JP2001202101A - Duplex control system and program maintenance method for the system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a duplex control device with which a program can be simply and easily maintained through an on line in plant operation so as not to obstruct the continuation of plant operation and a program maintenance method for the control device. SOLUTION: In a duplex control system, there are provided the duplex control device, a simulation test device connected to the control device and an exclusive maintenance device connected to the duplex control device and the simulation test device. The duplex control device is provided with two CPU system, either one of which is a normal system for controlling a plant and the other of which is a stand-by system and a process input/output(PIO) device for transmitting/ receiving data for plant control to/from the plant connected to the two CPU system. The test device executes a new program for plant control, and the maintenance device substitutes the new program for an old plant control program.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a dual control system for controlling the operation of a plant, such as a power plant, using two identical programs and a program maintenance method thereof. The present invention relates to a redundant control system capable of performing program maintenance and a program maintenance method thereof.

[0002]

2. Description of the Related Art A conventional duplex control device will be described with reference to FIG. FIG. 1 is a block diagram showing a control configuration of a plant using a conventional redundant control device.

As shown in FIG. 1, this control configuration comprises a redundant control device 1, a plant 4, a dedicated maintenance device 2, and a backup operation device 5.

The redundant control device 1 has a CPU-A system (normal side) 6 and a CPU-B system (standby side) 7, each of which executes the same program 8. This execution includes a control operation by data input from the plant 4 via the process input / output device (PIO) 3 in the redundant control device 1. The control based on the calculation result is performed on the plant 4 only from the CPU-A system 6 via the process input device (PIO) 3 in the redundant control device 1 as shown in the figure.

[0005] The dedicated maintenance device 2 is connected to the redundant control device 1 and performs maintenance of the program 8 executed by the CPU-A system 6 and the CPU-B system 7.

The backup operating device 5 is a CPU-A
When both the system 6 and the CPU-B system 7 fail, the system is an aggregate of devices having operation terminals for performing operations for preventing the plant 4 from stopping and for safely stopping the plant 4.

In such a redundant control device, the CPU-
Only when the program 8 executed by the A system 6 and the program 8 executed by the CPU-B system 7 is the same, it functions as a redundant control device. Therefore, when the program 8 is to be changed during the operation of the plant 4, the change is limited to a portion that does not hinder the continuation of the operation of the plant 4. This is because it is necessary to temporarily stop the control of the part to be changed in both systems.

Further, the parameter adjustment during the operation of the plant 4 is performed so that the plant 4 is not seriously affected.
The process is executed after a provisional measure (a change of another parameter or the like) for giving some restriction to the control output to the plant 4 affected by the parameter adjustment is performed.

Further, a CPU-A system 6 and a CPU-B system 7
If both of the systems have failed, the process input / output device 3 holds the output necessary for continuing the operation of the plant 4,
After that, the backup operating device 5 directly receives data input from the plant 4 and thereby operates the plant 4.

[0010]

Therefore, in such a redundant control device, as described above, when the program is changed during the operation of the plant, it is necessary to temporarily stop the plant control based on the changed portion in both systems. For this reason, there has been a problem that the changeable portion is limited to a portion that does not hinder the continuation of the plant operation.

[0011] In addition, the parameter adjustment during the operation of the plant is intended to prevent a serious influence on the plant.
Prior to the adjustment, it is necessary to limit the output of the control output which is likely to be affected by the coordinator so as not to adversely affect the plant. Such provisional measures (some measures such as changing another parameter) increase the number of such places as the scale of the plant increases, making management difficult.
Since the time required for the maintenance becomes enormous, there is a possibility that the operation of the plant itself may be hindered.

Further, the backup operating device has a problem in that the number of operating terminals increases as the scale of the plant increases, and the backup operating device also increases in size accordingly, so that the cost increases. .

SUMMARY OF THE INVENTION The present invention has been made in view of such circumstances, and a dual control apparatus for controlling the operation of a plant by two identical programs and a program maintenance method therefor, in particular, for maintaining the operation of the plant. It is an object of the present invention to provide a redundant control device and a program maintenance method thereof, which can easily and easily perform online program maintenance during plant operation so as not to cause trouble.

[0014]

In order to solve the above-mentioned problems, a redundant control system according to the present invention includes a redundant control device, a simulation test device connected to the redundant control device, the redundant control device, A dedicated maintenance device connected to a simulation test device, wherein the redundant control device executes a plant control program, one of which is a regular system for the plant control and the other is a standby system.
A system CPU system, and a process input / output device that is connected to the two CPU systems and exchanges data for the plant control between the plant. The simulation test device includes a new plant control system. The present invention is characterized by comprising means for executing a program, and wherein the dedicated maintenance device comprises means for replacing the plant control program with the new program (claim 1).

The test by the simulation test device is a confirmation test of a new program, and the result is confirmed according to the actual plant operation by being connected to the redundant control device.
A new program is replaced by connecting the dedicated maintenance device and the redundant control device.

Further, a duplicate control system according to the present invention includes a duplicate control device, a simulation test device connected to the duplicate control device, and a dedicated maintenance device connected to the duplicate control device and the simulation test device. The dual control device has two CPU systems that execute a plant control program, one of which is a regular system for the plant control and the other is a standby system, and the two CPU systems
A process input / output device for exchanging data for the plant control between the plant and the plant, wherein the simulation test device is connected to a standby side of the two CPU systems, and Means for acquiring output data from the plant among the data for online, and means for executing a new program of the plant control by the acquired output data, the dedicated maintenance device, Means for comparing the result of the new program with the result of the program executed by the CPU system on the standby side, and the CPU on the standby side of the new program when the result of the comparison is a desired result.
Means for instructing download to the system,
The present invention is characterized by comprising means for instructing switching of a regular right of a PU system, and means for instructing writing of the downloaded new program to the other CPU system (claim 2).

The process measurement value (transmission input value) is transferred from the control device to the simulation test device online on the operation of the dedicated maintenance device. Using the input values, perform a mock test of all new programs, take the output state into the dedicated maintenance device, and take in the state of the program currently being controlled from the control device into the dedicated maintenance device, and compare the computation states of each other. Check the differences with the new program. After the confirmation, the program under control of the control device is replaced with all new programs, and the plant is controlled with the new programs.

Further, in the dual control system according to the present invention, the program and the new program are composed of a plurality of dividable parts, and the corresponding parts are interchangeable. Instructs to download the dividable part as the new program to the CPU system on the standby side.
It is instructed to write to the PU system (claim 3).

The process measurement value (transmission input value) is transferred from the control device to the simulation test device on-line by the operation of the dedicated maintenance device. Using the input values, perform a mock test on a partially modified program, capture the output status into the dedicated maintenance device, and capture the status of the currently controlled program from the control device into the dedicated maintenance device, and compare the computation status with each other. Then, confirm the difference from the partially modified program. The program of the corresponding part under the control of the control device is replaced only by the part to be changed in the divided program, and is rewritten instantaneously to control the plant.

Further, a redundant control system according to the present invention includes a redundant control device, a control device connected to the redundant control device, and a dedicated maintenance device connected to the redundant control device. The device executes a plant control program, one of which is a normal system for the plant control and the other is a standby system. The other two systems are connected to the CPU system. A process input / output device for exchanging data for the plant control, the control device includes a CPU system capable of executing the plant control program, and the dedicated maintenance device includes the two systems of CPUs. Means for selecting any two CPU systems of the system and the CPU system as a normal system and a standby system for the plant control. Claim 4).

When a program is changed during plant operation or when one of the redundant control devices goes down, the program is copied to another control device and the other control device is used as a standby system of the redundant control device. , Continue operation of the plant in duplex. Further, a redundant control system according to the present invention includes a plurality of redundant control devices that can be connected to each other, and a dedicated maintenance device connected to the plurality of redundant control devices, and the plurality of redundant control devices includes a plant control device. The two programs are executed, one of which is a normal system for the plant control and the other is a standby system, and the two systems are connected to the CPU system for controlling the plant. And a process input / output device for exchanging data of the respective devices, wherein the dedicated maintenance device is a CPU of any of the redundant control devices.
Means for acquiring and holding a program for plant control from a system, means for writing the held program to a CPU system of any of the redundant control devices, and the plant by a CPU system for executing the written program Means for giving an instruction to guide data for control to any of the process input / output devices.

When a program is changed during the operation of the plant or when one system of the redundant control device goes down, the program is copied to a memory for storing the program of the dedicated maintenance device. Then, the program is copied to the standby system of another redundant controller, and the operation of the plant is continued by performing control instead of the redundant controller when both systems are down or when both systems cannot be used.

Further, a redundant control system according to the present invention has a redundant control device and a simple operation device connected to the redundant control device, and the redundant control device executes a plant control program and executes One of which is a regular system for the plant control and the other is a standby system 2
A system CPU system, and a process input / output device that is connected to the two CPU systems and exchanges data for plant control between the plant and the plant. Means for acquiring data for the plant control of the apparatus, means for generating data for operating the plant based on the acquired data, and transmitting the generated data to the process input / output device or the CPU system. And means for transcribing (claim 6).

A process input / output device for inputting / outputting data from / to a plant connected to the control device, a simple operation device combining, for example, a monitor device and an operation device main body, and a process input / output device and a control device, respectively. By connecting the operating device main body that has been read, the operating device main body that reads input / output values from the process input / output device, and the monitor device, an analog or binary output value is operated.

Further, a redundant control system according to the present invention has a redundant control device and a simple operation device connected to the redundant control device, and the redundant control device executes a plant control program and executes One of which is a regular system for the plant control and the other is a standby system 2
A system CPU system, and a process input / output device that is connected to the two systems of CPU systems and exchanges data for controlling the plant between the plant. The simple operation device includes the two systems of the two systems. Means for acquiring data for the plant control held in the process input / output device as an analog value when a CPU system is down,
Means for holding the acquired data, means for acquiring and updating output data from the plant as analog values among data for the plant control via the process input / output device, and Means for generating data for operating the plant while monitoring the output data, and means for writing the generated data to the process input / output device (claim 7).

When the redundancy of the control device goes down, the analog input / output value immediately before the downtime is held in the process input / output device, and the analog input / output value of the process input / output device coming up from the plant is issued by the simple operation device permission command. The input values are updated, the analog input / output values are read from the process input / output device to the simple operation device, and the read analog input / output values are monitored by the monitor device while each analog operation end panel of the simple operation device is used. The analog output value is manipulated, write permission is given by the simple operation device, each analog output value is written to the process input / output device, and a command is output to the plant. Also, each analog input / output value immediately before going down is stored as a backup in the operation device body.

[0027] Further, a redundant control system according to the present invention includes a redundant control device and a simple operation device connected to the redundant control device. The redundant control device executes a plant control program and executes any of the above. One of which is a regular system for the plant control and the other is a standby system 2
A system CPU system, and a process input / output device that is connected to the two CPU systems and exchanges data for plant control between the plant and the plant. Means for acquiring data for controlling the plant included in the apparatus, means for generating data for operating the plant based on the acquired data, and monitoring of the generated data so that the two CPU systems Means for giving permission to copy to the CPU system when returning from the function down, and means for copying the generated data to the CPU system based on the permission, the duplication control device further comprises: Data for controlling the plant is generated based on the transcribed data (claim 8).

After the duplexing recovers from the down state, for example, while monitoring with a monitor device, the control device that has returned from the simple operation device is given permission to rewrite the analog output value, and the simple operation device connected to the process input / output device is provided. Then, the analog output value used for control is written into the corresponding area of the control device, and the control device tracks the analog output value.

Further, a redundant control system according to the present invention includes a redundant control device and a simple operation device connected to the redundant control device, and the redundant control device executes a plant control program and executes One of which is a regular system for the plant control and the other is a standby system 2
A system CPU system, and a process input / output device that is connected to the two systems of CPU systems and exchanges data for controlling the plant between the plant. The simple operation device includes the two systems of the two systems. Means for acquiring binary data for the plant control held in the process input / output device when a CPU system has failed, means for holding the acquired data, and the process input / output device Means for acquiring and updating binary output data from the plant out of the data for the plant control via the CPU, and a means for operating the plant while monitoring the updated output data. Means for generating data consisting of values, and means for writing the generated data to the process input / output device. .

When the redundancy of the control device is down, the input / output value consisting of two values immediately before the downtime is held in the process input / output device, and the process input / output that comes up from the plant by the permission command of the simple operation device. Update the binary input value of the device. Read the two input / output values from the process input / output device to the simple operation device, and operate each output value on each digital operation end panel of the simple operation device while monitoring the read input / output values with the monitor device. Then, write permission is given from the simple operation device, and each output value is written to the process input / output device, and a command is output to the plant. Further, each input / output value consisting of two values immediately before the down operation is stored in the operation device main body as a backup.

Further, the redundant control system according to the present invention has a redundant control device and a device for simple operation connected to the redundant control device, and the redundant control device executes a plant control program and One of which is a regular system for the plant control and the other is a standby system 2
A system CPU system, and a process input / output device that is connected to the two CPU systems and exchanges data for plant control between the plant and the plant. Means for acquiring data for controlling the plant included in the apparatus, means for generating binary data for operating the plant based on the acquired data, and monitoring the generated data to generate the binary data. The duplication control device, comprising: means for giving permission to copy to the CPU system when the CPU system of the system returns from the function failure; and means to copy the generated data to the CPU system based on the permission. Generating data for the plant control based on the transcribed data (claim 10).

After the duplication recovers from the down state, the control device that has returned from the simple operation device while monitoring with the monitor device is
Permits rewriting of output values consisting of values. From the simple operation device connected to the process input / output device, the binary output value used for the control is written in the area of the corresponding control device, and the control device tracks the output value.

[0033] Further, in the program maintenance method for a redundant control system according to the present invention, in the redundant control system for performing plant operation, the parameters relating to the plant operation of the two CPU systems are stored in a predetermined storage portion and the two parameters are stored. A limit is set on the output value of the CPU system, and a new parameter is
When the output values of the two CPU systems based on the given new parameters fall within the limit, the limit is released to continue the plant operation with the new parameters, and When the output values of the two CPU systems based on the new parameters reach the limit, the parameters stored in the predetermined part are given back to the two CPU systems (claim 1).
1).

Since a limit value is set for the analog output when the control parameter is changed during the operation of the plant, it is possible to prevent undesirable effects on the plant and to save the parameter before the change, When the value reaches the value, the parameter before the change can be returned. In addition, the dual control system according to the present invention includes:
In a redundant control system that performs plant operation, a limit is set to the output value of a common one of the two CPU systems,
When a new parameter is given to the regular CPU system in place of the parameter related to the plant operation of the regular CPU system, and the output value of the regular CPU system according to the given new parameter falls within the limit, Release the restriction and replace the new parameter with the two CPs.
If the output of the service CPU system by the given new parameter reaches the limit, the two CPU systems are given to the standby system of the U system to continue the plant operation by the new parameter. And the parameter relating to the plant operation of the newly used CPU system is copied to the other CPU system (claim 12).

Since a limit value is set for the analog output when the control parameter is changed during the operation of the plant, it is possible to prevent undesirable effects on the plant, and the parameter before the change remains in one system of the redundant control device. Therefore, when the limit value is reached, the parameter before the change can be returned. Further, the redundant control system according to the present invention, in a redundant control system that performs plant operation, sets a limit on the output value of the standby CPU system of the two CPU systems and controls the plant operation of the standby CPU system. A new program is given to the standby CPU system instead of the program, and a simulation test of the standby CPU system is performed by the given new program,
If the output value in the implemented simulation test falls within the limit, the simulation test is terminated and the two Cs
Switching the regular use rights of the PU system and performing the plant operation,
When the output value of the newly used CPU system in the plant operation falls within the limit, the limit is released and the new program is copied to the other CPU system to continue the plant operation according to the new program. And
When the output value in the practice test performed reaches the limit, the test is terminated and the limit is released, and a program of a common one of the two CPU systems is copied to the standby CPU system. If the output value of the newly used CPU system in the plant operation reaches the limit, the right to use the two CPU systems is switched back, and the limit is released to release the two C lines.
A program included in a common PU system is copied to the standby CPU system.
3).

Since a limit value is set for the analog output when the program is changed during the operation of the plant, it is possible to prevent undesirable effects on the plant,
Since the program before the change remains in one system of the redundant control device, it is possible to return to the program before the change when the limit value is reached. Further, the redundant control system according to the present invention, in a redundant control system that performs plant operation, retains an output value consisting of two values of a standby one of the two CPU systems and controls the plant operation of the standby CPU system. A new program is provided to the standby CPU system in place of the program for performing the above operation, the plant is operated by switching the right of use of the two CPU systems, and the plant operation of the newly used CPU system is normal. If the range is within the range, the holding is released, and the new program is copied to the other CPU system to continue the plant operation according to the new program, and the plant operation of the newly used CPU system becomes normal. If it exceeds the range, the regular rights of the two CPUs are switched back, and the holding is released to release the two CPUs. Characterized by copying a program having those conventional among the CPU system of the stand (claim 14).

When the program is changed during the operation of the plant, the binary output is held, and the coordinator can check the operation of the plant. Since the program remains in one system of the redundant control device, if the coordinator determines that it is not desirable, the program can be returned to the program before the change.

[0038]

Embodiments of the present invention will be described below with reference to the drawings.

(First Embodiment) FIG. 1 is a block diagram for explaining a first embodiment of a redundant control system according to the present invention.

As shown in the figure, the configuration of this embodiment includes a simulation test device 14 in addition to a control device 10, a plant 19 and a dedicated maintenance device 16, and there is no backup operating device.

The control device 10 includes a CPU-A system (normal /
There are a standby (standby) 11 and a CPU-B system (standby / normal use) 12, each of which normally executes the same program 111. This execution includes a control operation by inputting data from the plant 19 via the process input / output device (PIO) 13 in the control device 10. As shown in the figure, the control based on the operation result is performed by using a process input device (PIO) 13 in the control device 10 from only one of the CPU-A system 11 and the CPU-B system 12 (CPU-A system 11 in this figure). Through the plant 19.

The dedicated maintenance device 16 is connected to the control device 10 and the simulation test device 14, and the CPU-A system 11 and the CP
The program 111 executed in the UB system 12 is maintained.

The simulation test apparatus 14 controls the C
It is connected to the PU-B system 12 and the dedicated processing device 16 and tests a new program.

Here, an operation for changing the program 111 currently used for the control during the operation of the plant 19 will be described.

First, all the new programs 115 (programs to be completely replaced with the programs 111) held in the dedicated maintenance device 16 are transferred to the simulation test device 14. The simulation test apparatus 14 receives data from the plant 19 via the CPU-B system 12 on-line by the operation thereof, inputs the data, and performs a simulation test of all the programs 115. The state subjected to the mock test is the dedicated maintenance device 16
Confirmed by.

At this time, at the same time, the status of the program 111 currently used for plant control in the CPU-B system 12 is also confirmed by the dedicated maintenance device 16.

Then, the dedicated maintenance device 16 compares these confirmations, and confirms the quality of all the new programs 115 while displaying the difference as a message.

If the result of the pass / fail confirmation is good, all the new programs 115 are downloaded from the dedicated maintenance device 16 or the simulation test device 14 to the CPU-B system 12,
The UB system 12 includes all downloaded programs 115
Start Then, the control right of the plant 19 is transferred from the CPU-A system 11 to the CPU
-Shift to the B system 12. As a result, the plant 19 is temporarily controlled by the new program 115.

If the pass / fail confirmation is negative, all programs 115 are recreated, and all reprogrammed programs 115 are recreated.
Thus, the operation up to here can be repeated.

If the pass / fail confirmation is good, then all new programs 115 are transferred from the CPU-B system 12 to the CPU-A system 11
Automatically from the dedicated maintenance device 16
Write to UA system 11. The CPU-A system 11 activates all the written programs 115 and shifts to a standby state for controlling the plant 19. By these, the program 11
1 is changed.

As described above, according to this embodiment, the program 111 can be changed without interfering with the other system in the control device 10, whereby the control of the plant 19 is not stopped. Therefore, the operation efficiency of the plant 19 can be improved.

(Second Embodiment) Next, a second embodiment of the present invention will be described with reference to FIG.

FIG. 9 is a block diagram for explaining a second embodiment of the duplex control system according to the present invention.

As shown in the drawing, the configuration of this embodiment includes a simulation test device 24 in addition to a control device 20, a plant 25, and a dedicated maintenance device 26.

The control device 20 includes a CPU-A system (normal /
There is a (standby) 21 and a CPU-B system (standby / normal use) 22, each of which normally executes the same program 28. This execution includes a control operation by inputting data from the plant 25 via the process input / output device (PIO) 23 in the control device 20. As shown in the figure, the control based on the calculation result is performed by using only one of the CPU-A system 21 and the CPU-B system 22 (CPU-A system 21 in this figure) and a process input device (PIO) 23 in the control device 20. Through the plant 25.

The dedicated maintenance device 26 is connected to the control device 20 and the simulation test device 24, and is connected to the CPU-A system 21 and the CP.
The program 28 executed by the UB system 22 is maintained.

The simulation test device 24 is provided with the C
It is connected to the PU-B system 22 and the dedicated processing device 26, and performs a test of a new program.

In this embodiment, the program 28 for controlling the plant 25 can be divided into a plurality of parts, each of which can be individually replaced with a new one, and can be started (program execution) for each divided part. It is built like that.

Here, an operation for changing the program 28 currently used for the control during the operation of the plant 25 will be described.

First, the new partial change program 214 held in the dedicated maintenance device 26 is transferred to the simulation test device 24. The simulation test device 24 is operated by the CPU-
The data from the plant 25 via the B system 22 is received online, and the data is input and a simulation test of the partially modified program 214 is performed. The state of the simulated test is confirmed by the dedicated maintenance device 26.

At this time, the state of the program 28 currently used for plant control in the CPU-B system 22 is also confirmed by the dedicated maintenance device 26.

Then, these confirmations are compared in the dedicated maintenance device 26, and the quality of the partially changed program 214 is confirmed while displaying the difference as a message.

If the result of the pass / fail check is good, the splittable change portion of the partial change program 214 is downloaded from the dedicated maintenance device 26 or the simulation test device 24 to the CPU-B system 22. This is done in a short time because it is only a part.), CPU-B system 22
Starts the downloaded and partially modified program (the same as the program 214). The control right of the plant 25 is changed to C by the command from the dedicated maintenance device 26.
The processing shifts from the PU-A system 21 to the CPU-B system 22. As a result, the plant 25 is temporarily controlled by the new program.

If the pass / fail is not confirmed, the dividable portion of the program 214 can be recreated, and the operations up to this point can be repeated by the recreated program 214.

If the pass / fail confirmation is good, then a changeable part of the partially changed program (same as the program 214) is automatically written from the CPU-B system 22 to the CPU-A system 21. , CPU from dedicated maintenance device 26
-Writing to the A system 21 (this writing is performed in a short time because it is only a part of the program). The CPU-A system 21 activates a program (same as the program 214) including the written portion, and shifts to a standby state for controlling the plant 25. Thus, the change of the program 28 ends.

As described above, according to this embodiment, the first
In the same manner as in the embodiment, the program 28 can be changed without hindering another system in the control device 20, whereby the control of the plant 25 is not stopped. Can be improved.

Further, since writing of a new program to the standby CPU system is performed in a shorter time, the possibility of temporary suspension of plant control caused when the function of the service CPU system goes down during the process is further reduced. It can be kept low.

(Third Embodiment) Next, a third embodiment of the present invention will be described with reference to FIG.

FIG. 11 is a block diagram for explaining a third embodiment of the redundant control system according to the present invention.

As shown in the figure, the configuration of this embodiment comprises a control device X31, a plant 34, a dedicated maintenance device 35
And a control device Y32.

The control device X31 has a CPU-XA system (common use) 36 and a CPU-XB system (standby) 37, each of which executes the same program. This execution includes a control operation by data input from the plant 34 via the process input / output device (PIO) 33 in the control device X31. The control based on the calculation result is performed by the CPU-XA system 36, the CPU-XB system 37,
Any of the YB systems 38 (CPU-XA system 3
6) to the process input device (PI) in the control device X31.
O) to plant 34 via 33.

The dedicated maintenance device 35 is connected to the control device X31, and performs maintenance of the programs executed by the CPU-XA system 36 and the CPU-XB system 37.

The control device Y32 operates as C in the control device X31.
In some cases, it functions as a standby system instead of the PU-XB system 36 or the CPU-XB system 37.

This embodiment is characterized in that a control device Y32 is added.
The program of the CPU-XA system 36 or the CPU-XB system 37 in the control device X31 can be changed during the operation of Step 4. Further, the CPU-XA system 36 or the CP
Even if the function of one of the U-XB systems 37 is down, the system operates as a redundant control system.

The operation when the program of the CPU-XA system 36 or the CPU-XB system 37 of the control device X31 is changed will be described.

Prior to the change of the program of the control device X31, the control device X is sent to the CPU-YA system 38 of the control device Y32.
Copy the program from 31. In the process input / output device 33, the standby CPU-XB of the control device X31
The standby system is switched from the system 37 to the CPU-YA 38 of the control device Y32. Thereafter, the program of the CPU-XB system 37 can be changed. This allows the plant 34 to continue operating as a redundant control system even during program change.

When one system of the control device X31 is down, the program is copied from the control device X31 to the CPU-YA system 38 of the control device Y32, and the standby system is down in the process input / output device 33. By switching from the system to the CPU-YA system 38 of the control device Y32, the plant 34 can continue operation as a redundant control system.

As a result, the operation of the plant 34 can more reliably obtain the reliability of the redundant control system.

(Fourth Embodiment) Next, a fourth embodiment of the present invention will be described with reference to FIG.

FIG. 14 is a block diagram for explaining a fourth embodiment of the redundant control system according to the present invention.

As shown in the figure, the configuration of this embodiment comprises a control device X41, a plant 44, a dedicated maintenance device 42
And a controller Z46.

The control device X41 includes a CPU-XA system (common use) 48 and a CPU-XB system (standby) 49, each of which executes the same program. This execution includes a control operation by inputting data from the plant 44 via the process input / output device (PIO) 43 in the control device X41. As shown in the drawing, the control based on the calculation result is performed by the control device X from only one of the CPU-XA system 48 and the CPU-XB system 49 (the CPU-XA system 48 in this figure).
The process is performed on a plant 44 via a process input device 43 in 41.

Also, in control device Z46, CPU
-ZA system (common use) 410, CPU-ZB system (standby) 41
1, the relationship between the process input / output device 47 and the plant 44 is usually the same as described above. Note that the control device X41 and the control device Z46 control the plant 44 by separate programs in normal times.

The dedicated maintenance device 42 is connected to the control device X41 and the control device Z46, copies a program executed by these, and temporarily stores the copy.

In this embodiment, an area for copying a program on the standby side is provided in the dedicated maintenance device 42 in order to change the program on the standby side. This is to temporarily use the system functioning as the standby side of the system.

Further, in this embodiment, the standby side functions as a standby side of another redundant control system in case that the standby side is down and the service side is performing control of the plant, and the function is down at the service side as well. This is to temporarily use the system you are using.

These operations will be described step by step.

Prior to the program change of the control device X41, the memory W for storing the program in the dedicated maintenance device 42
45, the program is copied from the control device X41. Here, the standby CPU-XB system 49 of the control device X41
Change the program.

If the other CPU-XA system 48 of the control device X41 goes down during the program change, the program is copied from the memory W45 to the standby CPU-ZB system 411 of another control device Z46. Standby CPU
Disconnect the output of the ZB system 411 from its process input / output device 47; At the same time, the output of the CPU-XA system 48 is disconnected from the process input / output device 43, and the process is switched so that the control from the CPU-ZB system 411 is transmitted to the process input / output device 43 instead. Further, switching is performed so that the process measurement value is transmitted from the process input / output device 43 to the CPU-ZB system 411.

Thus, the operation of the plant 44 can be continued.

After the control device X41 returns, the process input / output device 43 switches (returns) control from the CPU-ZB system 411 to the control device X41, and the plant 44 operates via the process input / output device 43 by the redundant control system. Return to. After the CPU-ZB system 411 is disconnected from the process input / output device 43, the control device Z46
The program is copied from the PU-ZA system 410 to the CPU-ZB system 411, and the process is returned to the process input / output device 47 by the redundant control system.

The above is the operation in the case of temporarily using the side functioning as the standby side of another redundant control system in case the service side goes down when the program on the standby side is changed.

Also, one system CPU-XB of the control device X41
When the function of the system 49 is down, the program is copied from the system CPU-XA system 48 during operation of the control device X41 to the memory W45. If the remaining CPU-XA system 48 of the control device X41 also goes down while the CPU-XB system 49 goes down, the standby CPU of another control device Z46
-Copy the program from the memory W45 to the ZB system 411, and disconnect the output of the standby CPU-ZB system 411 from the process input / output device 47. At the same time, the output of the service-side CPU-XA system 48 is disconnected from the process input / output device 43, and the process is switched so that the control from the CPU-ZB 411 is transmitted to the process input / output device 43 instead. Further, the process input / output device 43
-Switch so that the process measurement value is transmitted to the ZB system 411.

Thus, the operation of the plant 44 can be continued.

After the return of the control device X41, the process input / output device 43 switches (returns) the control from the CPU-ZB system 411 to the control device X41, and the plant 44 operates by the redundant control system via the process input / output device 43. Return to. After the CPU-ZB system 411 is disconnected from the process input / output device 43, the control device Z46
The program is copied from the PU-ZA system 410 to the standby CPU-ZB system 411, and the operation of the process input / output device 47 is returned to the operation by the redundant control system.

The above is a description of the case where the standby side is functioning as a standby side of another redundant control system in case the function is down and the service side is controlling the plant, in case the function of the service side is also down. This is an operation when temporarily using.

As described above, in this embodiment,
If both systems of a certain redundant control system malfunction, the standby system of another redundant control system can be temporarily used to continue the operation of the plant.

(Fifth Embodiment) Next, a fifth embodiment of the present invention will be described with reference to FIG.

FIG. 15 is a block diagram for explaining a fifth embodiment of the redundant control system according to the present invention.

As shown in the figure, the configuration of this embodiment includes a simple operation device 55 in addition to a control device 50 and a plant 54.

The control device 50 includes a CPU-A system (common use)
51 and a CPU-B system (standby) 52,
Execute the same program. This execution is performed by the control device 5
This includes a control operation based on data input from the plant 54 via the process input / output device (PIO) 53 within 0. In addition, the control based on the calculation result is normally performed by C
The processing is performed from one of the PU-A system 51 and the CPU-B system 52 (the CPU-A system 51 in this figure) to the plant 54 via the process input device 53 in the control device 50.

The simple operation device 55 is connected to the process input / output device 53 and the CPU-A system 51 (which may be the CPU-B system 52) in the control device 50, and has a monitor device as an internal configuration. 56, including an operating device main body 57. The monitor device 56 includes a plurality of operation terminals 512.

In this embodiment, both CPUs of the control device 50
If both systems fail, until recovery
The operation of the plant is temporarily performed by the simple operation device 55, and at this time, the control of the plant 54 is transferred (the transfer from the control device 50 to the simple operation device 55 and the transfer from the simple operation device 55 to the control device 50). (Transfer) smoothly, and the safe operation of the plant 54 is continued.

The operation when the functions of both CPU systems of the control device 50 are down will be described.

The process input / output device 53 includes a plant 54
Since the analog input / output from / to the plant 54 is performed every time, when both CPU systems of the control device 50 go down, the analog input / output values immediately before going down can be held. In the process input / output device 53,
The simple operation device 55 is connected, and the simple operation device 55
Reads the analog input / output value held in the process input / output device 53.

The simple operation device 55 follows the ever-changing analog input value rising from the plant 54 and issues a command to permit updating of the analog input value when down. The simple operation device 55 operates each analog output value while monitoring the analog input value read while being updated by the monitor device 56 (a plurality of operation terminals 512 are used for this). The changed analog output values thus obtained are written to the process input / output device 53 by giving write permission,
A command is output (operated) to the plant 54.

The simple operation device 55 can also store, as a backup, each analog input / output value immediately before the two systems are down, and in some cases, refer to it or return to this state. it can.

As described above, while the analog input / output value is updated to the latest by the permission command of the simple operation device 55 and the current plant state is monitored, the plant operation procedure and its monitoring are performed by the simple operation device 55. And are given safety. Thereby, using the plurality of operation terminals 512,
The plant 54 can be safely operated.

Further, when the control device 50 returns from the down state, the current analog output value from the simple operation device 55 is monitored by the monitor device 56 while monitoring the monitor device 56 in order to shift the plant control to the control device 50. Give permission to transcribe. That is, the analog output value that has been plant-controlled by the simple operation device 55 is written into the storage area of the corresponding control device 50 (the operation device main body 57).
→ CPU system 51).

As a result, the analog output value of the control device 50 is tracked to the analog output value that has been plant-controlled by the simple operation device 55, and a sudden command to the plant 54 can be prevented. The plant 54 can be safely controlled.

(Sixth Embodiment) Next, a sixth embodiment of the present invention will be described with reference to FIG.

FIG. 19 is a block diagram for explaining a sixth embodiment of the redundant control system according to the present invention.

As shown in the figure, the configuration of this embodiment includes a simple operation device 65 in addition to a control device 60 and a plant 64.

The control unit 60 includes a CPU-A system (common use)
61 and a CPU-B system (standby) 62.
Execute the same program. This execution is performed by the control device 6
This includes a control operation when data is input from the plant 64 via the process input / output device (PIO) 63 in 0. In addition, the control based on the calculation result is normally performed by C
The processing is performed from one of the PU-A system 61 and the CPU-B system 62 (CPU-A system 61 in this figure) to the plant 64 via the process input device 63 in the control device 60.

The simple operation device 65 is connected to the process input / output device 63 and the CPU-A system 61 (this may be the CPU-B system 62) in the control device 60, and has a CRT display as an internal configuration. 66, operation device body 6
7 inclusive. The CRT display 66 includes a plurality of operation terminals 612.

In this embodiment, similarly to the fifth embodiment, when the functions of both CPU systems of the control device 60 are down, the operation of the plant is temporarily performed by the simple operation device 65 until recovery. At this time, the control of the plant 64 is transferred (from the control device 60 to the simple operation device 65).
Transfer from the simple operation device 65 to the control device 60), and a safe plant 64
The operation of is continued.

It is also assumed that the input / output signal handled by the process input / output device 63 is a digital signal (a binary signal, that is, a signal indicating any one of opening and closing of a valve, starting and stopping of a motor, and the like). Things.

The operation when the functions of both CPU systems of the control device 60 are down will be described.

The process input / output device 63 includes a plant 64
The digital input / output from / to the plant 64 is performed every time, so that when both CPU systems of the control device 60 go down, the digital input / output values immediately before the system goes down can be held. A simple operation device 65 is connected to the process input / output device 63.
5 reads the digital input / output value held in the process input / output device 63.

The simple operation device 65 follows the ever-changing digital input value rising from the plant 64, and issues a command to permit updating of the digital input value when down. The simple operation device 65 controls each digital output value while monitoring the digital input value read while being updated on the CRT display 66 (this includes a plurality of operation terminals 612).
Is used).

The obtained digital output values are checked on the CRT display 66, and after being checked, the write permission is given to write them into the process input / output device 63 and output a command to the plant 64 ( Control).
This confirmation is performed to improve the safety of the plant control, and because there are only two types of digital signals, erroneous use may cause the plant to malfunction more greatly.

In this case, the simple operation device 65 can also store, as a backup, the digital input / output values immediately before both systems are down, and refer to or return to this state as the case may be. You can also.

As described above, while the digital input / output value is updated to the latest by the permission command of the simple operation device 65 and the current plant state is monitored, the plant operation procedure and its monitoring are performed by the simple operation device 65. And are given safety. Thus, the plant 64 can be safely operated by using the plurality of operation terminals 612.

Further, when the control device 60 returns from the down state, the current digital output value is output from the simple operation device 65 while monitoring the CRT display 66 in order to shift the plant control to the control device 60. Give permission to transcribe. That is, the digital output value that has been subjected to the plant control by the simple operation device 65 is written into the storage area of the corresponding control device 60 (operating device main body 67 → CPU system 61).

As a result, the digital output value of the control device 60 is tracked to the digital output value of the operation of the plant by the simple operation device 65, and a sudden command to the plant 64 can be prevented. Plant 6
4 can be safely controlled.

(Seventh Embodiment) Next, a seventh embodiment of the present invention will be described with reference to FIGS.

FIG. 7 is a block diagram for explaining a seventh embodiment of the program maintenance method of the redundant control system according to the present invention, and FIG. 8 is a flowchart showing the procedure of the program maintenance method.

As shown in FIG. 7, this embodiment can be used in the configuration of a control device 71, a plant 74, and a dedicated maintenance device 72.

The control device 71 includes a CPU-A system (common use)
76 and a CPU-B system (standby) 77.
Usually, the same program is executed. This execution includes a control operation by data input from a plant 74 via a process input / output device (PIO) 73 in the control device 71. As shown in the figure, the control based on the calculation result is performed only from one of the CPU-A system 76 and the CPU-B system 77 (CPU-A system 76 in this figure) via the process input device 73 in the control device 71. 74.

The dedicated maintenance device 72 is connected to the control device 71 and performs maintenance (including adjustment of parameters) of programs executed by the CPU-A system 76 and the CPU-B system 77. Further, a memory W75 for storing parameters is provided inside.

The operation procedure of this embodiment will be described with reference to FIG.

First, the coordinator inputs a parameter adjustment request from the dedicated maintenance device 72. The control device 72 confirms that there is a parameter adjustment request (step 80), and stores the current parameters in the memory W75 of the dedicated maintenance device 72 (step 81).

Next, the limit of the analog output value is set by the coordinator (step 82), and the dedicated maintenance device 72 adjusts the parameters of both the CPU systems 76 and 77 of the control device 71 (step 83). The control device 71 checks whether each analog output value is within the set limit value (step 84), and if it is within the range, cancels the analog output limit (step 85) and ends the parameter adjustment routine. .

When the limit value is reached, the parameters before adjustment stored in the memory W75 are used for both CPU systems 76, 7
7 (step 86), return to the state before the execution of the parameter adjustment, release the restriction on the analog output (step 87), and continue the operation of the plant 74. (Note that the parameter adjustment procedure can be performed again from the beginning.) This makes it possible to perform parameter adjustment by confirming the validity of parameter adjustment by actual plant control.

(Eighth Embodiment) Next, an eighth embodiment of the present invention will be described with reference to FIGS.

FIG. 9 is a block diagram for explaining an eighth embodiment of the program maintenance method for the redundant control system according to the present invention, and FIG. 10 is a flowchart showing the procedure of the program maintenance method.

As shown in FIG. 9, this embodiment can be used in the configuration of a control device 91, a plant 94, and a dedicated maintenance device 92.

The control device 91 includes a CPU-A system (common use)
96 and a CPU-B system (standby) 97.
Usually, the same program is executed. This execution includes a control operation by inputting data from the plant 94 via the process input / output device (PIO) 93 in the control device 91. As shown in the figure, the control based on the calculation result is performed only from one of the CPU-A system 96 and the CPU-B system 97 (CPU-A system 96 in this figure) via the process input device 93 in the control device 91. 94.

The dedicated maintenance device 92 is connected to the control device 91 and performs maintenance of the programs executed by the CPU-A system 96 and the CPU-B system 97 (this includes adjustment of parameters).

The operation procedure of this embodiment will be described with reference to FIG.

First, the coordinator inputs a parameter adjustment request from the dedicated maintenance device 92. The control device 91 confirms that there is a parameter adjustment request (step 150). Here, the limit value of the analog output is set from the dedicated maintenance device 92 (step 151), and the dedicated maintenance device 92 adjusts the parameters of the service-side CPU-A system 96 of the control device 97 (step 152).

Next, the control unit 91 checks whether each analog output value is within the range of the set limit value (step 153). If it is within the range, the restriction on the analog output is released (step 154), and the regular CPU-A system 96 is released.
Is copied to the standby-side CPU-B system 97 (step 155), and the parameter adjustment routine ends.

When the limit value is reached, the regular
The system is switched from the A-system 96 to the CPU-B system 97 (step 156), and the operation is continued by the CPU-B system 97.
Then, the restriction on the analog output is released (step 15).
7) Then, the parameters are copied from the CPU-B system 97 to the CPU-A system 96 (step 158), the state is returned to the state before the execution of the parameter adjustment, and the operation of the plant 94 is continued.
(Note that the parameter adjustment procedure can be performed again from the beginning.) As described above, according to this embodiment, it is possible to perform parameter adjustment by confirming the validity of parameter adjustment by actual plant control.

(Ninth Embodiment) Next, a ninth embodiment of the present invention will be described with reference to FIGS.

FIG. 11 is a block diagram for explaining a ninth embodiment of the program maintenance method for the redundant control system according to the present invention, and FIG. 12 is a flowchart showing the procedure of the program maintenance method.

As shown in FIG. 11, this embodiment comprises a control device 251, a plant 254, a dedicated maintenance device 252,
It can be used in the configuration of the simulation test apparatus 255.

The control device 251 includes a CPU-A system (normal use) 256 and a CPU-B system (standby) 257, each of which normally executes the same program. This execution is performed by a process input / output device (PIO) in the controller 251.
253 includes a control operation based on data input from the plant 254. The control based on the calculation result is performed by the CPU-A system 256 and the CPU-B system 2 as shown in the figure.
57 to the plant 254 via the process input device 253 in the control device 251 from only one of the devices 57 (CPU-A system 256 in this figure).

The dedicated maintenance device 252 is connected to the control device 251 and the simulation test device 255, and is connected to the CPU-A system 25.
6 and the programs executed by the CPU-B system 257 are maintained.

The simulation test apparatus 255 performs a simulation test on the plant 254 together with the CPU-B system 257 set in the simulation test mode.

In the present embodiment, the program is changed. What differs from the seventh and eighth embodiments in that the parameters in the program are simply adjusted is as follows.
Items and methods to be checked are different as described below.

The operation procedure of this embodiment will be described with reference to FIG.

First, the coordinator inputs a program change request from the dedicated maintenance device 252. The control device 251 confirms that there is a program change request (step 350). Here, the limit value of the analog output is set from the dedicated maintenance device 252 (step 351).
Change the program of system B 257 (step 35)
2).

Next, the dedicated maintenance unit 252 sends the CPU-B
The system 257 is switched to the simulation test mode (step 35).
3), the simulation test apparatus 255 is provided with the switched CPU-
It is connected to the B system 257 and the dedicated maintenance device 252, and performs a simulation test. In this simulation test, the control device 2
51 checks whether each analog output is within the set limit value (step 354). If it is within the range, the simulation test mode is canceled and the CPU-A system 256 to CPU-A
The regular right is switched to the B system 257 (step 355).

If the limit value has been reached, the simulation test mode is released and the restriction on analog output is released (step 359). Then, CPU-A system 256 to CPU-B
By copying the program to the system 257 (step 3
60), the control device 251 is returned to the state before the program change, and the operation of the plant 254 is continued. (Here, the program change procedure can be started again from the beginning.) Step 3
After 55, it is checked whether each analog output is within the set limit value (step 356), and if it is within the range, the analog output limit is released (step 35).
7) The program is copied from the CPU-B system 257 to the CPU-A system 256 (step 358), and the program change routine ends.

If the limit value is reached, the regular
By switching back from the -B system 257 to the CPU-A system 256 (step 361), the restriction on the analog output is released (step 359), and the program is copied from the CPU-A system 256 to the CPU-B system 257 (step 361). 360), the control device 251 is returned to the state before the execution of the program change, and the operation of the plant 254 is continued with the CPU-A system 256 as the normal system. (Note that the program change procedure can be started again from the beginning.) As described above, according to this embodiment, the program change can be performed by confirming the validity of the program change by actual plant control. .

(Tenth Embodiment) Next, a tenth embodiment of the present invention will be described.
Embodiment 0 will be described with reference to FIGS.

FIG. 13 is a block diagram for explaining a tenth embodiment of the program maintenance method for the redundant control system according to the present invention, and FIG. 14 is a flowchart showing the procedure of the program maintenance method.

As shown in FIG. 13, this embodiment can be used in the configuration of a control device 451, a plant 454, and a dedicated maintenance device 452.

The control device 451 has a CPU-A system (normal use) 456 and a CPU-B system (standby) 457, each of which normally executes the same program. This execution is performed by a process input / output device (PIO) in the controller 451.
453 includes a control operation based on data input from the plant 454. The control based on the calculation result is performed by the CPU-A system 456 and the CPU-B system
57 to the plant 454 via only the process input device 453 in the control device 451 from only one of the devices 57 (CPU-A system 456 in this figure).

The dedicated maintenance device 452 is connected to the control device 451 and performs maintenance of programs executed by the CPU-A system 456 and the CPU-B system 457.

This embodiment is a method of changing a program, and assumes that the data handled by the process input / output device 453 is a digital signal (a binary signal).

The operation procedure of this embodiment will be described with reference to FIG.

First, the coordinator inputs a program change request from the dedicated maintenance device 452. The control device 451 confirms that there is a program change request (step 550). Here, from the dedicated maintenance device 452 to the standby CP of the control device 451.
The program of the UB system 457 is changed (step 55).
1) Issue a regular right switching command.

Next, the control device 451 receives the service right switching command, holds the digital output at the current value (step 552), and switches the CPU-A system 456 to the CPU-B system 45.
The switching of the regular right is performed in step 7 (step 553). Here, the changer receives confirmation as to whether it is safe to release the digital output command under the control of the CPU-B system 457 (step 554).

When the safety is confirmed, the dedicated maintenance device 452 issues an operation permission command to the control device 451 (step 555). As a result, the control device 451 releases the holding of the digital output (step 556), and the CPU
The program is copied from the B system 457 to the CPU-A system 456 (step 557), and the program change routine ends.

If it is determined that it is not safe, C
Switching the right of use from the PU-B system 457 back to the CPU-A456 system (step 558), releasing the holding of the digital output (step 559), and copying the program from the CPU-A system 456 to the CPU-B system 457. (Step 560), the state before the program change is executed is returned, and the CPU-A system 456 is set to
Continue the operation of Step 4. (Here, the program change procedure can be restarted from the beginning.) As described above, according to this embodiment, when the signal handled by the process input / output device is a digital signal (binary signal), the program The program can be changed by confirming the validity of the change with actual plant control.

[0167]

As described above in detail, according to the first aspect of the present invention, the test by the simulation test device is a confirmation test of a new program, and the simulation test device is connected to the redundant control device. The result can be confirmed in accordance with the plant operation of the present invention, and the program can be replaced with a new program by connecting the dedicated maintenance device and the redundant control device.

According to the second aspect of the present invention, the dedicated maintenance device compares the result of the new program executed in the simulation test with the result of the program executed by the CPU system on the standby side. If the result is the desired result, download the new program to the standby CPU system;
Since it is instructed to switch the regular right of the CPU system of the system and to write the downloaded new program to the other CPU system, it is possible to change the program without disturbing another system in the control device, Thus, the control of the plant is not stopped, and the operation efficiency of the plant can be improved.

According to the third aspect of the present invention, similarly to the above, it is possible to change the program without disturbing another system in the control device, thereby stopping the control of the plant. And the operation efficiency of the plant can be improved.

Also, the program and the new program are:
It consists of a plurality of parts that can be divided and has interchangeability between the corresponding parts. The dedicated maintenance device instructs to download the part that can be divided as a new program to the CPU system on the standby side. Writing a new program to the standby CPU system is performed in a shorter time, and the possibility of temporary suspension of plant control caused when the function of the service CPU system goes down during the process can be reduced.

According to the fourth aspect of the present invention, the control device can execute a plant control program.
Equipped with a U system, the dedicated maintenance device has two CPU systems and C
Since any two CPU systems among the PU systems are selected as a normal system and a standby system for plant control, the operation of the plant can more reliably obtain the reliability of the redundant control system.

According to the fifth aspect of the present invention, the dedicated maintenance device obtains and holds a program for plant control from the CPU system of an arbitrary redundant control device, and stores the held program in an optional device. It writes to the CPU system of the redundant control device and instructs the CPU system that executes the written program to lead data for plant control to an arbitrary process input / output device, so both systems of a certain redundant control system malfunction. In the event of a failure, the operation of the plant can be continued by temporarily using the standby system of another redundant control system.

According to the sixth aspect of the present invention, the simple operation device acquires data for controlling the plant of the process input / output device and generates data for operating the plant based on the acquired data. Then, the generated data is copied to the process input / output device or the CPU system.
The plant can be operated to prevent sudden commands to the plant.

According to the seventh aspect of the present invention, the simple operation device converts the data for plant control held in the process input / output device when the two CPU systems fail in function into analog values. To obtain and update the output data from the plant as analog values among the data for plant control via the process input / output device, and operate the plant while monitoring the updated output data. Since the data is generated and the generated data is written to the process input / output device, the control of the plant can be smoothly shifted.

According to the eighth aspect of the present invention, the simple operation device transmits the generated data to the CP based on the permission.
The data is copied to the U system, and the redundant control device further generates data for plant control based on the copied data, so that the analog output value of the control device is the analog output value that was operated by the simple operation device. The value is tracked, and a sudden command to the plant can be prevented, and the plant can be safely controlled.

According to the ninth aspect of the present invention, the simple operation device comprises two values for plant control held in the process input / output device when the functions of the two CPU systems fail. Obtain data, obtain and update binary output data from the plant among data for plant control via the process input / output device, and control the plant while monitoring the updated output data. Is generated, and the generated data is written to the process input / output device, so that the control of the plant can be smoothly shifted.

Further, according to the present invention described in claim 10,
The simple operation device converts the generated data into C based on the permission.
The data is copied to the PU system, and the redundant control device further generates data for plant control based on the copied data, so that the digital output value of the control device is The value is tracked, and a sudden command to the plant can be prevented, and the plant can be safely controlled.

According to the eleventh aspect of the present invention,
The parameters relating to the plant operation of the two CPU systems are stored in a predetermined storage area, and the output values of the two CPU systems are set with restrictions, new parameters are given to the two CPU systems in place of the parameters, and the new If the output values of the two CPU systems based on the parameters fall within the limits, the restrictions are released and the plant operation is continued with the new parameters. Therefore, the validity of the parameter adjustment is confirmed by actual plant control and the parameter adjustment is performed. It becomes possible. Also, by storing the parameters before adjustment, when the limit value is reached, the parameters before adjustment can be restored.

Further, according to the present invention described in claim 12,
Setting a limit on the output value of the common one of the two CPU systems, and giving a new parameter to the common CPU system in place of the parameter relating to plant operation of the common CPU system,
If the output value of the regular CPU system based on the given new parameter falls within the limit, the limit is released and the new parameter is given to the standby one of the two CPU systems to continue the plant operation based on the new parameter. The parameter adjustment can be performed by confirming the validity of the parameter adjustment by actual plant control. Further, since the parameter before adjustment remains in one system of the redundant control device, when the limit value is reached, the parameter can be returned to the parameter before adjustment.

According to the thirteenth aspect of the present invention,
Setting a limit on the output value of the common one of the two CPU systems, and giving a new parameter to the common CPU system in place of the parameter relating to plant operation of the common CPU system,
If the output value of the regular CPU system based on the given new parameter falls within the limit, the limit is released and the new parameter is given to the standby one of the two CPU systems to continue the plant operation based on the new parameter. The program change can be performed by confirming the validity of the program change by actual plant control. Further, since the parameter before the change remains in one system of the redundant control device, when the limit value is reached, the parameter before the change can be returned.

According to the fourteenth aspect of the present invention,
The CP which holds the digital output value of the standby one of the two CPU systems and replaces the new program with the standby CPU system with the standby program instead of the program for operating the plant.
Given to the U system, switch the regular rights of the two CPU systems to operate the plant. If the newly used CPU system plant operation is within the normal range, release the hold and release the new program. If the signal handled by the process input / output device is a binary signal, the validity of the program change is confirmed by actual plant control and the program is executed. Changes can be made.
In addition, since the parameter before the change remains in one system of the redundant control device, it is possible to return to the parameter before the change when it is not desirable.

[Brief description of the drawings]

FIG. 1 is a block diagram for explaining a first embodiment of a redundant control system according to the present invention.

FIG. 2 is a block diagram illustrating a second embodiment of a redundant control system according to the present invention;

FIG. 3 is a block diagram for explaining a third embodiment of the redundant control system according to the present invention;

FIG. 4 is a block diagram for explaining a fourth embodiment of a redundant control system according to the present invention;

FIG. 5 is a block diagram for explaining a fifth embodiment of the redundant control system according to the present invention;

FIG. 6 is a block diagram illustrating a duplex control system according to a sixth embodiment of the present invention.

FIG. 7 is a block diagram for explaining a program maintenance method for a redundant control system according to a seventh embodiment of the present invention.

FIG. 8 is a flowchart showing a procedure of a program maintenance method for a redundant control system according to a seventh embodiment of the present invention.

FIG. 9 is a block diagram for explaining a program maintenance method for a redundant control system according to an eighth embodiment of the present invention.

FIG. 10 is a flowchart showing a procedure of a program maintenance method for a redundant control system according to an eighth embodiment of the present invention.

FIG. 11 is a block diagram for explaining a program maintenance method for a redundant control system according to a ninth embodiment of the present invention.

FIG. 12 is a flowchart showing a procedure of a program maintenance method of a redundant control system according to a ninth embodiment of the present invention.

FIG. 13 is a block diagram for explaining a program maintenance method for a redundant control system according to a tenth embodiment of the present invention.

FIG. 14 is a flowchart showing a procedure of a program maintenance method for a redundant control system according to a tenth embodiment of the present invention.

FIG. 15 is a block diagram for explaining a redundant control device;

[Explanation of symbols]

10, 20, 50, 60, 71, 91, 251, 451
Control device 11, 21, 51, 61, 76, 96, 256, 456
CPU-A system 12, 22, 52, 62, 77, 97, 257, 457
CPU-B system 13, 23, 33, 43, 47, 53, 63, 73, 9
3, 253, 453 Process input / output device 14, 24, 255 Simulated test device 16, 26, 35, 42, 72, 92, 252, 452
Dedicated maintenance device 19, 25, 34, 44, 54, 64, 74, 94, 2
54, 454 Plant 111 Program 115 New whole program 28 Program 214 New partial change program 31, 41 Controller X 32 Controller Y 36, 48 CPU-XA system 37, 49 CPU-XB system 38 CPU-YA system 45 Memory 46 Control device Z 410 CPU-ZA system 411 CPU-ZB system 55, 65 Simple operation device 56 Monitor device 57, 67 Operating device main body 512, 612 Operating terminal 66 CRT display 75 Memory

 ──────────────────────────────────────────────────続 き Continuing on the front page (72) Noriyuki Mito Inventor No. 1 Toshiba-cho, Fuchu-shi, Tokyo F-term in the Fuchu Plant of Toshiba Corporation 5B034 BB02 CC01 DD02 DD05 5B076 EA17 5H209 AA02 CC13 DD01 DD04 EE11 EE18 GG01 GG04 HH13 HH22 JJ09 SS01 SS04 SS08 SS09 TT01 5H223 AA02 CC08 EE01 EE05 EE19 FF05

Claims (14)

[Claims] 1. A duplication control device, a simulation test device connected to the duplication control device, and a dedicated maintenance device connected to the duplication control device and the simulation test device, wherein the duplication control device is A two-system CPU system that executes a plant control program and one of which is a regular system for the plant control and the other is a standby system; and A process input / output device for exchanging data for control, the simulation test device includes means for executing a new program of the plant control, and the dedicated maintenance device includes a program for the plant control. A redundant control system, comprising: means for replacing with a new program. 2. A duplication control device, a simulation test device connected to the duplication control device, and a dedicated maintenance device connected to the duplication control device and the simulation test device, wherein the duplication control device is A two-system CPU system that executes a plant control program and one of which is a regular system for the plant control and the other is a standby system; and A process input / output device for exchanging data for control, wherein the simulation test device is connected to a standby side of the two CPU systems and is output data from the plant among data for plant control. And a means for executing a new program for plant control based on the acquired output data. Is the result of the executed new program and the CP of the standby side.
Means for comparing the result of the executed program by the U system; means for instructing the download of the new program to the standby CPU system when the compared result is a desired result; A redundant control system, comprising: means for instructing switching of regular rights of two CPU systems; and means for instructing writing of the downloaded new program to the other CPU system. 3. The program and the new program are composed of a plurality of parts that can be divided and have commutability between corresponding parts, and the dedicated maintenance device includes a part that can be divided as the new program. 3. An instruction to download the new program to the standby CPU system, and an instruction to write the divided program as the downloaded new program to the other CPU system. Redundant control system. 4. A redundant control device, a control device connected to the redundant control device, and a dedicated maintenance device connected to the redundant control device, wherein the redundant control device executes a plant control program. And one of two CPU systems, one of which is a normal system for the plant control and the other is a standby system, and exchanges data for the plant control between a plant connected to the two CPU systems. The control device includes a CPU system capable of executing the plant control program, and the dedicated maintenance device includes one of the two CPU systems and the CPU system. Means for selecting the two CPU systems as a normal system and a standby system for the plant control. 5. A plurality of redundant control devices which can be connected to each other, and a dedicated maintenance device connected to the plurality of redundant control devices, wherein the plurality of redundant control devices execute a plant control program and execute A process for exchanging data for plant control between a plant connected to the two CPU systems, one of which can be a normal system for the plant control and the other a standby system for the plant control; An input / output device, wherein the dedicated maintenance device obtains and holds a program for plant control from a CPU system of any of the redundant control devices, and stores the stored program in any of the redundant devices. Means for writing to the CPU system of the control device; and Duplicated control system characterized by comprising means for instructing to direct over data in any said process input and output device. 6. A redundant control device, and a device for simple operation connected to the redundant control device, wherein the redundant control device executes a plant control program, and one of the redundant control devices executes the plant control program. A CPU system of two systems that is a service system and the other system is a standby system, and a process input / output device that is connected to the CPU systems of the two systems and exchanges data for plant control with a plant, A device for simple operation, a unit for acquiring data for controlling the plant that the process input / output device has; a unit for generating data for operating the plant based on the acquired data; and A duplication control system comprising: the process input / output device or a means for copying to the CPU system. 7. A redundant control device, and a simple operation device connected to the redundant control device, wherein the redundant control device executes a plant control program, and one of the redundant control devices executes the plant control program. A CPU system of two systems that is a service system and the other system is a standby system, and a process input / output device that is connected to the CPU systems of the two systems and exchanges data for plant control with a plant, A unit for acquiring the data for plant control held in the process input / output device as an analog value when the functions of the two CPU systems are down; and holding the acquired data. Means for performing, as an analog value, output data from the plant among data for controlling the plant via the process input / output device. Means for obtaining and updating; means for generating data for operating the plant while monitoring the updated output data; and means for writing the generated data to the process input / output device. A redundant control system characterized by the following. 8. A redundant control device, and a simple operation device connected to the redundant control device, wherein the redundant control device executes a plant control program, and one of the redundant control devices executes the plant control program. A CPU system of two systems that is a service system and the other system is a standby system, and a process input / output device that is connected to the CPU systems of the two systems and exchanges data for plant control with a plant, A means for acquiring data for controlling the plant included in the process input / output device; a means for generating data for operating the plant based on the acquired data; Means for giving permission to copy the data to the CPU system by monitoring when the two CPU systems return from the function failure; Means for copying the copied data to the CPU system on the basis of the permission, wherein the duplication control device further generates data for the plant control based on the copied data. Redundant control system. 9. A redundant control device and a simple operation device connected to the redundant control device, wherein the redundant control device executes a plant control program, and one of the redundant control devices executes the plant control program. A CPU system of two systems that is a service system and the other system is a standby system, and a process input / output device that is connected to the CPU systems of the two systems and exchanges data for plant control with a plant, The device for simple operation includes: means for acquiring binary data for the plant control held in the process input / output device when the two CPU systems fail; Means for holding, of the data for the plant control via the process input / output device, obtaining binary output data from the plant, Means for generating binary data for operating the plant while monitoring the updated output data; and means for writing the generated data to the process input / output device. A redundant control system. 10. A redundant control device, and a simple operation device connected to the redundant control device, wherein the redundant control device executes a plant control program, and one of the redundant control devices executes the plant control program. A CPU system of two systems that is a service system and the other system is a standby system, and a process input / output device that is connected to the CPU systems of the two systems and exchanges data for plant control with a plant, A device for simple operation, a means for acquiring data for controlling the plant of the process input / output device, and operating the plant with the acquired data 2
Means for generating data consisting of values; means for monitoring the generated data to give permission to copy the data to the CPU system when the two CPU systems return from a function failure; Means for copying the transferred data to the CPU system based on the permission, the duplication control device further generates data for the plant control based on the copied data. Control system. 11. A redundant control system for performing plant operation, wherein parameters relating to the plant operation of two CPU systems are stored in a predetermined storage area, and a limit is set on an output value of the two CPU systems. The new parameters are replaced with the two CPs
When the output values of the two CPU systems based on the given new parameter fall within the limit, the limit is released and the plant operation is continued with the new parameter. A program maintenance method for a redundant control system, characterized in that when the output values of the two CPU systems due to the parameters reach the limit, the parameters stored in the predetermined portion are returned to the two CPU systems. 12. A redundant control system for performing a plant operation, wherein a limit is set to an output value of a normal one of the two CPU systems, and a new parameter is replaced with a parameter related to the plant operation of the normal CPU system. When the output value of the service CPU system according to the given new parameter falls within the limit, the limit is released and the new parameter is set to the standby one of the two CPU systems. To continue the plant operation according to the new parameters, and when the output value of the service CPU system according to the given new parameters reaches the limit, the two CPUs
Switching of the regular use of the system and the newly used C
A program maintenance method for a redundant control system, wherein parameters related to the plant operation of the PU system are copied to the other CPU system. 13. A redundant control system for operating a plant, wherein a limit is set to an output value of a standby one of the two CPU systems, and a new program is provided in place of the plant operation program of the standby CPU system. Is given to the standby CPU system, and a simulation test of the standby CPU system is performed by the provided new program. With the two C
In the case where the output value in the plant operation of the newly used CPU system falls within the limit, the limit is released and the new program is switched to the other CPU. If the output value in the executed simulation test reaches the limit, the simulation test is terminated and the limit is released to copy the two CPU systems. Of the common CPU is copied to the standby CPU system, and when the output value of the newly used CPU system in the plant operation reaches the limit, the two CPUs are used.
A program maintenance method for a redundant control system, characterized in that the regular use right of the system is switched back, the restriction is released, and the program of the regular one of the two CPU systems is copied to the standby CPU system. 14. A redundant control system for performing a plant operation, comprising: holding a binary output value of a standby one of the two CPU systems and replacing the standby CPU system with the plant operation program. When the new program is given to the standby CPU system, the right of use of the two CPU systems is switched to operate the plant, and when the plant operation of the newly used CPU system is in a normal range, When the holding is released and the new program is copied to the other CPU system to continue the plant operation according to the new program, and when the plant operation of the newly used CPU system exceeds the normal range, The regular rights of the two CPUs are switched back, and the holding is released to release the two Cs.
A program maintenance method for a redundant control system, wherein a program of a common PU system is copied to the standby CPU system.