CN202794885U - Safety control redundant system for fully-intelligent master control system - Google Patents


Info

Publication number
CN202794885U
Authority
CN
China
Prior art keywords
control
template
control template
main control
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Lifetime
Application number
CN2012203148929U
Other languages
Chinese (zh)
Inventor
黄永忠
沈学明
许志释
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZHEJIANG ZHENGTAI ZHONGZI CONTROL ENGINEERING Co Ltd
Original Assignee
ZHEJIANG ZHENGTAI ZHONGZI CONTROL ENGINEERING Co Ltd
Application filed by ZHEJIANG ZHENGTAI ZHONGZI CONTROL ENGINEERING Co Ltd
Priority to CN2012203148929U
Application granted
Publication of CN202794885U
Expired - Lifetime

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00: Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02: Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Hardware Redundancy (AREA)

Abstract

The utility model relates to a safety control redundant system for a fully-intelligent master control system, which belongs to the field of industrial control. The system is used for solving the problems that a control scheme adopting a distributed control system (DCS) in dual-machine warm standby control mode does not fully take the accuracy of the control result into account and cannot recover by itself after a failure. According to the system, a repeated two-out-of-three voting manner is adopted for the acquisition and processing of data information in the system. The accuracy of system input is guaranteed through carrying out two-out-of-three voting on acquired data. The accuracy of system calculation is guaranteed through carrying out two-out-of-three voting on the operation results of the control templates. A control template with the best health condition is guaranteed to serve as the master control template through dynamic master control template switching, which further improves the accuracy of the system. Thus, the aim of the safety control of the system is realized. The self-recovery of a failed control template is realized through the seamless reconstruction of the control template in failure, so that the continuity and stability of work of the control system are guaranteed.

Description

A safety control redundant system for a fully intelligent master control system
Technical field
The utility model belongs to the field of industrial control and relates to a safety control redundant system for a fully intelligent master control system.
Background art
Fault-tolerant technology makes organized use of redundant resources, trading a linear increase in redundant resources for an exponential increase in reliability and safety. The redundancy design of fault-tolerant computers has attracted a great deal of attention and research, and many results have been obtained, such as dual-machine cold standby, dual-machine warm standby, dual-machine hot standby and dual-machine comparison systems. However, computer systems using these dual-machine (dual-modular) redundancy schemes all suffer from single-point failure, which is difficult to overcome: whenever a fault occurs, system operation must be interrupted, real-time performance is not high enough, and faults cannot be repaired online. A triple-modular redundant fault-tolerant computer eliminates these shortcomings: it can fully eliminate single points of failure and can repair faults online, which improves system safety.
Triple-modular redundancy is one of the most commonly used fault-tolerant design techniques. Three mutually redundant computer modules run handling programs with identical functions at the same time and synchronously acquire identical inputs, and the result of a two-out-of-three vote is taken as the correct output of the voting system. This majority-rule approach gives the fault detection mechanism very high detection coverage. When a device fault (software or hardware) may produce a wrong output, the probability of two identical errors occurring is generally very small, so as long as two computer modules do not produce the same erroneous result, the single-point failure is masked and the correct system output is guaranteed, which effectively improves the safety and reliability of a real-time embedded system. After any one computer module fails, the triple-modular redundancy system can degrade to dual-machine operation, still output correct results without interrupting normal system operation, and also reconstruct and recover the faulty machine. After reconstruction is complete, the faulty machine can work again. Compared with a dual-machine fault-tolerant system, which can only drive its outputs to safe values in the fault state, it guarantees not only system safety under a single fault but also the continuity and stability of system operation.
Summary of the utility model
In view of the above problems in the prior art, the purpose of the utility model is to solve the problem that a control scheme using a distributed control system (DCS) with dual-machine warm standby control does not fully consider the accuracy of the control result and cannot recover by itself after a failure. To that end, a safety control redundant system and redundancy method for a fully intelligent master control system are proposed.
The safety control redundant system for a fully intelligent master control system is characterized in that it comprises a group of control templates and a group of I/O templates. The control templates and the I/O templates communicate over a CAN bus. The control templates comprise a main control template and two sub-control templates arranged on either side of the main control template; the main control template and the sub-control templates communicate over Ethernet. Each I/O template is provided with a group of I/O modules, and each I/O module is provided with 3 I/O acquisition channels.
The safety control redundant system is further characterized in that the CAN bus communication and the Ethernet communication both use a dual redundant backup structure, with two networks formed by duplicated network protocol controllers and duplicated cables.
The safety control redundancy method is characterized in that the main control template, the sub-control templates and the I/O templates are each an independent computer system comprising a power supply, CPU, memory, bus and interface logic.
The safety control redundancy method is characterized in that it comprises the following steps:
1) The control system is powered on. After system initialization is complete, the main control template sends polling request commands in turn, according to the acquisition cycle of each control variable, to the I/O template on which each control variable resides.
2) After the I/O template receives the polling request command, it reads the sampled value of the I/O module corresponding to that control variable: it reads the sampled values on the 3 connected I/O acquisition channels, obtains the final sampled value by two-out-of-three voting, and sends it to the main control template and the sub-control templates in broadcast mode.
3) After the main control template and the sub-control templates receive this sampled value at the same time, they perform task synchronization and execute the identical control operation, each obtaining its own operation result.
4) The main control template reads the operation results of the sub-control templates and obtains the final operation value by two-out-of-three voting on the three operation results.
5) The main control template sends the final operation value to the corresponding I/O template, and also sends it to the two sub-control templates as the exact value.
The safety control redundancy method is characterized in that the main control template communicates with the I/O templates and the sub-control templates in point-to-point mode, and the I/O templates communicate with the main control template and the sub-control templates in broadcast mode.
The safety control redundancy method is characterized in that the two-out-of-three voting is based on the majority-rule error correction principle: software applies the two-out-of-three principle and takes the identical output of the majority as the correct output of the voting system.
The safety control redundancy method is characterized in that the sampled values collected by the I/O templates comprise digital quantities, analog quantities and pulse quantities.
The safety control redundancy method is characterized in that, during the voting in step 4), when the operation result of one control template is inconsistent with those of the other two, that control template is considered to have failed. Faults are divided into transient faults, catastrophic faults and permanent faults.
The safety control redundancy method is characterized in that, when a control template suffers a catastrophic fault, the system performs degraded reconstruction on it, meaning that the main control template powers it on and restarts it. Until that control template runs normally again, the system is controlled jointly by the other two control templates. After the power-off restart, if the template works normally, its working-site data (its execution context) are restored and upgrade reconstruction is performed on it, and the system reverts to the triple-redundancy control mode.
The safety control redundancy method is characterized in that upgrade reconstruction refers to the process by which a control template that suffered a catastrophic fault, having restarted normally, takes part in control again so that the system recovers the triple-redundancy control mode. During upgrade reconstruction the main control template sends it the working-site data so that the states of the 3 control templates are synchronized. By organizing the working-site data into suitable data frames, managing the working-site data area effectively, and transferring working-site data only in the idle time of the main control template's control tasks, the system can work continuously during reconstruction without interrupting normal tasks.
Compared with the prior art, the above technology gives the utility model the following beneficial effects. The utility model applies triple redundancy to a distributed control system (DCS) and uses two-out-of-three voting repeatedly for the acquisition and processing of data within the system. Whereas traditional triple redundancy uses a hardware voting module to compare the three machines' calculation results and output the voting result, here, in keeping with the distributed system, the main control template performs the two-out-of-three vote in software. Two-out-of-three voting on the acquired data guarantees the accuracy of the system input; two-out-of-three voting on the control templates' operation results guarantees the accuracy of the system's calculation; dynamic switching of the main control template ensures that the control template in the best health serves as the main control template, which further improves system accuracy and achieves the goal of safe system control; and seamless reconstruction of a failed control template lets the control module recover from faults by itself, which guarantees the stability of the control system's operation.
Description of drawings
Fig. 1 is a circuit diagram of the utility model;
Fig. 2 is a structural diagram of the data acquisition part of the utility model;
Fig. 3 is a diagram of the data exchange structure of the utility model;
Fig. 4 is a diagram of the task synchronization structure of the control templates of the utility model.
In the figures: 1 - Ethernet, 2 - control template, 3 - CAN bus, 4 - I/O template, 5 - I/O module, 6 - I/O acquisition channel.
Specific embodiments
The utility model is described further below with reference to the accompanying drawings.
As shown in Figs. 1-4, a safety control redundant system for a fully intelligent master control system comprises a group of control templates 2 and a group of I/O templates 4. The control templates 2 and the I/O templates 4 communicate over CAN bus 3. The control templates 2 comprise a main control template 202 and two sub-control templates 201 arranged on either side of main control template 202; main control template 202 and the sub-control templates 201 communicate over Ethernet 1. Each I/O template 4 is provided with a group of I/O modules 5, each I/O module 5 is provided with 3 I/O acquisition channels 6, and each I/O module 5 corresponds to one control variable. CAN bus 3 communication and Ethernet 1 communication both use a dual redundant backup structure, with two networks formed by duplicated network protocol controllers and duplicated cables; in each of the two communication modes, the two hardware channels have exactly the same hardware structure. Under normal conditions each network node can send and receive over both buses at the same time. If communication errors occur repeatedly on one channel, that channel is considered faulty; it is shut down and isolated, and all communication tasks are switched to the other channel. Each control template 102 and I/O template 4 is an independent computer system with its own power supply, CPU, memory, bus and interface logic.
As shown in Figs. 1-4, the safety control redundancy method for a fully intelligent master control system of the utility model comprises input of information, two-out-of-three voting on the input information, the control operation, exchange of operation results, software two-out-of-three voting on the output results, and output of the control result. Specifically, it comprises the following steps. The control system is powered on; after system initialization is complete, main control template 202 sends polling request commands in turn, according to the acquisition cycle of each control variable, to the I/O template 4 on which each control variable resides. After I/O template 4 receives the polling request command, it reads the sampled value of the I/O module 5 corresponding to that control variable: I/O template 5 reads the sampled values on the 3 connected I/O acquisition channels 6, obtains the final sampled value by two-out-of-three voting, and sends it to main control template 202 and the sub-control templates 201 in broadcast mode. After main control template 202 and the sub-control templates 201 receive this sampled value at the same time, they perform task synchronization and execute the identical control operation, each obtaining its own operation result. Main control template 202 reads the operation results of the sub-control templates 201 and obtains the final operation value by two-out-of-three voting on the three operation results. Main control template 202 sends the final operation value to the corresponding I/O template 4, and also sends it to the two sub-control templates 201 as the exact value. Communication from main control template 202 to I/O template 4 and the sub-control templates 201 uses point-to-point mode, and communication from I/O template 4 to the control templates 102 uses broadcast mode. Each control template 102 takes the simultaneous reception of the acquired data from I/O template 4 as the starting point of task synchronization, and task-level synchronization is then achieved through mutual communication over Ethernet 1.
The "two-out-of-three voting" mechanism of this safety control redundancy method is based on the error correction principle that the minority yields to the majority: software applies the "two-out-of-three" principle and takes the identical output of the majority as the correct output of the voting system. Voting is applied both to input data and to output data.
As shown in Fig. 2, the system input comprises state quantities such as analog quantities, digital quantities and pulse quantities. I/O template 4 performs two-out-of-three voting on the data collected through the three I/O acquisition channels 6 of each I/O module 5, which masks single-point failures that occur during acquisition. After voting is complete, I/O template 4 broadcasts the voting result to main control template 202 and the sub-control templates 201 over CAN bus 3. If the data acquired by the system are analog quantities, the analog input vote is carried out by a truncation-error method. A voting precision is set and the input data are voted on as follows: when the data of all three I/O acquisition channels 6 are within the specified precision range, the mean of the three I/O acquisition channels 6 is taken as the acquisition result; if the error between the data of one I/O acquisition channel 6 and the other two I/O acquisition channels 6 exceeds the allowed precision range, the mean of the other two I/O acquisition channels 6 is taken as the acquisition result; if the errors between all three I/O acquisition channels 6 exceed the specified precision, the error setting is considered improper, and the mean of the three I/O acquisition channels 6 is again used as the data value. When the data to be voted on are switching quantities or digital quantities, no error can be allowed; when the states collected by the three I/O acquisition channels 6 are not fully consistent, the result is obtained by software two-out-of-three voting.
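The analog and digital voting rules above, written out as an added C example (not code from the patent). The type and function names are hypothetical, and the case where two channel pairs agree but the extremes do not is not covered by the text and is handled here as an assumption.

```c
#include <stdint.h>
#include <stdio.h>

typedef enum {
    VOTE_ALL_AGREE,         /* three channels within tolerance: mean of three */
    VOTE_ONE_OUTLIER,       /* one channel masked: mean of the agreeing pair  */
    VOTE_TOLERANCE_SUSPECT  /* no single outlier identifiable: mean of three  */
} vote_status_t;

typedef struct {
    double value;           /* voted sample broadcast to the control templates */
    vote_status_t status;
    int outlier;            /* index 0..2 of the masked channel, -1 if none */
} analog_vote_t;

static int within(double x, double y, double tol)
{
    double d = x - y;
    return (d < 0 ? -d : d) <= tol;
}

/* Analog two-out-of-three vote over the three acquisition channels,
 * with `tol` playing the role of the configured voting precision. */
analog_vote_t vote_analog(const double ch[3], double tol)
{
    int ab = within(ch[0], ch[1], tol);
    int bc = within(ch[1], ch[2], tol);
    int ac = within(ch[0], ch[2], tol);
    analog_vote_t r = { (ch[0] + ch[1] + ch[2]) / 3.0, VOTE_ALL_AGREE, -1 };

    if (ab && bc && ac)
        return r;
    if (ab + bc + ac == 1) {            /* exactly one pair agrees */
        r.status = VOTE_ONE_OUTLIER;
        if (ab)      { r.outlier = 2; r.value = (ch[0] + ch[1]) / 2.0; }
        else if (bc) { r.outlier = 0; r.value = (ch[1] + ch[2]) / 2.0; }
        else         { r.outlier = 1; r.value = (ch[0] + ch[2]) / 2.0; }
        return r;
    }
    /* No pair agrees (the third case in the text), or two pairs agree but
     * the extremes do not (not covered by the text; treated the same way
     * here as an assumption). The mean of three is kept and the caller is
     * told that the precision setting is suspect. */
    r.status = VOTE_TOLERANCE_SUSPECT;
    return r;
}

/* Digital vote: each bit takes the value held by at least two channels. */
uint32_t vote_digital(uint32_t a, uint32_t b, uint32_t c)
{
    return (a & b) | (b & c) | (a & c);
}

/* Bits on which channel x lost the vote; non-zero marks a suspect channel. */
uint32_t dissent_bits(uint32_t x, uint32_t voted)
{
    return x ^ voted;
}

int main(void)
{
    /* Constructed samples: channel 1 is stuck far from the other two. */
    double sample[3] = { 10.0, 50.0, 10.5 };
    analog_vote_t r = vote_analog(sample, 1.0);
    uint32_t v = vote_digital(0xF0u, 0xF1u, 0x70u);

    printf("analog: value=%.2f status=%d outlier=%d\n",
           r.value, (int)r.status, r.outlier);
    printf("digital: voted=0x%02X dissent(ch1)=0x%02X dissent(ch2)=0x%02X\n",
           (unsigned)v, (unsigned)dissent_bits(0xF1u, v),
           (unsigned)dissent_bits(0x70u, v));
    return 0;
}
```

Reporting the masked channel index and the dissenting bits lets the I/O template log which acquisition channel keeps losing votes, in addition to masking it.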
In Fig. 3, when the sampling cycle of a control variable arrives, main control template 202 sends a polling request to the I/O template 4 corresponding to that variable. After I/O template 4 receives the request command, it sends the sampling voting result for that variable to main control template 202 and the two sub-control templates 201 in broadcast mode. After main control template 202 and the sub-control templates 201 receive the sampled data from I/O template 4 at the same time, they execute the identical control operation. When main control template 202 has finished its operation, it reads the control results from the two sub-control templates 201 in turn; each sub-control template 201 sends its control result to main control template 202 after receiving the request command. Main control template 202 then performs two-out-of-three voting on the three machines' control results and sends the control voting result to I/O template 4 and the two sub-control templates 201. The two-out-of-three vote on the control results is there to eliminate errors introduced by calculation. The control voting result is sent to the two sub-control templates 201 as the exact value so that a control template that has failed continues to execute in a correct data environment.
Throughout the process by which the control system completes a control task, the work of main control template 202 and the sub-control templates 201 must be synchronized. Synchronization is the basis of voting: only when the three machines are synchronized, so that they collect the same input signal and the data of main control template 202 and all sub-control templates 201 belong to the same voting cycle when main control template 202 votes on the control results, can the triple-redundancy function really be achieved and single-point failures masked. If the redundant modules are not well synchronized, the voting results will be in disorder and the system cannot work normally and reliably.
As shown in Fig. 4, this scheme synchronizes main control template 202 and the sub-control templates 201 as follows. At the start of a task, main control template 202 sends a polling request to I/O template 4, and I/O template 4 sends the sampling voting result onto CAN bus 3 in broadcast mode, so main control template 202 and the sub-control templates 201 receive the same input signal at the same time and execute the identical control operation. The time the operation takes may differ, however: main control template 202 and the two sub-control templates 201 finish the control operation at moments a, b and c respectively. After finishing its operation, main control template 202 requests the control operation result from a sub-control template 201 at moment d. The sub-control template 201 receives the request at moment e, but at that time it has not finished its control operation, so it does not respond for the time being. Main control template 202 waits for its response within a maximum time limit; if the maximum time limit is reached, it abandons this request, records a task-synchronization-abnormal marker, and uses the operation result of the main control template as the output. After finishing its control operation at moment b, the sub-control template 201 sends its control operation result to main control template 202 at moment f. Main control template 202 receives the returned result at moment g and at moment h requests the control operation result from the other sub-control template 201; the other sub-control template 201 receives the request at moment i and sends its control operation result to main control template 202 at moment j. After receiving the returned result at moment k, main control template 202 votes on the three machines' control results and at moment l sends the voting result to I/O template 4 and the two sub-control templates 201.
The core idea of the task synchronization of the utility model is mutual waiting among the three machines: a certain waiting time is inserted into the task on the control template that runs faster, so that the three machines are synchronized. To handle the case where the data of the three machines are not in the same voting cycle, one byte (0-255) is used to represent the cycle sequence number of the current task. When the cycle sequence number in a control operation result received by main control template 202 differs from its own, the operation result of main control template 202 is used as the output, and the other side is notified to change its cycle sequence number to the current cycle sequence number of main control template 202.
When a sub-control template 201 cannot synchronize accurately, its voted data are incorrect, or it returns no control operation result, it is said to have failed. This scheme tolerates faults of various durations. By degree of harm, the faults of a sub-control template 201 are divided into transient faults, catastrophic faults and permanent faults. A transient fault is a discrete fault that occurs occasionally. When a fault is found in a sub-control template 201, to avoid taking it offline too early because of a transient fault, the system first assumes that the fault is transient and allows the sub-control template 201 to keep running with data that comparison has determined to be correct. If the sub-control template 201 then runs normally and its record of good operation reaches the admissible threshold, the fault is determined to be transient and the system readmits the sub-control template 201. If the sub-control template 201 continues to produce faults and the accumulated number of faults exceeds a preset value, it is considered to have suffered a catastrophic fault, and main control template 202 powers it on and restarts it. Until the sub-control template 201 runs normally again, the system automatically degrades from triple redundancy to dual redundancy and continues to run, controlled jointly by the other two control templates. In dual-redundancy control mode, an alarm should be raised when the two machines' calculation results are inconsistent; the output data may then be those of the healthy control template selected according to machine state, which may be the data of main control template 202, or the output may be forced immediately to a preset safe value. After the faulty sub-control template 201 has been powered on and restarted, the system performs upgrade reconstruction and returns to the triple-redundancy control mode: main control template 202 sends the working-site data to the faulty control template so that the state of the sub-control template 201 is synchronized. If the faulty sub-control template 201 cannot run normally after the restart, the fault is called permanent; an alarm must be raised so that the control template is repaired manually or replaced, and the system maintains dual-redundancy control until the faulty control template is repaired.
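The fault classification described above as a per-template state machine, added here as an example and not taken from the patent. The names, the two threshold values and the reset of the fault count on readmission are assumptions; the text only says that both limits are preset.

```c
#include <stdio.h>

/* Assumed values: the text only states that these limits are preset. */
#define GOOD_THRESHOLD 5   /* consecutive good cycles needed for readmission */
#define FAULT_LIMIT    3   /* accumulated faults tolerated before a restart  */

typedef enum { T_HEALTHY, T_SUSPECT, T_RESTARTING, T_PERMANENT } tstate_t;

typedef struct {
    tstate_t state;
    int faults;     /* faults accumulated since the template was last trusted */
    int good_run;   /* consecutive good cycles while under suspicion          */
} thealth_t;

/* Feed the outcome of one voting cycle for control template 201.
 * ok == 0 covers a result that lost the vote, a missing response within
 * the maximum wait, or a cycle sequence number mismatch. */
tstate_t on_cycle(thealth_t *h, int ok)
{
    switch (h->state) {
    case T_HEALTHY:
        if (!ok) {                      /* first assume a transient fault */
            h->state = T_SUSPECT;
            h->faults = 1;
            h->good_run = 0;
        }
        break;
    case T_SUSPECT:
        if (ok) {
            if (++h->good_run >= GOOD_THRESHOLD) {
                h->state = T_HEALTHY;   /* transient confirmed: readmit */
                h->faults = 0;          /* assumption: count starts over */
            }
        } else {
            h->good_run = 0;
            if (++h->faults > FAULT_LIMIT)
                h->state = T_RESTARTING;  /* catastrophic: restart it */
        }
        break;
    default:
        break;                          /* not part of the vote right now */
    }
    return h->state;
}

/* Outcome of the restart ordered by the main control template. A template
 * that comes back is trusted again once upgrade reconstruction has
 * synchronized its state; one that does not is a permanent fault. */
tstate_t on_restart_result(thealth_t *h, int came_back)
{
    if (h->state == T_RESTARTING) {
        h->state = came_back ? T_HEALTHY : T_PERMANENT;
        h->faults = 0;
        h->good_run = 0;
    }
    return h->state;
}

/* 3 = triple redundancy, 2 = degraded dual redundancy. */
int redundancy_level(const thealth_t *h)
{
    return (h->state == T_RESTARTING || h->state == T_PERMANENT) ? 2 : 3;
}

/* Replay a constructed trace: 'g' good cycle, 'f' faulty cycle,
 * 'R' restart succeeded, 'X' restart failed. */
thealth_t run_trace(const char *trace)
{
    thealth_t h = { T_HEALTHY, 0, 0 };
    for (; *trace; trace++) {
        if (*trace == 'g' || *trace == 'f')
            on_cycle(&h, *trace == 'g');
        else
            on_restart_result(&h, *trace == 'R');
    }
    return h;
}

int main(void)
{
    const char *traces[] = { "fggggg", "fgfgfgf", "fgfgfgfR", "fgfgfgfX" };
    for (int i = 0; i < 4; i++) {
        thealth_t h = run_trace(traces[i]);
        printf("%-9s -> state=%d level=%d\n",
               traces[i], (int)h.state, redundancy_level(&h));
    }
    return 0;
}
```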
Wherein system upgrade reconstruct mainly comprises the steps such as fault restoration, reconstruct identification, working site recovery, re-synchronization.
Fault divide control template 201 power on restart after, can be in Ethernet 1 broadcasting " I am alive " information, powering on separately that system initially powers on or the reconstruct of upgrading causes in order to distinguish this electrifying startup, if fault divides control template 201 to receive within a certain period of time the identical information of another minute control template 201 or main control template 202, then for initially powering on, do not apply for reconstruct; If receive within a certain period of time this information of another minute control template 201 or main control template 202, then for powering on separately, to another minute control template 201 or main control template 202 apply for reconstruct.
After recognizing the reconstruct request, system will enter the working site and return to form, and divides control template 201 to carry out the working site by 202 pairs of faults of main control template and resumes work.The recovery in machine state and internal storage data district is recovered to comprise in the working site, divide on the control template 201 to fault by current state and memory data copy with main control template 202, after making fault divide the state consistency of control template 201 and main control template 202, continue operation from current point.But this reset mode need to exchange a large amount of data between two-shipper, reconstitution time and two-shipper exchanges data speed and exchanges data amount are closely related, adopts 100M baud rate Fast Ethernet 1 in this programme.Common restoration methods is to carry out intensive data to recover, and namely system stops the operation of control task in the rejuvenation.In order to make system interrupt normal tasks at restructuring procedure, can continuous working, recognize after the reconstruct request, main control template 202 does not begin immediately to carry out the scene and recovers.After main control template 202 just arranges a remodeling, continue the task program of normal operation, treat that the fault of reconstruct divides 201 of templates of control to remain on the reconstruct waiting status.Only have the main control template 202 of working as to enter idle condition, and satisfy after the transmission time requires by the free time that the timeslice timer reads, just its critical data district and key state being sent to the fault that will recover by Ethernet 1 divides and controls template 201, after fault divided 201 pairs of receive datas of control template to carry out the correctness verification, the execution that recovers self with it was on-the-spot.When the 202 free times end of main control template, no matter whether reconstruct 
recovers all to finish, and all can withdraw from reconstruct rejuvenation, enters normal tasks carrying process.After the main control template enters free time again, just can restart the on-the-spot data transfer procedure that recovers.After the scene recovered to finish, fault divided control template 201 to reenter a normal synchronously waiting status, and the residing cycle sequence number of main control template 202 transmission current tasks is divided control template 201 to fault, then begins together the normal implementation of triplication redundancy.
202 pairs of faults of main control template divide control template 201 to carry out scene when recovery, first reconstruct are recovered the packet that data are divided into suitable size, make a packet finish transmission in general free time of main control template 202 scope.Main control template 202 judges first when transmitting whether free time satisfy the transmission time requirement, if remaining free time is not enough, then forbids the transmission of reconstruct data.So just can reduce as much as possible data under the reconstruct recovery pattern and transmit impact on system task so that the reconstruct data delivery time obtains controlling comparatively accurately, the free time that can maximally utilise again system simultaneously is reconstructed recovery.
The region of memory of wherein storing field data is called the critical data district, generally consisted of by significant datas such as global variable, static data and task stacks, and can be a continuous region of memory, also can be formed by a plurality of internal storage data pieces.By careful selection critical data district, the data conveying capacity in the time of can greatly reducing system reconfiguration reduces the requirement to the data exchange rate, effectively reduces the system reconfiguration time.
If, following the usual method, the field data is sent in order from main control template 202 to the restarted faulty sub-control template 201 or to a newly added sub-control template 201, and some data in the critical data area changes after it has been transmitted, the data recovered by reconstruction will be incorrect.
This scheme uses a singly linked list to manage the critical data blocks as a queue ordered by update frequency. In the reconstruction program, each critical data block is given a data block list entry containing the data block address range, a recovery flag and an update flag, among other items, and the entries are queued in the order in which they were added. During data recovery, all data blocks are recovered in turn from the head of the queue to the tail. Initially the recovery flag of every entry is 0 and the update flag is 1. The state of a data block is determined from its recovery flag and update flag so that it can be handled accordingly. The critical-area data management method is as follows:
1) When recovery of a data block begins, its recovery flag is set to 1 and its update flag is set to 0; after recovery finishes, the recovery flag is cleared to 0 again. If the update flag becomes 1 during recovery, the data block is considered to have been updated: recovery of it stops immediately, its recovery flag is reset to 0, it is moved to the tail of the queue, and recovery proceeds to the next data block.
2) When a data block is updated, its update flag is set to 1. If its recovery flag is not 1, the data block has either already been recovered or has not yet had its turn for recovery; in either case it is moved to the end of the queue.
3) Before sending the reconstruction-finished command frame, the recovery routine must re-check the update flag in every data block list entry in the queue. Data recovery is considered fully complete only when the update flag of every data block is 0. If the update flag of any data block is 1, that block is moved to the tail of the queue and recovery of it is restarted.
With this method, frequently updated data blocks are pushed to the tail of the queue and their recovery is postponed. This effectively reduces the number of times frequently updated data blocks are transmitted, and so saves reconstruction time, while also guaranteeing that the data copied to the faulty machine is consistent with the normal machine at the time of reconstruction.
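The three queue rules above, as an added example that is not code from the patent: a singly linked queue of block entries carrying the recovery and update flags (marks), a write handler for rule 2, and a recovery loop for rules 1 and 3. The names, the callback that stands in for the control task writing during a transfer, and the three-block scenario are assumptions; the address range in each entry is omitted.

```c
#include <stddef.h>

typedef struct Block {
    int id, recovering, updated;          /* recovery flag and update flag */
    struct Block *next;
} Block;
typedef struct { Block *head, *tail; } Queue;

static void push_tail(Queue *q, Block *b) {
    b->next = NULL;
    if (q->tail) q->tail->next = b; else q->head = b;
    q->tail = b;
}
static void move_to_tail(Queue *q, Block *b) {
    Block **pp = &q->head;
    while (*pp && *pp != b) pp = &(*pp)->next;
    if (!*pp || !b->next) return;         /* not queued, or already last */
    *pp = b->next;                        /* unlink, then append */
    push_tail(q, b);
}
static void on_write(Queue *q, Block *b) {   /* rule 2: the control task wrote b */
    b->updated = 1;
    if (!b->recovering) move_to_tail(q, b);
}
/* Rules 1 and 3. Returns the transfer attempts made, or -1 if limit is hit. */
static int recover_all(Queue *q, void (*hook)(Queue *, int), int limit, int *order) {
    for (int n = 0;;) {
        Block *b = q->head;
        while (b && !b->updated) b = b->next;
        if (!b) return n;                    /* rule 3: every update flag is 0 */
        if (n == limit) return -1;
        b->recovering = 1; b->updated = 0;   /* rule 1: transfer starts */
        order[n++] = b->id;
        if (hook) hook(q, n);                /* control task may write meanwhile */
        b->recovering = 0;
        if (b->updated) move_to_tail(q, b);  /* changed mid-transfer: redo later */
    }
}

/* Constructed scenario: three blocks, two writes during recovery. */
static Block g_blk[3]; static Queue g_q; static int g_order[16];
static void demo_hook(Queue *q, int n) {
    if (n == 1) on_write(q, &g_blk[0]);      /* written while being transferred */
    if (n == 3) on_write(q, &g_blk[1]);      /* written after it was recovered */
}
static int run_demo(void) {
    g_q.head = g_q.tail = NULL;
    for (int i = 0; i < 3; i++) {
        g_blk[i] = (Block){ i, 0, 1, NULL }; /* initial: recovery 0, update 1 */
        push_tail(&g_q, &g_blk[i]);
    }
    return recover_all(&g_q, demo_hook, 16, g_order);
}
int main(void) { return run_demo() == 5 ? 0 : 1; }
```

The two written blocks are each sent twice and end up behind the untouched block 2, which is sent once.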
While the system carries out the work described above, which of the three control templates acts as main control template 202 is not fixed; mastership can be switched dynamically. When the fault count of main control template 202 exceeds that of the other two sub-control templates 201, or when a communication abnormality or idle condition occurs on main control template 202, mastership should be switched and the sub-control template 201 with the lowest fault count takes over as main control template 202. To prevent repeated switching of main control template 202, a buffer count can also be set: mastership is switched only when the fault count of the current main control template 202 exceeds that of the currently healthiest sub-control template 201 by more than the buffer count.

Claims (3)

1. A safety control redundant system for a fully-intelligent master control system, characterized in that it comprises a group of control templates (2) and a group of I/O templates (4); the control templates (2) and the I/O templates (4) communicate via a CAN bus (3); the control templates (2) comprise a main control template (202) and two sub-control templates (201) arranged respectively on the two sides of the main control template (202); the main control template (202) and the sub-control templates (201) communicate via Ethernet (1); the I/O template (4) is provided with a group of I/O modules (5), and each I/O module (5) is provided with 3 I/O acquisition channels (6).
2. The safety control redundant system for a fully-intelligent master control system according to claim 1, characterized in that the CAN bus (3) communication and the Ethernet (1) communication both adopt a dual redundant backup structure, in which dual network protocol controllers and paired cables form two networks.
3. The safety control redundancy method for a fully-intelligent master control system according to claim 1, characterized in that the main control template (202), the sub-control templates (201) and the I/O template (4) are each independent computer systems comprising a power supply, CPU, memory, bus and interface logic.
CN2012203148929U 2012-07-02 2012-07-02 Safety control redundant system for fully-intelligent master control system Expired - Lifetime CN202794885U (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2012203148929U CN202794885U (en) 2012-07-02 2012-07-02 Safety control redundant system for fully-intelligent master control system

Publications (1)

Publication Number Publication Date
CN202794885U true CN202794885U (en) 2013-03-13

Family

ID=47822120

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2012203148929U Expired - Lifetime CN202794885U (en) 2012-07-02 2012-07-02 Safety control redundant system for fully-intelligent master control system

Country Status (1)

Country Link
CN (1) CN202794885U (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102799104A (en) * 2012-07-02 2012-11-28 浙江正泰中自控制工程有限公司 Safety control redundant system and method for fully-intelligent master control system
CN108255123A (en) * 2018-01-16 2018-07-06 广州地铁集团有限公司 Train LCU control devices based on the voting of two from three software and hardware
CN108255123B (en) * 2018-01-16 2021-08-24 广州地铁集团有限公司 Train LCU control equipment based on two software and hardware voting

Legal Events

Date Code Title Description
C14 Grant of patent or utility model
GR01 Patent grant
CX01 Expiry of patent term

Granted publication date: 20130313