CN115664588A - Self-error correction method for acquisition execution unit device - Google Patents


Publication number
CN115664588A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211115604.1A
Other languages
Chinese (zh)
Inventor
王富亮
王聪
董志平
郑涛
闫俊宏
刘畅
蒋新成
赵铭阳
王志华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Corp of China SGCC
China Electric Power Research Institute Co Ltd CEPRI
North China Electric Power University
Beijing Sifang Engineering Co Ltd
Original Assignee
State Grid Corp of China SGCC
China Electric Power Research Institute Co Ltd CEPRI
North China Electric Power University
Beijing Sifang Engineering Co Ltd
Application filed by State Grid Corp of China SGCC, China Electric Power Research Institute Co Ltd CEPRI, North China Electric Power University, Beijing Sifang Engineering Co Ltd filed Critical State Grid Corp of China SGCC

Landscapes

  • Small-Scale Networks (AREA)

Abstract

The invention discloses a self-error correction method for an acquisition execution unit device. Messages sent by a line protection device and an element protection device are input into a first CPU plug-in and a second CPU plug-in, respectively. In each plug-in, the Ethernet MAC (media access control) outputs the message together with its Ethernet CRC (cyclic redundancy check), and the message is transmitted to N sub-modules of the FPGA. Each sub-module adds to the message a checksum that covers the Ethernet CRC, then performs the CRC check on the message, and transmits a message that passes the check to the corresponding core of the MCU. Each core verifies the checksum and parses the message, then performs the starting and exit logic operations to generate a starting state message and an exit state message. The two-out-of-N module acquires the messages output by each core, determines the final starting state and the final exit state, and controls the starting relay of the DI plug-in and the exit relay of the DO plug-in accordingly. The method and the device can avoid the unplanned shutdown of the power equipment.

Description

Self-error correction method for acquisition execution unit device
Technical Field
The invention belongs to the technical field of relay protection, and relates to a self-error correction method for an acquisition execution unit device.
Background
The acquisition execution unit device is an acquisition and control unit for the equipment at the bay level and the station control level of a digital substation. It acquires the AC voltage and current signals of a transmission line or transformer of the substation and converts them into SV messages, acquires the remote signaling signals of the transmission line or transformer and converts them into GOOSE messages, and transmits both kinds of message to the protection device over optical fiber Ethernet. After receiving this real-time message information, the protection device judges whether there is a fault. If it judges that the system has a fault, it sends a trip GOOSE command to the acquisition execution unit device over optical fiber Ethernet; after receiving the trip GOOSE command, the acquisition execution unit device closes a relay to trip the bay circuit breaker, so that the fault point is quickly cut off and isolated from the power system and the safe operation of the whole power system is not affected. The process logic diagram is shown in fig. 1.
The acquisition execution unit device is critical to the correct control of the circuit breaker. If it refuses to operate, the accident can grow, and in serious cases the whole substation can lose voltage; if it misoperates, normally operating equipment can be cut off by mistake. Both cases cause huge economic loss. If the acquisition execution unit device becomes abnormal, it exits operation, and all the protection devices that depend on it are forced to exit as well. According to the operating rules of the power system, once a protection device exits, the protected equipment (transformer or line) must be shut down, which causes an unplanned shutdown of the power equipment and great economic loss. At the same time, the acquisition device is not allowed to be restarted: after a restart, an existing acquisition execution unit device needs about 5-10 seconds before it can receive GOOSE messages, the power equipment has no protection during those 5-10 seconds, and a fault occurring in that period causes a power failure over a larger range.
Because the acquisition execution unit devices of a substation are configured per bay, DI plug-ins are generally used to acquire the remote signaling quantities and DO plug-ins are used to control the relay outputs. The internal connection diagram of the acquisition execution unit device is shown in fig. 2, and the internal block diagram of the main CPU plug-in is shown in fig. 3. The operation logic is as follows: protection device -> protection action signal -> optical fiber -> photoelectric converter -> MAC of the FPGA. The FPGA receives the GOOSE message of a protection action and sends it to the MCU, and the MCU parses it. If it is a trip message, the MCU sends, over the CAN network, a close-starting-relay command to the DI plug-in to provide 24V to the trip relay coil, and a close-trip-relay command to the DO plug-in to provide ground potential to the trip relay; the trip relay node closes and the circuit breaker is triggered to trip.
Acquisition execution unit devices have now been in operation for 12 years, since the national power grid began the retrofit and operation of intelligent substations in 2010, and the following defects have appeared in operation:
Defect 1: The GOOSE message is received over Ethernet, and the Ethernet message is protected by a CRC. The CRC is generally checked in the Ethernet MAC; after the check passes, the FPGA module reads the GOOSE message from the MAC and transmits it to the MCU, and the MCU parses the message. The MCU is not in a position to verify the message, so the GOOSE message can easily be altered during this data transfer. In addition, the module programs of the FPGA are stored in RAM and can be affected by an SEU (single event upset): bits in the FPGA program area are flipped, the program is altered, and the GOOSE message can be altered as a result. The MCU then obtains a wrong GOOSE message, misjudges it, and mistakenly sends the DO plug-in an erroneous command to trip the circuit breaker.
Defect 2: The program of the MCU is also stored in RAM and is also affected by SEUs, so bits of the MCU program may be flipped and the program altered, which may cause the following abnormal behavior: (1) the state of the GOOSE message is parsed incorrectly and a circuit breaker trip command is mistakenly sent to the DO plug-in, which may cause misoperation; (2) the format of the GOOSE message is parsed incorrectly, which may cause the GOOSE message to be discarded directly, resulting in a refusal to operate.
Defect 3: Because the program of the FPGA also runs in RAM, once an SEU flips memory in the FPGA's receiving program, the FPGA program fails and the GOOSE message received from the Ethernet becomes abnormal as well. The MCU receives the abnormal GOOSE message, and there is a direct risk that it mistakenly sends the DO plug-in an erroneous command to trip the circuit breaker.
Defect 4: Because the device uses a single CPU plug-in, once the hardware of the CPU plug-in becomes abnormal, the protection-trip GOOSE message cannot be received and none of the related protections can issue its trip output. Because most existing substations are unattended, maintenance of the device takes several hours or longer, so the power equipment is left unprotected for a long time; once the device breaks down, override tripping can occur, causing a larger-scale power failure.
Each of the above defects can prevent the GOOSE commands of all the different protection functions from being executed reliably, resulting in abnormal action behavior of all protection devices. Existing acquisition execution unit devices have been running for many years, and different countermeasures against these defects have been taken through continuous improvement. For defects 1-3, the common practice is to run real-time CRC checks over the program area and the important constant value area, and to restart the software automatically once a check is abnormal. However, because the program RAM area is large, the CRC check costs MCU resources and time, and the acquisition execution unit still produces abnormal output during the period between the program failure caused by the memory flip and the detection of the CRC error. Meanwhile, a restarted acquisition execution unit device needs 3-5 seconds before it can receive the GOOSE trip message, so the protected power equipment has no protection while the acquisition execution unit device restarts.
Disclosure of Invention
To address the deficiencies of the prior art, the invention provides a self-error correction method for an acquisition execution unit device. The FPGA reads the GOOSE message from the MAC, immediately adds a checksum to the GOOSE message (the checksum covers the Ethernet CRC), and then performs the CRC check on the GOOSE message; if the Ethernet CRC checks correctly, the checksum calculated before it is correct. A CRC check costs a large amount of MCU time, whereas the FPGA can check the CRC quickly. Because the checksum overlaps with the CRC, the MCU only verifies the checksum after receiving the GOOSE message, which saves the MCU time spent on verifying message correctness. Erroneous trip messages are eliminated by the two-out-of-N principle, and a correct trip message can still be sent even if 1 core fails, so that protection is not lost even for a short time. Meanwhile, once a core with a program failure is found, it can be restarted immediately and recover normal operation, and GOOSE messages can still be received normally during the restart; unplanned outages of electrical equipment can thus be avoided.
In order to achieve the above purpose, the invention adopts the following technical scheme:
A self-error correction method for an acquisition execution unit device, implemented on the basis of a self-error correction system, characterized in that:
the self-error correction method comprises the following steps:
step 1, GOOSE messages sent by a line protection device and an element protection device are input into a first CPU plug-in and a second CPU plug-in, respectively, and the first CPU plug-in and the second CPU plug-in operate independently;
step 2, in each CPU plug-in, the Ethernet MAC outputs the GOOSE message including its Ethernet CRC, and the message is transmitted to the N sub-modules of the FPGA through N independent transmission paths;
step 3, each sub-module of the FPGA adds to the GOOSE message a checksum that covers the Ethernet CRC, then performs the CRC check on the GOOSE message, and transmits a GOOSE message that passes the check to the core of the MCU corresponding to that sub-module;
step 4, each core of the MCU verifies the checksum of the GOOSE message and parses it, then performs the starting and exit logic operations, and finally generates a starting state message and an exit state message, respectively;
step 5, the two-out-of-N module acquires the starting state and exit state messages output by the N cores of the MCU, determines the final starting state and the final exit state by the two-out-of-N principle, and controls the starting relay of the DI plug-in and the exit relay of the DO plug-in, respectively.
The invention further comprises the following preferred embodiments:
Preferably, the self-error correction system comprises a first CPU plug-in, a second CPU plug-in, a DI plug-in and a DO plug-in;
the first CPU plug-in and the second CPU plug-in each independently control the starting relay of the DI plug-in and the exit relay of the DO plug-in;
the first CPU plug-in and the second CPU plug-in adopt the same self-error correction structure;
the self-error correction structure comprises an Ethernet port, an FPGA, an MCU and a two-out-of-N module;
the FPGA is provided with N sub-modules, and the MCU is provided with N cores;
the Ethernet port receives the GOOSE message of the protection device, its output is fed to each of the N sub-modules of the FPGA, and the outputs of the N sub-modules of the FPGA are fed to the N cores of the MCU, respectively;
the outputs of the N cores of the MCU are all input to the two-out-of-N module, and the outputs of the two-out-of-N module are input to the DI plug-in and the DO plug-in, respectively.
Preferably, the first CPU plug-in and the second CPU plug-in receive the GOOSE messages sent by the line protection device and the element protection device, respectively;
the first CPU plug-in and the second CPU plug-in each independently control the starting relay of the DI plug-in and the exit relay of the DO plug-in through an internal CAN network;
each core of the MCU parses the GOOSE message with 2 different modules, a starting module and an exit module, performs the respective starting and exit logic operations, and outputs a starting state message and an exit state message;
the two-out-of-N module is a two-out-of-N module of the CPLD;
N is an integer greater than or equal to 3.
Preferably, each submodule of the FPGA adopts the same logic and program, but different submodules are distributed in different address areas;
each core of the MCU uses the same logic and program, but different cores are distributed in different address regions.
Preferably, in step 4, the process by which the MCU verifies the checksum of and parses the GOOSE message includes:
step 4.1: verify the checksum of the GOOSE message; if it passes, go to step 4.2, otherwise discard the message;
step 4.2: the starting module and the exit module of the core of the MCU each parse the GOOSE message at the same time;
the starting module, together with the starting real-time database, performs the logic judgment for the starting relay; if it judges that the starting relay state has changed, it organizes the CAN network message for the starting relay and sends the starting CAN network message to the two-out-of-N module; otherwise the parsing process is executed again when the next GOOSE message arrives;
similarly, if the exit relay state is judged to have changed, the CAN network message for the exit relay is organized and the exit CAN network message is sent to the two-out-of-N module; otherwise the checking and parsing process is executed again when the next GOOSE message arrives.
Preferably, each core of the MCU has program self-check, constant value and constant area self-check, and hardware self-check functions, and once the self-check is abnormal, the core is restarted, and if the logic state of any one core is inconsistent with the states of other cores, the inconsistent core is restarted.
Preferably, in step 5, the two-out-of-N module first determines whether the CRC check of the message is correct, discards the message if the CRC check is incorrect, and screens for valid and latest messages if the CRC check is correct;
the starting state messages and the exit state messages among the latest valid messages of each core are compared separately; if two or more cores agree, then for starting state messages a 24V power state message for controlling the relay coil is sent to the DI, and for exit state messages a power state message for controlling the relay coil is sent to the DO.
Preferably, in the two-out-of-N module, the independent survival time of each received frame is counted, and once the survival time exceeds the set time, the message is set as an invalid message and does not take part in the two-out-of-N logic judgment for relay control.
Preferably, in the two-out-of-N module, if 2 or more frames from the same core controlling the same relay are received within the set time, the earlier messages are discarded and the latest message is taken.
Preferably, in step 5, the DI plug-in and the DO plug-in adopt OR logic, that is, if either of the two plug-ins is 1 the exit relay node is closed, and if both plug-ins are 0 the exit relay node is released, so as to realize control of the exit relay.
Compared with the prior art, the invention has the beneficial effects that:
(1) The received GOOSE message is divided into 3 independent transmission paths from the MAC output of the Ethernet and is transmitted to 3 cores for independent processing;
because the program of the FPGA runs in RAM, an SEU memory flip can cause the FPGA program to fail, but the address at which it occurs is random. After the Ethernet MAC output, the message is fed separately into 3 independent FPGA sub-modules whose logic and program are identical but which are placed in different address areas; when the FPGA program fails, the error cannot occur at the same logical position in 3 different areas, and the results of the 3 sub-modules are passed to the 3 cores of the MCU, respectively, for GOOSE message parsing. Similarly, the program and real-time data of the MCU are also in RAM, so MCU program and data failures caused by SEU memory flips also exist, but the 3 cores will not exhibit the same failure. Method (1) therefore effectively prevents refusal to operate or misoperation caused by program failure due to SEU memory flips.
(2) When reading the message output by the MAC, the FPGA submodule carries the CRC of the Ethernet in the message, the FPGA calculates the checksum of the CRC contained in the whole frame of the message firstly, then carries out the CRC check on the whole frame of the message, and sends the whole frame of the message to each core if the checksum is correct;
since calculating a CRC in C takes a lot of time, each core only performs the checksum judgment. Because the checksum and the CRC check overlap, errors arising before the FPGA's CRC check are detected by the FPGA, and errors arising between the FPGA's CRC check and the core's checksum check are detected by the core. The method therefore has no dead zone in detecting message correctness.
(3) Each core is divided into 2 different program modules for starting and exiting to analyze GOOSE messages, each core carries out logic operation and outputs starting state and exiting state messages according to respective logic structures so as to respectively control a starting relay and an exiting relay;
because 2 different MCU functional plug-ins are used to control, respectively, the ground and the 24V supply of the exit relay coil, each core, after obtaining the GOOSE message, is divided into 2 different program areas that complete their respective functions;
the starting program parses the GOOSE message, runs the starting logic, organizes the CAN network message for controlling the starting relay, and sends the control-starting-relay message to the two-out-of-N module of the CPLD; the action program parses the GOOSE message, runs the exit logic, organizes the CAN network message for controlling the action relay, and sends the message controlling the corresponding action relay to the two-out-of-N module of the CPLD;
although the functions are similar and a common subroutine could be used, the method adopts completely independent program segments, so that a failure of a common subroutine cannot cause the same problem in both and make starting and exit act at the same time; the 2 functional program segments have no intersection at all.
(4) An N-taking-two module of the CPLD acquires 3 core starting state and exit state messages, and respectively controls a starting relay and an exit relay by adopting an N-taking-two principle;
the contact of the starting relay controls the 24V supply of the exit relay. Because the GOOSE messages all come from the same Ethernet source and the FPGA processes them very quickly, the 3 cores obtain the GOOSE message to be processed almost simultaneously. To ensure the correctness and speed of the CPLD two-out-of-N logic, the following measures are taken:
1) Each message contains a CRC; the CPLD first judges whether the CRC check is correct, and discards the message if it is not;
to ensure the timeliness of each core, receiving the GOOSE message, processing the GOOSE message, the starting logic and the exit logic are all handled in a 500us interrupt. The 3 cores are mutually independent, and as seen by the CPLD the difference between the earliest and the latest action of the 3 cores cannot exceed the set time of 3ms. The CPLD counts the independent survival time of each frame of action message, and once the survival time exceeds 3ms, the message is set as an invalid message and does not take part in the two-out-of-N logic judgment for relay control;
2) If 2 or more frames from the same core controlling the same relay are received within 3ms, the earlier messages are discarded and the latest message is taken;
3) The exit states of the latest valid message of each core are compared, and if two or more cores agree, a 24V power state message for controlling the relay coil is sent to the DI, or a power state message for controlling the relay coil is sent to the DO;
4) Because the 3 cores run the same logic function and the device adopts the two-out-of-N scheme, the action logic of the whole device is not affected while any one core is restarting or abnormal. Each core of the device has program self-check, constant value and constant area self-check, and hardware self-check functions, and once a self-check is abnormal the core is restarted automatically. If the logic state of any core is inconsistent with the states of the other cores, a restart of that core is tried first;
although in the prior art, error prevention measures are generally taken for program failure caused by memory overturn, whether the checksum of a program area and an important data area is correct or not is generally detected, and if the checksum is incorrect, the device is restarted. If the operation is recovered, the operation is normal, and if the operation is not recovered, the alarm can be given, and the field operation personnel is informed to maintain.
(5) Dual CPU plug-ins are adopted: the GOOSE messages of bus protection and of bay protection are connected to their respective CPU plug-ins, the 2 plug-ins are mutually independent, and each can independently control the starting relay of the DI plug-in and the exit relay of the DO plug-in through the internal CAN network. Exit relay control uses OR logic (if the logic of either of the two plug-ins is 1, the relay node is closed; if the logic of both plug-ins is 0, the relay node is released).
Drawings
FIG. 1 is a logic diagram of a process for fault point isolation by an acquisition execution unit device;
FIG. 2 is a diagram of the internal connection of the acquisition execution unit device;
FIG. 3 is an internal block diagram of a main CPU plug-in for the acquisition execution unit device;
FIG. 4 is a schematic diagram of a self-error correction system for an acquisition execution unit apparatus according to the present invention;
FIG. 5 shows the process by which the MCU verifies the checksum of and parses GOOSE messages according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention. The embodiments described herein are only some embodiments of the invention, and not all embodiments. All other embodiments obtained by a person skilled in the art without any inventive step based on the spirit of the present invention are within the scope of the present invention.
As shown in fig. 4, embodiment 1 of the present invention provides a self-error-correction method for an acquisition execution unit device, which is implemented based on a self-error-correction system, and in a preferred but non-limiting implementation manner of the present invention, the self-error-correction system includes a first CPU plug-in, a second CPU plug-in, a DI plug-in, and a DO plug-in;
the first CPU plug-in and the second CPU plug-in respectively and independently control a starting relay of the DI plug-in and an outlet relay of the DO plug-in;
the first CPU plug-in and the second CPU plug-in adopt the same self-error correction structure;
further preferably, the first CPU plug-in and the second CPU plug-in respectively receive GOOSE messages sent by the line protection device and the element protection device;
the first CPU plug-in and the second CPU plug-in respectively and independently control a starting relay of the DI plug-in and an outlet relay of the DO plug-in through an internal CAN network;
the self-error correction structure comprises an Ethernet port, an FPGA, an MCU and a two-out-of-N module;
the FPGA is provided with N sub-modules, and the MCU is provided with N cores;
the Ethernet port receives the GOOSE message of the protection device, its output is fed to each of the N sub-modules of the FPGA, and the outputs of the N sub-modules of the FPGA are fed to the N cores of the MCU, respectively;
the outputs of the N cores of the MCU are all input to the two-out-of-N module, and the outputs of the two-out-of-N module are input to the DI plug-in and the DO plug-in, respectively.
Further preferably, each core of the MCU parses the GOOSE message with 2 different modules, a starting module and an exit module, performs the respective starting and exit logic operations, and outputs starting state and exit state messages;
N is an integer greater than or equal to 3;
the two-out-of-N module is a two-out-of-N module of the CPLD.
As shown in fig. 5, a self-error correction method for an acquisition execution unit device specifically includes the following steps 1 to 5:
step 1, GOOSE messages sent by a line protection device and an element protection device are respectively input into a first CPU plug-in unit and a second CPU plug-in unit, and the first CPU plug-in unit and the second CPU plug-in unit operate independently;
step 2, in each CPU plug-in, the Ethernet MAC outputs the GOOSE message including its Ethernet CRC, and the message is transmitted to the N sub-modules of the FPGA through N independent transmission paths;
step 3, each sub-module of the FPGA adds to the GOOSE message a checksum that covers the Ethernet CRC, then performs the CRC check on the GOOSE message, and transmits a GOOSE message that passes the check to the core of the MCU corresponding to that sub-module;
the specific checking process is as follows: the CRC value is calculated with the CRC formula over the message from its first byte to its end (not including the CRC value) and compared with the CRC value carried in the message (generally placed in the last 2 bytes of the message); if they are equal, no bit error occurred during transmission of the message and the check passes.
Further preferably, each submodule of the FPGA adopts the same logic and program, but different submodules are distributed in different address areas;
step 4, each core of the MCU verifies the checksum of the GOOSE message and parses it, then performs the starting and exit logic operations, and finally generates a starting state message and an exit state message, respectively;
it is further preferred that each core of the MCU employs the same logic and program, but that different cores are distributed in different address regions.
As shown in fig. 5, the process by which the MCU verifies the checksum of and parses GOOSE messages includes:
step 4.1: verify the checksum of the GOOSE message; if it passes, go to step 4.2, otherwise discard the GOOSE message; if 10 frames are discarded consecutively, this indicates a hardware problem and an alarm is raised;
the checking process is as follows: the accumulated-sum value is calculated with the accumulated-sum check formula over the message from its first byte to its end (not including the checksum value); if it is equal to the checksum value carried in the message (generally placed in the last 2 bytes of the message), no bit error occurred during transmission of the message and the check passes.
Step 4.2: the starting module and the exit module of the core of the MCU each parse the GOOSE message at the same time;
the starting module, together with the starting real-time database, performs the logic judgment for the starting relay; if it judges that the starting relay state has changed, it organizes the CAN network message for the starting relay and sends the starting CAN network message to the two-out-of-N module; otherwise the parsing process is executed again when the next GOOSE message arrives;
similarly, if the exit relay state is judged to have changed, the CAN network message for the exit relay is organized and the exit CAN network message is sent to the two-out-of-N module; otherwise the checking and parsing process is executed again when the next GOOSE message arrives.
Further preferably, each core of the MCU has program self-check, constant value and constant region self-check, and hardware self-check functions, and once the self-check is abnormal, the core is restarted, and if the logic state of any one core is inconsistent with the states of other cores, the inconsistent core is restarted.
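The check chain of steps 3 and 4.1 can be exercised in a few lines of C. This is an added example, not code from the patent: it assumes the Ethernet CRC is the 4-byte CRC-32 frame check sequence and that the appended checksum is a 16-bit accumulated sum stored big-endian; the payload, the function names and the fault-injection points are constructed for illustration. It also runs the reversed order (CRC check first, checksum second) to show the window that the patent's ordering closes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FCS_LEN 4u            /* Ethernet CRC-32 (FCS) at the end of the MAC output */
#define SUM_LEN 2u            /* assumed format: 16-bit accumulated sum, big-endian */
#define DROP_ALARM_LIMIT 10u  /* page: 10 consecutive discards raise an alarm */

enum fault_point { NO_FAULT, BEFORE_FPGA, BETWEEN_FPGA_STEPS, AFTER_FPGA };
enum verdict { ACCEPTED, DROPPED_BY_FPGA_CRC, DROPPED_BY_MCU_SUM };
struct mcu_core { unsigned consecutive_drops; int alarm; };

/* Bitwise CRC-32 as used for the Ethernet FCS (reflected, polynomial 0xEDB88320). */
uint32_t crc32_ieee(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Accumulated-sum check: add every byte, keep the low 16 bits. */
uint16_t sum16(const uint8_t *p, size_t n)
{
    uint32_t s = 0;
    for (size_t i = 0; i < n; i++)
        s += p[i];
    return (uint16_t)(s & 0xFFFFu);
}

/* FPGA side: recompute the CRC over the payload and compare with the FCS bytes. */
int fcs_ok(const uint8_t *buf, size_t len)
{
    uint32_t got = 0;
    for (unsigned i = 0; i < FCS_LEN; i++)
        got |= (uint32_t)buf[len - FCS_LEN + i] << (8 * i);  /* FCS is little-endian */
    return crc32_ieee(buf, len - FCS_LEN) == got;
}

/* MCU side: verify only the cheap checksum and count consecutive discards. */
int mcu_accept(struct mcu_core *c, const uint8_t *buf, size_t len)
{
    uint16_t got = (uint16_t)((buf[len - 2] << 8) | buf[len - 1]);
    int ok = sum16(buf, len - SUM_LEN) == got;
    c->consecutive_drops = ok ? 0 : c->consecutive_drops + 1;
    if (c->consecutive_drops >= DROP_ALARM_LIMIT)
        c->alarm = 1;
    return ok;
}

/* Push one constructed frame through the chain and flip one bit at `fp`.
 * sum_first = 1 is the page's order (add checksum, then check CRC);
 * sum_first = 0 is the reversed order, shown only for comparison. */
enum verdict run_chain(enum fault_point fp, int sum_first, struct mcu_core *core)
{
    static const uint8_t payload[] = "constructed GOOSE-like payload, trip=1";
    uint8_t buf[96];
    size_t n = sizeof payload - 1, len = n + FCS_LEN;
    int crc_ok;

    memcpy(buf, payload, n);
    uint32_t fcs = crc32_ieee(buf, n);               /* what the MAC hands over */
    for (unsigned i = 0; i < FCS_LEN; i++)
        buf[n + i] = (uint8_t)(fcs >> (8 * i));
    if (fp == BEFORE_FPGA) buf[5] ^= 0x04;

    if (sum_first) {
        uint16_t s = sum16(buf, len);                /* covers payload and FCS */
        buf[len] = (uint8_t)(s >> 8); buf[len + 1] = (uint8_t)s;
        if (fp == BETWEEN_FPGA_STEPS) buf[5] ^= 0x04;
        crc_ok = fcs_ok(buf, len);
    } else {
        crc_ok = fcs_ok(buf, len);
        if (fp == BETWEEN_FPGA_STEPS) buf[5] ^= 0x04;
        uint16_t s = sum16(buf, len);                /* sums the corrupted bytes */
        buf[len] = (uint8_t)(s >> 8); buf[len + 1] = (uint8_t)s;
    }
    if (!crc_ok) return DROPPED_BY_FPGA_CRC;

    if (fp == AFTER_FPGA) buf[5] ^= 0x04;            /* e.g. FPGA-to-core transfer */
    return mcu_accept(core, buf, len + SUM_LEN) ? ACCEPTED : DROPPED_BY_MCU_SUM;
}

int main(void)
{
    static const char *name[] = { "accepted", "dropped by FPGA CRC",
                                  "dropped by MCU checksum" };
    struct mcu_core core = { 0, 0 };
    for (int fp = NO_FAULT; fp <= AFTER_FPGA; fp++)
        printf("fault point %d: page order -> %s, reversed order -> %s\n", fp,
               name[run_chain((enum fault_point)fp, 1, &core)],
               name[run_chain((enum fault_point)fp, 0, &core)]);
    return 0;
}
```

With the page's order every injected fault is dropped by one of the two checks; with the reversed order, a bit flipped between the two FPGA steps is accepted by the core, because the checksum is then computed over data that has already been corrupted.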
Step 5, the two-out-of-N module acquires the starting state and exit state messages output by the N cores of the MCU, determines the final starting state and the final exit state by the two-out-of-N principle, and controls the starting relay of the DI plug-in and the exit relay of the DO plug-in, respectively; the DI plug-in directly controls the starting relay, and the starting relay controls the 24V supply of the exit relay coil of the DO plug-in.
Further preferably, the two-out-of-N module first determines whether the CRC check of the message is correct; if not, it discards the message, and if correct, it performs the valid and latest message screening described below. The check in step 3 is on the external Ethernet message received by the FPGA, whereas the messages in step 5 are the starting or trip/close messages generated by the MCU inside the device, so the two-out-of-N module needs to check them as well, which prevents bit errors occurring during transmission.
The independent survival time of each received frame is counted, and once the survival time exceeds the set time, the message is set as an invalid message and does not take part in the two-out-of-N logic judgment for relay control;
if 2 or more frames from the same core controlling the same relay are received within the set time, the earlier messages are discarded and the latest message is taken;
the starting state messages and the exit state messages among the latest valid messages of each core are compared separately; if two or more cores agree, then for starting state messages a 24V power state message for controlling the relay coil is sent to the DI, and for exit state messages a power state message for controlling the relay coil is sent to the DO.
When the starting state received by the DI plug-in from either of the two CPU plug-ins is 1, and the state received by the DO plug-in from either of the two CPU plug-ins is 1, the exit relay is closed, which realizes control of the exit relay.
Compared with the prior art, the beneficial effects of the invention are:
(1) From the Ethernet MAC output onward, the received GOOSE message is split across 3 independent transmission paths and delivered to 3 cores for independent processing;
because the FPGA program runs in RAM, an SEU memory flip can cause the FPGA program to fail, but the address at which the flip occurs is random. The Ethernet MAC output is fed separately into 3 independent FPGA submodules whose logic and program are identical but which are placed in different address regions, so when the FPGA program fails, the error cannot occur at the same logical position in the 3 different regions. The results of the 3 submodules are passed to the 3 MCU cores respectively for GOOSE message analysis. Similarly, the program and real-time data of the MCU are also in RAM and are exposed to MCU program and data failure caused by SEU memory flips, but the 3 cores will not suffer the same failure. Method (1) therefore effectively prevents a failure to operate or a maloperation caused by program failure due to SEU memory flips.
(2) When an FPGA submodule reads the message output by the MAC, the message carries the Ethernet CRC. The FPGA first calculates a checksum over the whole frame including the CRC, then performs the CRC check on the whole frame, and sends the whole frame to each core if the check is correct;
because computing a CRC in C takes a lot of time, each core only checks the checksum. Because the checksum and the CRC check overlap, errors arising before the FPGA's CRC check are detected by the FPGA, and errors arising after the FPGA's CRC check and before the checksum is verified in the core are detected by the core. The method therefore has no dead zone in detecting message correctness.
(3) Each core is divided into 2 different program modules, starting and exit, to analyze GOOSE messages; each core performs its logic operations and outputs starting-state and exit-state messages according to the respective logic structures, so as to control the starting relay and the exit relay respectively;
because 2 different MCU functional plug-ins are used to control, respectively, the ground and the 24V supply of the outlet relay coil, each core, after obtaining the GOOSE message, is divided into 2 different program areas that complete their respective functions;
the starting program parses the GOOSE message, runs the starting logic, organizes the CAN network message that controls the starting relay, and sends it to the N-out-of-two module of the CPLD; the action program parses the GOOSE message, runs the outlet logic, organizes the CAN network message that controls the action relay, and sends the message controlling the corresponding action relay to the N-out-of-two module of the CPLD;
although the functions are similar and a common subroutine could be used, the method uses completely independent program segments, so that a failure in a common subroutine cannot cause the same problem in both and make the starting and outlet relays act simultaneously; this ensures that the 2 functional program segments do not intersect.
(4) The N-out-of-two module of the CPLD acquires the starting-state and exit-state messages of the 3 cores and controls the starting relay and the exit relay respectively using the N-out-of-two principle;
the contact of the starting relay controls the 24V power supply of the outlet relay. Because the GOOSE message is received from the same Ethernet source and the FPGA processes it very quickly, the 3 cores obtain the GOOSE message to be processed at almost the same time. To make the N-out-of-two logic of the CPLD both correct and fast, the following measures are taken:
1) Each message contains a CRC; the CPLD first judges whether the CRC is correct and discards the message if it is not;
to ensure the timeliness of each core, receiving the GOOSE message, processing the GOOSE message, the starting logic and the outlet logic are all handled in a 500us interrupt. The 3 cores are independent of one another, and the difference between the earliest and the latest action of the 3 cores as seen by the CPLD cannot exceed the set time of 3ms. The CPLD counts the survival time of each frame of action message independently; once the survival time exceeds 3ms, the message is marked invalid and does not take part in the N-out-of-two logic judgment that controls the relay;
2) If 2 or more frames from the same core controlling the same relay are received within 3ms, the earlier message is discarded and the latest message is used;
3) The exit states of the latest valid message of each core are compared; if two or more cores agree, a message controlling the 24V power state of the relay coil is sent to the DI, or a message controlling the power state of the relay coil is sent to the DO;
4) Because the 3 cores run the same logic function and the device uses the N-out-of-two scheme, the restart or abnormality of any one core does not affect the action logic of the whole device. Each core of the device has program self-check, fixed-value and constant-area self-check, and hardware self-check functions; once a self-check is abnormal, the core restarts automatically. If the logic state of any core is inconsistent with the states of the other cores, a restart of that core is attempted first;
the prior art does generally take error-prevention measures against program failure caused by memory flips, typically by checking whether the checksums of the program area and of important data areas are correct and restarting the device if a checksum is incorrect. If operation recovers, the device runs normally; if it does not recover, an alarm can be raised and field operating personnel are notified to carry out maintenance.
(5) Dual CPU plug-ins are used: the GOOSE messages received from bus protection and interval protection are connected to their respective CPU plug-ins, and the 2 plug-ins are independent of each other. Each can independently control the starting relay of the DI plug-in and the outlet relay of the DO plug-in over the internal CAN network, and outlet relay control is realized in OR logic (if the logic of either of the two plug-ins is 1, the relay node closes; if the logic of both plug-ins is 0, the relay node releases).
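The overlap of checksum and CRC described in item (2) above, as an added C example that is not code from the patent: one frame passes through the FPGA stage and the core stage with a single bit flipped at different points, and the page's order (checksum first, then CRC) is set beside the reverse order. The 16-bit byte sum, the sample bytes, the fault-injection points and all function names are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum fault { FAULT_NONE, FAULT_BEFORE_FPGA, FAULT_BETWEEN_CHECKS, FAULT_AFTER_FPGA };
enum verdict { DELIVERED, DELIVERED_CORRUPT, DROPPED_BY_FPGA_CRC,
               DROPPED_BY_CORE_SUM, BAD_LENGTH };

/* Constructed sample bytes standing in for a GOOSE frame, without its FCS. */
static const uint8_t SAMPLE[] = {
    0x01, 0x0C, 0xCD, 0x01, 0x00, 0x01,  0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
    0x88, 0xB8,  0x00, 0x01, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x61, 0x02
};

/* Reflected CRC-32 (polynomial 0xEDB88320), the Ethernet frame check. */
static uint32_t crc32_eth(const uint8_t *p, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    while (n--) {
        c ^= *p++;
        for (int i = 0; i < 8; i++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Accumulated sum: 16-bit modular sum of bytes (assumed formula). */
static uint16_t sum16(const uint8_t *p, size_t n)
{
    uint16_t s = 0;
    while (n--)
        s = (uint16_t)(s + *p++);
    return s;
}

/* True when the last 4 bytes (least-significant byte first) match the CRC. */
static bool fcs_ok(const uint8_t *f, size_t len)
{
    uint32_t got = (uint32_t)f[len - 4] | (uint32_t)f[len - 3] << 8 |
                   (uint32_t)f[len - 2] << 16 | (uint32_t)f[len - 1] << 24;
    return crc32_eth(f, len - 4) == got;
}

static void flip(uint8_t *buf) { buf[0] ^= 0x10; }   /* one upset bit */

/* sum_first = true is the page's order; false is the reverse, for contrast. */
enum verdict pipeline(const uint8_t *payload, size_t n, enum fault f, bool sum_first)
{
    uint8_t buf[128];
    uint16_t sum;
    bool crc_ok;
    if (n == 0 || n + 6 > sizeof buf)
        return BAD_LENGTH;
    memcpy(buf, payload, n);                 /* sender: payload + FCS */
    uint32_t fcs = crc32_eth(buf, n);
    for (int i = 0; i < 4; i++)
        buf[n + i] = (uint8_t)(fcs >> (8 * i));
    size_t len = n + 4;
    if (f == FAULT_BEFORE_FPGA) flip(buf);
    if (sum_first) {                         /* FPGA submodule */
        sum = sum16(buf, len);               /* checksum covers the CRC */
        if (f == FAULT_BETWEEN_CHECKS) flip(buf);
        crc_ok = fcs_ok(buf, len);
    } else {
        crc_ok = fcs_ok(buf, len);
        if (f == FAULT_BETWEEN_CHECKS) flip(buf);
        sum = sum16(buf, len);
    }
    if (!crc_ok)
        return DROPPED_BY_FPGA_CRC;
    buf[len++] = (uint8_t)(sum >> 8);        /* checksum in the last 2 bytes */
    buf[len++] = (uint8_t)sum;
    if (f == FAULT_AFTER_FPGA) flip(buf);
    /* MCU core: accumulated-sum check only, no CRC */
    uint16_t want = (uint16_t)(buf[len - 2] << 8 | buf[len - 1]);
    if (sum16(buf, len - 2) != want)
        return DROPPED_BY_CORE_SUM;
    return memcmp(buf, payload, n) == 0 ? DELIVERED : DELIVERED_CORRUPT;
}

int main(void)
{
    static const char *name[] = { "delivered", "DELIVERED CORRUPT",
        "dropped by FPGA CRC", "dropped by core checksum", "bad length" };
    for (int order = 1; order >= 0; order--)
        for (int f = FAULT_NONE; f <= FAULT_AFTER_FPGA; f++)
            printf("sum_first=%d fault=%d: %s\n", order, f,
                   name[pipeline(SAMPLE, sizeof SAMPLE, (enum fault)f, order != 0)]);
    return 0;
}
```

With the checksum taken first, every injection point ends in a drop; with the order reversed, a flip between the two checks is carried into the checksum and reaches the core undetected.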
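One way to realize measures 1) to 3) of item (4) and the OR logic of item (5), as an added C example that is not code from the patent (the page's "N-out-of-two" is two-out-of-N voting). The 3 cores and the 3ms lifetime come from the page; the message layout, the CRC-8, holding the last output when fewer than two cores agree, and all names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define N_CORES     3      /* the page describes 3 cores (N >= 3) */
#define LIFETIME_US 3000u  /* 3 ms survival time, from the page */

enum relay { RELAY_START, RELAY_EXIT, RELAY_COUNT };

/* Constructed message layout (assumption): core, relay, state, CRC-8. */
struct vote_msg { uint8_t core, relay, state, crc; };
struct slot { bool used; uint8_t state; uint32_t rx_us; };
struct voter {
    struct slot latest[RELAY_COUNT][N_CORES]; /* newest message per core */
    uint8_t output[RELAY_COUNT];              /* last voted relay state */
};

/* CRC-8, polynomial 0x07: the page does not name the CRC (assumption). */
static uint8_t crc8(const uint8_t *p, size_t n)
{
    uint8_t c = 0;
    while (n--) {
        c ^= *p++;
        for (int i = 0; i < 8; i++)
            c = (c & 0x80) ? (uint8_t)((c << 1) ^ 0x07) : (uint8_t)(c << 1);
    }
    return c;
}

/* Build a message as a core would; used here to construct sample input. */
struct vote_msg make_msg(uint8_t core, enum relay r, uint8_t state)
{
    const uint8_t body[3] = { core, (uint8_t)r, state };
    struct vote_msg m = { core, (uint8_t)r, state, crc8(body, sizeof body) };
    return m;
}

/* Measures 1) and 2): drop bad CRC, keep only the newest message per core. */
bool voter_receive(struct voter *v, const struct vote_msg *m, uint32_t now_us)
{
    const uint8_t body[3] = { m->core, m->relay, m->state };
    if (crc8(body, sizeof body) != m->crc)
        return false;                  /* corrupted in transit */
    if (m->core >= N_CORES || m->relay >= RELAY_COUNT || m->state > 1)
        return false;                  /* CRC fine, fields out of range */
    struct slot *s = &v->latest[m->relay][m->core];
    s->used = true;                    /* replaces the former message */
    s->state = m->state;
    s->rx_us = now_us;
    return true;
}

/* Measure 3): two or more unexpired, agreeing cores set the relay state.
 * With N_CORES == 3 the two counts can never both reach 2. */
uint8_t voter_decide(struct voter *v, enum relay r, uint32_t now_us)
{
    int votes[2] = { 0, 0 };
    for (int c = 0; c < N_CORES; c++) {
        const struct slot *s = &v->latest[r][c];
        /* unsigned subtraction stays correct across timer wrap-around */
        if (s->used && (uint32_t)(now_us - s->rx_us) <= LIFETIME_US)
            votes[s->state]++;
    }
    if (votes[1] >= 2)
        v->output[r] = 1;
    else if (votes[0] >= 2)
        v->output[r] = 0;
    return v->output[r];               /* no agreement: hold (assumption) */
}

/* Item (5): OR across the two CPU plug-ins. The starting relay's contact
 * feeds 24V to the exit relay coil, so the outlet needs both to be set. */
bool outlet_closed(const struct voter *cpu1, const struct voter *cpu2)
{
    bool start = cpu1->output[RELAY_START] || cpu2->output[RELAY_START];
    bool trip  = cpu1->output[RELAY_EXIT]  || cpu2->output[RELAY_EXIT];
    return start && trip;
}

int main(void)
{
    struct voter a = { 0 }, b = { 0 };          /* one voter per CPU plug-in */
    struct vote_msg m;
    m = make_msg(0, RELAY_START, 1); voter_receive(&a, &m, 1000);
    m = make_msg(1, RELAY_START, 1); voter_receive(&a, &m, 1500);
    m = make_msg(0, RELAY_EXIT, 1);  voter_receive(&a, &m, 1600);
    m = make_msg(2, RELAY_EXIT, 1);  voter_receive(&a, &m, 1700);
    voter_decide(&a, RELAY_START, 2000);
    voter_decide(&a, RELAY_EXIT, 2000);
    return outlet_closed(&a, &b) ? 0 : 1;       /* 0: outlet relay closed */
}
```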
The terms in this application are explained as follows:
GOOSE message: a Generic Object Oriented Substation Event message complying with the IEC 61850-8-1 specification, Specific Communication Service Mapping (SCSM): Mappings to MMS and to ISO/IEC 8802-3;
MCU: a Micro Control Unit (MCU) is a chip-level computer formed by suitably reducing the frequency and specification of a Central Processing Unit (CPU) and integrating on a single chip peripheral interfaces such as memory, a counter (timer), USB, an A/D converter, UART, PLC, DMA and even an LCD driving circuit, in different combinations for controlling different applications.
SEU (Single Event Upset): a large amount of high-energy particle radiation exists in space, and a single high-energy particle entering a sensitive region of a semiconductor device (such as a microprocessor, a semiconductor memory or a power transistor) can flip a bit of a storage cell (that is, change its content from 0 to 1 or from 1 to 0), which disrupts the system and in serious cases can cause a catastrophic accident. The logical errors caused by SEUs are not permanent and are also referred to as soft errors.
CRC check code: the Cyclic Redundancy Check (CRC) is one of the most commonly used error checking codes in the field of data communications.
CPLD: a Complex Programmable Logic Device, short for Complex PLD, is a logic element more complex than a PLD. The CPLD is a digital integrated circuit in which users construct logic functions according to their own needs.
The present disclosure may be systems, methods, and/or computer program products. The computer program product may include a computer-readable storage medium having computer-readable program instructions embodied thereon for causing a processor to implement various aspects of the present disclosure.
The computer readable storage medium may be a tangible device that can hold and store the instructions for use by the instruction execution device. The computer readable storage medium may be, for example, but not limited to, an electronic memory device, a magnetic memory device, an optical memory device, an electromagnetic memory device, a semiconductor memory device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a Static Random Access Memory (SRAM), a portable compact disc read-only memory (CD-ROM), a Digital Versatile Disc (DVD), a memory stick, a floppy disk, a mechanical coding device, such as punch cards or in-groove projection structures having instructions stored thereon, and any suitable combination of the foregoing. Computer-readable storage media as used herein is not to be construed as transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission medium (e.g., optical pulses through a fiber optic cable), or electrical signals transmitted through electrical wires.
The computer-readable program instructions described herein may be downloaded from a computer-readable storage medium to a respective computing/processing device, or to an external computer or external storage device via a network, such as the internet, a local area network, a wide area network, and/or a wireless network. The network may include copper transmission cables, fiber optic transmission, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. The network adapter card or network interface in each computing/processing device receives computer-readable program instructions from the network and forwards the computer-readable program instructions for storage in a computer-readable storage medium in the respective computing/processing device.
The computer program instructions for carrying out operations of the present disclosure may be assembler instructions, Instruction Set Architecture (ISA) instructions, machine-related instructions, microcode, firmware instructions, state setting data, or source or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The computer-readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, the electronic circuitry that can execute the computer-readable program instructions implements aspects of the present disclosure by utilizing the state information of the computer-readable program instructions to personalize the electronic circuitry, such as a programmable logic circuit, a Field Programmable Gate Array (FPGA), or a Programmable Logic Array (PLA).
Various aspects of the present disclosure are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions.
These computer-readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer-readable program instructions may also be stored in a computer-readable storage medium that can direct a computer, programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer-readable medium storing the instructions comprises an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer, other programmable apparatus or other devices implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Finally, it should be noted that the above embodiments are only used for illustrating the technical solutions of the present invention and not for limiting the same, and although the present invention is described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that: modifications and equivalents may be made to the embodiments of the invention without departing from the spirit and scope of the invention, which is to be covered by the claims.

Claims (10)

1. A self-error-correction method for an acquisition execution unit device, realized on the basis of a self-error-correction system, characterized in that:
the self-error correction method comprises the following steps:
step 1, GOOSE messages sent by a line protection device and an element protection device are input into a first CPU plug-in and a second CPU plug-in respectively, and the first CPU plug-in and the second CPU plug-in operate independently;
step 2, in each CPU plug-in, the Ethernet MAC outputs the GOOSE message including the Ethernet CRC, and the message is transmitted to the N sub-modules of the FPGA over N independent transmission paths respectively;
step 3, each submodule of the FPGA adds to the GOOSE message a checksum that covers the Ethernet CRC, then performs the CRC check on the GOOSE message, and transmits a GOOSE message that passes the check to the MCU core corresponding to that submodule;
step 4, each MCU core verifies the checksum of the GOOSE message and analyzes the message, then performs the starting and exit logic operations, and finally generates starting-state and exit-state messages respectively;
step 5, an N-out-of-two module acquires the starting-state and outlet-state messages output by the N cores of the MCU, determines the final starting state and the final outlet state using the N-out-of-two principle, and controls the starting relay of the DI plug-in and the outlet relay of the DO plug-in respectively.
2. The self-error correction method for the acquisition execution unit device according to claim 1, characterized in that:
the self-error-correcting system comprises a first CPU plug-in, a second CPU plug-in, a DI plug-in and a DO plug-in;
the first CPU plug-in and the second CPU plug-in respectively and independently control a starting relay of the DI plug-in and an outlet relay of the DO plug-in;
the first CPU plug-in and the second CPU plug-in adopt the same self-error correction structure;
the self-error-correcting structure comprises an Ethernet port, an FPGA, an MCU and an N-out-of-two module;
the FPGA is provided with N sub-modules, and the MCU is provided with N cores;
the Ethernet port receives a GOOSE message of the protection device, the output of the GOOSE message is respectively input into N sub-modules of the FPGA, and the output of the N sub-modules of the FPGA is respectively input into N cores of the MCU;
the outputs of the N cores of the MCU are all input to the N-out-of-two module, and the outputs of the N-out-of-two module are input to the DI plug-in and the DO plug-in respectively.
3. The self-error correction method for the acquisition execution unit device according to claim 2, characterized in that:
the first CPU plug-in and the second CPU plug-in respectively receive GOOSE messages sent by a line protection device and an element protection device;
the first CPU plug-in and the second CPU plug-in respectively and independently control a starting relay of the DI plug-in and an outlet relay of the DO plug-in through an internal CAN network;
each core of the MCU analyzes the GOOSE message with 2 different modules, starting and exit, performs the respective starting and exit logic operations, and outputs a starting-state message and an exit-state message;
the N-out-of-two module is an N-out-of-two module of the CPLD;
N is an integer greater than or equal to 3.
4. The self-error correction method for the acquisition execution unit device according to claim 1, characterized in that:
each submodule of the FPGA adopts the same logic and program, but different submodules are distributed in different address areas;
each core of the MCU uses the same logic and program, but different cores are distributed in different address regions.
5. The self-error correction method for the acquisition execution unit device according to claim 1, characterized in that:
in step 4, the process by which the MCU verifies the checksum of the GOOSE message and analyzes it comprises:
step 4.1: verifying the checksum of the GOOSE message; if it passes, going to step 4.2, otherwise discarding the message;
step 4.2: the starting module and the exit module of a core of the MCU each analyze the GOOSE message at the same time;
the starting module, together with the starting real-time database, performs the logical judgment for the starting relay: if the starting relay state is judged to have changed, it organizes the CAN network message for the starting relay and sends this starting CAN network message to the N-out-of-two module; otherwise the analysis process is executed again after the next GOOSE message arrives;
likewise, if the exit relay state is judged to have changed, the CAN network message for the exit relay is organized and this exit CAN network message is sent to the N-out-of-two module; otherwise the checking and analysis process is executed again after the next GOOSE message arrives.
6. The self-error correction method for the acquisition execution unit device according to claim 1, characterized in that:
each core of the MCU has program self-check, fixed-value and constant-area self-check, and hardware self-check functions; once a self-check is abnormal the core is restarted, and if the logic state of any one core is inconsistent with the states of the other cores, the inconsistent core is restarted.
7. The self-error correction method for the acquisition execution unit device according to claim 1, characterized in that:
in step 5, the N-out-of-two module first judges whether the CRC check of the message is correct; if not, the message is discarded, and if correct, screening for valid and latest messages is carried out;
the starting-state messages and the exit-state messages of the latest valid message of each core are compared separately; if two or more cores agree, then for starting-state messages a message controlling the 24V power state of the relay coil is sent to the DI, and for exit-state messages a message controlling the power state of the relay coil is sent to the DO.
8. The self-error correction method for the acquisition execution unit device according to claim 7, characterized in that:
in the N-out-of-two module, the survival time of each received frame is counted independently; once the survival time exceeds the set time, the message is marked invalid and does not take part in the N-out-of-two logic judgment that controls the relay.
9. The self-error correction method for the acquisition execution unit device according to claim 7, characterized in that:
in the N-out-of-two module, if 2 or more frames are received from the same core controlling the same relay within the set time, the earlier message is discarded and the latest message is used.
10. The self-error correction method for the acquisition execution unit device according to claim 1, characterized in that:
in step 5, the DI plug-in and the DO plug-in adopt an OR logic mode: if either 1 of the logics of the DI plug-in and the DO plug-in is 1, the outlet relay node closes, and if both logics of the DI plug-in and the DO plug-in are 0, the outlet relay node releases, thereby realizing outlet relay control.
CN202211115604.1A 2022-09-14 2022-09-14 Self-error correction method for acquisition execution unit device Pending CN115664588A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211115604.1A CN115664588A (en) 2022-09-14 2022-09-14 Self-error correction method for acquisition execution unit device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211115604.1A CN115664588A (en) 2022-09-14 2022-09-14 Self-error correction method for acquisition execution unit device

Publications (1)

Publication Number Publication Date
CN115664588A true CN115664588A (en) 2023-01-31

Family

ID=84983686

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211115604.1A Pending CN115664588A (en) 2022-09-14 2022-09-14 Self-error correction method for acquisition execution unit device

Country Status (1)

Country Link
CN (1) CN115664588A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116643081A (en) * 2023-05-23 2023-08-25 南京国电南自电网自动化有限公司 High-reliability relay protection device sampling system and method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination