JP2008090656A - Programmable controller - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a programmable controller, correctly repairing a failure of a user program without stopping a system while using a volatile memory as a backup memory of the user program. <P>SOLUTION: A user program memory 17 (RAM) stores the user program M which is read for control operation for each scan period, and a system work memory 16 and a user data memory 18 (RAMs) store backup user programs B1 and B2 of the same content as the program M, respectively. A majority memory diagnosis/repair means 15B (in a system program memory 15) detects a failure of each program M, B1, B2 by reading and comparing data in corresponding areas of the programs M, B1 and B2 for each scan period, and determining correct data when the number of programs having the same data is a majority of the total number of user programs and backup user programs (two or more in this embodiment), and repairs a faulty program with a non-faulty program. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

The present invention relates to a programmable controller (hereinafter also abbreviated as “PLC”) having a function capable of detecting a break in a user program to be executed during sequence control operation, automatically repairing it, and continuing control operation.
In the following drawings, the same reference numerals denote the same or corresponding parts.

A programmable controller (PLC) is a device that automatically executes sequence control of devices to be controlled connected to the PLC by executing and executing application programs created and stored by the user, and is widely used for factory automation (FA) Has been.
This PLC has a plurality of modules, that is, a power supply module that serves as a power supply source, a CPU module that performs overall control of the PLC, an input module that inputs signals from switches and sensors that are attached to various control target devices, and is also controlled. Various modules such as an output module for outputting a control output to an actuator of the target device and a communication module for connecting to a communication network are appropriately combined.

  FIG. 4 is a block circuit diagram showing a configuration example of a main part of a conventional PLC. In the figure, 100 is a programmable controller (PLC), 200 is a programming loader as a tool for creating and transferring a user program (also referred to as a user application program), and this programming loader 200 is a loader of the PLC 100 via a communication line 300. It is connected to the interface 30.

Further, in the PLC 100, 10 is a CPU module, and 40 is an input / output module (also abbreviated as I / O module) connected to a control target device (not shown).
The CPU module 10 includes the following components 11 and 13 to 18 connected to each other via an internal system bus 19.
Here, the CPU 11 executes the system program stored in the system program memory 15 to control the operation of each component in the CPU module 10, and executes the user program stored in the user program memory 17 to execute the user program. The sequence control of the control target equipment is performed. The CPU 11 is usually a general-purpose MPU or a dedicated IC (ASIC) that replaces it.

The driver / receiver 13 is connected to the loader interface 30 and has a function of passing transmission / reception data between the programming loader 200 and the CPU 11 via the communication line 300.
The PLC specific bus interface 14 inputs and outputs signals related to control of an external control target device to the I / O module 40 via the PLC specific bus 14a.
As the system program memory 15 for holding the system program, an EPROM or a FLASH memory which is a nonvolatile memory is usually used. The sum check / memory diagnostic means 15A is a memory diagnostic software means to be described later held by the system program stored in the memory 15.

The system work memory 16 has a role of temporarily storing data generated when the CPU 11 executes the system program, and a RAM is usually used for the memory 16.
The user program memory 17 has a role of storing a user program received from the programming loader 200, and a RAM is usually used for the memory 17.
The memory 17 stores the user program from the loader 200 after being converted into an instruction object code that is a machine code, that is, a code that can be understood by the CPU 11 that should execute the user program at high speed.

The user data memory 18 has a role of storing data used in the user program, for example, information such as contact signals transmitted / received to / from the control target device, and a RAM is usually used for the memory 18.
FIG. 5 is a flowchart showing an example of general software processing executed by the CPU 11 of the conventional PLC, and S1 to S13 are step numbers. Here, only step S6 corresponds to the processing of the user program, and the other steps correspond to the processing of the system program.

  In FIG. 5, after resetting upon power-on, the CPU 11 performs initialization processing (step S1) such as setting of a transmission IC in advance, and self-diagnosis processing (step S1) for checking whether there is a short circuit of a bus or an abnormality in memory backup. S2) After sequentially performing various system processes (step S3) such as memory clearing and setting for user program execution, a loop operation after step S4 is started.

In the state determination branch process of step S4, the CPU 11 determines whether or not the current state of the apparatus is a state in which normal operation can be performed, and branches to a loop process according to each state. If it is determined that the operation can be normally executed, the process proceeds to the “normal operation execution” branch, and the sequence control process from step S5 is executed.
In this sequence control process, the CPU 11 first takes in an input signal from a control target device input from an input module (not shown) in the I / O module 40 into an I / O memory area in the user data memory 18 (step S5, Next, the user program (sequence program) stored in the user program memory 17 is read, and a logical operation is performed using the latest input signal from the control target device (step S6, user program operation execution).

  Then, after writing the control output signal, which is the result of the calculation, to the I / O memory area in the user data memory 18, it is sent to the output module (not shown) in the I / O module 40 and output to the control target device side. (Step S7, output refresh), and then a so-called scan END process as described later, that is, a memory diagnosis process (Step S10), a loader process (Step S11), a reference SUM value calculation process (Step S12), and various system diagnosis processes (Step S13) is performed. And a series of processing of the above step S4-S13 is repeatedly performed for every scanning period (it is also called a sequence calculation period), and a control object apparatus is controlled.

  By the way, as the environment in the factory where the PLC is installed, various devices such as a servo motor, an inverter, and a high-voltage power device are connected to the PLC or arranged near the PLC. Therefore, destruction of data stored in the memory in the CPU module is likely to occur due to radiation noise, instantaneous power failure of the power source, electromagnetic field, and the like. The phenomenon of data destruction of the memory in the CPU module is also caused by cosmic rays. Data destruction due to the former cause usually occurs in units of several bits (multiple bytes), and data destruction due to the latter cosmic rays often occurs in units of 1 bit.

As a matter of course, since it does not operate normally if it is controlled based on the user program in which data destruction has occurred, the CPU 11 performs the memory diagnosis process (step S10) in the scan END process during operation as shown in FIG. It is confirmed whether the user program has been destroyed by the memory diagnosis subroutine processing.
In the loader process (step S11) in the scan END process, when a new or changed user program is downloaded from the programming loader 200, the downloaded user program is loaded into the user program memory 17 and the conventional program is loaded. Update the user program.

Similarly, in the reference SUM value calculation process (step S12) in the scan END process, the values from the beginning to the end of the updated user program are added, and the obtained value is used as the reference sum value (note that the sum is also referred to as SUM). Stored in a predetermined area in the system work memory 16.
Similarly, in various system diagnosis processes (step S13) in the scan END process, a check for disconnection of the I / O module 40 from the PLC specific bus 14a is performed.

Here, the memory diagnosis subroutine process of FIG. 6 as the detailed process performed in the memory diagnosis process (step S10) in the scan END process of FIG. 5 will be described. In FIG. 6, S41 to 46 are step numbers of this process.
The function of the sum check / memory diagnosis means 15A shown in the system program memory 15 of FIG. 4 is the memory diagnosis process (step S10) of FIG. 5, that is, the memory diagnosis subroutine process of FIG. 6 and the reference SUM value of FIG. This corresponds to the calculation process (step S12).

Summarizing the memory diagnosis process of FIG. 6, the SUM value (referred to as the diagnosis SUM value) of the data to be diagnosed on the RAM is calculated and compared with a reference SUM value stored in advance, and the diagnosis is made by matching. It is to confirm that there is no abnormality in the target data.
Specifically, during the actual operation (that is, during the sequence control loop process for each scan cycle), in the memory diagnosis process (step S10) in FIG. 5, the CPU 11 stores the user program stored in the RAM 17 of the user program memory. The diagnosis SUM value as the SUM value is calculated for a plurality of scan cycles (step S41).

Then, in the scan cycle in which it is determined that the SUM value calculation up to the final data has not been reached (step S42, branch NO), the processing of FIG.
On the other hand, if it is determined in step S42 that the calculation of the SUM value up to the final data has been completed (branch YES), the diagnosis SUM value is stored in the predetermined area in the system work memory 16 as described above and the reference SUM value. Compare (steps S43 and S44).

If the SUM values match (step S44, branch “match”), the calculation of the SUM value of the user program on the user program memory 17, that is, the diagnosis SUM value is repeated again in the same manner as described above. Preparation is made (step S46), and the process of FIG. 6 is exited.
However, if the SUM values do not match (step S44, branch “mismatch”), it is determined that the user program on the RAM 17 has been damaged for some reason, and the PLC operation is abnormally stopped to prevent runaway / illegal output. A change request is set (step S45), and the process of FIG. 6 is exited.

When the abnormal operation stop state change request is set in this way, the state determination branching process in the first step S4 of the loop process of FIG. 5 branches to “abnormal operation stop” and jumps to step S11. As a result, the PLC The sequence control operation by stops.
However, if the operation of the PLC is abnormally stopped in this way, the entire controlled system is stopped, and there is a possibility that the factory operation or the like may be seriously affected. Therefore, in order to restore the system, it is necessary for maintenance personnel to connect a tool such as a programming loader to the PLC and transfer the user program again to execute the memory correction work. Since it is installed in the back, the connection is not easy, and it takes a lot of time to repair the memory and restart the system.

In order to solve this problem, Patent Document 1 includes a user memory that stores a user program that is read out during arithmetic processing, and a backup memory that stores data having the same contents as the user program. User memory corruption is detected by comparing the user memory and backup memory data during the click operation, the detected abnormal data in the user memory is repaired with the corresponding data in the backup memory, and the system is stopped. A PLC automatic memory recovery method is disclosed that allows the sequence control to be continued without causing a failure.
JP 2006-59382 A

  However, in the automatic memory recovery method of Patent Document 1, there is no problem as long as the data in the backup memory is stable, but it can be changed in reality. There is a problem that it is not known which data of the backup memory is truly correct, and the reliability of the memory repair is lacking. This problem is particularly serious when the backup memory is not a nonvolatile memory (ROM, FLASH memory, etc.) but a volatile memory (RAM).

  SUMMARY OF THE INVENTION Accordingly, an object of the present invention is to provide a programmable controller (PLC) that can correctly repair the damage of the user memory even when the PLC uses a volatile memory (RAM) as a backup memory for the user program, and does not require the system to be stopped. There is.

In order to solve the above-mentioned problem, the programmable controller of claim 1 comprises:
A user program (M) read for arithmetic processing of sequence control for each scan cycle and a plurality of backup user programs (B1, B2, etc.) having the same contents as the user program are stored in one memory or a plurality of Programmable controller (100) in which at least one or a plurality of programs of the user program and the backup user program are stored in each of the memories (user program memory 17, RAM system work memory 16, user data memory 18, etc.). Because
Data of the areas corresponding to each other of the user program and all backup user programs are read and compared at each scan cycle (via majority memory diagnosis / repair means 15B), and the number of programs whose data match each other is Whether or not each program is damaged is detected on the assumption that the data that is a majority of the total number of programs and all backup user programs is correct data.

Further, the programmable controller according to claim 2 is the programmable controller according to claim 1, wherein the relevant data of the program determined to be damaged by the detection is restored with the correct data, and the sequence control is continued. .
The programmable controller according to claim 3 is the programmable controller according to claim 2, wherein when the program determined to be damaged by the detection is the user program, the backup user program is determined not to be damaged by the detection. The predetermined one is replaced with the user program and used for the arithmetic processing for each scan period, and the sequence control is continued.

  The operation of the present invention is as follows. That is, in addition to a user memory (user program memory) that holds a user program that is read for sequence control arithmetic processing in the PLC, a plurality of backup memories that hold data having the same contents as the user program (backup user program) (RAM), and by detecting damage to the memory by majority decision processing, the user can also use a PLC that does not store user program backup data (backup user program) on non-volatile memory (ROM, FLASH memory, etc.). Reliably detect memory corruption and repair this immediately from other undamaged backup memory data, or switch the program memory that the CPU reads to perform control operations to undamaged backup memory, Without stopping the PU calculation operation, but to continue the operation of the system.

According to the present invention, a plurality of backups each holding a backup user program having the same contents as the user program, in addition to a user program memory (RAM) holding a user program read for arithmetic processing of sequence control in the PLC. Since a memory (RAM) is provided and memory (program) damage is detected by majority decision processing,
Even in PLCs that do not store backup user programs on non-volatile memory (ROM, FLASH memory, etc.), it is possible to reliably detect user program corruption and repair it immediately from undamaged backup user program data. Alternatively, it is possible to continue the operation of the system without stopping the control operation of the PLC by switching the user program read by the CPU for executing the control operation to a backup user program that is not damaged.

  The user program that has been damaged is likely to have also been damaged in the program portion after the damage detection location, but the user program that the CPU reads for execution of the control operation as described above is not damaged. When switching to the backup user program, the program that has a high possibility of causing damage is not used for the calculation, so that the operation of the PLC can be continued more safely.

Next, an embodiment of the present invention will be described with reference to FIGS.
FIG. 1 is a block circuit diagram showing a configuration of a main part of a PLC according to an embodiment of the present invention, and corresponds to FIG. The difference between FIG. 1 and FIG. 4 is that the software means related to the memory diagnosis added to the system program memory 15 in FIG. 1 is replaced with the majority check memory diagnosis / repair means 15B from the sum check / memory diagnosis means 15A of FIG. The storage areas for backup user programs B1 and B2, which are two backup programs for the user program (shown as M in FIG. 1) stored in the user program memory 17, are the system work memory 16 and the user data memory, respectively. This is a point provided in each of the 18 RAMs.

1 are the same as the functions of the respective parts except for the functions related to the sum check / memory diagnosis means 15A in FIG. 4 except for the functions related to the majority memory diagnosis / recovery means 15B and the backup user programs B1 and B2. It is.
FIG. 2 is a flowchart showing an embodiment of general software processing executed by the CPU 11 of FIG. 1, and corresponds to FIG. 2 differs from FIG. 5 in that the memory diagnosis process (step S10) in FIG. 5 is replaced with a memory diagnosis repair process (step S10A) in FIG. 5 and the reference SUM value calculation process (step S12) in FIG. 5 is replaced with the backup user program storage process (step S12A) in FIG.

The function of the majority memory diagnosing / restoring means 15B shown in the system program memory 15 of FIG. 1 corresponds to the memory diagnosing / repairing process (step S10A) and the backup / user program storing process (step S12A) of FIG.
In the backup user program storage process (step S12A) in FIG. 2, when the user program M is downloaded to the user program memory 17 by updating the new or conventional program in the loader process (step S11) in FIG. Backup user programs B1 and B2, which are two programs having the same contents as the user program M, are stored in the system work memory 16 and the user data memory 18, respectively.

  Note that the RAM used for the system work memory 16, the user program memory 17, the user data memory 18 and the like has been increased in capacity due to advances in LSI technology (in contrast, a small-capacity RAM cannot be obtained). Therefore, in particular, there are many unused areas with respect to the capacity necessary for realizing the product specifications of the CPU module 10 for small / medium scale.

In the present invention, since the backup user program is also stored in the RAM originally provided for another purpose, the amount of RAM is used more than before, but the unused area of the existing RAM is used as described above. This will not affect product costs.
FIG. 3 is a flowchart showing an example of subroutine processing as detailed processing of the memory diagnostic repair processing (step S10A) of FIG. 2, and steps S21 to S32 are step numbers. In this embodiment, [data M], [data B1], and [data B2] defined in steps S21, S22, and S23 described later in FIG. For each process, it is assumed that one instruction sentence is sequentially read from the user program M, the backup user program B1, and the backup user program B2, respectively, and the relative addresses are common instruction data.

Next, FIG. 3 will be described. First, in step S21, the data of the command statement at the corresponding address in the user program used for driving (in this example, the user program M stored in the user program memory 17) is read out as [data M].
In the next step S22, a relative address common to the [data M] in the first backup user program (in this example, the backup user program B1 stored in the system work memory 16) that is not used for driving is used. The data of the command statement is read out and set as [data B1].

In the next step S23, the same relative address as that of the [data M] of the second backup user program (in this example, the backup user program B2 stored in the user data memory 18) that is not used for driving is used. The data of the command statement is read out and set as [data B2].
In the next step S24 (memory corruption detection), [data M] and [data B1] are compared. If they match (branch “match”), the process proceeds to step S25 (memory corruption detection), and [data M] and [data B2] are compared.

If [data M] and [data B2] match in the comparison in step S25 (branch “match”), it means that the data of [DATA M], [DATA B1], and [DATA B1] match. Then, the processing of FIG.
On the other hand, if the comparison result of the step S25 does not match (branch “mismatch”), the [data B2] is assumed to be damaged, and the next step S26 (corrupt memory repair) sets [data M2] to the address of [data B2]. The data is written to restore [data B2] and the process of FIG. 3 is exited. Note that this [data B2] is restored so that memory damage can be detected by the processing of FIG.

Next, when [data M] and [data B1] do not match in the comparison result of step S24 (branch “mismatch”), the process proceeds to step S27 (memory corruption detection) and [data M] and [data B2] are compared. To do.
If [data M] and [data B2] match in this step S27 (branch “match”), it is determined that [data B1] is damaged, and the address of [data B1] is set in the next step S28 (corrupted memory repair). [Data M] is written, [Data B1] is restored, and the process of FIG. 3 is exited. Note that this [data B1] is also restored so that memory damage can be detected by the subsequent processing of FIG.

  On the other hand, if [data M] and [data B2] do not match in the comparison result of step S27 (branch “mismatch”), [data B1] and [data B2] are compared in step S29. If they match (branch “match”), it is assumed that there is damage in [data M], and [data B1] is written to the address of [data M] in the next step S30 (corrupt memory repair). ] Is repaired.

By this restoration, the user program M in the user program memory 17 should be able to continue to be used for the execution of sequence control operations. However, once the user program M on the same RAM 17 is damaged, the future computations are not limited to [data M] at the restoration location. There is a possibility that the part used for execution is damaged.
Therefore, for the sake of safety in this embodiment, the address of the user program used for execution of the sequence control operation in the next step S31 (switch to the uncorrupted memory) is changed from the address of the damaged user program M to the backup user program B1. (That is, the previous backup user program B1 is replaced with the previous user program M), and the previous user program M whose damage has been repaired in the process of step S30 is replaced with the previous backup user program B1. The processing of FIG. 3 can be continued in the form replaced with and the processing of FIG. 3 is exited.

  Note that the above address changing method can be appropriately realized according to the function of the CPU to which the present invention is applied. For example, a base address may be changed if it has a concept of a base address such as a segment such as an 8086 general-purpose CPU. Even in the case of a CPU without the concept of base address, it is possible to change the address by correcting the data in the address management file in which the user program is stored.

  By the way, if the comparison between [data B1] and [data B2] in step S29 does not match (branch “mismatch”), the data of the three data [data M], [data B1], and [data B2] are Inconsistent and damaged data exists but cannot be identified as it is, so in this embodiment, a state change request is set to stop operation abnormally in the next step S32 (damaged and cannot be specified). Step 3 is exited.

As described above, in the process of FIG. 3, the three data of [data M], [data B1], and [data B2] for the user program and the backup user program are compared, and no damage is found by matching the three parties. In the majority decision based on the coincidence of the two parties, the data of the unmatched one is detected as being damaged.
In the case where the three-party data does not match, the operation is stopped abnormally in step S32. However, in fact, there is a possibility that there is data that is not damaged in the three-party data. Therefore, if the conventional sum check is further used before the abnormal operation stop, the user program (or backup user program) with the same sum value is “no damage”, and the user program with the sum value does not match ( Or, a normal user program (or backup user program) can be selected as “damaged” as the backup user program), and the probability of PLC abnormal stop can be further reduced.

In this embodiment, the two backup user programs are stored in the system work memory 16 and the user data memory 18 each composed of RAM. However, the backup user program is stored together with the user program in the user program memory 17 composed of the RAM. A way to do this is also possible.
In the above-described embodiment of the memory diagnosis / restoration process of FIG. 3, one instruction sentence of the user program and the backup user program is read and compared every time this process is performed in the scan cycle. Although the process takes time, it is possible to take a method of reading and comparing all the command statements of the user program and the backup user program all at once in a single memory diagnosis and repair process.

  Further, in the present embodiment, the execution of the memory diagnostic repair process of FIG. 3 is performed in the scan END process of the CPU of FIG. 2, but it may be executed at other timings such as a fixed-cycle interrupt process. .

The block circuit diagram which shows the structure of the principal part of PLC as one Example of this invention The flowchart which shows the Example of the procedure of the general process of CPU of PLC of FIG. The flowchart which shows the Example of the detailed procedure of the memory diagnostic repair process of FIG. 1 is a block circuit diagram showing a configuration example of a main part of a conventional PLC corresponding to FIG. The flowchart which shows the example of the procedure of the general process of CPU of PLC of FIG. The flowchart which shows the example of the detailed procedure of the memory diagnostic process of FIG.

Explanation of symbols

10 CPU module 11 CPU
DESCRIPTION OF SYMBOLS 13 Driver / receiver 14 PLC specific bus interface 14a PLC specific bus 15 System program memory 15B Majority memory diagnostic / restoration means 16 System work memory 17 User program memory 18 User data memory 19 System bus 30 Loader interface 40 I / O module 100 Programmable controller (PLC)
200 Programming loader 300 Communication line M User program B1, B2 Backup user program

Claims (3)

A user program read for calculation processing of sequence control every scan cycle and a plurality of backup user programs having the same contents as the user program are stored in one memory or in each of a plurality of memories. A programmable controller in which each program of a user program is stored at least one or more programs,
Data of areas corresponding to each other of the user program and all backup user programs is read and compared every scan cycle, and the number of programs whose data match each other is a majority of the total number of the user programs and all backup user programs. A programmable controller for detecting whether or not each of the programs is damaged by assuming that the data is correct data. 2. The programmable controller according to claim 1, wherein the corresponding data of the program determined to be damaged by the detection is restored with the correct data, and the sequence control is continued. When the program determined to be damaged by the detection is the user program, a predetermined one of the backup user programs determined not to be damaged by the detection is replaced with the user program, and the calculation process for each scan cycle The programmable controller according to claim 2, wherein the sequence control is continued.

Images