DE2023117A1 - Fail-safe control system for the transmission of digital information - Google Patents

Description

Fail-safe control system for the transmission of digital information The invention relates to a modularly constructed fail-safe control system for the transmission of digital information between a digital computer and with this process peripheral devices coupled in on-line operation within one Automation system in which the device has several data processing levels having control system initiates the process of information transmission from the computer steers in both directions.

Such a control system is required for use in an automation system for controlling and monitoring industrial processes, Manufacturing and movement processes of all kinds. In all applications there is one direct (on-line) connection between the automation system and the one to be automated Plant, so that changes in the operational status or the requirements on the plant can be quickly recorded, evaluated and converted into tax actions, That The control system, also known as the traffic distributor, has the task of providing information between the process computer and the peripheral devices word by word in both directions to transport. All facilities are counted as peripheral devices9 record the data and measured values in one process and the information and control commands to the process or to its supervisory bodies. Also peripheral devices in this context are all facilities that are involved in the process Allow information to be exchanged between humans and process computers, such as B. light indicators, Keyboards, teletypewriters and log typewriters.

Due to its expansion, the control system must easily perform a specific task can be customized; that is, it should be modularly structured9 and the type and The number of modules used must be freely combinable the effort for control and addressing with small expansion stages can be small and may only increase accordingly with larger expansion stages.

The control system is program-controlled with the process computer Input / output channel connected; therefore the computer determines the type and direction of the The control system transports information through input / output commands that it contains in its running program found.

An input / output operation through the control system requires processing a sequence of several I / O commands from the computer, each command being a specific one Performs micro-operations, such as information input, output, state test an addressed control system assembly and error messages.

The control system that receives the I / O commands decodes them and uses it to control the internal information and control signal transports. Output information and address are also saved there, as is the input information kept ready for input into the computer. Are such tax systems in a safe automation system used for control purposes, for example and monitoring of nuclear power plants, chemical industrial plants, vehicles and whose safety devices are used in the transport sector, in which an error occurs catastrophic results, putting human life at risk or major property damage may be caused, so will be increased demands on security and Availability provided.

The conditions are defined as follows: a) By a single failure of a component, a signal connection or a peripheral device (e.g.

defective sensor), no incorrect data output or Control commands are caused.

b) The automation system must continue to work without restriction and continue to be fully available, c) The error must be indicated to the operating personnel the system at the earliest possible point in time - during operation - to be able to repair.

With the simultaneous occurrence of two independent Errors or with the occurrence of another error before the first one is repaired is not calculated as the probability of this is sufficiently low. In this case, no conditions are placed on security.

The object of the present invention is therefore to provide a modular structure fail-safe control system for the transmission of digital information between a digital computer and process peripheral devices coupled to it in on-line operation specify within an automation system that meets the aforementioned security requirements Fulfills. According to the invention, this object is achieved by a structure of the control system from three identical, independent information processing channels, in which the same data is processed isochronously and within the channels between the data processing levels implemented in integrated circuit technology Switched on minority and error monitoring circuits from intrinsically safe logic modules for the regeneration and display of faulty signals caused by errors within or occur outside the tax system.

All necessary for the functioning of the fail-safe control system Signal processing is available three times in identical channels. Every channel is Functional on its own, so it has its own power supply also its own periphery. Whether each channel has its own input output one single secure computer (polymorphic computer) or to one of three existing computers (triple computers) are connected for the control system irrelevant for the construction of the majority and error monitoring circuits intrinsically safe logic modules used have already been proposed and in the patent applications P 19 33 713.4, P 19 50 330.1, P 19 50 331029 P 2o 14 135o9 and P 20 14 110.0 It is an alternating current logic, in which in each module Depending on the input logic, an alternating voltage is generated by an oscillator will. A central clock is therefore not required for the entire system.

The logic signals L and 0 are defined as follows: a) The L signal is represented by the envelope of an alternating voltage.

b) The 0 signal means no alternating voltage.

The following conditions apply to the intrinsically safe modular system: 1.) Leads a logic module according to its logical function and the connected input signals at the output a 0 signal, if an internal error occurs (Component failure etc.) no L signal appears at the output.

2.) If the module carries an L signal at the output according to its logical one Function and the applied input signals, the output must occur when an internal error to switch to O-signal and also if the input signals Change again, continue to output an O signal.

3.) In the event of a line interruption or a short circuit in the output line of a safe logic module, all connected inputs should have an O signal (no AC voltage).

Each input of the safe AC modules consists of one potential-free primary winding of an alternating current transformer. The exit line a unit is looped through all input windings to be linked, the The end of the last input winding must be connected to + UB (operating voltage). This type of wiring applies to logical alternating current components (dyn. Circuits). It has the advantage that in the event of a wire break, the input circuits connected in series no input receives an L signal for control.

The invention is illustrated below with reference to that shown in FIGS. 1-3 Basic circuit diagrams explained in more detail.

1 shows a block diagram of the entire control system, Fig. 2 is a block diagram of the majority logic arrangement; and Fig. 3 is a block diagram of the fault monitoring circuits.

The block diagram of Fig. 1 shows the overall structure of the control system, in terms of device technology, it consists of three in conventional, integrated circuit technology constructed data processing levels D I, D II and D III and from two in between arranged majority and error monitoring levels Ü I and U II, which consist of intrinsically safe Logic modules are built up.

The modules 11-16 of the monitoring level Ü 1 regenerate and monitor the data traffic on the program-controlled input and output channels in both directions between the central unit lo of the process computer, which the Data processing level D I and the data processing level D II. The data processing level D II comprises control units 20, 21 and 22, group controls 23, 24 and 25 and block controls 26, 27 and 28 for channels K 1 - K 3, respectively, which correspond to the in fulfill the tasks mentioned in the introduction to the description. On their way of working however, it is not discussed in greater detail here, since this is necessary for the understanding of the invention Tax system is not required.

The assemblies 30-35, 40-45 and 50-55 of the majority and error monitoring level U II regenerate and monitor the traffic in both directions between the data processing level D II and the data processing level D III, which the I / O blocks 60, 70 and 80 includes. These I / O blocks include the interrupt input block 6o, the digital input block 70 (spontaneous input) and the analog input block 80. The respectively associated output blocks are not shown in FIG. 1, Of the three-channel interrupt input block 60 (interrupt input block) the task of signal changes that occur at one or more inputs, the Process computer lo via a collective interrupt signal on lines 61, 62 and 63 to be communicated regardless of the current program.

With the three-channel digital input block 70, digital Information transmitted at many input points as electronic signals or as Contact positions are present, can be read into the process computer. Multiple entry points are combined into one input word that is used within a digital input operation must be addressed by the computer and its information then as a computer double word is brought into the computer. The digital input block thus contains facilities for address decoding, for conjunctive linking of each input word with the associated address signal and for the disactive summary of the different Input words coming information signals.

The also three-channel analog input block 80 is used for Input of analog measured variables that are available as electrical voltages or currents, in the process computer lo. It consists of an analog-to-digital converter, which is one of the analog measured value corresponding binary number is generated, a preamplifier, the small one Analog voltages are amplified to the value required for the analog-to-digital converter, one or more input blocks, the measuring point switch for switching through the desired analog input points, and a control unit that controls the temporal The sequence of the analog input processes determines the addressing of the input blocks and controls the transport of information from the analog-to-digital converter.

The entire control system is set up using assemblies in such a way that that three independent channels K 1, K 2 and K 3 arise. Majority switching ML and fault monitoring circuits FÜ are within the monitoring levels il I and Ü II for each channel K 1, K 2 and K 3 and for each data direction (input / output) available separately. So z.

in the monitoring level U I for the channel K 1 the blocks 11, 12, for channel K 2, blocks 13, 14 and for channel K 3, blocks 15, 16. In the monitoring level U II blocks 30-35, 40-45 and 50-55. Each block contains majority and error monitoring circuits ML and FU. Your structure is in Figs. 2 and 3 described in more detail. The output lines of the fault control circuits FUs are not shown in the block diagram of FIG. 1 for the sake of a better overview been.

An error message is issued by an error monitoring circuit so that a specific interchangeable assembly is indicated. This assembly can then during the operation of the system by not shown in FIG Switches can be bridged and replaced without affecting the signal flow when disconnected Assembly is interrupted.

Fig. 2 shows the structure and arrangement of the majority circuits ML within the monitoring level U II, which is between the data processing level D II and the data processing level D III is arranged, using the example of the analog input block 80 of FIG. 1 for one data direction.

The task of the majority circuit is to generate the three parallel data processing channels K 1 - $ 3 of the data processing level D II (they correspond to the block controls 26, 27 and 28 of Fig. 1) output signals a 1 - an b 1 - bn, c 1 - cn also in the event of a channel failure, three-channel to the other three-channel data processing level D III, formed here by the analog input block 80, to be passed on. The whole Majority switching the monitoring level is U II, like all structural units of the control system according to the invention, from three identical circuits in the blocks 50, 52 and 54 and outputs α1 output signals from each of these circuits - αn, ß1 - ßn, γ1 -γb ab, the majority of their associated input signals al - an, b1 - bn, cl - cn correspond (e.g. two of three channel signals each the data processing level D II). With the output signals of each of the three concerned Majority circuits 50, 52 and 54 become one channel each. K1 K2, K3 of the data processing level D III controlled.

The individual circuits are made from intrinsically safe logic modules built on the basis of an alternating current logic and require them at their inputs Signal converters that convert static signals into dynamic signals, converter PD 561-566, and converters at their outputs, which send the signals in the opposite direction implement, converter PS 571-576.

The converters PD 561 - 566 marked with an asterisk are for the majority circuits ML and common for the error monitoring circuits FU Converter (see also Fig. 3).

All intrinsically safe logic modules are marked with a black triangle shown on the lower right edge of the block icon.

The conditions for the output signals α1, ß1, tV1 of the majority circuits 50, 52 and 54 are identical and their shape corresponds to the conditions for α2, ß2, γ2 to αn, ßn, γn.

α1 = ß1 = γ1 = a1 # bi + a1 # c1 + b1 # c1 Realized this condition is achieved by intrinsically safe OR / AND gates. Two of these gates each, z. B. 501 and 502 in channel K 1, 521 and 522 in channel K 2 and 541 and 542 in channel K 3 form a majority element. Each majority circuit 50, 52 and 54 includes according to their input signals al - an, b1 - bn, c1 - cn n-majority elements.

If there is an error in the data processing level D II, the work three channels of the data processing level D III without restriction. Another mistake this time in level D III therefore does not lead to a failure of the tax system. By the relatively small levels and frequent involvement of the majority circuits will be the Overall reliability of the control system increased while maintaining reliability of the individual elements.

Independent of the majority circuits shown in FIG ML, which allows the control system to continue working even after an error has occurred error monitoring circuits FU are necessary. These will too how the majority circuits ML are connected downstream of each data processing level and are supposed to detect incorrect processing by comparing each individual channel Detect output signal with the corresponding of the other two channels and to Bring a report. Depending on the logical degree of combination of the individual error signals is a more precise or less precise localization of the fault from the display possible. In general, it will be sufficient to have as many error signals as there are pluggable ones and thus easily interchangeable assemblies are available.

In Fig. 3, the signals a 1, b 1, c 1, etc. are with those in the Fig. 2 is identical, since the error monitoring circuit FU with the majority circuit ML must always be connected in parallel to the same output lines. Additionally be negated output signals a 1, b 1, c 1 etc. are required, which are transmitted by converter PD 581 - 586 can be generated.

For the error signals FK 1.1, i. H. Output line 1 error (a 1) in channel 1, FK 2.1, d. H. Error on output line 1 (b 1) in channel 2 and FK 3.1, d. H. Errors on output line 1 (c 1) in channel 3 are obtained for those involved Signal lines a 1, b 1, c 1 from the three data processing channels, the carry identical signals in undisturbed operation, following truth table: Signal states 0 # Error a1 b1 c1 FK 1.1 FK 2.1 FK 3.1 L L L L L L L L O L L O L O L L O L L O 0 O L L O L L O L L O L O L O L O O L L L O 0 0 O L L L One obtains in the appropriate Maxtermform FK 1.1 = (a1 + b1 + c1) (a1 + b1 + c1) FK 2.1 = (a1 + b1 + c1) (a1 + b1 + c1) FK 3.1 = (a1 + b1 + c1) (a1 + b1 + c1) For the functionally related Signal outputs a2, b2, c2 up to an, bn, cn can be used for corresponding logic functions derive. The circuit derived from the aforementioned conditions can therefore be im Are often used and therefore forms the from an OR / AND gate, z. B. 503, 523, 543, existing basic element for the construction of the error monitoring circuits in blocks 50, 52 and 54. Corresponding to the number of signals n there are n-FU elements present in each of the drive circuits 50, 52 and 54 for each channel.

The individual error signals FK 1.1 to FK 1.n; FK 2.1 to FK 2.n and FK 3.1 to FK 3.n are disjunctive with total error signals FK 1, FK 2 and FK 3 combined safe logic modules. Since an error signal with an O signal appears, will used for the combination AND gates 504, 524 and 544, which are used for signals the Deliver disjunction.

Quiescent current operated signal lights are provided for the visual display. A disjunctive combination of all error signals can trigger an acoustic message. It is also possible via an interrupt to detect an error in the operating log to print out.

Claims (3)

P a t e n t a n s p r ü c h e: 1. Modular fail-safe control system for transmission of digital information between and on-line with a digital computer Operation of coupled process peripheral devices within an automation system, in which the control system, which has several data processing levels in terms of equipment initiates the process of information transfer in both directions from the computer controls, characterized by the structure of the control system from three identical, mutually independent information processing channels in which the same data are processed isochronously and within the channels between the integrated Circuit technology implemented data processing levels switched on majority and Error monitoring circuits from intrinsically safe logic modules for regeneration and display of faulty signals caused by errors inside or outside of the tax system. 2. Control system according to claim 1, characterized by the arrangement separate majority and fault monitoring circuits within monitoring levels for each channel and for each data direction. 3. Control system according to claim 1 and 2, characterized by a Structure of the majority and error monitoring circuits from building blocks of an alternating current logic.