This self-diagnosis makes its judgment based on abnormalities of the own system's hardware or software, upper/lower limit errors of input signals, abnormal calculation results, and the like. In particular, in a control device with a duplex configuration, system switching is generally triggered by the detection of an abnormality in one of the duplexed control systems, as shown in FIG. 10. Patent Document 1 describes a dual system control device that presupposes such a switching condition (for example, Patent Document 1).
JP-A-8-123503 (page 3, FIG. 2)
In conventional dual system control devices, self-diagnosis is performed while the plant is being controlled, so areas such as main memory remain where self-diagnosis cannot be performed, and those areas can only be diagnosed offline, for example during regular maintenance.
The present invention has been made to solve the above-described problem. Its object is to provide a dual system control device with a high safety level that can diagnose, even during control, areas where self-diagnosis was conventionally not possible, and that can shorten the self-diagnosis cycle.
The dual system control device according to the present invention is a control device with a duplex configuration that includes a control system having a self-diagnosis function and another control system that is duplexed with it and also has a self-diagnosis function. When one of the two control systems operates as the actual control system for the controlled object, the other operates as the system that performs self-diagnosis; the system that performs actual control and the system that performs self-diagnosis are switched alternately, and both systems perform self-diagnosis alternately.
In the dual system control device according to the present invention, when one of the two control systems operates as the actual control system for the controlled object, the other operates as the system that performs self-diagnosis, the system that performs actual control and the system that performs self-diagnosis are switched alternately, and both systems perform self-diagnosis alternately. Self-diagnosis of areas that could conventionally be diagnosed only offline can therefore be performed while the entire system is operating. As a result, the range of self-diagnosis is expanded and the self-diagnosis cycle can be shortened, so that the safety level is improved.
FIG. 1 is a schematic configuration diagram of Embodiment 1 of the dual system control device according to the present invention.
FIG. 2 is a conceptual diagram showing an outline of the operation in Embodiment 1 of the dual system control device according to the present invention.
FIG. 3 is a flowchart of Embodiment 1 of the dual system control device according to the present invention.
FIG. 4 is a schematic configuration diagram of the dual system control device in Embodiment 2 of the dual system control device according to the present invention.
FIG. 5 is a conceptual diagram showing an outline of the operation in Embodiment 2 of the dual system control device according to the present invention.
FIG. 6 is a flowchart of Embodiment 2 of the dual system control device according to the present invention.
FIG. 7 is a flowchart of Embodiment 3 of the dual system control device according to the present invention.
FIG. 8 is a flowchart of Embodiment 4 of the dual system control device according to the present invention.
FIG. 9 is a flowchart of Embodiment 5 of the dual system control device according to the present invention.
FIG. 10 is a conceptual diagram showing an outline of the operation of a conventional dual system control device.
Embodiment 1
Hereinafter, Embodiment 1 of the dual system control device according to the present invention will be described with reference to the drawings. FIG. 1 is a schematic configuration diagram of the dual system control device in Embodiment 1. In FIG. 1, the dual system control device is duplexed by an A system, which is one control system, and a B system, which is the other control system. Control systems A and B each include a CPU (1A, 1B) that performs arithmetic processing and the like, a memory (2A, 2B) connected to that CPU, an input control unit (3A, 3B) that is connected to the CPU and transmits input information from the controlled object to it, and an output control unit (4A, 4B) that controls output information to the output control device 7. The input control units 3A and 3B and the output control units 4A and 4B are connected to the switching device 5, which performs system switching in response to a system switching instruction signal. As a result, the output information of either the A system or the B system is output via the output device 7 to the controlled object (not shown), and input information from the controlled object is input via the input device 6 to either the A system or the B system.
Next, the operation of the dual system control device will be described. FIG. 2 is a conceptual diagram showing an outline of the operation in Embodiment 1. In FIG. 2, for convenience, the A system is the system that performs actual control at the start of the time series (hereinafter, the actual control system) and the B system is the system that performs self-diagnosis at the start of the time series (hereinafter, the self-diagnosis system), and each performs actual control or self-diagnosis accordingly. As shown in FIG. 2, in Embodiment 1 system switching takes place at the same point in time for both systems. FIG. 3 is a flowchart showing the operation of both the A and B systems in detail, and the following description refers to it. As in FIG. 2, for convenience the A system is treated as the actual control system at the start and the B system as the self-diagnosis system at the start. While the A system performs a series of controls as the actual control system (S01), the B system performs self-diagnosis as the self-diagnosis system (S03). When the B system confirms that its own self-diagnosis is complete (S05), it issues a system switching instruction (S06), and system switching is performed (S02 and S04). Meanwhile, when the A system, which is the actual control system, confirms the system switching instruction (S07), switching is performed (S02 and S04), the A system starts self-diagnosis as the self-diagnosis system (S03), and the B system starts actual control as the actual control system (S01).
In this way, the actual control system and the self-diagnosis system are switched alternately and both the A and B systems perform self-diagnosis alternately, so self-diagnosis of areas such as main memory, which could conventionally be performed only offline, can be carried out while the entire system is operating. As a result, the range of self-diagnosis is expanded and the self-diagnosis cycle can be shortened, so that the safety level is improved.
Embodiment 2
Hereinafter, Embodiment 2 of the dual system control device according to the present invention will be described with reference to the drawings, focusing on the parts that differ from Embodiment 1. FIG. 4 is a schematic configuration diagram of the dual system control device in Embodiment 2. In addition to the configuration of Embodiment 1, a data communication line 8 connected between the CPUs 1A and 1B is provided. Through this data communication line, the diagnosis state of the self-diagnosis system is referred to between the A and B systems. The self-diagnosis system sets a flag for this diagnosis state: “diagnosis completed” when the diagnosis is complete, and “diagnosis in progress” while the diagnosis is being performed.
Next, the operation of the dual system control device will be described, focusing on the parts that differ from Embodiment 1. FIG. 5 is a conceptual diagram showing an outline of the operation in Embodiment 2. The first difference from FIG. 2 is that the actual control system refers to the state of the self-diagnosis system. The second difference is that the self-diagnosis system stands by once it has completed its self-diagnosis. The third difference is that system switching is performed when the actual control system has completed a series of control processes, refers to the state of the self-diagnosis system, and finds it on standby. These differences are described in detail below with reference to FIG. 6, which is a flowchart of Embodiment 2. The A system starts a series of control processes as the actual control system (S01), and the B system starts self-diagnosis as the self-diagnosis system (S03). When the series of control processes is complete, the A system refers to the diagnosis state of the B system (S201); if the diagnosis is still in progress, it does not switch systems and continues with the next control processing (S01). Meanwhile, when its self-diagnosis is complete, the B system waits until there is a system switching instruction (S203). When the A system completes a series of control processes, refers to the diagnosis state of the B system (S201) and finds the diagnosis complete, it issues a system switching instruction (S202), and system switching is performed (S02 and S04). The A system then starts self-diagnosis as the self-diagnosis system (S03). Meanwhile, the B system receives the system switching instruction (S203) and, once system switching (S02 and S04) has been performed, starts actual control as the actual control system (S01). As a result, as in Embodiment 1, system switching is repeated and the A system and the B system perform self-diagnosis alternately.
In this way, the intended purpose can be achieved even when the actual control system issues the system switching instruction, and in addition system switching can be performed without affecting the control sequence.
Embodiment 3
Hereinafter, Embodiment 3 of the dual system control device according to the present invention will be described with reference to the drawings, focusing on the parts that differ from Embodiment 2. FIG. 7 is a flowchart of Embodiment 3. The difference from FIG. 6 is that when the self-diagnosis system detects an abnormality by self-diagnosis, it notifies the actual control system of the abnormality. That is, when the B system, performing self-diagnosis as the self-diagnosis system, detects an abnormality of its own system by self-diagnosis (S302), it issues an abnormality notification via the data communication line 8 to the A system, which is the actual control system (S303). The A system completes a series of control processes and refers to the operating state of the B system; if that state is abnormal, it issues no system switching instruction and continues with the next control processing (S01). When the abnormality is resolved, the B system performs self-diagnosis again (S03). When the B system confirms by self-diagnosis that it is normal (S302), it waits until there is a system switching instruction (S203). Meanwhile, when a series of control processes is complete, the A system refers to the operating state of the B system (S301). If the operating state of the B system is normal, the A system refers to the diagnosis state of the B system (S201); if the diagnosis is complete, it issues a system switching instruction (S202) and, after system switching (S02 and S04) has been performed, starts self-diagnosis as the self-diagnosis system (S03). The B system, which has been waiting, receives the system switching instruction (S203) and, after system switching (S02 and S04) has been performed, starts actual control as the actual control system (S01). As a result, even when an abnormality occurs in the self-diagnosis system, system switching is repeated as in Embodiment 2 and the A system and the B system perform self-diagnosis alternately.
This configuration and operation also achieve the intended purpose, and in addition the entire system can continue to operate even if a failure occurs in the self-diagnosis system.
Embodiment 4.
Hereinafter, a fourth embodiment of the dual system control device according to the present invention will be described with reference to the drawings, focusing on the differences from the third embodiment. FIG. 8 is a flowchart of the fourth embodiment of the dual system control device according to the present invention. The difference from FIG. 7 is that the self-diagnosis system can issue a system switching instruction by means of interrupt processing. That is, the B system, performing self-diagnosis as the self-diagnosis system, uses interrupt processing (S401) to refer, in parallel with the self-diagnosis processing, to the operating state of the A system, which is the actual control system, via the data communication line 8 (S402). If the state is abnormal, the B system stops the self-diagnosis processing and issues a system switching instruction (S403); after system switching (S02 and S04) is performed, it starts actual control as the actual control system (S01). When the abnormality is resolved, the A system starts self-diagnosis as the self-diagnosis system (S03) and, after going through the same steps as in the third embodiment (S302, S203) and after system switching (S02 and S04) is performed, starts a series of control as the actual control system (S01). As a result, as in the third embodiment, system switching is performed repeatedly, and the A and B systems perform self-diagnosis alternately.
This configuration and operation also achieve the intended purpose and, in addition, the entire system can continue to operate even if a failure occurs in the actual control system.
Embodiment 5.
Hereinafter, a fifth embodiment of the dual system control device according to the present invention will be described with reference to the drawings, focusing on the differences from the fourth embodiment. FIG. 9 is a flowchart of the fifth embodiment of the dual system control device according to the present invention. The difference from FIG. 8 is that the actual control system transmits the past input/output information exchanged with the controlled object and the current resource information of its own system (hereinafter referred to as control information) to the self-diagnosis system immediately before system switching. That is, the A system, which is the actual control system, transmits the control information to the B system via the data communication line 8 before the system switching instruction (S501), and then issues the system switching instruction (S202). Meanwhile, the B system, which is the self-diagnosis system, receives the control information (S502). After reception is complete, system switching is performed (S02 and S04), the A system starts self-diagnosis as the self-diagnosis system (S03), and the B system starts actual control as the actual control system (S01). As a result, as in the fourth embodiment, system switching is performed repeatedly, and the A and B systems perform self-diagnosis alternately.
This configuration and operation also achieve the intended purpose and, in addition, the B system can continue to control the controlled object as a control system with the same contents as the A system.
The embodiments of the present invention are not limited to the examples described above, and various modifications can of course be made without departing from the gist of the present invention.
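The switching decisions of Embodiments 3 to 5 can be followed step by step in a small state-machine model. The Python code below is an added example, not code from the patent; the `Unit` class, the `cycle` and `run` functions, the fault labels, the one-cycle fault duration and the `cycles` counter standing in for the control information are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Unit:
    name: str
    healthy: bool = True     # operating state the peer reads over the data line
    diag_done: bool = False  # diagnosis state the peer reads over the data line
    control_info: dict = field(default_factory=lambda: {"cycles": 0})

def cycle(ctrl, diag, fault=None):
    """Run one cycle and return (event, new_ctrl, new_diag).

    fault is constructed input: None, "control" or "diagnosis". Assumption of
    this model: a fault lasts only for the cycle in which it is injected.
    """
    ctrl.healthy = fault != "control"
    diag.healthy = fault != "diagnosis"
    if not ctrl.healthy:
        # S401/S402: the diagnosing unit polls its peer from an interrupt.
        # S403: it aborts its own diagnosis and orders the switch itself.
        diag.diag_done = False
        return "takeover", diag, ctrl
    ctrl.control_info["cycles"] += 1   # S01: one series of control processing
    diag.diag_done = diag.healthy      # S03/S302: self-diagnosis result
    if not diag.healthy:
        # S303: abnormality notified; S301: controller sees it and keeps control.
        return "hold", ctrl, diag
    # S301 and S201 passed: peer is healthy and its diagnosis is complete.
    diag.control_info = dict(ctrl.control_info)  # S501/S502: hand over state
    ctrl.diag_done = False                       # S202, S02/S04: roles swap
    return "switch", diag, ctrl

def run(faults):
    """Drive units A and B through a list of per-cycle faults."""
    ctrl, diag = Unit("A"), Unit("B")
    log = []
    for fault in faults:
        event, ctrl, diag = cycle(ctrl, diag, fault)
        log.append((event, ctrl.name, ctrl.control_info["cycles"]))
    return log

if __name__ == "__main__":
    # Constructed scenario: normal, diagnosis fault, normal, control fault, normal.
    for entry in run([None, "diagnosis", None, "control", None]):
        print(entry)
```

Each log entry gives the event, the unit in control after the cycle, and the cycle count held by that unit, so continuity of the control information across a switch or a takeover can be read directly from the log.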

Claims (7)

  1.  A dual system control device having a duplicated configuration for controlling a controlled object, comprising:
    a control system having a self-diagnosis function; and
    another control system that is duplicated with this control system and has a self-diagnosis function,
    wherein, when one of the two control systems operates as the system that performs actual control of the controlled object, the other operates as the system that performs self-diagnosis, the system that performs actual control and the system that performs self-diagnosis are switched alternately, and both systems perform self-diagnosis alternately.
  2.  The dual system control device according to claim 1, wherein the system that performs the self-diagnosis performs system switching when the self-diagnosis is completed.
  3.  The dual system control device according to claim 1, wherein a data communication line for sending and receiving a diagnosis state is provided between the two control systems, and
    the system that performs the actual control refers, via the data communication line, to the self-diagnosis state of the system that performs the self-diagnosis, and performs system switching when the series of control by the system that performs the actual control is completed and the self-diagnosis by the system that performs the self-diagnosis is completed.
  4.  The dual system control device according to claim 3, wherein the system that performs the self-diagnosis, when it finds an abnormality by self-diagnosis, notifies the system that performs the actual control of the abnormality of its own system via the data communication line, and the system that performs the actual control, having received the notification, continues to control the controlled object without performing the system switching when it confirms the abnormality.
  5.  The dual system control device according to claim 3, wherein the system that performs the self-diagnosis refers to the system that performs the actual control via the data communication line and, when it detects an abnormality in the system that performs the actual control, stops the self-diagnosis and performs the system switching.
  6.  The dual system control device according to claim 4, wherein the system that performs the self-diagnosis refers to the system that performs the actual control via the data communication line and, when it detects an abnormality in the system that performs the actual control, stops the self-diagnosis and performs the system switching.
  7.  The dual system control device according to any one of claims 1 to 6, wherein a data communication line is provided between the two control systems for sending and receiving past input/output information of the system that performs actual control, exchanged with the controlled object for control, and current resource information of the system that performs actual control, and
    the system that performs the actual control transmits, via this data communication line, the information necessary for control to the system that performs the self-diagnosis.
PCT/JP2010/002917 2009-12-16 2010-04-22 Redundant control device WO2011074147A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
JP2011545926A JPWO2011074147A1 (en) 2009-12-16 2010-04-22 Dual system controller
CN2010800568611A CN102656528A (en) 2009-12-16 2010-04-22 Redundant control device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2009285257 2009-12-16
JP2009-285257 2009-12-16

Publications (1)

Publication Number Publication Date
WO2011074147A1 (en) 2011-06-23

Family

ID=44166921

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2010/002917 WO2011074147A1 (en) 2009-12-16 2010-04-22 Redundant control device

Country Status (4)

Country Link
JP (1) JPWO2011074147A1 (en)
CN (1) CN102656528A (en)
TW (1) TWI434159B (en)
WO (1) WO2011074147A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5058398B1 (en) * 2011-12-12 2012-10-24 三菱電機株式会社 Train information management apparatus and train information management method

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017013785A1 (en) * 2015-07-23 2017-01-26 三菱電機株式会社 Duplexing process control device
CN108051998B (en) * 2017-11-16 2020-11-13 中国航空工业集团公司西安飞机设计研究所 Redundant system synchronization and monitoring judgment method

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH03139736A (en) * 1989-10-26 1991-06-13 Oki Electric Ind Co Ltd System switching method in information processing system
JPH06139088A (en) * 1992-10-30 1994-05-20 Fujitsu Ltd Duplex processor system
JPH1115502A (en) * 1997-06-24 1999-01-22 Mitsubishi Electric Corp Digital controller
JP2005285018A (en) * 2004-03-30 2005-10-13 Fuji Electric Systems Co Ltd Duplex controller system, method for switching operation/standby thereof

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1288757A1 (en) * 2001-08-07 2003-03-05 Siemens Aktiengesellschaft Method and process control system for operating a technical installation
JP4776374B2 (en) * 2005-12-27 2011-09-21 株式会社東芝 Redundant supervisory control system and redundant switching method for the same system

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5058398B1 (en) * 2011-12-12 2012-10-24 三菱電機株式会社 Train information management apparatus and train information management method
WO2013088491A1 (en) * 2011-12-12 2013-06-20 三菱電機株式会社 Train information management device and train information management method
US9515944B2 (en) 2011-12-12 2016-12-06 Mitsubishi Electric Corporation Train information management apparatus and train information management method

Also Published As

Publication number Publication date
TWI434159B (en) 2014-04-11
CN102656528A (en) 2012-09-05
TW201122745A (en) 2011-07-01
JPWO2011074147A1 (en) 2013-04-25

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase (Ref document number: 201080056861.1; Country of ref document: CN)
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 10837185; Country of ref document: EP; Kind code of ref document: A1)
WWE Wipo information: entry into national phase (Ref document number: 2011545926; Country of ref document: JP)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 10837185; Country of ref document: EP; Kind code of ref document: A1)