CN113541672A - Risk degradation device and risk degradation method - Google Patents


Info

Publication number: CN113541672A
Authority: CN (China)
Prior art keywords: output module, output, processor, switch, processing unit
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202110753214.6A
Other languages: Chinese (zh)
Other versions: CN113541672B (en)
Inventors: 张则立, 朱杰, 江竹轩, 刘黎
Current assignee: Zhejiang Supcon Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Zhejiang Supcon Technology Co Ltd
Priority date / Filing date / Publication date: (not shown) (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Events: application filed by Zhejiang Supcon Technology Co Ltd; priority to CN202110753214.6A; publication of CN113541672A; application granted; publication of CN113541672B; legal status active; anticipated expiration

Classifications

    • H ELECTRICITY > H03 ELECTRONIC CIRCUITRY > H03K PULSE TECHNIQUE > H03K19/00 Logic circuits, i.e. having at least two inputs acting on one output; Inverting circuits > H03K19/003 Modifications for increasing the reliability for protection
    • H ELECTRICITY > H03 ELECTRONIC CIRCUITRY > H03K PULSE TECHNIQUE > H03K19/00 Logic circuits, i.e. having at least two inputs acting on one output; Inverting circuits > H03K19/007 Fail-safe circuits
    • H ELECTRICITY > H03 ELECTRONIC CIRCUITRY > H03K PULSE TECHNIQUE > H03K19/00 Logic circuits, i.e. having at least two inputs acting on one output; Inverting circuits > H03K19/0175 Coupling arrangements; Interface arrangements > H03K19/017509 Interface arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mathematical Physics (AREA)
  • Hardware Redundancy (AREA)

Abstract

The application relates to a risk degradation device and a risk degradation method. The risk degradation device comprises a control module and a first output module and a second output module that are redundant with each other: the first output module comprises a first processing unit and a first main switch, and the second output module comprises a second processing unit and a second main switch; the control module is connected to the first processing unit and to the second processing unit; the first processing unit is connected to the control terminal of the second main switch, and the second processing unit is connected to the control terminal of the first main switch. The control module detects, from the readback signals returned by the output modules, whether a faulty output module exists, and when one is detected it sends a first degradation control instruction to the corresponding redundant output module, instructing that module to open the main switch of the faulty output module. The device and method solve the problem that the system risk cannot be degraded when an output channel has an undetected fault or its risk degradation logic executes abnormally, and thereby achieve risk degradation.

Description

Risk degradation device and risk degradation method
Technical Field
The present application relates to the field of risk control, and more particularly, to a risk degradation device and a risk degradation method.
Background
A safety instrumented system responds in time to potential hazards or improper operation of production plants and equipment, bringing them into a predefined safe shutdown state (for example by opening a cut-off switch), so that the risk is reduced to an acceptable level and the safety of the plant, the equipment and the surrounding environment is ensured. For system safety and reliability, some critical components or functions are deliberately configured redundantly. When a component fails, the redundantly configured component acts as a backup and steps in to take over the work of the failed component, which reduces the probability of a system shutdown, shortens the system's failure time and improves its availability.
In existing multiplexed redundant output architectures, each channel degrades itself on the basis of its own self-test, for example by opening its output switch to disconnect the load. The integrity of the channel's self-test capability is therefore a precondition for executing the degradation strategy correctly: when the channel has an undetected fault, or its degradation logic executes abnormally, the system may output a wrong value and leave the field process in a dangerous state.
For the problem in the related art that the system risk cannot be degraded because an output channel has an undetected fault or its risk degradation logic executes abnormally, no effective solution has been proposed so far.
Disclosure of Invention
This embodiment provides a risk degradation apparatus and a risk degradation method to solve the problem in the related art that the system risk cannot be degraded when an output channel has an undetected fault or its risk degradation logic executes abnormally.
In a first aspect, this embodiment provides a risk degradation apparatus comprising a control module and a first output module and a second output module that are redundant with each other, where the first output module comprises a first processing unit and a first main switch, and the second output module comprises a second processing unit and a second main switch; wherein:
the control module is connected to the first processing unit and to the second processing unit;
one connection terminal of each of the first main switch and the second main switch is for connection to an excitation source, and the other connection terminal of each is for connection to a load;
the first processing unit is connected to the control terminal of the second main switch, and the second processing unit is connected to the control terminal of the first main switch;
the control module detects, from the readback signals uploaded by the output modules, whether a faulty output module exists, and when a faulty output module is detected it sends a first degradation control instruction to the processing unit of the corresponding redundant output module, instructing that processing unit to open the main switch of the faulty output module.
In some embodiments, the first output module comprises a first output switch whose control terminal is connected to the first processing unit, one connection terminal of which is connected to the first main switch and the other connection terminal of which is for connection to the load; the second output module comprises a second output switch whose control terminal is connected to the second processing unit, one connection terminal of which is connected to the second main switch and the other connection terminal of which is for connection to the load; wherein:
the first processing unit detects from the readback signal whether a fault exists and, if so, opens the first output switch to cut the electrical path between the first main switch and the load;
the second processing unit detects from the readback signal whether a fault exists and, if so, opens the second output switch to cut the electrical path between the second main switch and the load.
In some embodiments, the readback signal of the first output module comprises the electrical signal flowing through the loop of the first output switch and the electrical signal driving the load, and the readback signal of the second output module comprises the electrical signal flowing through the loop of the second output switch and the electrical signal driving the load.
In some embodiments, the first processing unit comprises a first processor and a second processor in communication with each other; the first processor is connected to the control terminal of the second main switch, and the second processor is connected to the control terminal of the first output switch. The second processing unit comprises a third processor and a fourth processor in communication with each other; the third processor is connected to the control terminal of the first main switch, and the fourth processor is connected to the control terminal of the second output switch. The first processor is in communication with the third processor; wherein:
the second processor acquires the readback signal and sends it to the first processor; the first processor generates a second degradation control instruction from the readback signal and sends it to the second processor, instructing the second processor to set the state of the first output switch accordingly; the first processor also controls the state of the second main switch under the control of the control module;
the fourth processor acquires the readback signal and sends it to the third processor; the third processor generates a second degradation control instruction from the readback signal and sends it to the fourth processor, instructing the fourth processor to set the state of the second output switch accordingly; the third processor also controls the state of the first main switch under the control of the control module.
In some of these embodiments, the first processor and the second processor are electrically isolated from each other, and the third processor and the fourth processor are electrically isolated from each other.
In a second aspect, this embodiment provides a risk degradation method applied to the risk degradation apparatus of the first aspect, the method comprising:
acquiring the readback signals uploaded by the first output module and the second output module;
detecting from the readback signals whether a faulty output module exists; and
when a faulty output module is detected, sending a first degradation control instruction to the fault-free redundant output module, instructing it to open the main switch of the faulty output module.
In some of these embodiments, detecting whether a faulty output module exists comprises:
comparing the readback signal of each output module with the output instruction, determining an output module whose comparison is inconsistent to be the faulty output module, and determining an output module whose comparison is consistent to be the redundant output module.
In some of these embodiments, the method further comprises:
acquiring a redundant pairing state flag generated by the first output module after it has detected whether the second output module is in place (present), and acquiring a redundant pairing state flag generated by the second output module after it has detected whether the first output module is in place; and
judging from the redundant pairing state flags generated by the output modules whether each paired output module is in place and, if an output module is not in place, issuing an alarm.
In some of these embodiments, after a first redundant pairing state flag is received indicating that the paired output module is not in place, the method further comprises:
starting a timeout count for the target output module that reported the redundant pairing fault; and
when the timeout duration reaches a preset condition, determining that the target output module has not been maintained, and sending a second degradation control instruction to the target output module, instructing it to open its own output switch.
In some embodiments, when the target output module detects that its paired output module is in place, the method further comprises:
acquiring a second redundant pairing state flag generated by the target output module, the second redundant pairing state flag indicating that the paired output module is in place; and
stopping the timeout count for the target output module according to the second redundant pairing state flag, and decrementing the timeout counter.
Compared with the related art, the risk degradation device and method of this embodiment solve the problem that the system risk cannot be degraded when an output channel has an undetected fault or its risk degradation logic executes abnormally, and achieve effective degradation of the system risk.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a first schematic structural diagram of the risk degradation apparatus of this embodiment;
FIG. 2 is a waveform diagram of the pulse (inching) test signal of this embodiment;
FIG. 3 is a flowchart of the control module detecting a faulty output module in this embodiment;
FIG. 4 is a second schematic structural diagram of the risk degradation apparatus of this embodiment;
FIG. 5 is a schematic structural diagram of the risk degradation device of the preferred embodiment;
FIG. 6 is a flowchart of the processing unit controlling the output switch in the preferred embodiment;
FIG. 7 is a flowchart of the risk degradation method of this embodiment.
Reference numerals: 100. control module;
10. first output module; 11. first processing unit; 12. first main switch; 13. first output switch; 14. first diode; 15. first processor; 16. second processor;
20. second output module; 21. second processing unit; 22. second main switch; 23. second output switch; 24. second diode; 25. third processor; 26. fourth processor;
31. excitation source; 32. load.
Detailed Description
For a clearer understanding of the objects, aspects and advantages of the present application, reference is made to the following description and accompanying drawings.
Unless defined otherwise, technical or scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terms "a", "an", "the" and similar referents in this application do not denote a limitation of quantity, singular or plural. The terms "comprises", "comprising", "has", "having" and any variations thereof are intended to cover non-exclusive inclusion; for example, a process, method, system, article or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or modules, but may include other steps or modules (elements) not listed or inherent to that process, method, article or apparatus. References to "connected", "coupled" and the like are not limited to physical or mechanical connections but may include electrical connections, whether direct or indirect. "A plurality" means two or more. "And/or" describes an association between associated objects and means that three relationships may exist; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone. The character "/" generally indicates an "or" relationship between the objects before and after it. The terms "first", "second", "third" and the like are used to distinguish similar items and do not necessarily describe a particular sequential or chronological order.
In this embodiment a risk degradation device is provided. FIG. 1 is a schematic structural diagram of the risk degradation device of this embodiment; as shown in FIG. 1, the risk degradation device comprises:
a control module 100, and a first output module 10 and a second output module 20 that are redundant with each other, where the first output module 10 comprises a first processing unit 11 and a first main switch 12, and the second output module 20 comprises a second processing unit 21 and a second main switch 22. The control module 100 is connected to the first processing unit 11 and to the second processing unit 21; one connection terminal of each of the first main switch 12 and the second main switch 22 is for connection to an excitation source 31, and the other connection terminal of each is for connection to a load 32; the first processing unit 11 is connected to the control terminal of the second main switch 22, and the second processing unit 21 is connected to the control terminal of the first main switch 12.
In this embodiment, the first output module 10 and the second output module 20 receive an output instruction from the control module 100 and output a driving signal according to it, so as to conduct the electrical path between the excitation source 31 and the load 32.
The control module 100 detects, from the readback signals uploaded by the output modules, whether a faulty output module exists, and makes a risk degradation decision covering the following three cases:
(1) If neither the first output module 10 nor the second output module 20 has a fault, no risk degradation is performed on either module.
(2) If the first output module 10 has a fault and the second output module 20 does not, the second output module 20 is controlled to open the first main switch 12 of the first output module 10.
(3) If the second output module 20 has a fault and the first output module 10 does not, the first output module 10 is controlled to open the second main switch 22 of the second output module 20.
In this embodiment, the main switch of each output module is controlled by its redundant partner. In normal operation the main switch of each output module is closed, and when a fault occurs the redundant output module opens the main switch of the faulty output module. In some cases the faulty output module has an undetected fault, or its risk degradation logic executes abnormally, so that it cannot degrade itself (disconnect itself from the load 32). In that case the control module 100 generates a first degradation control instruction and sends it to the redundant output module, which opens the main switch of the faulty output module, so the risk of the faulty output module is still effectively degraded.
In addition, since the main switch is closed under normal operating conditions and the main switch of each output module is controlled only by the redundant output module, that is, the control module 100 only ever instructs the redundant output module to perform an opening (degradation) operation, even if a fault in the main-switch control circuit opens a main switch erroneously, the system remains in a safe open state (the open state is the preset safe state).
This embodiment therefore solves the problem that the system risk cannot be degraded when an output channel has an undetected fault or its risk degradation logic executes abnormally, and achieves effective degradation of the system risk.
In some embodiments, to detect whether a faulty output module exists, the control module 100 may periodically run a functional test on the main switch of a single output module: the control module 100 performs a pulse (inching) test on a target output module through the redundant output module. FIG. 2 is a waveform diagram of the pulse test signal of this embodiment; as shown in FIG. 2, the pulse width of the test signal is 2 ms, and the pulse test is performed on the main switch every 15 minutes. FIG. 3 is a flowchart of the control module detecting a faulty output module in this embodiment; as shown in FIG. 3, the flow comprises the following steps:
Step S31: judge whether the system outputs an ON signal; if yes, go to step S32; if not, return to step S31.
Step S32: start the main-switch test mode of the target output module, and mask the fault readback detection of the output signal sent by the output module (so that the test pulse itself is not reported as a fault).
Step S33: receive the readback signal sent by the target output module.
Step S34: judge whether the readback signal is consistent with the expected test logic; if yes, go to step S35; if not, go to step S36.
Step S35: determine that the main switch of the target output module is functioning normally; go to step S37.
Step S36: determine that the main-switch function of the target output module is faulty; go to step S38.
Step S37: exit the main-switch test mode of the current output module and prepare to test the main switch of the redundant output module.
Step S38: issue an alarm, start the fault timeout count, and after the counter times out output a second degradation control instruction to all output modules.
In this embodiment, the main-switch diagnostics of the two output modules are independent of each other and are not performed simultaneously.
The risk degradation device comprises two levels of risk degradation decision:
First level: the output modules upload their readback signals to the control module 100, which evaluates them centrally and makes the risk degradation decision.
Second level: each output module performs its own self-check and generates a risk degradation decision by itself.
The first-level risk degradation decision has been introduced in the embodiments above; embodiments of the risk degradation device based on the second-level decision are presented below.
FIG. 4 is a schematic structural diagram of the risk degradation apparatus of this embodiment. As shown in FIG. 4, the first output module 10 comprises a first output switch 13 whose control terminal is connected to the first processing unit 11, one connection terminal of which is connected to the first main switch 12 and the other connection terminal of which is for connection to the load 32; the second output module 20 comprises a second output switch 23 whose control terminal is connected to the second processing unit 21, one connection terminal of which is connected to the second main switch 22 and the other connection terminal of which is for connection to the load 32.
In this embodiment, each output module detects from its own readback signal whether it has a fault, and if it detects a fault it opens its output switch to cut the electrical path between itself and the load 32, that is, to break the path through which current from the excitation source 31 flows through the module to the load 32.
For example, each output module compares its readback signal with the output instruction received from the control module 100, and if they are inconsistent the output module is determined to have a fault.
The output module's readback signal comprises the electrical signal flowing through the loop of the output switch and the electrical signal driving the load 32. For example, diodes (a first diode 14 and a second diode 24) are placed between the output switches and the load 32, the output signals of the output modules are paralleled through these diodes, the signals driving the load 32 are sampled at the diode inputs (LB1 and RB1), the output state signals are sampled at the diode outputs (LB2 and RB2), and these two self-check readback values are collected as the readback signal.
In this embodiment, the first-level and second-level risk decisions are independent of each other and do not interfere with each other, and a faulty output module always reaches the goal of risk degradation, either actively by opening its own output switch or passively by having its main switch opened. Moreover, the unified diagnostic strategy of output-module self-check plus control-module 100 diagnosis improves the accuracy of output-side diagnosis.
In some embodiments, the control module 100 stores the output instruction; the first output module 10 and the second output module 20 generate readback signals after receiving the output instruction from the control module 100 and upload them to the control module 100; the control module 100 compares the readback signal of each output module with the output instruction, determines an output module whose comparison is inconsistent to be a faulty output module, and determines an output module whose comparison is consistent to be a redundant output module.
Referring to FIG. 5, LB1 and LB2 are the self-check readback signals of the first output module 10 and RB1 and RB2 are the self-check readback signals of the second output module 20; each output module uploads its self-check readback signals to the control module 100 in real time for unified processing, and the control module 100 makes the risk degradation decision shown in Table 1:
TABLE 1 Second-level risk degradation decision table (provided as an image in the original; not reproduced on this page)
FIG. 5 is a schematic structural diagram of the risk degradation device of the preferred embodiment. As shown in FIG. 5, in some embodiments the first processing unit 11 comprises a first processor 15 and a second processor 16 in communication with each other; the first processor 15 is connected to the control terminal of the second main switch 22, and the second processor 16 is connected to the control terminal of the first output switch 13. The second processing unit 21 comprises a third processor 25 and a fourth processor 26 in communication with each other; the third processor 25 is connected to the control terminal of the first main switch 12, and the fourth processor 26 is connected to the control terminal of the second output switch 23.
In this embodiment, the first processor 15 receives the output instruction from the control module 100 and passes it to the second processor 16, which controls the first output switch 13. The second processor 16 collects the readback signal and transmits it to the first processor 15; the first processor 15 compares the readback signal with the output instruction of the control module 100 and, if they are inconsistent, sends a second degradation control instruction to the second processor 16 to open the first output switch 13.
The third processor 25 receives the output instruction from the control module 100 and passes it to the fourth processor 26, which controls the second output switch 23. The fourth processor 26 collects the readback signal and transmits it to the third processor 25; the third processor 25 compares the readback signal with the output instruction of the control module 100 and, if they are inconsistent, sends a second degradation control instruction to the fourth processor 26 to open the second output switch 23.
In addition, the first processor 15 and the third processor 25 also upload their readback signals to the control module 100, which compares each output module's readback signals with the output instruction: if the readback signals of the first output module 10 are inconsistent with the output instruction, the control module 100 sends a first degradation control instruction to the second output module 20, instructing the third processor 25 to open the first main switch 12; and if the readback signals of the second output module 20 are inconsistent with the output instruction, the control module 100 sends a first degradation control instruction to the first output module 10, instructing the first processor 15 to open the second main switch 22.
In practice, the circuitry on the load 32 side is the part most prone to failure, in particular the second processor 16 and the fourth processor 26. In this embodiment, if the second processor 16 fails the first processor 15 can still execute the service logic normally, and if the fourth processor 26 fails the third processor 25 can still execute the service logic normally. Providing several processors in each processing unit thus enhances the reliability of the risk degradation device.
In some embodiments, the first processor 15 and the second processor 16 are electrically isolated from each other, and the third processor 25 and the fourth processor 26 are electrically isolated from each other. So configured, electrical isolation between the risk degradation device and the load 32 is achieved, which enhances the safety of the risk degradation device.
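The two-level decision described above (the control module's first-level comparison of the uploaded readbacks with the output instruction, and each module's own second-level self-check) can be modelled in a few lines. The following Python is an added example, not code from the patent or from Zhejiang Supcon; the class names, the fault flags and the both-faulty fallback are assumptions.

```python
"""Model of the two-level risk degradation scheme described above (added example,
not code from the patent or Zhejiang Supcon; all names are assumptions).
Switch state True means closed (conducting); the fault flags are constructed."""
from dataclasses import dataclass

ON, OFF = 1, 0  # assumed encoding of the output command and of readback levels


@dataclass
class OutputModule:
    """One redundant channel: a main switch (driven by the *other* module, FIG. 1)
    in series with an output switch driven by this module's own processing unit."""
    name: str
    main_closed: bool = True          # normally closed; opened only by the redundant module
    output_closed: bool = True
    stuck_output: bool = False        # fault: output switch no longer moves at all
    self_check_dead: bool = False     # fault: own degradation logic does not run
    misapplies_command: bool = False  # fault: command inverted on the way to the switch

    def apply_command(self, cmd: int) -> None:
        if self.stuck_output:
            return
        if self.misapplies_command:
            cmd = ON if cmd == OFF else OFF
        self.output_closed = (cmd == ON)

    def open_output(self) -> bool:
        """Second degradation instruction: open own output switch (fails if stuck)."""
        if self.stuck_output:
            return False
        self.output_closed = False
        return True

    def readback(self) -> tuple:
        """(signal through the output-switch loop, signal driving the load), cf. LB1/LB2."""
        level = ON if (self.main_closed and self.output_closed) else OFF
        return (level, level)

    def self_check(self, cmd: int) -> bool:
        """Second-level decision: readback inconsistent with the command -> open own output."""
        if self.self_check_dead:
            return False
        if any(sig != cmd for sig in self.readback()):
            return self.open_output()
        return False


def load_energized(modules) -> bool:
    """Outputs are paralleled through diodes, so any conducting channel drives the load."""
    return any(m.readback()[1] == ON for m in modules)


@dataclass
class ControlModule:
    modules: tuple  # exactly one redundant pair

    def degrade(self, cmd: int) -> dict:
        """First-level decision: uploaded readback inconsistent with the stored command."""
        faulty = [m for m in self.modules if any(s != cmd for s in m.readback())]
        actions = {}
        if len(faulty) == 1:
            bad = faulty[0]
            good = next(m for m in self.modules if m is not bad)
            # First degradation instruction: the healthy redundant module opens the
            # faulty module's main switch, bypassing the faulty module's own logic.
            bad.main_closed = False
            actions[bad.name] = f"main switch opened by {good.name}"
        elif len(faulty) == 2:
            # Assumption: the page covers no both-faulty case; fall back to a second
            # degradation instruction to both modules, since no healthy partner is left.
            for m in faulty:
                actions[m.name] = "own output opened" if m.open_output() else "UNDEGRADED"
        return actions


def run_cycle(cm: ControlModule, cmd: int) -> dict:
    """One scan: command out, module self-checks, then the control module's decision."""
    for m in cm.modules:
        m.apply_command(cmd)
    self_degraded = [m.name for m in cm.modules if m.self_check(cmd)]
    actions = cm.degrade(cmd)
    return {"self_degraded": self_degraded, "actions": actions,
            "load_energized": load_energized(cm.modules)}


def scenario_stuck_channel() -> dict:
    """Constructed: first module sticks closed with dead logic, then the command goes OFF."""
    first, second = OutputModule("first"), OutputModule("second")
    cm = ControlModule((first, second))
    run_cycle(cm, ON)
    first.stuck_output = first.self_check_dead = True
    return run_cycle(cm, OFF)


def scenario_misapplied_command() -> dict:
    """Constructed: second module inverts the command; its own self-check catches it."""
    first, second = OutputModule("first"), OutputModule("second")
    cm = ControlModule((first, second))
    run_cycle(cm, ON)
    second.misapplies_command = True
    return run_cycle(cm, OFF)
```

In the first scenario the faulty module can neither detect nor execute its own degradation, and only the cross-controlled main switch de-energizes the load; in the second the module's self-check resolves the mismatch before the control module sees it, which is the independence of the two levels the text describes.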
In some preferred embodiments, the first processor 15 and the second processor 16 in the first processing unit 11 communicate on-board and use data frame checking to ensure the correctness, integrity and timeliness of the transferred data. When a failure of the first output module 10 causes a communication failure between the first processor 15 and the second processor 16, the first processing unit 11 starts maintaining a communication timeout counter after detecting the communication failure, and when the timeout counter exceeds a preset value the first processing unit 11 sets the first output switch 13 to the open state. FIG. 6 is a flowchart of the processing unit controlling the output switch in the preferred embodiment, and the flow comprises the following steps:
in step S51, the first processing unit establishes a communication connection with the control module and receives an output instruction from the control module.
Step S52, determining whether the communication is overtime; if yes, go to step S60; if not, step S53 is executed.
In step S53, the first processor receives the data frame and checks.
Step S54, determining whether or not there is a communication error; if yes, go to step S64; if not, step S55 is executed.
In step S55, the first processor and the second processor establish a communication connection, and forward the output instruction to the second processor.
Step S56, determining whether the communication is overtime; if yes, go to step S69; if not, step S57 is executed.
In step S57, the second processor receives the data frame and checks.
Step S58, determining whether or not there is a communication error; if yes, go to step S73; if not, step S59 is executed.
In step S59, the second processor controls the state of the first output switch according to the output command.
In step S60, the communication timeout counter counts.
Step S61, determining whether the counter is 0; if yes, return to step S51; if not, step S62 is executed.
Step S62, judging whether the counter exceeds a preset value; if yes, go to step S68; if not, step S63 is executed.
In step S63, the counter is maintained, and the process returns to step S61.
In step S64, the communication error counter counts.
Step S65, determining whether the counter is 0; if yes, return to step S53; if not, step S66 is executed.
Step S66, judging whether the counter exceeds a preset value; if yes, go to step S68; if not, step S67 is executed.
In step S67, the counter is maintained, and the process returns to step S65.
In step S68, the first processor controls the first output switch to be turned off.
In step S69, the communication timeout counter counts.
Step S70, determining whether the counter is 0; if yes, return to step S55; if not, step S71 is executed.
Step S71, judging whether the counter exceeds a preset value; if yes, go to step S77; if not, step S72 is executed.
In step S72, the counter is maintained, and the process returns to step S70.
In step S73, the communication error counter counts.
Step S74, determining whether the counter is 0; if yes, return to step S57; if not, step S75 is executed.
Step S75, judging whether the counter exceeds a preset value; if yes, go to step S77; if not, step S76 is executed.
In step S76, the counter is maintained, and the process returns to step S74.
In step S77, the second processor controls the first output switch to be turned off.
Similarly, the second processing unit 21 and the first processing unit 11 have similar configurations, and are not described in detail herein.
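The following C model is added here as an illustration; it is not code from the patent or from Zhejiang Supcon. It walks through the Fig. 6 supervision for the first processing unit: one timeout counter and one frame-error counter per hop (control module to first processor, first processor to second processor), a trip of the first output switch when either counter exceeds the preset value, and the switch driven by the forwarded output instruction otherwise. PRESET_LIMIT, the decrement of a non-zero counter on a healthy cycle, the open initial state and the latching of a trip until an explicit reset are assumptions; the page gives neither the preset value nor the reset path.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added model of the link supervision in the Fig. 6 flow; not the
 * patent's own code. The first processing unit supervises two hops:
 * control module -> first processor (S52/S54) and first processor ->
 * second processor (S56/S58). Each hop keeps a timeout counter and a
 * frame-error counter. Assumptions not stated on the page: a healthy
 * cycle decrements a non-zero counter by one (transient faults are
 * forgotten, persistent ones accumulate), and a trip (S68/S77) latches
 * the output switch open until pu_reset() is called. */

#define PRESET_LIMIT 5u   /* constructed preset value for both counters */

typedef enum { RX_OK, RX_TIMEOUT, RX_BAD_FRAME } rx_result_t;

typedef struct {
    unsigned timeout_cnt;   /* S60-S63 / S69-S72 */
    unsigned error_cnt;     /* S64-S67 / S73-S76 */
} link_sup_t;

typedef struct {
    link_sup_t ctrl_link;   /* control module -> first processor */
    link_sup_t board_link;  /* first processor -> second processor */
    bool switch_closed;     /* first output switch 13 */
    bool tripped;           /* S68/S77 reached; held until reset */
} processing_unit_t;

void pu_reset(processing_unit_t *pu)
{
    pu->ctrl_link.timeout_cnt = pu->ctrl_link.error_cnt = 0;
    pu->board_link.timeout_cnt = pu->board_link.error_cnt = 0;
    pu->switch_closed = false;  /* de-energised is the safe state */
    pu->tripped = false;
}

/* Update one hop's counters for this cycle. Returns true when a counter
 * exceeds the preset value (the "yes" branch of S62/S66/S71/S75). */
static bool link_step(link_sup_t *l, rx_result_t rx)
{
    if (rx == RX_TIMEOUT)
        l->timeout_cnt++;
    else if (rx == RX_BAD_FRAME)
        l->error_cnt++;
    else {
        if (l->timeout_cnt > 0) l->timeout_cnt--;
        if (l->error_cnt > 0) l->error_cnt--;
    }
    return l->timeout_cnt > PRESET_LIMIT || l->error_cnt > PRESET_LIMIT;
}

/* One communication cycle. ctrl_rx: what the first processor received
 * from the control module; board_rx: what the second processor received
 * from the first processor; cmd: the forwarded output instruction
 * (true = close the output switch). Returns the switch state after the
 * cycle (true = closed). */
bool pu_cycle(processing_unit_t *pu, rx_result_t ctrl_rx,
              rx_result_t board_rx, bool cmd)
{
    if (pu->tripped)
        return pu->switch_closed;

    if (link_step(&pu->ctrl_link, ctrl_rx)) {        /* S68 */
        pu->tripped = true;
        pu->switch_closed = false;
        return false;
    }
    if (ctrl_rx != RX_OK)
        return pu->switch_closed;  /* nothing valid to forward in S55 */

    if (link_step(&pu->board_link, board_rx)) {      /* S77 */
        pu->tripped = true;
        pu->switch_closed = false;
        return false;
    }
    if (board_rx != RX_OK)
        return pu->switch_closed;

    pu->switch_closed = cmd;                         /* S59 */
    return pu->switch_closed;
}

int main(void)
{
    processing_unit_t pu;
    pu_reset(&pu);
    pu_cycle(&pu, RX_OK, RX_OK, true);
    for (int i = 0; i < 6; i++)
        pu_cycle(&pu, RX_TIMEOUT, RX_OK, true);
    printf("closed after 6 timeouts: %d, tripped: %d\n",
           (int)pu.switch_closed, (int)pu.tripped);
    return 0;
}
```

Note that while a hop is faulty but its counter is still below the preset value, the switch holds its last commanded state rather than following a stale instruction; only the trip forces it open, and only a reset brings the channel back, which matches the flow ending at S68 and S77 without a return path.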
In some embodiments, the first output module 10 and the second output module 20 exchange their in-place status through a communication link; the first output module 10 is configured to detect the in-place state of the second output module 20, maintain a redundant pairing status flag according to that state, and upload the redundant pairing status flag to the control module 100; the second output module 20 is configured to detect the in-place state of the first output module 10, maintain a redundant pairing status flag according to that state, and upload the redundant pairing status flag to the control module 100. For example, a redundant pairing status flag of 0 represents that the paired output module is in a non-in-place state, and a flag of 1 represents that the paired output module is in the in-place state. The control module 100 may determine, according to the redundant pairing status flag, whether a faulty output module exists, and if so, sends an alarm prompt to prompt a worker to repair the faulty output module.
In some embodiments, the control module 100 is configured to start timeout timing for a target output module reporting a redundant pairing failure after receiving a redundant pairing status flag indicating that a paired output module is in a non-in-place state, determine that the target output module is not maintained when a length of the timeout reaches a preset condition, and send a second degradation control instruction to the target output module to instruct the target output module to disconnect its output switch.
For example, the control module 100 is provided with a timeout counter (timeout counter) corresponding to each output module, and the control module 100 maintains the timeout counter of each output module according to the redundant pairing status flag reported by each output module, where an initial value of the timeout counter of each output module is 0.
Control module 100 maintains a timeout time for the timeout counter, which may be configured as a predetermined maintenance time MTTR.
If the first output module 10 detects that its counterpart is not in place (redundant communication failure or disconnection), the redundant pairing state flag of the first output module 10 is set to 1 and the control module 100 starts the timeout counter; if the timeout counter is greater than 0 and exceeds the predetermined maintenance time MTTR, the control module 100 issues a second degradation control instruction to the first output module 10 to instruct it to turn off its own output switch.
In this arrangement, if one output module of a pair of mutually redundant output modules is in a non-in-place state (redundant communication failure or disconnection), then even if the other output module is currently operating normally, there is no guarantee that it will still be operating normally later; if it also becomes abnormal, its output switch may not be turned off automatically. To avoid this problem, in this embodiment a timeout timer is started for the target output module reporting the redundant pairing fault, and if the target output module times out without being maintained, a second degradation control instruction is issued to it so that its output switch is turned off in time, ensuring that the system is in the preset safe state.
In some embodiments, the first output module 10 is configured to update the redundant pairing status flag and upload the updated flag to the control module 100 when it detects that the second output module 20 is in the in-place state; the second output module 20 is configured to update the redundant pairing status flag and upload the updated flag to the control module 100 when it detects that the first output module 10 is in the in-place state; the control module 100 is configured, according to the updated redundant pairing status flag, to stop the non-in-place timing of the corresponding output module and to decrement the timeout counter.
For example, if the second output module 20 returns to the in-place state during the timeout period, the first output module 10 releases the pairing-lost fault and sets PairLst_flag to 0, and the control module 100 processes the timeout counter according to the "+2, -1" fault recovery confirmation principle: if the fault lasted 100 communication cycles, the timeout counter has been incremented to 200, and 200 further communication cycles in which the first output module 10 continuously reports PairLst_flag = 0 are needed before the timeout counter decreases to 0.
This embodiment addresses the problem of multiple faults affecting the correct output of the system: when a single fault occurs, the user is prompted to perform maintenance through the pairing-lost alarm; if the user does not deal with the alarmed fault within the set maintenance time, the system assumes that a further fault could cause the dangerous condition of erroneous system output, and therefore actively turns off the output switch of the target output module reporting the redundant pairing fault once the count exceeds the limit.
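The "+2, -1" confirmation rule and the MTTR timeout, as an added C model rather than the patent's own code. watch_cycle is one communication cycle of the control module for one output module. MTTR_CYCLES is a constructed stand-in for the configured maintenance time; the one-shot alarm, its clearing when the counter returns to zero, and the latching of the degraded state until reset are assumptions the page does not state. With the page's own numbers, 100 cycles of PairLst_flag = 1 raise the counter to 200 and 200 cycles of PairLst_flag = 0 bring it back to zero.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added model of the control module's per-output-module timeout counter
 * with the "+2, -1" fault-recovery confirmation rule; not the patent's
 * code. Time is counted in communication cycles. MTTR_CYCLES is a
 * constructed stand-in for the configured maintenance time MTTR; holding
 * the degraded state until watch_reset() is an assumption. */

#define MTTR_CYCLES 1000u

typedef enum { ACT_NONE, ACT_ALARM, ACT_DEGRADE } ctrl_action_t;

typedef struct {
    unsigned timeout_cnt;   /* initial value 0 */
    bool alarm_active;      /* pairing-lost alarm shown to the operator */
    bool degraded;          /* second degradation instruction issued */
} module_watch_t;

void watch_reset(module_watch_t *w)
{
    w->timeout_cnt = 0;
    w->alarm_active = false;
    w->degraded = false;
}

/* One communication cycle for one output module. pairlst_flag is the
 * PairLst_flag value the module reported this cycle (true = its paired
 * module is not in place). Returns the action the control module takes. */
ctrl_action_t watch_cycle(module_watch_t *w, bool pairlst_flag)
{
    if (w->degraded)
        return ACT_NONE;            /* held until maintenance resets it */

    ctrl_action_t act = ACT_NONE;
    if (pairlst_flag) {
        w->timeout_cnt += 2;        /* "+2": fault reported again */
        if (!w->alarm_active) {     /* prompt the operator once */
            w->alarm_active = true;
            act = ACT_ALARM;
        }
    } else if (w->timeout_cnt > 0) {
        w->timeout_cnt -= 1;        /* "-1": recovery is confirmed slowly */
        if (w->timeout_cnt == 0)
            w->alarm_active = false;
    }

    /* "greater than 0 and exceeds the predetermined maintenance time" */
    if (w->timeout_cnt > 0 && w->timeout_cnt > MTTR_CYCLES) {
        w->degraded = true;         /* not repaired within MTTR */
        return ACT_DEGRADE;
    }
    return act;
}

/* Run n cycles with the same reported flag; returns the last action. */
ctrl_action_t watch_run(module_watch_t *w, bool pairlst_flag, unsigned n)
{
    ctrl_action_t last = ACT_NONE;
    while (n-- > 0)
        last = watch_cycle(w, pairlst_flag);
    return last;
}

int main(void)
{
    module_watch_t w;
    watch_reset(&w);
    watch_run(&w, true, 100);                 /* fault for 100 cycles */
    printf("after fault: counter=%u\n", w.timeout_cnt);
    watch_run(&w, false, 200);                /* 200 clean cycles */
    printf("after recovery: counter=%u degraded=%d\n",
           w.timeout_cnt, (int)w.degraded);
    return 0;
}
```

The asymmetry is the point: a flickering link that is lost for one cycle and back the next still gains one count per pair of cycles, so an intermittent fault that is never repaired is driven toward the MTTR limit rather than averaged away.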
In some embodiments, multiple risk downgrading devices may be connected in parallel in sequence to build a 2oo4d security system voting downgrading architecture, where the number 2 represents the number of channels needed to perform a security function and the number 4 represents the total number of channels available.
With reference to the risk degradation device of the foregoing embodiment, this embodiment further provides a risk degradation method applied to the risk degradation device of any one of the foregoing embodiments, fig. 7 is a flowchart of the risk degradation method of the embodiment of the present application, and as shown in fig. 7, the flowchart includes the following steps:
Step S701, obtaining the return detection signals uploaded by the first output module and the second output module.
Referring to fig. 1 to 6, the control module 100 acquires the return detection signals uploaded by the first output module 10 and the second output module 20.
Step S702, detecting, according to the return detection signals, whether a faulty output module exists.
The control module 100 detects whether the first output module 10 is faulty according to the return detection signal of the first output module 10, and detects whether the second output module 20 is faulty according to the return detection signal of the second output module 20.
In some embodiments, the control module 100 stores an output instruction. Before detecting whether a faulty output module exists, the control module 100 may issue the output instruction to each output module; after receiving the return detection signal fed back by each output module, it compares that signal with the output instruction, determines an output module whose comparison result is inconsistent to be the faulty output module, and determines an output module whose comparison result is consistent to be the redundant output module.
Step S703, in the case that the existence of the faulty output module is detected, sending a first degradation control instruction to the redundant output module without fault to instruct the redundant output module to open the main switch of the faulty output module.
For example, when it is detected that the first output module 10 is faulty and the second output module 20 is not faulty, a first degradation control command is sent to the second output module 20 to instruct the second output module 20 to open the first main switch 12 of the first output module 10. When the second output module 20 fails and the first output module 10 is not failed, a first degradation control command is sent to the first output module 10 to instruct the first output module 10 to open the second master switch 22 of the second output module 20.
This embodiment solves the problem that the system risk cannot be degraded when an output channel has an undetected fault or the risk degradation logic fails to execute, and achieves effective degradation of the system risk.
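An added C model of steps S701 to S703; it is not the patent's code. The control module compares each module's return detection signal with the output instruction, names the disagreeing module as faulty, and routes the first degradation instruction to the other module, whose processing unit is the one wired to the faulty module's master switch. The constructed scenario is the dangerous one: the load is commanded off, but the first output module's channel stays closed and its check signal reports it so. The handling of the case where both check signals disagree is an assumption; the page does not describe it.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added model of the control module's fault detection and routing of
 * the first degradation instruction (steps S701-S703); not the patent's
 * code. The two output modules are redundant: their master switches sit
 * in parallel between the excitation source and the load, and each
 * module's processing unit drives the *other* module's master switch.
 * Assumption: when both check signals disagree, no redundant module is
 * left to execute the instruction, so none is issued and the caller is
 * told so via MOD_BOTH / MOD_NONE. */

typedef enum { MOD_FIRST = 0, MOD_SECOND = 1, MOD_NONE, MOD_BOTH } module_id_t;

typedef struct {
    bool master_closed;   /* master switch 12 / 22 */
    bool output_closed;   /* output switch 13 / 23 */
    bool check_signal;    /* return detection: channel state as observed */
} output_module_t;

typedef struct {
    output_module_t mod[2];
    bool output_instruction;   /* state the control module commanded */
} risk_device_t;

typedef struct {
    module_id_t faulty;    /* module whose check signal disagrees */
    module_id_t executor;  /* module told to open the faulty master switch */
} degrade_result_t;

/* Step S702: a module is faulty when its check signal does not match
 * the output instruction it was given. */
static bool module_faulty(const risk_device_t *d, module_id_t m)
{
    return d->mod[m].check_signal != d->output_instruction;
}

/* Steps S702-S703. Applies the first degradation instruction to the
 * device model and returns what was decided. */
degrade_result_t degrade_step(risk_device_t *d)
{
    degrade_result_t r = { MOD_NONE, MOD_NONE };
    bool f1 = module_faulty(d, MOD_FIRST);
    bool f2 = module_faulty(d, MOD_SECOND);

    if (f1 && !f2) {
        r.faulty = MOD_FIRST;  r.executor = MOD_SECOND;
    } else if (f2 && !f1) {
        r.faulty = MOD_SECOND; r.executor = MOD_FIRST;
    } else if (f1 && f2) {
        r.faulty = MOD_BOTH;   /* assumption: no redundant executor */
    }

    /* The executor's processing unit is wired to the faulty module's
     * master switch, so that is the switch it opens. */
    if (r.executor != MOD_NONE)
        d->mod[r.faulty].master_closed = false;
    return r;
}

/* The load stays energised while any module has both switches closed. */
bool load_energised(const risk_device_t *d)
{
    for (int i = 0; i < 2; i++)
        if (d->mod[i].master_closed && d->mod[i].output_closed)
            return true;
    return false;
}

/* Constructed scenario: load commanded off, but the first module's
 * output switch is stuck closed and its check signal says so. */
risk_device_t sample_device(void)
{
    risk_device_t d;
    for (int i = 0; i < 2; i++) {
        d.mod[i].master_closed = true;
        d.mod[i].output_closed = false;
        d.mod[i].check_signal = false;
    }
    d.output_instruction = false;
    d.mod[MOD_FIRST].output_closed = true;
    d.mod[MOD_FIRST].check_signal = true;
    return d;
}

int main(void)
{
    risk_device_t d = sample_device();
    printf("before: load energised=%d\n", (int)load_energised(&d));
    degrade_result_t r = degrade_step(&d);
    printf("faulty=%d executor=%d after: load energised=%d\n",
           (int)r.faulty, (int)r.executor, (int)load_energised(&d));
    return 0;
}
```

The cross-wiring is what makes the scheme robust to the fault it targets: the stuck channel's own processing unit may be the very thing that failed, so the de-energising path runs through the healthy module's processor and the faulty module's master switch, neither of which depends on the faulty processing unit.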
In some embodiments, the control module 100 obtains the redundant pairing status flag of the first output module 10 and obtains the redundant pairing status flag of the second output module 20, the control module 100 determines whether the paired output modules (the first output module 10 and the second output module 20 are paired output modules with each other) are in an in-place state according to the redundant pairing status flags generated by the output modules, and if there is an output module in a non-in-place state, an alarm prompt is sent.
In some embodiments, after receiving the first redundant pairing status flag indicating that the paired output module is in the non-in-place state, the control module 100 starts timeout for the target output module reporting the redundant pairing failure; when the timeout length reaches a preset condition, the control module 100 determines that the target output module is not maintained, and sends a second degradation control instruction to the target output module to instruct the target output module to disconnect its own output switch.
In some embodiments, in a case that the target output module detects that the paired output module is in an in-place state, the control module 100 obtains a second redundant pairing status flag generated by the target output module, where the second redundant pairing status flag is used to indicate that the paired output module is in the in-place state; the control module 100 stops timing the timeout of the target output module according to the second redundant pairing state flag, and performs decrement processing on the timeout counter.
It should be understood that the specific embodiments described herein are merely illustrative of this application and are not intended to be limiting. All other embodiments, which can be derived by a person skilled in the art from the examples provided herein without any inventive step, shall fall within the scope of protection of the present application.
It is obvious that the drawings are only examples or embodiments of the present application, and it is obvious to those skilled in the art that the present application can be applied to other similar cases according to the drawings without creative efforts. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
The term "embodiment" is used herein to mean that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the present application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is to be expressly or implicitly understood by one of ordinary skill in the art that the embodiments described in this application may be combined with other embodiments without conflict.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the patent protection. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.

Claims (10)

1. A risk degradation device, comprising: a control module, and a first output module and a second output module which are redundant with each other, wherein the first output module comprises a first processing unit and a first main switch, and the second output module comprises a second processing unit and a second main switch; wherein:
the control module is respectively connected with the first processing unit and the second processing unit;
one connecting end of each of the first main switch and the second main switch is used for connecting to an excitation source, and the other connecting end of each is used for connecting to a load;
the first processing unit is connected with the controlled end of the second master switch, and the second processing unit is connected with the controlled end of the first master switch;
the control module is used for detecting whether a fault output module exists according to the return detection signals uploaded by the output modules, and sending a first degradation control instruction to the processing unit of the corresponding redundant output module to instruct the processing unit of the redundant output module to disconnect the main switch of the fault output module under the condition that the fault output module is detected.
2. The risk degradation device of claim 1, wherein the first output module comprises a first output switch, a controlled terminal of the first output switch is connected to the first processing unit, a connection terminal of the first output switch is connected to the first main switch, and another connection terminal of the first output switch is used for connecting to the load; the second output module comprises a second output switch, a controlled end of the second output switch is connected with the second processing unit, a connecting end of the second output switch is connected with the second main switch, and the other connecting end of the second output switch is used for being connected with the load; wherein:
the first processing unit is used for detecting whether a fault exists or not according to the return detection signal, and if so, the first processing unit controls the first output switch to be disconnected so as to cut off an electric path between the first main switch and the load;
the second processing unit is used for detecting whether a fault exists according to the return detection signal, and if the fault exists, the second processing unit controls the second output switch to be disconnected so as to cut off an electric path between the second main switch and the load.
3. The risk degradation device of claim 2, wherein the first output module return detection signal comprises an electrical signal flowing through the first output switch loop and an electrical signal driving the load, and the second output module return detection signal comprises an electrical signal flowing through the second output switch loop and an electrical signal driving the load.
4. The risk degradation device of claim 2, wherein the first processing unit comprises a first processor and a second processor, the first processor communicatively coupled to the second processor, the first processor coupled to the controlled terminal of the second master switch, the second processor coupled to the controlled terminal of the first output switch; the second processing unit comprises a third processor and a fourth processor, the third processor is connected with the fourth processor in a communication mode, the third processor is connected with the controlled end of the first main switch, and the fourth processor is connected with the controlled end of the second output switch; the first processor is in communication connection with the third processor; wherein:
the second processor is used for acquiring a return detection signal and sending the return detection signal to the first processor, the first processor is used for generating a second degradation control instruction according to the return detection signal and sending the second degradation control instruction to the second processor so as to indicate the second processor to control the state of the first output switch according to the second degradation control instruction, and the first processor is also used for controlling the state of the second main switch under the control of the control module;
the fourth processor is used for acquiring a return detection signal and sending the return detection signal to the third processor, the third processor is used for generating a second degradation control instruction according to the return detection signal and sending the second degradation control instruction to the fourth processor so as to indicate the fourth processor to control the state of the second output switch according to the second degradation control instruction, and the third processor is further used for controlling the state of the first main switch under the control of the control module.
5. The risk degradation device of claim 4, wherein the first processor and the second processor are electrically isolated from each other; the third processor and the fourth processor are electrically isolated from each other.
6. A risk degradation method applied to the risk degradation device of any one of claims 1 to 5, wherein the method comprises:
acquiring return detection signals uploaded by a first output module and a second output module;
detecting whether a fault output module exists according to the return detection signal;
and in the case of detecting that a fault output module exists, sending a first degradation control instruction to a redundant output module without a fault to instruct the redundant output module to open a main switch of the fault output module.
7. The risk degradation method of claim 6, wherein detecting whether a fault output module is present comprises:
comparing the return detection signals of the output modules with the output instructions, determining the output modules with inconsistent comparison results as the fault output modules, and determining the output modules with consistent comparison results as the redundant output modules.
8. The risk degradation method of claim 6, further comprising:
acquiring a redundant pairing state mark generated by the first output module after the in-place state of the second output module is detected, and acquiring a redundant pairing state mark generated by the second output module after the in-place state of the first output module is detected;
and judging whether the paired output modules are in the in-place state or not according to the redundant paired state marks generated by the output modules, and if the output modules which are not in the in-place state exist, sending an alarm prompt.
9. The risk degradation method of claim 8, wherein after receiving a first redundant pairing status flag indicating that a paired output module is in a non-in-place state, the method further comprises:
starting overtime timing for a target output module reporting a redundancy pairing fault;
and when the timeout length reaches a preset condition, determining that the target output module is not maintained, and sending a second degradation control instruction to the target output module to instruct the target output module to disconnect an output switch of the target output module.
10. The risk degradation method of claim 9, wherein in a case where the target output module detects that the paired output module is in an in-place state, the method further comprises:
acquiring a second redundant pairing state mark generated by the target output module, wherein the second redundant pairing state mark is used for indicating that the pairing output module is in an in-place state;
and stopping timing the overtime of the target output module according to the second redundant pairing state mark, and performing decrement processing on an overtime counter.
CN202110753214.6A 2021-07-02 2021-07-02 Risk degradation device and risk degradation method Active CN113541672B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110753214.6A CN113541672B (en) 2021-07-02 2021-07-02 Risk degradation device and risk degradation method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110753214.6A CN113541672B (en) 2021-07-02 2021-07-02 Risk degradation device and risk degradation method

Publications (2)

Publication Number Publication Date
CN113541672A true CN113541672A (en) 2021-10-22
CN113541672B CN113541672B (en) 2024-04-23

Family

ID=78126670

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110753214.6A Active CN113541672B (en) 2021-07-02 2021-07-02 Risk degradation device and risk degradation method

Country Status (1)

Country Link
CN (1) CN113541672B (en)

Citations (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR19990005390A (en) * 1997-06-30 1999-01-25 윤종용 Redundancy Device and Method of ATM Switch Board
KR19990066535A (en) * 1998-01-30 1999-08-16 이종수 Output redundancy and failure prevention circuit of PLC system
US6550018B1 (en) * 2000-02-18 2003-04-15 The University Of Akron Hybrid multiple redundant computer system
US7870299B1 (en) * 2008-02-06 2011-01-11 Westinghouse Electric Co Llc Advanced logic system
CN102096401A (en) * 2010-12-22 2011-06-15 北京昊图科技有限公司 Redundant and fault-tolerant safety instrument control system based on fieldbus and ARM (advanced RISC machines)
CN202421854U (en) * 2011-12-22 2012-09-05 上海新华控制技术(集团)有限公司 Triplex level redundancy switching value output module for DCS (data communication system)
CN103293949A (en) * 2013-06-08 2013-09-11 杭州和利时自动化有限公司 On-off output channel redundancy fault-tolerant control method and redundancy on-off output channels
CN203643761U (en) * 2013-12-19 2014-06-11 上海新华控制技术集团科技有限公司 Triple redundancy concurrent control module
FR3000322A1 (en) * 2012-12-21 2014-06-27 Schneider Electric Ind Sas DEVICE FOR PROTECTING AN ELECTRONIC OVERCURRENT OF AT LEAST ONE ELECTRONIC SWITCHING BRANCH, A CONVERSION SYSTEM COMPRISING SUCH A PROTECTIVE DEVICE, AND A CONTROL METHOD THEREFOR
CN104407556A (en) * 2014-09-26 2015-03-11 浙江中控技术股份有限公司 Hot standby redundancy module switching device
CN111007713A (en) * 2019-07-10 2020-04-14 沈阳中科一唯电子技术有限公司 Heterogeneous redundant vehicle control unit conforming to functional safety
US20210066013A1 (en) * 2019-09-03 2021-03-04 Atom Power, Inc. Solid-state circuit breaker with self-diagnostic, self-maintenance, and self-protection capabilities
CN112631256A (en) * 2020-12-29 2021-04-09 浙江中控技术股份有限公司 Switching value output module with safe function and diagnosis processing method

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114280919A (en) * 2022-03-08 2022-04-05 浙江中控技术股份有限公司 Redundancy control device
CN114280919B (en) * 2022-03-08 2022-05-31 浙江中控技术股份有限公司 Redundancy control device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant