CN115509181A - Safety control method, system and device for multiple voting fault-tolerant structure - Google Patents


Publication number
CN115509181A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110695790.XA
Other languages
Chinese (zh)
Inventor
姜巍巍
曹德舜
李荣强
郭怡安
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Petroleum and Chemical Corp
Sinopec Qingdao Safety Engineering Institute
Original Assignee
China Petroleum and Chemical Corp
Sinopec Qingdao Safety Engineering Institute
Application filed by China Petroleum and Chemical Corp, Sinopec Qingdao Safety Engineering Institute filed Critical China Petroleum and Chemical Corp
Priority to CN202110695790.XA
Publication of CN115509181A

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00 Programme-control systems
    • G05B19/02 Programme-control systems electric
    • G05B19/418 Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS], computer integrated manufacturing [CIM]
    • G05B19/41865 Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS], computer integrated manufacturing [CIM] characterised by job scheduling, process planning, material flow
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 Program-control systems
    • G05B2219/30 Nc systems
    • G05B2219/32 Operator till task planning
    • G05B2219/32252 Scheduling production, machining, job shop

Abstract

The invention provides a safety control method, system and device with a multiple voting fault-tolerant structure, in the field of petrochemical production safety. The method comprises the following steps: inputting three identical signals obtained from the same site into each of the three parallel channels of the first-stage fault-tolerant voting, executing a two-out-of-three fault-tolerant voting operation on each channel, and outputting a first-stage voting result; inputting the first-stage voting result into each of the N parallel channels of the second-stage fault-tolerant voting, executing a two-out-of-three fault-tolerant voting operation on each channel, and outputting a second-stage voting result; and inputting the second-stage voting result into each of the M parallel channels of the third-stage fault-tolerant voting, executing a two-out-of-three fault-tolerant voting operation on each channel, and outputting the third-stage voting result as the final voting result. The scheme applies two-out-of-three fault-tolerant processing to the signals multiple times, significantly improving the redundant fault-tolerant capability and reducing the dangerous failure rate and the false shutdown rate of the system.

Description

Safety control method, system and device for multiple voting fault-tolerant structure
Technical Field
The invention relates to the field of petrochemical production safety, and in particular to a safety control method with a multiple voting fault-tolerant structure, a safety control system with the multiple voting fault-tolerant structure and a safety control device with the multiple voting fault-tolerant structure.
Background
The safety control system is one of the most important pieces of equipment for ensuring safe production in the petrochemical industry. It monitors potential dangers in the industrial process and raises alarms in time or automatically executes a preset protection function, preventing dangerous events in the petrochemical process or mitigating their consequences, and ensuring the safety of personnel, equipment and the environment around the plant.
With the development of safety control systems and intensive research on fault tolerance and voting techniques, redundant voting structures are increasingly used in safety control interlock systems. Because redundancy can ensure the real-time performance and reliability of the system, safety interlock systems mostly adopt a multi-mode redundant structure; the one-out-of-two, two-out-of-two and two-out-of-three structures are common.
In the one-out-of-two structure, the plant is shut down as soon as one loop detects danger, so if one channel fails dangerously while the other channel works normally, the system can still reach a safe state. The one-out-of-two structure reduces the dangerous failure probability of the system, but its false shutdown rate is higher than that of a simplex system, which harms the continuity and maintainability of the production process.
The two-out-of-two structure requires both channels to act simultaneously; that is, if either channel has a dangerous failure, the system loses its entire safety function. Although its false shutdown rate is lower, its dangerous failure rate is higher than that of a simplex system, so it cannot meet the requirements of a safety control system.
The two-out-of-three structure is the most common fault-tolerant design. When the system adopts the two-out-of-three structure, three modules execute the same operation simultaneously and synchronously acquire the same input information, and the final output of the system is determined by two-out-of-three voting. Although the two-out-of-three structure achieves fault tolerance, a general two-out-of-three system still has shortcomings in detection and operation speed: if a single channel fails, the system may not detect it, so the failure is not discovered in time; and because the operation speed is slow, the system reaction lags, which is a potential safety hazard.
Disclosure of Invention
To solve the above problems, an object of an embodiment of the present invention is to provide a safety control method with a multiple voting fault-tolerant structure, a safety control system with the multiple voting fault-tolerant structure, and a safety control device with the multiple voting fault-tolerant structure.
In order to achieve the above object, a first aspect of the present invention provides a safety control method with a multiple voting fault-tolerant structure, which is used for petrochemical safety control and comprises:
inputting three identical signals obtained from the same site into each of the three parallel channels of the first-stage fault-tolerant voting, executing a first-stage two-out-of-three fault-tolerant voting operation on each channel, and outputting a first-stage two-out-of-three fault-tolerant voting result;
inputting the first-stage two-out-of-three fault-tolerant voting result into each of the N parallel channels of the second-stage fault-tolerant voting, executing a second-stage two-out-of-three fault-tolerant voting operation on each channel, and outputting a second-stage two-out-of-three fault-tolerant voting result, wherein 3 ≥ N ≥ 2;
and inputting the second-stage two-out-of-three fault-tolerant voting result into each of the M parallel channels of the third-stage fault-tolerant voting, executing a third-stage two-out-of-three fault-tolerant voting operation on each channel, and outputting a third-stage two-out-of-three fault-tolerant voting result as the final voting result, wherein 3 ≥ M ≥ 1.
Optionally, the first-stage and second-stage two-out-of-three fault-tolerant voting operations are implemented by computer program instructions, and the third-stage two-out-of-three fault-tolerant voting operation is implemented by a hardware two-out-of-three fault-tolerant voting circuit.
Optionally, the three channels of the first-stage fault-tolerant voting use different processors to perform the first-stage two-out-of-three fault-tolerant voting operation, and the N channels of the second-stage fault-tolerant voting use different processors to perform the second-stage two-out-of-three fault-tolerant voting operation.
A second aspect of the present invention provides a safety control system with a multiple voting fault-tolerant structure for implementing the above safety control method, the safety control system comprising:
a first-stage fault-tolerant voting module, comprising three channels connected in parallel and a voting operation module arranged on each channel;
a second-stage fault-tolerant voting module, comprising N channels connected in parallel and a voting operation module arranged on each channel, wherein 3 ≥ N ≥ 2;
each voting operation module comprises a memory and a processor, wherein the memory stores program instructions for the software two-out-of-three voting operation, and the processor executes the program instructions in the memory;
a third-stage fault-tolerant voting module, comprising M channels connected in parallel and a hardware two-out-of-three voting circuit arranged on each channel for realizing hardware two-out-of-three voting, wherein 3 ≥ M ≥ 1;
an input module, used for inputting three identical signals obtained from the same site into the first-stage fault-tolerant voting module;
a first communication module, used for inputting the two-out-of-three fault-tolerant voting result output by the first-stage fault-tolerant voting module into the second-stage fault-tolerant voting module;
and a second communication module, used for inputting the two-out-of-three fault-tolerant voting result output by the second-stage fault-tolerant voting module into the third-stage fault-tolerant voting module.
Optionally, the input module includes three input channels, and an input quantity detector, a first safety barrier and an input terminal board arranged on each input channel;
the input quantity detector is connected with the first safety barrier and is used for detecting field signals;
the first safety barrier is connected with the input terminal board and limits the energy of the transmitted signal for safety;
the input terminal board is connected with the first-stage fault-tolerant voting module and is used for dividing one signal into three signals and inputting the three signals to each channel of the first-stage fault-tolerant voting module.
Optionally, the first communication module includes three LVDS communication cards connected in parallel; each LVDS communication card is connected to the voting operation module of the corresponding channel in the first-stage fault-tolerant voting module, and is configured to receive the first-stage two-out-of-three fault-tolerant voting result output by the voting operation module of that channel and input it into each channel of the second-stage fault-tolerant voting module.
Optionally, the second communication module includes three channels connected in parallel, and each channel of the second communication module has an LVDS communication card and an output card connected in series;
the LVDS communication card of each channel of the second communication module is connected with the voting operation module of the corresponding channel of the second-stage fault-tolerant voting module, and is used for receiving the second-stage two-out-of-three fault-tolerant voting result output by that voting operation module and inputting it into the output card connected in series with the LVDS communication card;
each output card of the second communication module is connected with each channel of the third-stage fault-tolerant voting module and is used for inputting the second-stage two-out-of-three fault-tolerant voting result received by the output card into each channel of the third-stage fault-tolerant voting module.
Optionally, each channel of the first-stage fault-tolerant voting module further includes an input card, configured to receive the signal input to the channel, convert it and output it;
and the voting operation module on each channel of the first-stage fault-tolerant voting module is a CPU card.
Optionally, the voting operation module on each channel of the second-stage fault-tolerant voting module is a TMCR card, and each TMCR card includes three mutually independent CPU modules.
Optionally, an output terminal board is arranged on each channel of the third-stage fault-tolerant voting module, and a hardware two-out-of-three voting circuit for realizing hardware two-out-of-three voting is built into each output terminal board.
Optionally, the output cards on the three parallel channels of the second communication module each output the voting signal they receive as a pair of signals via output contacts, where the output cards on the three parallel channels are output card A, output card B and output card C, respectively;
wherein:
the voting signals output by output card A are voting signal A1 and voting signal A2;
the voting signals output by output card B are voting signal B1 and voting signal B2;
the voting signals output by output card C are voting signal C1 and voting signal C2.
Optionally, the hardware two-out-of-three voting circuit includes six switch terminals, namely a first, second, third, fourth, fifth and sixth switch terminal, where the first to sixth switch terminals are controlled by voting signal A1, voting signal B2, voting signal B1, voting signal C2, voting signal C1 and voting signal A2, respectively;
the first switch terminal and the second switch terminal are connected in parallel to form a first parallel circuit, the third switch terminal and the fourth switch terminal are connected in parallel to form a second parallel circuit, and the fifth switch terminal and the sixth switch terminal are connected in parallel to form a third parallel circuit;
the first parallel circuit is connected in series with the second parallel circuit, and the second parallel circuit is connected in series with the third parallel circuit, forming the hardware two-out-of-three voting circuit;
and the first to sixth switch terminals are normally open; when the voting signal controlling a switch terminal is a valid signal, the switch terminal is triggered to close, so that the hardware voting circuit conducts and outputs a valid voting signal.
Optionally, the input card and/or the output card are dual cards, providing redundant processing when a single input card or output card fails.
A third aspect of the present invention provides a safety control device with a multiple voting fault-tolerant structure, implemented based on the above safety control system and comprising: P TMCR chassis, three I/O chassis and M output terminal boards, wherein 2 ≥ P ≥ 1 and 3 ≥ M ≥ 1;
each TMCR chassis consists of two identical parts forming a redundant configuration, each part comprises a plurality of slots into which cards are inserted, and the cards comprise a TMCR card and an LVDS communication card;
each I/O chassis comprises a plurality of slots into which cards are inserted, the cards comprising a CPU card, an LVDS communication card, an input card and an output card;
each I/O chassis and each TMCR chassis communicate bidirectionally at high speed through the LVDS communication cards;
each output terminal board is connected with the output card of each I/O chassis.
Optionally, the safety control device further includes an input quantity detector, a first safety barrier, an input terminal board, a second safety barrier and an actuator;
the input quantity detector is connected with the first safety barrier and is used for signal acquisition;
the first safety barrier is connected with the input terminal board and is used for safety energy limitation;
the input terminal board is connected with the input card of each of the three I/O chassis, and is used for dividing a signal into three identical signals and sending them respectively to the input card of each of the three I/O chassis;
the second safety barrier is connected with the output terminal board and is used for receiving the hardware voting signal output by the output terminal board and inputting it to the actuator.
With this technical scheme, multiple stages of two-out-of-three fault-tolerant processing are performed on the signals from the same site on each redundant channel, so that the redundant fault-tolerant capability of the system is significantly improved and the dangerous failure rate and the false shutdown rate of the system are effectively reduced.
Additional features and advantages of embodiments of the invention will be set forth in the detailed description which follows.
Drawings
The accompanying drawings, which are included to provide a further understanding of the embodiments of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the embodiments of the invention and do not limit the embodiments. In the drawings:
FIG. 1 is a block diagram of a safety control system with a multiple voting fault-tolerant architecture according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a safety control system with a multiple voting fault-tolerant architecture according to an embodiment of the present invention;
FIG. 3 is a block diagram of a two-out-of-three voting circuit of a safety control system with a multiple voting fault-tolerant structure according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of an I/O chassis of a safety control device with a multiple voting fault-tolerant structure according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a TMCR chassis of a safety control device with a multiple voting fault-tolerant structure according to an embodiment of the present invention;
FIG. 6 is a structural diagram of a cabinet of a safety control device with a multiple voting fault-tolerant structure according to an embodiment of the present invention.
Description of the reference numerals
100 - slot; 200 - first part; 300 - second part;
201 - TMCR card; 202 - first LVDS communication card; 203 - second LVDS communication card.
Detailed Description
The following detailed description of embodiments of the invention refers to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present invention, are given by way of illustration and explanation only, not limitation.
Example one
One embodiment of the present invention provides a safety control method with a multiple voting fault-tolerant structure, which is used for petrochemical safety control and comprises the following steps:
inputting three identical signals obtained from the same site into each of the three parallel channels of the first-stage fault-tolerant voting, executing a first-stage two-out-of-three fault-tolerant voting operation on each channel, and outputting a first-stage two-out-of-three fault-tolerant voting result;
inputting the first-stage two-out-of-three fault-tolerant voting result into each of the N parallel channels of the second-stage fault-tolerant voting, executing a second-stage two-out-of-three fault-tolerant voting operation on each channel, and outputting a second-stage two-out-of-three fault-tolerant voting result, wherein 3 ≥ N ≥ 2;
and inputting the second-stage two-out-of-three fault-tolerant voting result into each of the M parallel channels of the third-stage fault-tolerant voting, executing a third-stage two-out-of-three fault-tolerant voting operation on each channel, and outputting a third-stage two-out-of-three fault-tolerant voting result as the final voting result, wherein 3 ≥ M ≥ 1.
In this safety control method, the first-stage two-out-of-three fault-tolerant voting operation is carried out separately on three mutually redundant parallel channels and outputs a first-stage two-out-of-three fault-tolerant voting result, providing fault tolerance for the three signals from the same site. The second-stage two-out-of-three fault-tolerant voting operation is carried out separately on the N mutually redundant parallel channels and outputs a second-stage two-out-of-three fault-tolerant voting result, providing fault tolerance for the first-stage result. The third-stage two-out-of-three fault-tolerant voting operation is carried out separately on the M mutually redundant parallel channels and outputs a third-stage two-out-of-three fault-tolerant voting result, providing fault tolerance for the second-stage result.
Two-out-of-three fault-tolerant voting takes the majority value among the signals as its correct output; that is, when two of the three signals are valid signals, a valid signal is output as the voting result. With this multiple two-out-of-three fault-tolerant processing, the redundant fault-tolerant capability of the system is significantly improved: when one channel of one stage of two-out-of-three fault-tolerant voting fails, the other channels can still work and the system remains in a normal state, so the dangerous failure rate and the false shutdown rate of the system are effectively reduced.
Further, the first-stage and second-stage two-out-of-three fault-tolerant voting operations are implemented by computer program instructions, and the third-stage two-out-of-three fault-tolerant voting operation is implemented by a hardware two-out-of-three fault-tolerant voting circuit. The voting signal output by the hardware two-out-of-three fault-tolerant voting circuit is the final control signal.
Furthermore, the three parallel channels of the first-stage fault-tolerant voting use different processors to execute the first-stage two-out-of-three fault-tolerant voting operation, so that signals from the same site at the same time fall in the same voting period during the first-stage voting, synchronizing the results of the first-stage two-out-of-three fault-tolerant voting operation. The N parallel channels of the second-stage fault-tolerant voting use different processors to execute the second-stage two-out-of-three fault-tolerant voting operation, so that the three voting results from the first stage at the same time fall in the same voting period during the second-stage voting, synchronizing the results of the second-stage two-out-of-three fault-tolerant voting operation. Because the first-stage and second-stage two-out-of-three fault-tolerant voting are executed on different processors, the computational load on the processor executing each voting operation is reduced, the computation is faster, and the overall response of the system is quicker.
Example two
An embodiment of the present invention provides a safety control system with a multiple voting fault-tolerant structure for implementing the above-described safety control method, the safety control system comprising:
a first-stage fault-tolerant voting module, comprising three channels connected in parallel and a voting operation module arranged on each channel;
a second-stage fault-tolerant voting module, comprising N channels connected in parallel and a voting operation module arranged on each channel, wherein 3 ≥ N ≥ 2;
each voting operation module comprises a memory and a processor, wherein the memory stores program instructions for the software two-out-of-three voting operation, and the processor executes the program instructions in the memory to realize software two-out-of-three voting;
a third-stage fault-tolerant voting module, comprising M channels connected in parallel and a hardware two-out-of-three voting circuit arranged on each channel, which performs hardware two-out-of-three voting and outputs the resulting voting signal as the final control signal, wherein 3 ≥ M ≥ 1;
an input module, used for inputting three identical signals obtained from the same site into the first-stage fault-tolerant voting module;
a first communication module, used for inputting the two-out-of-three fault-tolerant voting result output by the first-stage fault-tolerant voting module into the second-stage fault-tolerant voting module;
and a second communication module, used for inputting the two-out-of-three fault-tolerant voting result output by the second-stage fault-tolerant voting module into the third-stage fault-tolerant voting module.
FIG. 1 is a block diagram of a safety control system with a multiple voting fault-tolerant structure according to an embodiment of the present invention. As shown in FIG. 1, the input module includes three input channels, and an input quantity detector, a first safety barrier and an input terminal board arranged on each input channel;
the input quantity detector is connected with the first safety barrier and is used for detecting field signals;
the first safety barrier is connected with the input terminal board and limits the energy of the transmitted signal for safety;
the input terminal board is connected with the first-stage fault-tolerant voting module and is used for dividing one signal into three signals and inputting the three signals to each channel of the first-stage fault-tolerant voting module;
the three input quantity detectors on the three input channels acquire signals from the same site, and each input quantity detector is a digital quantity detector or an analog quantity detector.
Further, as shown in FIG. 1, the first communication module includes three LVDS communication cards connected in parallel; each LVDS communication card is connected to the voting operation module of the corresponding channel in the first-stage fault-tolerant voting module, and is configured to receive the first-stage two-out-of-three fault-tolerant voting result output by the voting operation module of that channel and input it into each channel of the second-stage fault-tolerant voting module. The first-stage and second-stage fault-tolerant voting modules communicate rapidly through the LVDS communication cards in the first communication module.
Further, as shown in FIG. 1, the second communication module includes three channels connected in parallel, and each channel of the second communication module has an LVDS communication card and an output card connected in series.
The LVDS communication card of each channel of the second communication module is connected with the voting operation module of the corresponding channel of the second-stage fault-tolerant voting module, and is used for receiving the second-stage two-out-of-three fault-tolerant voting result output by that voting operation module and inputting it into the output card connected in series with the LVDS communication card.
Each output card of the second communication module is connected with each channel of the third-stage fault-tolerant voting module, and is used for converting the second-stage two-out-of-three fault-tolerant voting result it receives and inputting the result to the hardware two-out-of-three voting circuit on each channel of the third-stage fault-tolerant voting module.
Further, as shown in FIG. 1, each channel of the first-stage fault-tolerant voting module further includes an input card, configured to receive the signal input to the channel, convert it and output it. The input card is a digital input (DI) card or an analog input (AI) card.
FIG. 2 is a schematic diagram of a safety control system with a multiple voting fault-tolerant structure according to an embodiment of the present invention.
As shown in fig. 2, the input module of the safety control system includes three parallel input channels, and each input channel is provided with a digital quantity detector, a first safety barrier, and an input terminal board.
As shown in fig. 2, the first fault-tolerant voting module of the safety control system comprises three channels connected in parallel, with a digital input DI card and a CPU card connected in series on each channel. The first communication module comprises three LVDS communication cards connected in parallel. The second fault-tolerant voting module comprises two parallel channels and a TPU Module Configuration Register (TMCR) card arranged on each channel. The second communication module comprises three parallel channels, and each channel has an LVDS communication card and a digital output DO card connected in series. The third fault-tolerant voting module comprises two parallel channels and an output terminal board arranged on each channel, and each output terminal board contains a hardware two-out-of-three voting circuit that implements hardware two-out-of-three fault-tolerant voting.
Further, as shown in fig. 2, the voting operation module on each channel of the first fault-tolerant voting module is a CPU card. The voting operation module on each channel of the second fault-tolerant voting module is a TMCR card. Each TMCR card comprises three mutually independent CPU modules and is used for time-synchronizing the first two-out-of-three fault-tolerant voting results output by the three parallel channels of the first fault-tolerant voting module and for executing the second two-out-of-three fault-tolerant voting operation. Adding the TMCR card to execute the second two-out-of-three fault-tolerant voting operation shares the computational load of the multiple two-out-of-three fault-tolerant voting operations and greatly improves the processing speed of the system. The TMCR card can load large, complex user programs containing complex calculation processes, and so has a wide field of application. In addition, the TMCR card has strong processing and communication networking capability, and provides an isolated port for implementing the OPC UA communication function.
As shown in fig. 2, each input terminal board divides its signal into three identical signals and inputs them to the digital input DI cards on the three parallel channels of the first fault-tolerant voting module. Each digital input DI card converts each received signal into a signal value that a computer can recognize and sends it to the CPU card connected in series with that DI card, which performs a software two-out-of-three voting operation and outputs a first two-out-of-three fault-tolerant voting result. The first two-out-of-three fault-tolerant voting result output by each CPU card is sent to the TMCR cards of the second fault-tolerant voting module through the corresponding LVDS communication card in the first communication module; each TMCR card performs the second software two-out-of-three voting operation and outputs a second two-out-of-three fault-tolerant voting result. The digital output DO card converts the received second two-out-of-three fault-tolerant voting result into a signal that the hardware two-out-of-three voting circuit in the third fault-tolerant voting module can accept, and inputs it to the hardware two-out-of-three voting circuit of each output terminal board in the third fault-tolerant voting module. The output terminal board executes the hardware two-out-of-three vote, outputs the third two-out-of-three fault-tolerant voting result as a control signal, and sends the control signal to the actuator through the second safety barrier.
Furthermore, the input card and/or the output card are dual cards, used to provide redundancy when a single input card and/or output card fails. As shown in fig. 2, the digital input DI card and/or the digital output DO card are dual cards, so that when a single digital input DI card and/or a single digital output DO card fails, the other card of the pair keeps the system operating normally.
Furthermore, the output cards on the three parallel channels of the second communication module each output the voting signal they receive in pairs through output contacts, the output cards on the three parallel channels being output card A, output card B and output card C respectively, wherein:
the voting signals output by the output card A are voting signal A1 and voting signal A2;
the voting signals output by the output card B are voting signal B1 and voting signal B2;
the voting signals output by the output card C are voting signal C1 and voting signal C2.
Fig. 3 is a block diagram of the hardware two-out-of-three voting circuit of a safety control system with a multiple voting fault-tolerant structure according to an embodiment of the present invention. As shown in fig. 3, an embodiment of the present invention provides a hardware two-out-of-three voting circuit for a safety control system, including six switch terminals, namely a first switch terminal, a second switch terminal, a third switch terminal, a fourth switch terminal, a fifth switch terminal, and a sixth switch terminal, where the first to sixth switch terminals are controlled by voting signal A1, voting signal B2, voting signal B1, voting signal C2, voting signal C1, and voting signal A2, respectively;
the first switch terminal and the second switch terminal are connected in parallel to form a first parallel circuit, the third switch terminal and the fourth switch terminal are connected in parallel to form a second parallel circuit, and the fifth switch terminal and the sixth switch terminal are connected in parallel to form a third parallel circuit;
the first parallel circuit, the second parallel circuit and the third parallel circuit are sequentially connected in series, namely the first parallel circuit is connected with the second parallel circuit in series, and the second parallel circuit is connected with the third parallel circuit in series to form a hardware two-out-of-three voting circuit;
and the first to sixth switch terminals are normally open; when the voting signal controlling a switch terminal is a valid signal, that switch terminal is triggered to close, so that the hardware voting circuit conducts and outputs a valid voting signal.
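The switch network described above can be checked exhaustively. The following Python model is an added example, not part of the patent: it confirms that the six-contact circuit is a two-out-of-three vote over cards A, B and C, then shows what voting logic remains when a card has no output (the fault case the description mentions) and under single-contact stuck-open or stuck-closed faults, which are fault models assumed here and go beyond the text.

```python
from itertools import product

# Switch terminals 1..6 in the order the description gives them, grouped into
# the three parallel pairs that are then wired in series.
PARALLEL_PAIRS = (("A1", "B2"), ("B1", "C2"), ("C1", "A2"))
CONTACTS = tuple(name for pair in PARALLEL_PAIRS for name in pair)


def circuit_conducts(closed):
    """True if the series chain of parallel pairs conducts.

    `closed` maps contact name -> bool (True = normally open contact is closed).
    """
    return all(closed[a] or closed[b] for a, b in PARALLEL_PAIRS)


def contacts_from_votes(votes, dead_cards=(), stuck_open=(), stuck_closed=()):
    """Contact states for card votes {"A": bool, "B": bool, "C": bool}.

    dead_cards:   cards producing no output at all (fault case from the text).
    stuck_open /
    stuck_closed: single-contact faults (assumed fault models, not in the text).
    """
    closed = {}
    for name in CONTACTS:
        card = name[0]
        state = votes[card] and card not in dead_cards
        if name in stuck_open:
            state = False
        if name in stuck_closed:
            state = True
        closed[name] = state
    return closed


def truth_table(**faults):
    """Circuit output for all 8 vote combinations, keyed by (A, B, C)."""
    table = {}
    for a, b, c in product((False, True), repeat=3):
        votes = {"A": a, "B": b, "C": c}
        table[(a, b, c)] = circuit_conducts(contacts_from_votes(votes, **faults))
    return table


def healthy_matches_majority():
    """With no faults, the circuit output equals 'at least two cards valid'."""
    return all(out == (sum(key) >= 2) for key, out in truth_table().items())


def minimal_trip_sets(**faults):
    """Smallest sets of cards whose valid votes alone make the circuit conduct."""
    winning = [frozenset(card for card, vote in zip("ABC", key) if vote)
               for key, out in truth_table(**faults).items() if out]
    return sorted("".join(sorted(s)) for s in winning
                  if not any(other < s for other in winning))


if __name__ == "__main__":
    print("healthy == 2oo3 majority:", healthy_matches_majority())
    cases = {
        "healthy": {},
        "card A has no output": {"dead_cards": ("A",)},
        "contact A1 stuck open": {"stuck_open": ("A1",)},
        "contact A1 stuck closed": {"stuck_closed": ("A1",)},
    }
    for label, faults in cases.items():
        print(f"{label:24s} -> conducts on {minimal_trip_sets(**faults)}")
```

With contact A1 stuck closed, the model shows the circuit conducting on card C's vote alone, so contact health has to be monitored alongside the voting topology.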
EXAMPLE III
An embodiment of the present invention provides a safety control device with a multiple voting fault-tolerant structure, which is implemented based on the safety control system of the second embodiment, and includes: P TMCR chassis, three I/O chassis and M output terminal boards, wherein 2 ≥ P ≥ 1 and 3 ≥ M ≥ 1;
each TMCR chassis consists of two identical parts forming a redundant configuration, each part comprises a plurality of slots into which cards are inserted, and the cards comprise a TMCR card and an LVDS communication card;
each I/O chassis comprises a plurality of slots into which cards are inserted, wherein the cards comprise a CPU card, an LVDS communication card, an input card and an output card;
each I/O chassis and each TMCR chassis communicate bidirectionally at high speed through LVDS communication cards;
each output terminal board is connected with the output card of each I/O chassis.
FIG. 4 is a schematic diagram of an I/O enclosure of a multi-voting fault-tolerant architecture security control device according to an embodiment of the present invention. As shown in fig. 4, a typical I/O chassis includes fifteen slots 100 into which cards are inserted. The first slot 100 on the leftmost side is fixed as a controller CPU card, and the other slots 100 can be freely configured. A typical I/O chassis is configured such that LVDS communication cards are inserted into the second slot 100 and the third slot 100, digital input DI cards are inserted into the fourth slot 100 to the ninth slot 100, analog input AI cards are inserted into the tenth slot 100 and the eleventh slot 100, and digital output DO cards are inserted into the twelfth slot 100 to the fifteenth slot 100.
FIG. 5 is a schematic diagram of a TMCR chassis of a safety control device with a multiple voting fault-tolerant structure according to an embodiment of the present invention. As shown in fig. 5, a typical TMCR chassis is divided into identical left and right parts, a first part 200 and a second part 300. Each part includes four slots into which cards are inserted, and the two parts form a redundant configuration. As shown in fig. 5, the first part 200 includes a TMCR card 201, which is composed of three identical, mutually independent CPU modules, a first LVDS communication card 202, and a second LVDS communication card 203. The TMCR card occupies two slots. The first LVDS communication card is used for fast communication with the LVDS communication cards of the I/O chassis. The second LVDS communication card is responsible for communication with the I/O chassis of a second cabinet when the system capacity is large and two cabinets need to be configured.
Fig. 6 is a structural diagram of a cabinet of a safety control device according to an embodiment of the present invention. As shown in fig. 6, a typical safety control device is composed of three identical I/O chassis and one TMCR chassis. As shown in fig. 4, the three I/O chassis are I/O chassis A, I/O chassis B, and I/O chassis C, and the TMCR chassis is TMCR chassis M. The three I/O chassis and the TMCR chassis are placed inside one cabinet of length x width x height =800 x 2000 mm. As shown in fig. 6, the I/O chassis and the TMCR chassis communicate bidirectionally at high speed through the LVDS communication cards.
As shown in fig. 6, the TMCR chassis receives as input the first two-out-of-three fault-tolerant voting results output by the CPU cards in the I/O chassis. The TMCR chassis sends the second two-out-of-three fault-tolerant voting results calculated by the TMCR cards in the first part 200 and the second part 300 to the digital output DO card of each I/O chassis, which outputs them to the output terminal board.
When the device needs to output, the three I/O chassis can output voting signals corresponding to the second two-out-of-three fault-tolerant voting result through the I/O pins respectively. Each I/O chassis outputs two identical voting signals when the I/O chassis is operating normally. When the output of one I/O case has a fault, the I/O case with the fault has no output due to the fault, and under the condition, the other two I/O cases without the fault can still work normally and output normally.
Further, the safety control device further includes: the device comprises an input quantity detector, a first safety barrier, an input terminal board, a second safety barrier and an actuator;
the input quantity detector is connected with the first safety barrier and is used for signal acquisition;
the first safety barrier is connected with an input terminal board and is used for safety energy limitation;
the input terminal board is connected with the input card of each of the three I/O chassis, and is used for dividing the signal into three identical signals and sending them to the input card of each of the three I/O chassis respectively;
the second safety barrier is connected with the output terminal board and used for receiving the hardware voting signal output by the output terminal board and inputting the hardware voting signal to the actuator.
Those skilled in the art will appreciate that all or part of the steps in the method for implementing the above embodiments may be implemented by a program, which is stored in a storage medium and includes several instructions to enable a single-chip microcomputer, a chip, or a processor to execute all or part of the steps in the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and various other media capable of storing program code.
Although the embodiments of the present invention have been described in detail with reference to the accompanying drawings, the embodiments of the present invention are not limited to the specific details of the above embodiments, and various simple modifications can be made to the technical solution of the embodiments of the present invention within the technical idea of the embodiments of the present invention, and these simple modifications all belong to the protection scope of the embodiments of the present invention. It should be noted that the various features described in the foregoing embodiments may be combined in any suitable manner without contradiction. In order to avoid unnecessary repetition, the embodiments of the present invention will not be described separately for the various possible combinations.
In addition, any combination of various embodiments of the present invention may be made, and the same should be considered as what is disclosed in the embodiments of the present invention as long as it does not depart from the spirit of the embodiments of the present invention.

Claims (15)

1. A safety control method with a multiple voting fault-tolerant structure, used for petrochemical engineering safety control, characterized by comprising the following steps:
inputting three identical signals obtained from the same site into each of three parallel channels of the first fault-tolerant voting, executing a first two-out-of-three fault-tolerant voting operation on each channel, and outputting a first two-out-of-three fault-tolerant voting result;
inputting the first two-out-of-three fault-tolerant voting result into each of N parallel channels of the second fault-tolerant voting, executing a second two-out-of-three fault-tolerant voting operation on each channel, and outputting a second two-out-of-three fault-tolerant voting result, wherein 3 ≥ N ≥ 2;
and inputting the second two-out-of-three fault-tolerant voting result into each of M parallel channels of the third fault-tolerant voting, executing a third two-out-of-three fault-tolerant voting operation on each channel, and outputting a third two-out-of-three fault-tolerant voting result as the final voting result, wherein 3 ≥ M ≥ 1.
2. The safety control method according to claim 1, wherein the first two-out-of-three fault-tolerant voting operation and the second two-out-of-three fault-tolerant voting operation are implemented by computer program instructions, and the third two-out-of-three fault-tolerant voting operation is implemented by a hardware two-out-of-three fault-tolerant voting circuit.
3. The safety control method of claim 2, wherein the three channels of the first fault-tolerant voting use different processors to perform the first two-out-of-three fault-tolerant voting operation, and the N channels of the second fault-tolerant voting use different processors to perform the second two-out-of-three fault-tolerant voting operation.
4. A multi-voting fault-tolerant architecture security control system that implements the security control method of any one of claims 1 to 3, the security control system comprising:
the first fault-tolerant voting module comprises three channels connected in parallel and a voting operation module arranged on each channel;
the second fault-tolerant voting module comprises N channels connected in parallel and a voting operation module arranged on each channel, wherein 3 ≥ N ≥ 2;
each voting operation module comprises a memory and a processor, wherein the memory stores program instructions of software two-out-of-three voting operation, and the processor is used for executing the program instructions in the memory;
the third fault-tolerant voting module comprises M channels connected in parallel and a hardware two-out-of-three voting circuit which is arranged on each channel and is used for realizing hardware two-out-of-three voting, wherein 3 ≥ M ≥ 1;
the input module is used for inputting three identical signals obtained from the same site into the first fault-tolerant voting module;
the first communication module is used for inputting the two-out-of-three fault-tolerant voting result output by the first fault-tolerant voting module into the second fault-tolerant voting module;
and the second communication module is used for inputting the two-out-of-three fault-tolerant voting result output by the second fault-tolerant voting module into the third fault-tolerant voting module.
5. The safety control system of claim 4, wherein the input module comprises: the system comprises three input channels, an input quantity detector, a first safety barrier and an input terminal daughter board, wherein the input quantity detector, the first safety barrier and the input terminal daughter board are arranged on each input channel;
the input quantity detector is connected with the first safety barrier and is used for detecting field signals;
the first safety barrier is connected with an input terminal board and is used for signal transmission safety energy limitation;
the input terminal board is connected with the first fault-tolerant voting module and is used for dividing one signal into three signals and inputting the three signals to each channel of the first fault-tolerant voting module.
6. The safety control system according to claim 5, wherein the first communication module includes three parallel LVDS communication cards, and each LVDS communication card is connected to the voting operation module of the corresponding channel in the first fault-tolerant voting module, and is configured to receive the first two-out-of-three fault-tolerant voting result output by the voting operation module of that channel and input it into each channel of the second fault-tolerant voting module.
7. The security control system of claim 6, wherein the second communication module comprises three parallel channels, and each channel of the second communication module is connected in series with an LVDS communication card and an output card;
the LVDS communication card of each channel of the second communication module is connected with the voting operation module of the corresponding channel of the second fault-tolerant voting module, and is used for receiving the second two-out-of-three fault-tolerant voting result output by that voting operation module and inputting it into the output card connected in series with the LVDS communication card;
each output card of the second communication module is connected with each channel of the third fault-tolerant voting module and is used for inputting the second two-out-of-three fault-tolerant voting result received by the output card into each channel of the third fault-tolerant voting module.
8. The safety control system according to claim 7, wherein each channel of the first fault-tolerant voting module further comprises an input card for receiving the signals input to the channel, and converting and outputting each signal input to the channel;
and the voting operation module on each channel of the first fault-tolerant voting module is a CPU card.
9. The safety control system of claim 8, wherein the voting operation module on each channel of the second fault-tolerant voting module is a TMCR card, and each TMCR card comprises three mutually independent CPU modules.
10. The safety control system according to claim 9, wherein an output terminal board is arranged on each channel of the third fault-tolerant voting module, and a hardware two-out-of-three voting circuit for realizing hardware two-out-of-three voting is arranged in each output terminal board.
11. The safety control system according to claim 10, wherein the output cards on the three parallel channels of the second communication module each output the voting signal they receive in pairs through output contacts, and the output cards on the three parallel channels are output card A, output card B and output card C;
wherein:
the voting signals output by the output card A are voting signals A1 and voting signals A2;
the voting signals output by the output card B are voting signals B1 and voting signals B2;
the voting signals output by the output card C are voting signal C1 and voting signal C2.
12. The safety control system according to claim 11, wherein the two-out-of-three hardware voting circuit comprises six switch terminals, namely a first switch terminal, a second switch terminal, a third switch terminal, a fourth switch terminal, a fifth switch terminal and a sixth switch terminal, and the first to sixth switch terminals are respectively controlled by a voting signal A1, a voting signal B2, a voting signal B1, a voting signal C2, a voting signal C1 and a voting signal A2;
the first switch terminal and the second switch terminal are connected in parallel to form a first parallel circuit, the third switch terminal and the fourth switch terminal are connected in parallel to form a second parallel circuit, and the fifth switch terminal and the sixth switch terminal are connected in parallel to form a third parallel circuit;
the first parallel circuit is connected with the second parallel circuit in series, and the second parallel circuit is connected with the third parallel circuit in series to form a hardware two-out-of-three voting circuit;
and the first to sixth switch terminals are normally open; when the voting signal controlling a switch terminal is a valid signal, that switch terminal is triggered to close, so that the hardware voting circuit conducts and outputs a valid voting signal.
13. The safety control system according to any one of claims 8 to 12, wherein the input card and/or the output card are both dual cards for redundancy in case of a single-card failure of the input card and/or the output card.
14. A safety control device with a multiple voting fault-tolerant structure, said device being implemented based on a safety control system according to any one of claims 4 to 13, comprising: P TMCR chassis, three I/O chassis and M output terminal boards, wherein 2 ≥ P ≥ 1 and 3 ≥ M ≥ 1;
each TMCR chassis consists of two identical parts forming a redundant configuration, each part comprises a plurality of slots into which cards are inserted, and the cards comprise a TMCR card and an LVDS communication card;
each I/O chassis comprises a plurality of slots into which cards are inserted, wherein the cards comprise a CPU card, an LVDS communication card, an input card and an output card;
each I/O chassis and each TMCR chassis communicate bidirectionally at high speed through LVDS communication cards;
each output terminal board is connected with the output card of each I/O chassis.
15. The safety control device according to claim 14, characterized by further comprising: the device comprises an input quantity detector, a first safety barrier, an input terminal board, a second safety barrier and an actuator;
the input quantity detector is connected with the first safety barrier and is used for signal acquisition;
the first safety barrier is connected with an input terminal board and used for safety energy limitation;
the input terminal board is connected with the input card of each of the three I/O chassis, and is used for dividing the signal into three identical signals and sending them to the input card of each of the three I/O chassis respectively;
the second safety barrier is connected with the output terminal board and used for receiving the hardware voting signal output by the output terminal board and inputting the hardware voting signal to the actuator.
CN202110695790.XA 2021-06-23 2021-06-23 Safety control method, system and device for multiple voting fault-tolerant structure Pending CN115509181A (en)


Publications (1)

Publication Number Publication Date
CN115509181A true CN115509181A (en) 2022-12-23


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination