CN115237064A - Safety control method, system and device - Google Patents
Safety control method, system and device Download PDFInfo
- Publication number
- CN115237064A CN115237064A CN202110442592.2A CN202110442592A CN115237064A CN 115237064 A CN115237064 A CN 115237064A CN 202110442592 A CN202110442592 A CN 202110442592A CN 115237064 A CN115237064 A CN 115237064A
- Authority
- CN
- China
- Prior art keywords
- voting
- signal
- output
- hardware
- signal channel
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 27
- 230000006854 communication Effects 0.000 claims abstract description 27
- 238000004891 communication Methods 0.000 claims abstract description 27
- 238000004519 manufacturing process Methods 0.000 claims abstract description 11
- 230000005540 biological transmission Effects 0.000 claims abstract description 10
- 230000007246 mechanism Effects 0.000 claims abstract description 8
- 238000012545 processing Methods 0.000 claims description 33
- 230000004888 barrier function Effects 0.000 claims description 16
- 238000006243 chemical reaction Methods 0.000 claims description 4
- 230000001960 triggered effect Effects 0.000 claims description 3
- 230000008054 signal transmission Effects 0.000 claims 1
- 238000010586 diagram Methods 0.000 description 12
- 238000005516 engineering process Methods 0.000 description 4
- 230000006870 function Effects 0.000 description 4
- 230000009471 action Effects 0.000 description 3
- 238000001514 detection method Methods 0.000 description 3
- 230000007175 bidirectional communication Effects 0.000 description 2
- 230000006872 improvement Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 101000879673 Streptomyces coelicolor Subtilisin inhibitor-like protein 3 Proteins 0.000 description 1
- 230000002411 adverse Effects 0.000 description 1
- 230000002457 bidirectional effect Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000002349 favourable effect Effects 0.000 description 1
- 238000002955 isolation Methods 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000008569 process Effects 0.000 description 1
- 230000001737 promoting effect Effects 0.000 description 1
- 239000000126 substance Substances 0.000 description 1
- 230000001360 synchronised effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B19/00—Programme-control systems
- G05B19/02—Programme-control systems electric
- G05B19/418—Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS] or computer integrated manufacturing [CIM]
- G05B19/4185—Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS] or computer integrated manufacturing [CIM] characterised by the network communication
-
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B2219/00—Program-control systems
- G05B2219/30—Nc systems
- G05B2219/31—From computer integrated manufacturing till monitoring
- G05B2219/31088—Network communication between supervisor and cell, machine group
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02P—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
- Y02P90/00—Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
- Y02P90/02—Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]
Landscapes
- Engineering & Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Manufacturing & Machinery (AREA)
- Quality & Reliability (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Automation & Control Theory (AREA)
- Safety Devices In Control Systems (AREA)
Abstract
The invention provides a safety control method, a safety control system and a safety control device, and belongs to the field of petrochemical engineering safety production. The method comprises the following steps: respectively inputting signals obtained from the same site into four signal channels, wherein an inter-channel information transmission communication mechanism is established among the four signal channels; executing multiple software two-out-of-four voting operation on each signal channel, and outputting a software voting result; and inputting the software voting result output by the last double-voting operation of the four signal channels into a hardware voting circuit for hardware voting, and outputting the hardware voting result as a control signal. The safety control method, the system and the device carry out multiple two-out-of-four software voting on the signals from the same site on four mutually redundant signal channels, and when one or two signal channels have faults, the safety control can still be realized. The safety control method, the system and the device can effectively reduce the safety failure rate and the error shutdown rate.
Description
Technical Field
The invention relates to the field of petrochemical engineering safety production, in particular to a safety control method, a safety control system and a safety control device.
Background
The safety control system is one of the most important devices for ensuring the safety production of petrochemical industry, and is used for monitoring potential dangers in the industrial process, sending alarm information in time or automatically executing a preset protection function, preventing the dangerous events of the petrochemical industry process from happening or slowing down the consequences of the dangerous events, and ensuring the safety of personnel, equipment and the surrounding environment of a factory.
At present, petrochemical industry production enterprises often adopt a safety control system, and on the premise of meeting the overall demand and ensuring the reliability index of the system, the Safety Integrity Level (SIL) of the system is improved, and the single channel of the safety control system reaches the SIL3 level. And the hardware fault margin refers to the number of hardware failures that the safety instrument system can maintain and continue to operate without overall failure. In order to minimize the impact on the system due to common cause failure, it is generally required that the hardware fault margin of the safety control system is greater than or equal to 1. A hardware fault margin of 1 means that there are two devices, the structural constraint of which is that a dangerous failure of one of the two components or subsystems cannot prevent the triggering of a safety action.
At present, the system structure which can achieve the hardware fault margin of 1 and is widely applied mainly comprises: two takes one (1 oo 2), three takes two (2 oo 3), two times two takes two structures. The two-out-of-one architecture is commonly used in two independent controllers, each with its own independent I/O. If one channel is in fault and is in dangerous failure, the other channel works normally, and the system can still be in a safe state. Although the two-out-of-two structure improves the hardware fault margin, the structure does not change any output state or output vote, so that the safety failure score of the structure is low, and therefore, the whole safety function is difficult to achieve a high safety integrity level. The two-out-of-three structure is composed of three parallel sub-channels, and the three sub-channels carry out two-out-of-three voting at the output end. The two-out-of-three system has high safety, fault tolerance can be achieved, namely, the normal safety function of the system cannot be influenced by single safety failure, but the general two-out-of-three system still has defects in the aspects of detection and operation speed, if a single channel fails, the situation that the system cannot detect can exist, so that the fault cannot be found in time, the architecture is complex, and the implementation cost is high. The two-by-two structure comprises two subsystems consisting of four CPUs, each subsystem is provided with a comparison output unit, and the subsystems are switched by adopting a dual-system hot standby mode, so that the real-time performance and the availability of the system are influenced to a great extent, and if data loss is caused by switching, the system is also stopped by mistake, and the safety, the reliability and the availability of the system are not high.
In addition, current safety control systems have shifted from early full-scale based on analog technology to digital technology. The digitalized system realizes the safety logic function by means of software programming, and is a common cause failure because a software failure mechanism is different from a hardware random failure, wherein the common cause failure refers to the simultaneous failure of two or more units in one system due to a common reason, so that a single cause or failure has adverse effects on multiple components or multiple parts of the system.
Disclosure of Invention
In order to solve the above problems, embodiments of the present invention provide a safety control method, system and device.
In order to achieve the above object, a first aspect of the present invention provides a safety control method for petrochemical production safety control, the method comprising:
respectively inputting signals obtained from the same site into four signal channels, wherein an inter-channel information transmission communication mechanism is established between the four signal channels;
executing a two-out-of-four voting operation of multiple software on each signal channel, and outputting a software voting result;
and inputting the software voting result output by the last double-voting operation of the four signal channels into a hardware voting circuit for hardware voting, and outputting the hardware voting result as a control signal.
Optionally, the executing multiple software two-out-of-four voting operations on each signal channel includes: two-out-of-four voting operations are performed in duplicate software on each signal channel.
Optionally, the executing multiple software two-out-of-four voting operations on each signal channel includes: the four signal channels adopt different processors to execute multiple software two-out-of-four voting operations.
Optionally, the executing of the multiple software two-out-of-four voting operation includes:
when voting operation is carried out on two out of four of each piece of software, fault judgment is carried out on input signals, fault signals are eliminated, and then signal voting output is carried out.
The invention provides a safety control system based on the safety control method, which is used for petrochemical production safety control and comprises the following components:
each signal channel is provided with an input module, a logic processing module and an output module;
the input module is used for signal input;
the logic processing module is connected with the input module and comprises a communication module, a memory and a microprocessor; the communication module is used for acquiring signal values among signal channels, the memory stores program instructions of multiple software two-out-of-four voting operation, and the microprocessor is used for executing the program instructions in the memory;
the output module is connected with the logic processing module and is used for outputting a software voting result output by the last block operation of the signal channel;
and the hardware voting module is internally provided with a hardware voting circuit, is connected with the output module of each signal channel, and is used for performing hardware voting and signal output control on four software voting results output by the last double-block operation of the four signal channels.
Optionally, the input module includes an input card, which is used to implement conversion and transmission of the signal channel input signal; the output module comprises an output card and is used for converting a software voting result output by the last double-voting operation of the signal channel and outputting a voting signal of the signal channel; the input card and the output card are implemented based on a microprocessor.
Optionally, the hardware voting module includes an output terminal board, the output terminal board is connected to the output card of each signal channel, and a hardware voting circuit is built in the output terminal board, and is configured to perform hardware voting on a voting signal output by the last double-block operation of the four signal channels and output a control signal.
Optionally, the four signal channels are a signal channel a, a signal channel B, a signal channel C and a signal channel D, respectively;
the hardware voting circuit consists of a first one-out-of-two hardware voting circuit and a second one-out-of-two hardware voting circuit which are connected in parallel;
the first one-out-of-two hardware voting circuit is controlled by voting signals output by the signal channel A and the signal channel B, and is conducted and outputs an effective voting signal under the condition that one voting signal is an effective signal in the voting signals output by the signal channel A and the signal channel B;
the second one-out-of-two hardware voting circuit is controlled by voting signals output by the signal channel C and the signal channel D, and the second one-out-of-two hardware voting circuit is conducted and outputs an effective voting signal when one voting signal is an effective signal in the voting signals output by the signal channel C and the signal channel D.
Optionally, the output card of each signal channel outputs the voting signal of the signal channel by adopting the output contact pair; wherein, the first and the second end of the pipe are connected with each other,
voting signals output by the output card of the signal channel A are a voting signal A1 and a voting signal A2;
voting signals output by the output card of the signal channel B are voting signals B1 and voting signals B2;
voting signals output by the output card of the signal channel C are voting signals C1 and voting signals C2;
the voting signals output by the output card of the signal channel D are voting signals D1 and voting signals D2.
Optionally, the hardware voting circuit includes eight switch terminals, which are a first switch terminal, a second switch terminal, a third switch terminal, a fourth switch terminal, a fifth switch terminal, a sixth switch terminal, a seventh switch terminal, and an eighth switch terminal, respectively, where the first to eighth switch terminals are controlled by a voting signal A1, a voting signal B2, a voting signal A2, a voting signal C1, a voting signal D2, and a voting signal C2, respectively;
the first switch terminal and the second switch terminal are connected in parallel to form a first parallel circuit; the third switch terminal and the fourth switch terminal are connected in parallel to form a second parallel circuit; the fifth switch terminal is connected with the sixth switch terminal in parallel to form a third parallel circuit; the seventh switch terminal and the eighth switch terminal are connected in parallel to form a fourth parallel circuit;
the first parallel circuit and the second parallel circuit are connected in series to form the first one-out-of-two hardware voting circuit; the third parallel circuit and the fourth parallel circuit are connected in series to form a second one-out-of-two hardware voting circuit;
and the first to eighth switch terminals are in a normally open state, and when the voting signal of the control switch terminal is an effective signal, the switch terminal is triggered to be closed, so that the hardware voting circuit is conducted and the effective voting signal is output.
Optionally, the types of the microprocessor of the input card, the microprocessor of the output card and the microprocessor of the logic processing module in each signal channel are different from each other.
Optionally, the types of the microprocessor in the signal channel a and the microprocessor in the signal channel B are different from each other, and the types of the microprocessor in the signal channel C and the microprocessor in the signal channel D are different from each other.
A third aspect of the present invention provides a safety control device provided with the above safety control system, the safety control device comprising:
the voting system comprises four voting cabinets and hardware voting output devices connected with the four voting cabinets;
the voting machine box comprises a plurality of slot positions into which clamping pieces are inserted, wherein the clamping pieces comprise an input card, a CPU card, an output card and a communication card;
the CPU card is used for storing and executing a two-out-of-four voting operation program instruction of the multiple software;
the four cases are communicated through the communication card.
Optionally, the safety control device further includes: the device comprises an input quantity detector, a first safety barrier, an input terminal board, a second safety barrier and an actuator;
the input quantity detector is connected with the first safety barrier and is used for signal acquisition;
the first safety barrier is connected with an input terminal board and used for safety energy limitation;
the input terminal board is connected with the input cards of the four cases, and is used for dividing signals into four paths of same signals and respectively sending the signals to the input cards of the four cases;
the second safety barrier is connected with the hardware voting output device and is used for receiving the hardware voting signal output by the hardware voting output device and inputting the hardware voting signal to the actuator.
Through the technical scheme, the signals from the same site are subjected to multiple two-out-of-four software voting on the four signal channels, and when one or two signal channels break down, safety control can still be realized, so that the safety failure rate and the false shutdown rate can be effectively reduced. The method solves the problems that the existing hardware redundancy voting technology can only achieve performance improvement on one aspect of safety failure rate or false shutdown rate, and cannot overall raise safety and reliability.
Additional features and advantages of embodiments of the invention will be set forth in the detailed description which follows.
Drawings
The accompanying drawings, which are included to provide a further understanding of the embodiments of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the embodiments of the invention and do not limit the embodiments. In the drawings:
FIG. 1 is a schematic diagram of a safety control method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a safety control system provided in accordance with an embodiment of the present invention;
FIG. 3 is a block diagram of a safety control system provided in one embodiment of the present invention;
FIG. 4 is a schematic diagram of a hardware voting circuit of a safety control system according to an embodiment of the present invention;
FIG. 5 is a diagram of a security control device cabinet configuration according to one embodiment of the present invention;
fig. 6 is a schematic diagram of a voting cabinet of a security control device according to an embodiment of the present invention.
Description of the reference numerals
1-slot position.
Detailed Description
The following detailed description of embodiments of the invention refers to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present invention, are given by way of illustration and explanation only, not limitation.
Example one
Fig. 1 is a schematic diagram of a safety control method according to an embodiment of the present invention. As shown in fig. 1, an embodiment of the present invention provides a safety control method for petrochemical production safety control, including:
respectively inputting signals obtained from the same site into four signal channels, wherein an inter-channel information transmission communication mechanism is established between the four signal channels;
executing a two-out-of-four voting operation of multiple software on each signal channel, and outputting a software voting result;
and inputting the software voting result output by the last double-voting operation of the four signal channels into a hardware voting circuit for hardware voting, and outputting the hardware voting result as a control signal.
Specifically, a detection signal from a site, that is, an input signal, is divided into four identical input signals and respectively input into four mutually redundant signal channels, that is, one signal is correspondingly input into one signal channel, and the signal is converted into a signal value which can be recognized by a computer on each channel. An inter-channel information transmission communication mechanism is established between every two signal channels of the four signal channels and is used for acquiring information between the signal channels.
And executing multiple software two-out-of-four voting operations on each signal channel, and outputting a software voting result. The operation rule of the multiple software two-out-of-four voting operation is that a signal value of a signal input by each signal channel or a voting result of the two-out-of-four voting operation of the previous software is obtained through an inter-channel information transmission communication mechanism established among the signal channels and serves as an input of the corresponding two-out-of-four voting operation of the heavy software, the four input signal values are judged, and when at least two of the four input signal values indicate effective signals, the effective signal value is output by the two-out-of-four voting operation of the heavy software and serves as a voting result of the two-out-of-four voting operation of the heavy software.
And inputting the software voting result output by the last double-software two-out-of-four voting operation of the four signal channels into a hardware voting circuit for hardware voting, and outputting the hardware voting result as a control signal.
By the safety control method, multiple two-out-of-four software voting is carried out on the signals from the same site on four mutually redundant signal channels, when one or two signal channels break down, the other two signal channels can still work normally, safety control can still be realized at the moment, and the safety failure rate and the false shutdown rate can be effectively reduced. The method solves the problems that the existing hardware redundancy voting technology can only achieve performance improvement of one aspect of safety failure rate or false shutdown rate, and cannot comprehensively secure safety and reliability.
Optionally, the executing multiple software two-out-of-four voting operations on each signal channel includes: two software two-out-of-four voting operations are performed on each signal channel.
Optionally, the executing multiple software two-out-of-four voting operations on each signal channel includes: the four signal channels adopt different processors to execute multiple software two-out-of-four voting operation. By adopting different processors to execute the two-out-of-four voting operation of the multiple software on each signal channel, the synchronization of the two-out-of-four operation processing of the multiple software among the signal channels can be achieved.
Optionally, the executing of the multiple software two-out-of-four voting operation includes:
when voting operation is carried out on two out of four of each piece of software, fault judgment is carried out on input signals, fault signals are eliminated, and then signal voting output is carried out. When each piece of software calculates two out of four, whether the four input signals have fault signals or not is judged by analyzing the four input signal values, and if the four input signals have the fault signals, the fault signals are removed and effective signal values are used for voting and outputting. And the source of the fault signal can know that the processing module outputting the fault signal is unavailable due to fault, and can prompt the fault module to check.
Example two
Fig. 2 is a schematic diagram of a safety control system according to an embodiment of the present invention. As shown in fig. 2, an embodiment of the present invention provides a safety control system based on the safety control method according to the first embodiment, for controlling safety of petrochemical production, the safety control system including:
each signal channel is provided with an input module, a logic processing module and an output module;
the input module is used for signal input;
the logic processing module is connected with the input module and comprises a communication module, a memory and a microprocessor; the communication module is used for acquiring signal values among signal channels, a program instruction of the multi-software two-out-of-four voting operation is stored in the memory, and the microprocessor is used for executing the program instruction in the memory;
the output module is connected with the logic processing module and is used for outputting a software voting result output by the last voting operation of the signal channel;
and the hardware voting module is internally provided with a hardware voting circuit, is connected with the output module of each signal channel, and is used for performing hardware voting and signal output control on four software voting results output by the last double-block operation of the four signal channels.
Specifically, as shown in fig. 2, the system includes: signal path a, signal path B, signal path C, and signal path D. The signal channel A is provided with an input module A, a logic processing module A and an output module A; the signal channel B is provided with an input module B, a logic processing module B and an output module B; the signal channel C is provided with an input module C, a logic processing module C and an output module C; and the signal channel D is provided with an input module D, a logic processing module D and an output module D.
The same signal from the same field sensor is respectively input into a signal channel A, a signal channel B, a signal channel C and a signal channel D, passes through an input module, a logic processing module and an output module of each signal channel, then passes through a unified hardware voting module, and finally a final control signal is output.
As shown in fig. 2, an inter-channel information transmission communication mechanism is established between the logic processing module a, the logic processing module B, the logic processing module C, and the logic processing module D, so that information transmission between signal channels can be realized.
The signal channel A, the signal channel B, the signal channel C and the signal channel D are mutually redundant, when one or two signal channels are in fault and cannot output effective signals or cannot output signals, the other two channels can normally work, and the system can still realize safety control.
Preferably, the input/output module, the logic processing module and the output module are provided with a self-checking loop, which can detect whether the module itself fails, and if the module fails, label the signal value output by the module, if the output signal value is labeled as 0, it indicates that the module outputs the failed signal value.
For example, when the input module of a certain signal channel detects failure, the data output by the input module is marked with invalidity. When the logic processing module carries out the two-out-of-four voting operation processing, the output of the failed input module is ignored or eliminated if the output of the failed input module is inconsistent with the effective signal values of the other three channels, and the voting result can be normally output by taking any two of the other three channels. In this case, the logic module at the lower stage of the input module with the failed signal channel can still receive other normal input data and the data comes from the input module of the redundant other signal channel, so that the whole system can still continue to work, and the system is still in an available state and still has the capability of executing safety control.
Further, the input module comprises an input card for realizing conversion and transmission of the signal channel input signal; the output module comprises an output card and is used for converting a software voting result output by the last double-voting operation of the signal channel and outputting a voting signal of the signal channel; the input card and the output card are implemented based on a microprocessor.
Furthermore, the hardware voting module comprises an output terminal board, the output terminal board is connected with the output card of each signal channel, and a hardware voting circuit is arranged in the output terminal board and is used for carrying out hardware voting on the voting signal output by the last double-block operation of the four signal channels and outputting a control signal.
Fig. 3 is a block diagram of a safety control system according to an embodiment of the present invention. As shown in fig. 3, the input module in each signal channel includes a microprocessor-based input card, the logic processing module includes a microprocessor-based controller CPU card, and the output module includes a microprocessor-based output card. The hardware voting module comprises an output terminal board with a built-in hardware voting circuit.
The input cards comprise digital quantity input cards and analog quantity input cards.
The input card is used for converting the signals input by each signal channel into signal values which can be processed by a computer and inputting the signal values into the CPU card of the controller of the logic processing module in the signal channel. And the CPU card of the controller on the channel stores a user logic program for carrying out the voting operation of two out of four of multiple software. And the output card is used for carrying out signal conversion on the output signal value and outputting the signal value to the hardware voting module.
As shown in fig. 3, the field detection signal (i.e., the input signal) transmitted through the input amount detector and the first safety fence is divided into four identical input signals by the input terminal block, and the four identical input signals are transmitted to the four signal channels, respectively. The logic processing modules of the four signal channels realize high-speed isolated bidirectional communication between every two controller CPU cards of each signal channel through the communication cards, and obtain signal values of other channels. When the safety control system works, firstly, the controller CPU card of each signal channel carries out first-double-software four-out-of-two voting operation on four input signals from the same site and the same part, so that fault tolerance of the input signal channel is realized. And secondly, the logic processing modules of the four signal channels obtain the voting result of the four-out-of-two voting operation of the previous software of the CPU cards of the other channel controllers through the communication card again, and carry out the four-out-of-two voting on the voting result of the next software, so that the fault tolerance of the voting result of the four-out-of-two voting operation of the CPU card of each controller is realized. And finally, after the CPU card of each signal channel controller carries out the voting operation of the four-out-of-two of the multiple software, the output voting result is sent to an output terminal board through an output card to carry out hardware voting. And the result of hardware voting output by the output terminal board is sent to the actuator after passing through a second safety barrier.
When one signal channel input module, logic processing module or output module in the safety control system fails, other modules or other signal channels of the channel can still work normally, the system can still output correct control commands after multiple two-out-of-four voting, the action rejection probability and the action error probability of the system are improved, and the overall availability and the reliability of the system are improved.
As shown in fig. 3, the logic processing modules of the four signal channels adopt different controller CPU cards, and high-speed isolated bidirectional communication between every two controller CPU cards of each signal channel is realized through the communication card, so that synchronous processing of four-channel operation results can be realized.
As shown in fig. 3, signal path a includes: the input card I-A1, the controller CPU card CPU-A1 and the output card O-A1, the signal channel B comprises: the input card I-B2, the controller CPU card CPU-B2 and the output card O-B2, the signal channel C comprises: the input card I-C1, the controller CPU card CPU-C1 and the output card O-C1, the signal channel D comprises: an input card I-D2, a controller CPU card CPU-D2 and an output card O-D2.
Furthermore, the models of the microprocessor of the input card, the microprocessor of the output card and the microprocessor of the logic processing module in each signal channel are different from each other. For example, the microprocessors in the input card I-A1, the controller CPU card CPU-A1 and the output card O-A1 in the signal channel A adopt microprocessors of different models of the same manufacturer or different manufacturers.
Furthermore, the type of the microprocessor in the signal channel A is different from that of the microprocessor in the signal channel B, and the type of the microprocessor in the signal channel C is different from that of the microprocessor in the signal channel D. For example, the input card I-A1, the controller CPU card CPU-A1 and the output card O-A1 in the signal channel A, and the input card I-C1, the controller CPU card CPU-C1 and the output card O-C1 in the signal channel C are realized by a microprocessor of a microprocessor manufacturer; the input card I-B2, the controller CPU card CPU-B2 and the output card O-B2 in the signal channel B and the input card I-D2, the controller CPU card CPU-D2 and the output card O-D2 in the signal channel D are realized by a microprocessor of another microprocessor manufacturer.
Due to the fact that different types of microprocessing are adopted, the input cards I-A1, I-B2, I-C1 and I-D2 in the safety control system form various input cards. The controller CPU card CPU-A1, the controller CPU card CPU-B2, the controller CPU card CPU-C1 and the controller CPU card CPU-D2 form a diversity controller CPU card. The output cards O-A1, O-B2, O-C1 and O-D2 form a diversity output card. Therefore, the safety control system has the diversity of different signal channels and the diversity of different execution modules in the same signal channel. When a certain type of microprocessor fails, because the types of other microprocessors are different, the probability of the same problem failure is extremely low, so that the other types of microprocessors can work normally, and the safety control system can further work normally. Through the diversity of different signal channel and the setting of the diversity of the inside different execution module of same signal channel, can reduce the system risk that digital system common cause became invalid and cause to compromise reliability and usability, be favorable to promoting control circuit's safety and integrity, guarantee system safety and stability and move, further guarantee that safety control system accords with IEC61508 international safety standard.
EXAMPLE III
The hardware voting circuit of the safety control system provided by the embodiment of the invention consists of a first one-out-of-two hardware voting circuit and a second one-out-of-two hardware voting circuit which are connected in parallel.
The first one-out-of-two hardware voting circuit is controlled by voting signals output by the signal channel A and the signal channel B, and is conducted and outputs an effective voting signal under the condition that one voting signal is an effective signal in the voting signals output by the signal channel A and the signal channel B;
the second one-out-of-two hardware voting circuit is controlled by voting signals output by the signal channel C and the signal channel D, and the second one-out-of-two hardware voting circuit is conducted and outputs an effective voting signal under the condition that one voting signal is an effective signal in the voting signals output by the signal channel C and the signal channel D.
Further, the output card of each signal channel adopts output contacts to output voting signals of the signal channels in pairs; wherein the content of the first and second substances,
voting signals output by the output card of the signal channel A are voting signals A1 and voting signals A2;
voting signals output by the output card of the signal channel B are voting signals B1 and voting signals B2;
voting signals output by the output card of the signal channel C are voting signals C1 and voting signals C2;
the voting signals output by the output card of the signal channel D are voting signals D1 and voting signals D2.
Fig. 4 is a schematic diagram of a hardware voting circuit of a safety control system according to an embodiment of the present invention. As shown in fig. 4, the hardware voting circuit includes eight switch terminals, which are a first switch terminal, a second switch terminal, a third switch terminal, a fourth switch terminal, a fifth switch terminal, a sixth switch terminal, a seventh switch terminal, and an eighth switch terminal. The first to eighth switch terminals are respectively controlled by a voting signal A1, a voting signal B2, a voting signal A2, a voting signal C1, a voting signal D2 and a voting signal C2.
As shown in fig. 4, the first switch terminal controlled by the voting signal A1 is connected in parallel with the second switch terminal controlled by the voting signal B1 to form a first parallel circuit; the third switch terminal controlled by the voting signal B2 and the fourth switch terminal controlled by the voting signal A2 are connected in parallel to form a second parallel circuit; the fifth switch terminal controlled by the voting signal C1 is connected in parallel with the sixth switch terminal controlled by the voting signal D1 to form a third parallel circuit; and the seventh switch terminal controlled by the voting signal D2 is connected with the eighth switch terminal controlled by the voting signal C2 in parallel to form a fourth parallel circuit.
As shown in fig. 4, the first parallel circuit and the second parallel circuit are connected in series to form a first one-out-of-two hardware voting circuit; the third parallel circuit and the fourth parallel circuit are connected in series to form a second one-out-of-two hardware voting circuit; the first one-out-of-two hardware voting circuit is connected with the second one-out-of-two hardware voting circuit in parallel.
And the first to eighth switch terminals are in a normally open state, and when the voting signal of the control switch terminal is an effective signal, the switch terminal is triggered to be closed, so that the hardware voting circuit is conducted and the effective voting signal is output.
Example four
An embodiment of the present invention provides a safety control device configured with the safety control system according to the above embodiment, including:
the voting system comprises four voting cabinets and hardware voting output devices connected with the four voting cabinets;
the voting machine box comprises a plurality of slot positions 1 inserted with clamping pieces, wherein the clamping pieces comprise an input card, a CPU card, an output card and a communication card;
the CPU card is used for storing and executing a multiple software two-out-of-four voting operation program instruction;
the four cases are communicated through the communication card.
Fig. 5 is a configuration diagram of a safety control device cabinet according to an embodiment of the present invention.
As shown in fig. 5, a typical security control device consists of four voting boxes (voting box a, voting box B, voting box C, and voting box D). Each chassis forms a signal channel, and four chassis are placed in a cabinet with the length, width and height =800x800x2000 mm. And the controller CPU card of each voting case is in point-to-point bidirectional isolation high-speed communication with the controller CPU cards in other cases through the communication card in the case. And the output card of each case is connected with the hardware voting output device.
Fig. 6 is a schematic diagram of a voting cabinet of a security control device according to an embodiment of the present invention. As shown in fig. 6, one voting chassis is composed of fifteen slot positions 1, and a corresponding card is inserted into each slot position 1. The other slot 1 can be freely configured except that the first slot 1 on the leftmost side is fixed as a controller CPU card. For example, the second slot 1, the third slot 1 are communication cards, the fourth slot 1 to the ninth slot 1 are digital input cards, the tenth slot 1 and the eleventh slot 1 are analog input cards, and the twelfth slot 1 to the fifteenth slot 1 are digital output cards. When the system capacity is large and two cabinets need to be configured, the communication card of the third slot position 1 is responsible for communication with the chassis of the second cabinet. When only one cabinet needs to be configured, the third slot 1 may be configured as an input card or an output card.
Further, the safety control device further includes: the device comprises an input quantity detector, a first safety barrier, an input terminal board, a second safety barrier and an actuator;
the input quantity detector is connected with the first safety barrier and is used for signal acquisition;
the first safety barrier is connected with an input terminal board and is used for safety energy limitation;
the input terminal board is connected with the input cards of the four cases, and is used for dividing signals into four paths of same signals and respectively sending the signals to the input cards of the four cases;
and the second safety barrier is connected with the hardware voting output device and is used for receiving the hardware voting signal output by the hardware voting output device and inputting the hardware voting signal to the actuator.
Wherein the input quantity detector comprises a digital quantity detector and an analog quantity detector.
Those skilled in the art can understand that all or part of the steps in the method for implementing the above embodiments may be implemented by a program, where the program is stored in a storage medium and includes several instructions to enable a single chip, a chip, or a processor (processor) to execute all or part of the steps in the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
While the embodiments of the present invention have been described in detail with reference to the accompanying drawings, the embodiments of the present invention are not limited to the details of the above embodiments, and various simple modifications can be made to the technical solution of the embodiments of the present invention within the technical idea of the embodiments of the present invention, and the simple modifications are within the scope of the embodiments of the present invention. It should be noted that the various features described in the above embodiments may be combined in any suitable manner without departing from the scope of the invention. In order to avoid unnecessary repetition, the embodiments of the present invention will not be described separately for the various possible combinations.
In addition, any combination of the various embodiments of the present invention is also possible, and the same should be considered as disclosed in the embodiments of the present invention as long as it does not depart from the spirit of the embodiments of the present invention.
Claims (14)
1. A safety control method for petrochemical production safety control, the method comprising:
respectively inputting signals obtained from the same site into four signal channels, wherein an inter-channel information transmission communication mechanism is established among the four signal channels;
executing a two-out-of-four voting operation of multiple software on each signal channel, and outputting a software voting result;
and inputting the software voting result output by the last double-voting operation of the four signal channels into a hardware voting circuit for hardware voting, and outputting the hardware voting result as a control signal.
2. The safety control method according to claim 1, wherein the performing multiple software two-out-of-four voting operations on each signal channel comprises: two software two-out-of-four voting operations are performed on each signal channel.
3. The safety control method according to claim 1, wherein the performing multiple software two-out-of-four voting operations on each signal channel comprises: the four signal channels adopt different processors to execute multiple software two-out-of-four voting operation.
4. The safety control method according to any one of claims 1 to 3, wherein the performing multiple software two-out-of-four voting operations comprises:
and when carrying out voting operation of two out of four of each piece of software, carrying out fault judgment on the input signals, eliminating fault signals and then carrying out signal voting output.
5. A safety control system based on the safety control method of any one of claims 1 to 4, which is used for petrochemical production safety control, and is characterized by comprising:
each signal channel is provided with an input module, a logic processing module and an output module;
the input module is used for signal input;
the logic processing module is connected with the input module and comprises a communication module, a memory and a microprocessor; the communication module is used for acquiring signal values among signal channels, the memory stores program instructions of multiple software two-out-of-four voting operation, and the microprocessor is used for executing the program instructions in the memory;
the output module is connected with the logic processing module and is used for outputting a software voting result output by the last voting operation of the signal channel;
and the hardware voting module is internally provided with a hardware voting circuit, is connected with the output module of each signal channel, and is used for performing hardware voting and controlling signal output on four software voting results output by the last block operation of the four signal channels.
6. The safety control system of claim 5, wherein the input module comprises an input card for implementing conversion and transmission of signal channel input signals; the output module comprises an output card and is used for converting the software voting result output by the last double-block operation of the signal channel and outputting the voting signal of the signal channel; the input card and the output card are implemented based on a microprocessor.
7. The safety control system according to claim 6, wherein the hardware voting module comprises an output terminal board, the output terminal board is connected with the output card of each signal channel, and a hardware voting circuit is arranged in the output terminal board and used for performing hardware voting on the voting signal output by the last voting operation of the four signal channels and outputting a control signal.
8. The safety control system of claim 7, wherein the four signal channels are signal channel A, signal channel B, signal channel C, and signal channel D, respectively;
the hardware voting circuit consists of a first one-out-of-two hardware voting circuit and a second one-out-of-two hardware voting circuit which are connected in parallel;
the first one-out-of-two hardware voting circuit is controlled by voting signals output by the signal channel A and the signal channel B, and is conducted and outputs an effective voting signal under the condition that one voting signal is an effective signal in the voting signals output by the signal channel A and the signal channel B;
the second one-out-of-two hardware voting circuit is controlled by voting signals output by the signal channel C and the signal channel D, and the second one-out-of-two hardware voting circuit is conducted and outputs an effective voting signal under the condition that one voting signal is an effective signal in the voting signals output by the signal channel C and the signal channel D.
9. The safety control system according to claim 8,
the output card of each signal channel adopts output contacts to output voting signals of the signal channels in pairs; wherein, the first and the second end of the pipe are connected with each other,
voting signals output by the output card of the signal channel A are a voting signal A1 and a voting signal A2;
voting signals output by the output card of the signal channel B are voting signals B1 and voting signals B2;
voting signals output by the output card of the signal channel C are voting signals C1 and voting signals C2;
the voting signals output by the output card of the signal channel D are voting signals D1 and voting signals D2.
10. The safety control system of claim 9, wherein the hardware voting circuit comprises eight switch terminals, namely a first switch terminal, a second switch terminal, a third switch terminal, a fourth switch terminal, a fifth switch terminal, a sixth switch terminal, a seventh switch terminal, and an eighth switch terminal, wherein the first to eighth switch terminals are controlled by voting signal A1, voting signal B2, voting signal A2, voting signal C1, voting signal D2, and voting signal C2, respectively;
the first switch terminal and the second switch terminal are connected in parallel to form a first parallel circuit; the third switch terminal and the fourth switch terminal are connected in parallel to form a second parallel circuit; the fifth switch terminal is connected with the sixth switch terminal in parallel to form a third parallel circuit; the seventh switch terminal and the eighth switch terminal are connected in parallel to form a fourth parallel circuit;
the first parallel circuit and the second parallel circuit are connected in series to form a first one-out-of-two hardware voting circuit; the third parallel circuit and the fourth parallel circuit are connected in series to form a second one-out-of-two hardware voting circuit;
and the first to eighth switch terminals are in a normally open state, and when the voting signal of the control switch terminal is an effective signal, the switch terminal is triggered to be closed, so that the hardware voting circuit is conducted and the effective voting signal is output.
11. The security control system according to any one of claims 5 to 10, wherein the microprocessor of the input card, the microprocessor of the output card and the microprocessor of the logic processing module in each signal channel are different in model from each other.
12. The safety control system according to claim 11, wherein the microprocessor in the signal channel a and the microprocessor in the signal channel B are different in model from each other, and the microprocessor in the signal channel C and the microprocessor in the signal channel D are different in model from each other.
13. A safety control device characterized in that the device is provided with the safety control system according to any one of claims 5 to 12, the safety control device comprising:
the hardware voting output device is connected with the four voting machine boxes;
the voting machine box comprises a plurality of slot positions inserted with clamping pieces, wherein the clamping pieces comprise an input card, a CPU card, an output card and a communication card;
the CPU card is used for storing and executing a multiple software two-out-of-four voting operation program instruction;
the four cases are communicated through the communication card.
14. The safety control device according to claim 13, characterized in that the safety control device further comprises: the device comprises an input quantity detector, a first safety barrier, an input terminal board, a second safety barrier and an actuator;
the input quantity detector is connected with the first safety barrier and is used for signal acquisition;
the first safety barrier is connected with an input terminal board and is used for safety energy limitation;
the input terminal board is connected with the input cards of the four chassis and is used for dividing signals into four paths of same signals and respectively sending the signals to the input cards of the four chassis;
the second safety barrier is connected with the hardware voting output device and is used for receiving the hardware voting signal output by the hardware voting output device and inputting the hardware voting signal to the actuator.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110442592.2A CN115237064A (en) | 2021-04-23 | 2021-04-23 | Safety control method, system and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110442592.2A CN115237064A (en) | 2021-04-23 | 2021-04-23 | Safety control method, system and device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115237064A true CN115237064A (en) | 2022-10-25 |
Family
ID=83666652
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110442592.2A Pending CN115237064A (en) | 2021-04-23 | 2021-04-23 | Safety control method, system and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115237064A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2024094140A1 (en) * | 2022-11-04 | 2024-05-10 | 中国石油化工股份有限公司 | Remote measurement and control terminal, and safety control system |
-
2021
- 2021-04-23 CN CN202110442592.2A patent/CN115237064A/en active Pending
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2024094140A1 (en) * | 2022-11-04 | 2024-05-10 | 中国石油化工股份有限公司 | Remote measurement and control terminal, and safety control system |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| KR100808787B1 (en) | Plant Protection System | |
| US20180211734A1 (en) | Reactor protection-processor-to-reactor-trip breaker interface and method for operating the same | |
| US20040136487A1 (en) | Digital reactor protection system for preventing common-mode failures | |
| US7792594B2 (en) | Redundant automation system comprising a master and a standby automation device | |
| CN106527115B (en) | One kind two takes a redundancy control system and its multiple means of voting | |
| KR100848881B1 (en) | Digital Security System for Nuclear Power Plant | |
| US5920715A (en) | System architecture permitting verified and unverified programs to execute safely on one processor | |
| AU2003294628A1 (en) | Redundant automation system for controlling a technical device, and method for operating one such automation system | |
| US9952579B2 (en) | Control device | |
| CN112714173B (en) | Platform door controller cloud platform system and control method | |
| CN112383457B (en) | Safety slave station system based on CANopen protocol | |
| CN115237064A (en) | Safety control method, system and device | |
| CN111681792B (en) | ATWT control device and nuclear power equipment | |
| CN105607974A (en) | High-reliability multicore processing system | |
| CN102694365A (en) | Triple modular redundancy emergency trip protection system of steam turbine | |
| CN110767338A (en) | DCS (distributed control system) architecture for nuclear power reactor | |
| CN115509181A (en) | Safety control method, system and device for multiple voting fault-tolerant structure | |
| CN112052113A (en) | Communication link layer message single event effect fault tolerance method and device | |
| KR101245049B1 (en) | Nuclear power plant multiple structure adaptive control apparatus and method | |
| CN212318100U (en) | Steam turbine shutdown protection system | |
| CN210007366U (en) | stable control device for electric power system | |
| Zhao et al. | The Failure Analysis and Processing of Digital Reactor Protection System | |
| CN117170279A (en) | Design method based on dual-multi-core PSOC redundant flight control system | |
| CN114978874A (en) | Multiple hot standby redundancy system | |
| CN116300398A (en) | Nuclear turbine first-out alarm judging device and method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |