JP2007172079A - Duplex control system, and update method of control program for control device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a duplex control system in which operation efficiency in maintenance work of a control program and the reliability of the maintenance work are enhanced without providing a new facility such as a simulation test device, and an update method of the control program for control devices thereof. <P>SOLUTION: This duplex control system comprises a maintenance tool 4, two sets of control devices 1, and a process input and output device 3. When "internal double setting instruction" is inputted from the maintenance tool, this system is operated as an internal double control system in which one system is operated as an ordinary system and the other system is operated as a standby system by starting one set of control devices in a single ordinary mode and transferring it in an internal double state in which initial tracking processing is executed. The maintenance tool downloads a new control program to the standby system, uploads control data of both the systems followed by comparative determination, and sets the internal double setting instruction from the maintenance tool when the data are determined to be updatable for the operation as the internal double control system. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a redundant control system that controls operation of a plant such as a power plant with two identical control programs, and a method for updating a control program of the control controller, and in particular, control during plant operation. The present invention relates to a duplex control system capable of updating a program and a method for updating a control program of the control device.

  In a control device that controls the operation of various plants such as factories and public facilities, it may be predicted that some abnormality will occur in this control device and a serious accident will occur if the controlled plant stops. is there.

  In general, for such a control target, two sets of control devices having the same configuration are connected, and either one is a regular system, the other is a standby system, and usually the control target is controlled only by the regular system, There is a standby redundant type redundant control device configured to switch the standby system to the normal system and continue the control when an abnormality occurs in the normal system.

  In such a redundant control device, when the control program of both systems is made the same and this control program is maintained during operation as a redundant control system, first, the control program of the standby control device is changed to a new control program. Update and compare the control result of the normal system with the control result of the new control program of the standby system control device, confirm that the result is appropriate, and then update the normal system control device to the new program (For example, refer to Patent Document 1).

  The duplexing control system of Patent Document 1 shown in FIG. 9 includes a duplexing control device 20, a simulation test device 24 connected to the duplexing control device 20, and a dedicated unit connected to the duplexing control device 20 and the simulation test device 24. The redundant control device 20 executes a plant control program, and one of the two CPU systems 21 is a regular system for plant control and the other is a standby system. The process input / output device 23 is connected to the CPU system 21 and exchanges data for plant control with the plant 19.

The simulation test apparatus 24 is connected to the standby side of the two CPU systems 21 and obtains the output data from the plant online among the data for plant control, and the plant control by the acquired output data. Means for executing the separate program 115, and the dedicated maintenance device 26 compares the result of the program 111 executed in the normal system with the result of the separate program 115 executed by the standby CPU system 22. Means for instructing download of the other program 115 to the standby CPU system 22 when the compared result is a desired result; and means for instructing switching of the common right of the two CPU systems 21; And a means for instructing to write the downloaded separate program 115 into the other CPU system.
JP 2001-202101 A

  In the duplex control system disclosed in Patent Document 1, not only can the control program be changed and the operation verified without affecting the duplex control system, but the new control program can be written to the standby system in a short time. The feature is that the possibility of temporary suspension of plant control that occurs when the service system goes down can be further reduced.

  However, since the verification of the new program is performed using the simulation test device 24 configured independently of the duplex control device, there is not only a problem that the configuration increases and the system becomes complicated, but also the simulation test device 24 and the duplex test device are duplexed. It is difficult to maintain the individual control devices of the control system in the same state over a long period of time, and there may be a difference in the hardware and software states of the simulation test device 14 and the operating control device.

  Therefore, there is a difference between the result of controllability verified by the simulation test device 24 for the new control program and the result of controllability by the operating control device, and the evaluation of the new program may be erroneous. There is a problem that reliability decreases.

  By the way, as a method for improving the maintenance reliability of such a duplex control system, the standby system without changing the status of the standby system controller and the standby system controller operating as the standby redundancy type duplex control system. Although it is possible to verify the performance of the new control program using the control device and then return to the standby redundancy type, it is possible to take measures against the failure of the system during replacement work, and transition from the redundant control system to the system during maintenance work. In addition, there is a problem in the maintenance reliability of the standby redundant type redundant control system when the standby system becomes unusable, such as recovery to the redundant control system after maintenance work.

  In addition, control device failures include transient minor failures that can be recovered by initialization of the control program and severe failures that cannot be recovered. If the system and the standby system are switched, there is a problem that the operation efficiency of the plant is lowered.

  The present invention has been made to solve the above problems, and when updating a control program, control of a redundant control system that is operating in a standby redundant type without providing new equipment such as a simulation test apparatus or the like. A duplex control system capable of recovering even if a failure occurs during a program update operation and improving the operation efficiency and reliability of the maintenance operation of the control program, and a method for changing the control program of the control device The purpose is to provide.

  In order to achieve the above object, the duplex control system according to claim 1 of the present invention has two sets of control devices arranged for a control target, one control device serving as a normal system control device, and the other control device serving as a control system. As a standby system control device, the control system is usually controlled by a normal system control device, and when this normal system control device fails, the control system is controlled by switching to the standby system control device. Dual control system comprising a maintenance tool, two sets of control devices, and a process input / output device, wherein the maintenance tool sets an operation mode of the control system to two sets of the control devices. The control program is based on a comparison of control signals of setting means, control program maintenance means for maintaining a control program stored in the control device, and the regular control device and the standby control device. Control program comparison and determination means for comparing and determining the quality of the operation, the control device, the operation mode command signal from the operation mode setting means, the failure state of the own system and the failure state of the counterpart system of the control device Operation mode setting processing means for setting the operation mode of the control device from, and a tracking memory for storing the control data of the own system and the counterpart system and the failure state in synchronization with the control cycle of the control device set in advance A synchronization signal detection means comprising communication means for communicating the control data and the failure state stored in the tracking memory with each other in synchronization with the control cycle; a control program memory for storing the control program; A control data memory for storing control data, and exchange control signals with the control target to perform control calculations based on the control program A calculation processing means having a CPU for outputting the calculation result and a selection signal of the calculation output to the process input / output device according to the operation mode stored in the operation mode setting processing means; An input circuit that inputs output signals from the control target to two sets of the control devices in parallel, and an operation output of one of the two control devices selected by the selection signal is transmitted to the control target. An output circuit, and when one of the control devices is in single service operation and the other control device is in operation stop, when the "internal double setting command" is transmitted from the maintenance tool, the other The control device initializes its own system, and writes the control data and operating state of the operating control device to the tracking memory of the own system for one of the normal operating systems. As an internal double control system, when this initialization tracking process is normally completed, the internal system becomes an internal double standby system, and the normal operating system is an internal double normal system. During operation with the internal double control system, when an “internal double release command” is sent from the maintenance tool, the system is returned to the redundant control system and is operating with the internal double control system. In addition, when an “internal duplex system switching setting command” is sent from the maintenance tool, the internal dual standby system is switched to the internal dual standby system, and the internal dual standby system is switched to the internal dual standby system. The system is characterized in that it switches between a normal system and a standby system.

  In order to achieve the above object, the duplex control system according to claim 2 of the present invention is characterized in that the maintenance tool includes display means for displaying a state of an operation mode of the control device processed by the operation mode setting processing means. It is characterized by having.

  In order to achieve the above object, the duplex control system according to claim 3 of the present invention is characterized in that the synchronization signal detection means of one system during normal operation of the internal duplex control system is in the standby state. When receiving that the control device has failed, the normal system transitions its own system to the state of the single normal system and memorizes that it is in the state of the single normal system. When the initialization tracking process is normally completed, the single service system transitions its own system to the state of the internal double service system. The other system is characterized in that the system is operated in the state of an internal double standby system.

  In order to achieve the above object, the duplex control system according to claim 4 of the present invention is configured so that when the control device in normal operation as the internal duplex control system detects that the own system has failed, When the failure is recovered normally after the initialization process, the controller is operated as a single-use system, and the other control device in the internal double standby state stops the operation of the own system.

  In order to achieve the above object, the duplex control system according to claim 5 of the present invention is such that when the control device in regular operation as the internal duplex control system detects a failure in its own system, When the failure of the normal system is detected by the synchronization signal detecting means, the initial system is initialized and the initial tracking process is requested, and when the normal system failure is recovered and the initial tracking process is normally completed When the operation is started as an internal double standby system and the initial tracking process is not completed, the initialization process and the initial tracking process are repeated a specified number of times, and the operation is stopped if the failure is not recovered. The system repeats the initialization process of its own system, and if the failure recovers, the system starts operation in a single-use system state, and if the standby system requests the initial tracking process, the initial trackin Process carried out, it is characterized in that so as to start the operation as internal double the normal control system upon successful completion.

  In order to achieve the above object, the duplex control system according to claim 6 of the present invention provides an “internal duplex system switching command” from the maintenance tool to the two sets of control devices during operation in the internal duplex state. When the control signal is transmitted, the control device switches between the normal system and the standby system in the respective operating states, and the selection signal for selecting the calculation output of the local system from the control device of the normal system to the process input / output device Is transmitted.

  In order to achieve the above object, the duplex control system according to claim 7 of the present invention is configured such that when the internal control signal is received from the maintenance tool during operation in the duplex control system, The system is changed to an internal double standby system, and the other double standby system is changed to an internal double standby system so as to operate as the internal double control system.

  In order to achieve the above object, a method for changing a control program of a control device of a duplex control system according to the present invention includes arranging two sets of control devices for a control target, and setting one control device as a regular system control device, The other control device is a standby control device, and usually the control target is controlled by a normal control device. If this normal control device fails, the control target is switched to the standby control device. A control program for a control device of a redundant redundant control system for standby redundancy, comprising a maintenance tool, two sets of control devices, and a process input / output device. Operation mode setting means for setting operation modes in the two sets of control devices, control program maintenance means for maintaining control programs stored in the control devices, and the regular system control And a control program comparison / determination means for comparing and judging the quality of the control program from a comparison of the control signals of the standby system control device, and the control device includes an operation mode command signal from the operation mode setting means, The operation mode setting processing means for setting the operation mode of the control device from the failure state of the own system of the control device and the failure state of the counterpart system, and in synchronization with the control cycle of the control device set in advance And a tracking memory for storing the control data of the counterpart system and the failure state, and a communication means for communicating the control data and the failure state stored in the tracking memory with each other in synchronization with the control cycle. Detecting means; a control program memory for storing the control program; a control data memory for storing the control data; and the control pair. The control signal is transmitted and received, the control calculation is performed based on the control program, and the calculation output selection signal is output to the process input / output device according to the calculation result and the operation mode stored in the operation mode setting processing means. And the process input / output device, the input circuit for inputting the output signal from the control target to the two control devices in parallel, and the two sets selected by the selection signal An output circuit for transmitting a calculation output of any one of the control devices to the control target, wherein the one control device is in a single operating state and the other control device is in a stopped state, and the maintenance is performed. When the “internal double setting command” is transmitted from the tool, the other control device initializes its own system, and the tracking of its own system with respect to one of the normal operating systems The initial tracking process for writing the control data and the operation state of the control device in operation to the memory is requested, and when this initialization tracking process is normally completed, the own system is set as an internal double standby system, and the normal operation is performed. A step of operating as an internal double control system in which the internal system is an internal double service system, a step of downloading the new control program to the standby system, and the maintenance tool including the standby system and the service system Uploading the control data of the system, comparing and determining the control data of the control program and the new control program, and if the result of the comparison is determined to be updatable, from the maintenance tool And a step of setting an “internal double switching command” to the normal system and the standby system.

  When updating the control program of the redundant control system or performing maintenance work, the system is in a state where the initial tracking of the standby system has been completed from the single active system (in the non-standby redundant special duplex state, here referred to as internal duplex) Operation mode setting means for setting the "internal duplex setting command" for operating the system and the "internal duplex release command" for returning from the internal duplex state to the standby redundant type redundant system, and the operating status of the two sets of control devices And an operation mode setting processing means for setting the operation mode of the own system.

  When a failure occurs in the standby system in the internal duplex state, the standby system requests initialization processing of the standby system itself and initial tracking from the regular system. Operation can be continued as a heavy working system and a standby system, and if a failure occurs in the working system, the operation of the standby system can be stopped and the normal system itself can be initialized to restore operation as a single working system. I did it.

  Furthermore, when a failure occurs in the normal system, the standby system continues the initialization process a specified number of times without stopping the operation of the standby system, requests initial tracking from the normal system, and the initial tracking is completed normally. As a result, the operation was continued as an internal double control system.

  Therefore, there is no automatic transition from the state of the internal duplex control system to the standby redundant type redundant control system. When returning the standby system to the standby redundant type, the standby system including the performance of the control program It is possible to confirm that the state is normal and shift the operation state.

  In addition, as an operation mode command, an “internal double switching command” is provided to switch between the active system and standby system in the internal duplex state, making it possible to operate both systems with different control programs. Since the determination can be performed, the performance of the control device can be reliably verified, and the control program can be updated and maintained.

  Therefore, when it is necessary to update the control program of the duplex control system, it is possible to update the control program of the duplex control system that is operating in the standby redundant type without providing new equipment such as a simulation test apparatus. It is possible to provide a duplex control system that can perform a recovery process even if a failure occurs and that enhances the operation efficiency and the reliability of the maintenance work of the control program, and a method for changing the control program of the control device.

  Embodiments of the present invention will be described below with reference to the drawings.

  A duplex control system according to a first embodiment of the present invention will be described with reference to FIGS. FIG. 1 is a system function block diagram showing the configuration of the duplex control system.

  The duplex control system includes two sets of control devices 1 that control the control target 9, a process input / output device 3 that outputs the output of any one of these control devices 1 to the control target 9, and two sets of control devices 1. The maintenance tool 4 includes a function for setting the operation mode and updating the control program of the control device 1.

  The control device 1 (one is called an A system control device and the other is called a B system control device) includes an operation mode setting processing means 1a, a synchronization signal detecting means 1b, and an arithmetic processing means 1c, respectively.

  The two sets of control devices 1 are normally set to the state of a standby system in which one side is constantly controlling the controlled object 9 and the other side is in a standby redundant redundant control control system, and the normal system fails. Is switched to the standby system, but is set to the internal dual control system in which the other is in a non-standby state during work for maintenance of the control program.

  Further, the maintenance tool 4 creates a control program in the operation mode setting means 4a for setting the operation start and stop commands of the redundant control system and the redundant configuration of the control system, and the two sets of control devices 1, and loads them in advance. The program maintenance means 4b and the A system control device 1 and the B system control device 1 are composed of two sets of control outputs and a control program comparison judgment means 4c for comparing and judging the quality of the loaded control programs.

  Next, the detailed configuration of each unit will be described. A detailed configuration of the control device 1 will be described with reference to FIGS. 1 and 2. The control device 1 including the operation mode setting processing means 1a, the synchronization signal detecting means 1b, and the arithmetic processing means is configured by hardware as shown in FIG. 2, for example.

  The control device 1 is connected to each part of the hardware constituting the control device 1 through an internal bus 19a, and executes an operation mode command output set from the CPU 11a and the maintenance tool 4 for executing operation mode setting processing and control calculation. The presence / absence of the failure state of the counterpart control device 1 received via the interface 14a and detected by the synchronization signal detection circuit 18a and the presence / absence of the failure state detected by the failure detection circuit 13a of the own control device 1 are set. An operation state memory 12a that stores the state of the operation mode of the own system and a failure detection circuit 13a that detects a failure of the own control device 1 and detects whether it is a minor failure that can be controlled or a severe failure that cannot be controlled.

  Further, a control program memory 15a for storing a control program for controlling the control target 9, a control data memory 16a for storing control signals to be exchanged with the control target 9 in a predetermined control cycle unit, and a process input / output device 3 A PIO interface 17a for interfacing control signals with the other system, a synchronization signal detection circuit 18a for detecting a failure of the partner system based on the presence or absence of a response of the partner system, and an internal bus 19a for connecting these parts.

  The operation mode setting processing means 1a includes a CPU 11a, an operation state memory 12a, and a failure detection circuit 13a, and is detected by an operation mode setting signal transmitted from the maintenance tool 4 via the tool interface 14a and the failure detection circuit 13a. Based on the failure signal and the failure detection signal of the counterpart system detected by the synchronization signal detection circuit 1b, the operation mode of the own system is set and stored in the operation state memory 12a, and the state of this operation mode is output to the outside. Display.

  The arithmetic processing means 1c is composed of a CPU 11a, a control program memory 15a, a control data memory 16a, and a PIO interface 17a. The arithmetic processing means 1c receives a control target detection signal transmitted from the process input / output device 3, and receives the control program memory 15a. The control calculation is performed in accordance with the control program stored in, and a control signal is transmitted to the process input / output device 3.

  The failure detection circuit 13a detects a minor failure that does not hinder driving and a major failure that hinders driving. These failures are stored in the operation state memory 12 and when a major failure is detected, the operation mode setting processing means 1a determines whether the failure is recovered by performing initialization processing or is a failure that cannot be recovered. judge.

  The synchronization signal detection circuit 18a includes a transmission unit 18a1, a tracking memory 18a2, and a reception unit 18a3. The synchronization signal detection circuit 18a stores the tracking data in the tracking data 18a2 and the control data of the own system and the other system in synchronization with a preset control cycle. The transmission unit 18a1 and the reception unit 18a3 communicate with each other in synchronization with the control data stored in the memory 18a2 in synchronization with the control cycle. The presence / absence of the failure of the partner system is detected and stored in the tracking memory 18a2 and the operation state memory 12a of the own system.

  For example, when the maintenance tool 3 is set as a regular system, the A-system control device 1 controls the control data stored in its own tracking memory 18a2, the presence / absence of a failure, and the other B-system control device 1 When the initial tracking process to be written in the tracking memory 18a2 is executed and the A-system control device 1 is set as a standby system, the control data of the counterpart system written in the own tracking memory 18a2 and the presence / absence of a failure are determined. The data is written in the own control data memory 16a2 and the operation state memory 12a, respectively.

  Then, response communication with the partner system is performed at each control cycle, and if there is no response from the partner system even after waiting for a certain period of time, the CPU 11a determines that the partner system is out of order and sets the operation mode to single use. The transition is made, and the operation mode of the own system is written in the operation state memory 12a as “single use”.

  Next, the process input / output device 3 will be described. The process input / output device 3 transmits a signal from the control target 9 in parallel to two sets of control devices 1 and a selection signal from one of the control devices 1 from the two sets of control devices 1. And an output circuit (not shown) that outputs a control signal from the selected control device 1 to the control target 1.

  Next, the maintenance tool 4 will be described with reference to FIGS. The operation mode setting means 4a of the maintenance tool 4 has two control devices 1 "control operation start", "control operation stop", "internal double setting command", "internal double release command", and Sends "Internal dual system switching command" signal.

  Furthermore, since the program maintenance means 4b performs maintenance of the control program used by the control device 1 in the internal double control state, the program maintenance means 4b (not shown) creates a control program created in the control program memory 15a of the control device 1. Download from the memory, upload from the control program memory 15a to the memory of the program maintenance means 4b, and execute the maintenance of the control program.

  The control program comparison / determination means 4c uploads the control data executed by each control device 1 from the control data memory 16a to a memory (not shown) of the control program comparison / determination means 4c, and compares the two sets of control data. The quality of the control state is determined from the difference.

  Next, the transition state of the operation mode processed by the operation mode setting processing means 1a of the duplex control system configured as described above will be described with reference to FIG.

  FIG. 3 shows the operation mode setting processing means 1a based on the operation mode command set from the maintenance tool 4, the presence / absence of the own system failure, and the presence / absence of the failure of the counterpart control device 1 detected by the synchronization signal detection circuit 18a. The transition state of each operation mode set by is illustrated.

  The A system and B system described in the solid lines indicate the respective control devices 1, and the articles attached to the stock are the operation modes of the control devices processed by the respective operation mode setting processing means 1a. The state of is indicated and shown.

  Further, the content surrounded by the broken line indicates a command signal from the operation mode setting means 4a of the maintenance tool 4, the arrow indicates the direction in which the operation mode of the control device 1 is changed by the command signal, and the bold arrow indicates Shows the transition to and from the internal double state.

  Whether the control device 1 is a normal system or a standby system is set in the order of activation in advance, and normally, the one activated first is activated as the normal system, and the one activated later is activated as the standby system, Each control device 1 detects the presence / absence of mutual failure by the synchronization signal detection circuit 18a, sets the operation mode of the own system from the presence / absence of the failure of the partner system and the presence / absence of the failure of the own system, and sets the operation state. Transition automatically.

  For example, in the initial state, both the A-system control device (hereinafter referred to as A-system) and the B-system control device (hereinafter referred to as B-system) are in the operation stop state. Here, when the A-system operation mode setting processing means 1a receives the “control operation start command” signal transmitted from the operation mode setting means 4a, the A-system transitions to the “single use state”, and the operation state memory 12a The state is stored as “single use” (s1).

  When the A system is in the “single-use state”, the “control operation stop command” is received, or when the failure detection circuit 13a detects a failure of the own system, the A system stops the control operation (s2).

  First, when the B-system operation mode setting processing means 1a receives the “control operation start command” signal transmitted from the operation mode setting means 4a, the B-system transitions to the “single use state” and stores it in the operation state memory 12a. The state is stored as “single use” (s3).

  When the B system is in the “single-use state” and receives the “control operation stop command” or when the failure detection circuit 13a detects a failure in the own system, the B system stops the control operation (s4).

  When the system A is in the “single service use” state and the system B receives the “control operation start command”, the system A transitions to the “double service use” state and the system B transitions to the “double standby” state ( s5).

  Here, when the B system receives a “control operation stop command” or a failure is detected in the B system, the B system stops the operation, and the A system transitions to its “single use” state. (S6).

  Thereafter, the states of the A system and the B system are switched. For example, the operations corresponding to (s7) in (s5) and (s8) in (s6) are the same transition operations, and thus description thereof is omitted. The case where the A system and the B system shown in the left part of FIG. 3 transition from (s1) will be described.

  When the A system is in the duplex control system state where the B system is in the double standby state and the B system is in the dual standby state, when the “internal duplex setting command” is received, the A system will be “internal dual service”, The state transits to the “double standby” state, and this state, that is, the operation state in the internal double control system is stored as “double use” or “double standby” in the A system operation state memory 12a (s9).

  The transition to the internal double control system is that the A system is in single use and the B system is in a shutdown state, and even when the "Internal double setting command" is received, the A system is in double use. The system B is configured to shift to a double standby state and shift to an internal duplex control system (s9 ′).

  In this internal double state, when the system B performs initialization processing while the system A is in single use, the system B sends a request for initial tracking processing to the system A, and the system A tracking is sent to its own tracking memory. This refers to the state in which the control data stored in the memory and the presence / absence of a failure are written.

  When the “internal double release command” is received in the state of the internal double control system, the state returns to the state of the internal double control system (s10).

  Further, when a serious failure is detected in the B system in the state of the internal double control system, the A system is stopped for internal double use, and the B system is stopped (s13). Here, when the B system executes the initialization process and the failure is restored to the normal state, the B system returns to the internal double standby state again (s13 ').

  If a “control operation stop command” is received in this state or if a serious failure is detected in the internal double normal state A, the system A stops operating (s17). When the “internal double release command” is received, the system A transitions to the single use state (s21).

  Further, when an “internal double setting command” is received in a state where both systems are stopped, the A system enters the “internal double normal use” state (s19), and if the B system executes the initialization process, the internal 2 Transition to the heavy control system.

  If a failure occurs in the active system in the state of the redundant control system, the redundant standby system of this system transitions to the active system (s15).

  Furthermore, when an “internal double switching command” is received in the state of the internal double control system, the internal double standby system becomes the internal double standby system, and the internal double standby system uses the internal double normal system. Each state is transited to the system (s16).

  Next, details of the operation mode setting processing operation of the internal double control system configured as described above will be described with reference to the flowcharts of FIGS.

  FIG. 4 is a process flow diagram in the case of operating as an internal duplex service system and further transitioning to a duplex control system.

  When one side is operated as a regular system (A system) and the other is operated as a standby entry system (B system), a “control operation start command” is transmitted from the maintenance tool 4 to the regular system. The received A system starts operation for single use (s310).

  When the system B is powered on (s321), the system B executes its own system initialization process (s321) and requests the system A for initial tracking (s311).

  Here, in synchronization with the control cycle, the A system control data is written to the B system, and the control data of both systems match (referred to as equalization) (s312), (s322), and the response is completed normally. Then, the operation in the internal double control system in which the A system operates as an internal double service system and the B system operates as an internal double standby system is started (s314) and (s324).

  When an “internal duplex release command” is received in this state (s315) and (s325), the respective systems are used as a standby system and a standby system of a standby redundant type redundant control system, and each state changes in synchronization with the control cycle. Control operation is started while monitoring (s316) and (s326).

  At this time, if the “internal double state exists” state is displayed on the maintenance tool, the display state can be confirmed and the “internal double release command” can be set by the operation mode setting means 4a. .

  5 and 6 are flowcharts of processing operations when a failure occurs in the standby system and the regular system during operation as the internal double control system. FIG. 5 shows that a failure of the B system is detected in the state (s410) and (s420) where one (A system) is operating as an internal double service system and the other (B system) is operating as an internal double standby system. Is detected (s411), the A system transitions to the single service system (s412).

  Then, the failed B system (s421) executes its own system initialization process (s422), and requests initial tracking from the A system (s413). When the initial tracking (s414, (s423) is completed and the response operation is normally completed (s415), (s424), each system is synchronized with the control cycle as an internal double standby system and an internal double standby system. The controlled operation is started (s416) and (s425).

  As shown in FIG. 6, in the state (s510) and (s520) in which one (A system) is operating as an internal double service system and the other (B system) is operating as an internal double standby system, the A system has failed. If this is the case (s511), initialization processing is executed (s512), and when the normal state is restored (s513), the A system transitions to the single service system (s514).

  On the other hand, when the system B detects a failure of the system A (s521), the system B stops its own operation. (S522).

  Therefore, in the internal double control system, even if the normal system fails, it is possible to operate in the internal double state as long as the standby system does not shift to the normal system and the normal system does not fail. During this time, maintenance and control operations of the standby system are possible.

  FIG. 7 is a flowchart of the automatic return processing operation when the operating system operating as the internal double control system fails. When a failure occurs in the A system in the state where the internal double normal operation is performed in the system A (s610) and the internal double standby operation is performed (s620), the system A is the own system as in FIG. When initialization processing is executed (s612) and normal recovery is performed (s613), a transition is made to a single-use system.

  Here, when the B system detects a failure of the A system (s621), the own system does not stop the operation, the own system initialization process (s622) is executed, and the initial tracking (s623) is executed a specified number of times. (S626) When it is confirmed that the initial tracking is normally completed (s624), the operation is started again as the internal double standby system, and the system A receives the request for the initial tracking (s615), and the initial tracking (s616). Is completed normally (s617), the operation is started again as the internal double service system.

  If the system B does not recover even after the initial tracking is performed a specified number of times, the system B stops operating (s627).

  Therefore, when the working system operating in the internal duplex temporarily fails, the working system can be restored as the working system in the internal duplex state, and the standby system can be restored as the internal duplex standby system. The recovery operation at the time of failure is automatically executed without switching the standby system to the regular system, and the operation can be resumed while the operation stop time is minimized.

  In addition, if the regular system that is operating in the internal double fails continuously. The normal system repeats the initialization process, the standby system repeats the initialization process and the initial tracking process a specified number of times, and if the failure is recovered, the operation is resumed as an internal dual system control system, and if the failure is not recovered, the operation is stopped. Therefore, maintenance work in the standby system is possible without the standby system transitioning to the regular system, and efficient control operation is possible even if there is a failure.

  Therefore, as long as a continuous failure does not occur in the regular system, an internal duplex operation state is possible, and a duplex control system with high maintenance reliability that can reliably perform the maintenance work of the standby system can be provided.

  Hereinafter, a method for changing the control program of the control device of the duplex control system according to the second embodiment of the present invention will be described with reference to FIG. 8 and FIG.

  About each part of Example 2, the same part as the duplication control system of Example 1 is shown with the same code | symbol, and the description is abbreviate | omitted.

  The second embodiment is an explanation of a method for updating a control program, and collects control data of each system from the maintenance tool 4 for comparison and determination, and uses a control program whose performance has been confirmed. However, this is different from the first embodiment.

  When a partial change of the control program or the entire update becomes necessary, an internal duplex setting command is transmitted from the maintenance tool 4 of the duplex control system (s701).

  In this state, the standby system requests the program maintenance means 4b of the maintenance tool 4 to download a new control program (s702).

  Then, from the control program comparison / determination means 4c, the control data in the active control program and the control data in the new control program loaded in the standby system are uploaded (s703).

  Then, the difference (time-series difference) between the control data responses of the two systems is compared (s704), and it is determined which performance is better within the preset range (s705). If it is determined that the performance of the new control program is good, an “internal duplex switching command” is transmitted to start control operation with the new control program.

  Therefore, in the internal duplex state, the standby system does not automatically switch to the regular system, and different control programs are loaded on the regular system and the standby system, and each control data is uploaded to compare and judge the control performance. In addition, since the control performance of the new control program is confirmed and the normal system and the standby system are switched, it is possible to perform the control program replacement work safely and reliably.

  The present invention is not limited to the above-described embodiments. If the normal system fails, the standby system does not automatically switch to the normal system, and the failed system can be efficiently recovered. In addition, the recovery process from the failure state may be implemented with various modifications without departing from the gist of the present invention.

The block diagram of the duplication control system of this invention. The functional block diagram of the duplication control system of this invention. Explanatory drawing of the transition of the driving | running state of the duplication control system of this invention. The operation | movement flowchart of the duplication control system which concerns on Example 1 of this invention. Simulated configuration when all input / output devices do not exist. The operation | movement flowchart of the duplication control system which concerns on Example 1 of this invention. The operation | movement flowchart of the duplication control system which concerns on Example 1 of this invention. The operation | movement flowchart of the duplication control system which concerns on Example 1 of this invention. The flowchart explaining the update method of the control program of the duplexing control system which concerns on Example 2 of this invention. The block diagram explaining the maintenance method of the program of the conventional duplex control system.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 A system control apparatus 1a Operation mode setting process means 1b Synchronization signal detection means 1c Arithmetic processing means 2 B system control apparatus 3 Process input / output device 4 Maintenance tool 4a Operation mode setting means 4b Program maintenance means 4c Control program comparison judgment means 9 Control Target 11a CPU
12a Operating state memory 13a Fault detection circuit 14a Tool interface 15a Control program memory 16a Control data memory 17a PIO interface 18a Synchronization signal detection circuit 18a1 Transmitter 18a2 Tracking memory 18a3 Receiver 19 Plant 20 Controller 21 CPU A system 22 CPU B system 23 PIO
24 Simulation test device 26 Dedicated maintenance device 111 Program 115 Another program

Claims (8)

Two sets of control devices are arranged for the control target, one control device is used as a normal system control device, the other control device is used as a standby system control device, and usually the control target is controlled by the normal system control device, When this regular system control device fails, it is switched to a standby control device, and is a standby redundant type redundant control system for controlling the control object,
Maintenance tools,
Two sets of control devices;
Consisting of process I / O devices,
The maintenance tool includes an operation mode setting means for setting the operation mode of the control system in the two sets of the control devices, a control program maintenance means for maintaining a control program stored in the control device, and the regular system control. A control program comparison / determination means for comparing and determining whether the control program is good or bad based on a comparison of a control signal between the apparatus and the standby control device,
The control device includes an operation mode setting processing means for setting an operation mode of the control device from an operation mode command signal from the operation mode setting means, a failure state of the own system of the control device, and a failure state of the counterpart system; ,
In synchronization with the control cycle of the control device set in advance, a tracking memory for storing the control data of the own system and the counterpart system and the failure state, and the control data and the failure state stored in the tracking memory Synchronization signal detection means comprising communication means for communicating with each other in synchronization with the control cycle;
A control program memory for storing the control program, a control data memory for storing the control data, a control signal to be exchanged with the control target and performing a control calculation based on the control program, and the calculation result and the operation mode setting Arithmetic processing means having a CPU that outputs a selection signal of the arithmetic output to the process input / output device according to the operation mode stored in the processing means;
The process input / output device includes an input circuit that inputs an output signal from the control target to two sets of the control devices in parallel, and an operation output of one of the two sets of the control devices selected by the selection signal. An output circuit for transmitting to the controlled object,
When an “internal double setting command” is transmitted from the maintenance tool in a state where one of the control devices is single and in normal operation and the other control device is stopped, the other control device Requesting an initial tracking process to write the control data and operating state of the control device in operation to the tracking memory of the own system for one of the systems in normal operation, When this initialization tracking process is completed normally, the system is operated as an internal double standby system, and the system in operation is used as an internal double control system.
During operation in the internal duplex control system, when an "internal duplex release command" is transmitted from the maintenance tool, the system is returned to the duplex control system,
During operation in the internal double control system, if an "internal double system switching setting command" is sent from the maintenance tool, the internal double standby system is changed to the internal double standby system, and the internal double standby system is set to A duplex control system characterized in that an internal duplex service system is switched between a service system and a standby system in each operating state.   2. The duplex control system according to claim 1, wherein the maintenance tool includes display means for displaying a state of an operation mode of the control device processed by the operation mode setting processing means. When the synchronization signal detecting means of one system during normal operation of the internal double control system receives that the other control device in a standby state has failed, the normal system uses the single system for the single normal use. Memorize that it is the state of the single normal system by transitioning to the state of the system,
The other control device initializes its own system and requests the single-use system to perform the initial tracking process. When the initialization tracking process is normally completed, the single-use system sets up its own system. 3. The duplex system according to claim 1, wherein the system is transited to a state of a heavy duty system, and the other system is operated in a state of its own system as an internal double standby system. Control system.   When the control device in normal operation as the internal double control system detects that the own system has failed, it operates as a single-use system when the own system is initialized and the failure is recovered normally. The duplex control system according to any one of claims 1 to 3, wherein the control device in an internal double standby state is configured to stop its own operation. When the control device in normal operation as the internal double control system detects a failure in its own system, the standby system detects the failure in the normal system by the synchronization signal detection means, and initializes the own system. When the initial tracking process is requested and the failure of the normal system is recovered and the initial tracking process is normally completed, the operation is started as an internal double standby system, and the initial tracking process is not completed. Repeats the initialization process and the initial tracking process a specified number of times, and stops operation if the failure is not recovered,
The normal system repeats the initialization process of its own system, and if the failure is recovered, the operation is started in the state of the single normal system, and when the initial tracking process is requested from the standby system, the initial tracking process is performed, The duplex control system according to any one of claims 1 to 4, wherein when the operation is normally completed, the operation is started as an internal dual service control system.   When the "internal duplex system switching command" is transmitted from the maintenance tool to the two sets of control devices during the operation in the internal duplex state, the control device is used as a normal system and a standby system in the respective operation states. 6. The method according to claim 1, wherein the selection signal for selecting a computation output of the own system is transmitted from the control device for a normal system to the process input / output device. The duplex control system according to claim 1.   If an "internal duplex setting command" is received from the maintenance tool during operation with the duplex control system, one duplex normal system is an internal duplex regular system and the other dual standby system is an internal duplex standby The duplex control system according to any one of claims 1 to 6, wherein the system is changed to a system and operated as the internal duplex control system. Two sets of control devices are arranged for the control target, one control device is used as a normal system control device, the other control device is used as a standby system control device, and usually the control target is controlled by the normal system control device, When this regular system control device fails, it is switched to the standby system control device, and is a method for changing the control program of the control device of the standby redundant type redundant control system for controlling the control object,
Maintenance tools,
Two sets of control devices;
Consisting of process I / O devices,
The maintenance tool includes an operation mode setting means for setting the operation mode of the control system in the two sets of the control devices, a control program maintenance means for maintaining a control program stored in the control device, and the regular system control. A control program comparison / determination means for comparing and determining whether the control program is good or bad based on a comparison of a control signal between the apparatus and the standby control device,
The control device includes an operation mode setting processing means for setting an operation mode of the control device from an operation mode command signal from the operation mode setting means, a failure state of the own system of the control device, and a failure state of the counterpart system; ,
In synchronization with the control cycle of the control device set in advance, a tracking memory for storing the control data of the own system and the counterpart system and the failure state, and the control data and the failure state stored in the tracking memory Synchronization signal detection means comprising communication means for communicating with each other in synchronization with the control cycle;
A control program memory for storing the control program, a control data memory for storing the control data, a control signal to be exchanged with the control target and performing a control calculation based on the control program, and the calculation result and the operation mode setting Arithmetic processing means having a CPU that outputs a selection signal of the arithmetic output to the process input / output device according to the operation mode stored in the processing means;
The process input / output device includes an input circuit that inputs an output signal from the control target to two sets of the control devices in parallel, and an operation output of one of the two sets of the control devices selected by the selection signal. An output circuit for transmitting to the controlled object,
When an “internal double setting command” is transmitted from the maintenance tool in a state where one of the control devices is single and in normal operation and the other control device is stopped, the other control device Requesting an initial tracking process to write the control data and operating state of the control device in operation to the tracking memory of the own system for one of the systems in normal operation, When this initialization tracking process is normally completed, the system is operated as an internal double standby system, the internal double standby system, and the operating system as an internal double normal system.
The maintenance tool downloads a new control program to the standby system;
The maintenance tool uploads the control data of the standby system and the regular system, and compares and determines the control data of the control program and the new control program,
As a result of the comparison determination, the control of the redundant control system comprising the step of setting an “internal double switching command” to the normal system and the standby system from the maintenance tool when it is determined that the update is possible How to change the control program of the device.

Images