JP2011189709A - Equipment control system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To properly detect control commands of which execution should be restricted among a plurality of control modules connected via communicating wires. <P>SOLUTION: A detecting means executes determination whether or not the action condition corresponding to the control commands received by a receiving means, for example, is an action condition which is inhibited by the first list. The detecting means executes determination whether or not the transition among a plurality of action conditions corresponding to the plurality of control commands received by the receiving means is the transition which is not inhibited by the second list. Further, the detecting means executes determination whether or not the transition among a plurality of control commands received by the receiving means is the transition which is not inhibited by the third list. The detecting means detects the control commands of which the execution is restricted by executing at least one determination of the determinations described above. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a device control system realized by a distributed control system having a plurality of CPU groups.

  Conventionally, centralized control by a single CPU has been adopted for controlling image forming apparatuses such as printers and copiers. However, an increase in the CPU load due to a single point of control and an increase in the length of the control communication bundle routed to the load driver unit away from the control CPU board have been problems. In order to solve such a problem, a distributed control system that divides each control module constituting the electrophotographic system into individual sub CPUs has attracted attention (see Patent Document 1). In a distributed control system, a plurality of distributed control modules operate in a coordinated manner while transmitting and receiving control information and commands. Therefore, a malfunction occurs when control information or a command is erroneously transmitted. Communication data errors can be detected by parity check or the like, and data errors can be corrected by error correction codes. Further, according to Patent Document 2, it is described that the LAN communication control device stops functioning when it is detected that an abnormal number of packets are received.

Japanese Patent Laid-Open No. 08-336189 JP 2000-295259 A

  Incidentally, the image forming apparatus includes a plurality of functional groups with high control independence such as paper conveyance, heater control, and printing process control. Therefore, when the distributed control system is applied to the image forming apparatus, a plurality of distributed control modules adopt a hierarchical structure for each functional group, and the lower hierarchy will operate in response to a command from the higher hierarchy. In such a hierarchical structure, in order to increase the safety of the system, it is detected not only whether communication data is correctly transmitted and received between the upper layer and the lower layer, but also whether each layer is operating normally with each other. There is a need. The error detection code and the error correction code can detect an error in communication data generated in the communication path, but cannot detect an erroneous control command issued by a malfunction of the distributed control module because it is not an error generated in the communication path. Since a malfunction of one distributed control module may spread to other distributed control modules through a hierarchical structure, it is necessary to appropriately detect and deal with it. There are various causes of abnormal operation. There are cases where the distributed control module becomes abnormal directly due to the influence of electromagnetic noise, and there are cases where the output of various sensors becomes abnormal and the distributed control module becomes abnormal indirectly. There are also cases where an abnormality occurs due to a synchronization shift (control delay) between a plurality of distributed control modules. In order to prevent such abnormalities in some distributed control modules from spreading to other distributed control modules that cooperate, it is effective to mutually confirm that the individual distributed control modules are operating normally. Let's go.

  Therefore, an object of the present invention is to solve at least one of such problems and other problems. For example, in a device control system in which a plurality of control modules operate in cooperation, an object is to detect the abnormal operation in order to prevent an abnormal operation in a certain control module from spreading to other control modules. Other issues can be understood throughout the specification.

  The present invention can be applied to, for example, a device control system including a plurality of control modules connected by communication lines. At least the first control module of the plurality of control modules includes a reception unit, a list storage unit, and a detection unit. The receiving means receives a control command from a second control module connected via a communication line among the plurality of control modules. The list storage means includes at least one list among the three lists. The first list is a list indicating the operating state of the first control module corresponding to each of the plurality of control commands. The second list is a list showing transitions between a plurality of operation states in the first control module. The third list is a list showing transitions between a plurality of control instructions. For example, the detection unit determines whether the operation state corresponding to the control command received by the reception unit is an operation state prohibited by the first list. The detecting unit determines whether or not the transition between the plurality of operation states corresponding to the plurality of control commands received by the receiving unit is a transition that is not prohibited by the second list. Further, the detecting means determines whether or not the transition between the plurality of control instructions received by the receiving means is a transition that is not prohibited by the third list. The detection means detects a control instruction whose execution is to be restricted by executing at least one of these determinations.

  According to the present invention, it is possible to accurately detect a control instruction whose execution is restricted by listing a list of operation states that are not allowed, transitions between operation states, transitions between control instructions, and the like. If a control command whose execution is to be restricted can be detected, as a secondary effect, an effect of suppressing an abnormal operation in one control module from spreading to another control module can be expected.

1 is a diagram illustrating an overview of an image forming apparatus 1000 according to an embodiment. FIG. 3 is a cross-sectional view illustrating a configuration example of an image forming unit 300 according to the present embodiment. It is a figure which shows typically the relationship between the master CPU which concerns on a present Example, submaster CPU, and slave CPU. FIG. 3 is a diagram illustrating an example of a control board of the image forming apparatus 1000 according to the present embodiment. It is a figure which shows the connection relationship of submaster CPU601 and slave CPU602, 603 which concern on a present Example. FIG. 11 is a sequence diagram illustrating exclusive operations of the manual paper feed unit 253, the paper feed cassette 240, and the paper feed cassette 241 according to the present embodiment. It is a figure which shows the restrictions list | wrist of submaster CPU602, 603 shown in FIG. 5 which concerns on a present Example. It is a flowchart which shows the process performed when the slave CPU which concerns on a present Example receives a control command. FIG. 10 is a sequence diagram illustrating sheet feed control using a restriction list according to the embodiment. It is the figure which showed the restriction | limiting list about the group comprised by the some submaster CPU which concerns on a present Example.

[Example 1]
<Configuration of image forming apparatus>
In this embodiment, an image forming apparatus is taken up as an example of a device control system including a plurality of control modules connected to each other by communication lines. Needless to say, the technical idea of the present invention can be applied to any device control system that employs a plurality of distributed control modules. As shown in FIG. 1, the image forming apparatus 1000 includes an automatic document feeder 100, an image reading unit 200, an image forming unit 300, and an operation unit 10. The image forming apparatus shown in FIG. 1 is generally in the form of a product called a copying machine or a multifunction machine. As will be described in detail below, the image forming apparatus 1000 implements distributed control using a plurality of control units (CPUs). The automatic document feeder 100 automatically conveys a document onto a platen glass. The image reading unit 200 reads a document conveyed from the automatic document conveying device 100 and outputs image data. The image forming unit 300 forms an image on a recording material according to image data output from the image reading unit 200 or image data input from an external host device connected via a communication line. The operation unit 10 has a GUI (graphical user interface) for a user to perform various operations. Furthermore, the operation unit 10 includes a display unit such as a touch panel and presents information to the user.

<Image forming unit>
As an image forming method of the image forming unit 300 shown in FIG. 2, an electrophotographic method is adopted. The technical idea of the present invention does not depend on the image forming method. Therefore, the present invention can be applied to an ink jet method, a thermal transfer method, and other image forming methods. Note that alphabets Y, M, C, and K shown at the end of the reference numbers indicate yellow, magenta, cyan, and black toners, respectively. Therefore, the alphabets Y, M, C, and K at the end are omitted when describing items common to each toner. When describing individual items for each toner, alphabets Y, M, C, and K are added to the end of the reference number.

  A photosensitive drum (hereinafter referred to as “photosensitive member 225”) is rotated in the direction of arrow A by a motor. Around the photoconductor 225, a primary charging device 221, an exposure device 218, a developing device 223, a transfer device 220, a cleaner device 222, and a charge eliminating device 271 are arranged. The developing device 223K is a developing device for monochrome development, and develops the latent image on the photoreceptor 225K with K toner. The developing devices 223Y, M, and C are developing devices for full color development. The developing devices 223Y, M, and C develop the latent images on the photoreceptors 225Y, M, and C with Y, M, and C toners, respectively. The toner images of the respective colors developed on the photoconductor 225 are collectively transferred to the transfer belt 226, which is an intermediate transfer body, by the transfer device 220.

  The transfer belt 226 is stretched around rollers 227, 228, and 229. The roller 227 functions as a driving roller that is coupled to a driving source and drives the transfer belt 226, and the roller 228 functions as a tension roller that adjusts the tension of the transfer belt 226. The roller 229 functions as a backup roller for the transfer roller as the secondary transfer device 231. The transfer roller attaching / detaching unit 250 is a drive unit for adhering or releasing the secondary transfer device 231 to or from the transfer belt 226. A cleaner blade 232 is provided below the transfer belt 226 after passing through the secondary transfer device 231, and residual toner on the transfer belt 226 is scraped off by the blade.

  The recording materials stored in the paper feed cassettes 240 and 241 and the manual paper feed unit 253 are nipped by the registration roller 255, the paper feed roller pair 235, and the vertical pass roller pairs 236 and 237, that is, the secondary transfer device 231 and the transfer belt 226. Is fed to the contact portion. At this time, the secondary transfer device 231 is in contact with the transfer belt 226 by the transfer roller attaching / detaching unit 250. The toner image formed on the transfer belt 226 is transferred onto the recording material at this nip portion. Thereafter, the recording material onto which the toner image has been transferred is thermally fixed by the fixing device 234 and discharged outside the device. The sheet feeding cassettes 240 and 241 and the manual sheet feeding unit 253 include sheet-less detection sensors 243, 244, and 245 for detecting the presence or absence of a recording material, respectively. The paper feed cassettes 240 and 241 and the manual paper feed unit 253 include paper feed sensors 247, 248, and 249 for detecting a pickup failure of the recording material, respectively.

  Here, an image forming operation by the image forming unit 300 will be described. When image formation is started, the recording materials stored in the paper feed cassettes 240 and 241 and the manual paper feed unit 253 are conveyed to the paper feed roller pair 235 one by one by the pickup rollers 238, 239, and 254, respectively. . When the recording material is conveyed to the registration roller 255 by the pair of paper feed rollers 235, the registration sensor 256 immediately before the recording material detects passage of the recording material. After a predetermined time has elapsed since the registration sensor 256 detected the passage of the recording material, the paper feed roller pair 235 interrupts the recording material conveyance operation. As a result, the recording material hits the stopped registration roller 255 and stops. By starting the registration roller 255, the recording material is supplied to the secondary transfer device 231. The registration roller 255 is coupled to a driving source and is driven to rotate by being transmitted by a clutch.

  Next, a voltage is applied to the primary charging device 221 to uniformly negatively charge the surface of the photoconductor 225 at a predetermined charged portion potential. Subsequently, exposure is performed by an exposure device 218 having a laser scanner unit so that the image portion on the charged photoconductor 225 has a predetermined exposure unit potential, and a latent image is formed. The exposure device 218 forms a latent image corresponding to the image by turning on / off the laser beam based on the image data sent from the controller 460 via the printer control I / F 215. A developing bias set in advance for each color is applied to the developing roller of the developing device 223. The latent image is developed with toner when passing through the position of the developing roller, and is visualized as a toner image. The toner image is transferred to the transfer belt 226 by the transfer device 220, and further transferred to the recording material conveyed from the paper feeding unit by the secondary transfer device 231, and then passes through the post-registration conveyance path 268 to be fixed and conveyed. It is conveyed to the fixing device 234 via the belt 230. In the fixing device 234, in order to prevent image disturbance, the pre-fixing chargers 251 and 252 are charged to reinforce the toner adsorption force. Further, the toner image is thermally fixed by the fixing roller 233. Thereafter, the recording material is discharged to the discharge tray 242 as it is by the discharge roller 270 when the transport path is switched to the discharge path 258 side by the discharge flapper 257. The toner remaining on the photoreceptor 225 is removed and collected by the cleaner device 222. The photoconductor 225 is uniformly discharged to near 0 volts by the charge removing device 271 to prepare for the next image forming cycle.

  FIG. 3 shows a plurality of control modules connected to each other by communication lines. Each control load shown in FIG. 2 is controlled by four control blocks including a first transport module 280, a second transport module 281, an image forming module 282, and a fixing module 283 shown in FIG. The master module 284 is a control module that controls these four control blocks to function as an image forming apparatus. The master module 284 is provided with a master CPU 1001 as a master control unit / first layer control unit. The master CPU 1001 controls the entire image forming apparatus 1000 based on instructions, commands, and image data received from the controller 460 via the printer control I / F 215. The first transport module 280, the second transport module 281, the image forming module 282, and the fixing module 283 for performing image formation are sub-master CPUs 601, 901, and 701 as sub-master control units / second-layer control units that control each function. 801. The sub master CPUs 601, 901, 701 and 801 are controlled by the master CPU 1001. Each function module further includes slave CPUs 602, 603, 902, 903, 702, 703, 704, 705, 706, as slave control units / third layer control units for operating control loads for executing the respective functions. 802 and 803 are provided. The slave CPUs 602 and 603 are controlled by the sub master CPU 601. The slave CPUs 902 and 903 are controlled by the sub master CPU 901. The slave CPUs 702, 703, 704, 705, and 706 are controlled by the sub master CPU 701. The slave CPUs 802 and 803 are controlled by the sub master CPU 801.

  As shown in FIG. 3, the master CPU 1001 and the plurality of sub-master CPUs 601, 701, 801, and 901 are connected by a common network type communication bus 1002. The sub-master CPUs 601, 701, 801, and 901 are also connected by a network type communication bus 1002. Note that the master CPU 1001 and the plurality of sub-master CPUs 601, 701, 801, and 901 may be ring-connected. The sub-master CPU 601 is further connected to each of the plurality of slave CPUs 602 and 603 via the serial communication buses 612 and 613 in a one-to-one manner. Similarly, the sub-master CPU 701 is connected to slave CPUs 702, 703, 704, 705, and 706 via serial communication buses 711, 712, 713, 714, and 715, respectively. The sub master CPU 801 is connected to the slave CPUs 802 and 803 via serial communication buses 808 and 809, respectively. The sub master CPU 901 is connected to slave CPUs 902 and 903 via serial communication buses 909 and 910, respectively. Here, the serial communication bus is used for short-range communication.

  On the other hand, between the sub master CPUs 601, 701, 801, and 901 and the master CPU 1001, only communication that does not require precise control timing and that controls the rough processing flow of the image forming operation is performed. For example, the master CPU 1001 instructs the sub-master CPU to start pre-image formation processing, start paper feed, and start post-image formation processing. Further, the master CPU 1001 issues an instruction based on a mode (for example, a monochrome mode or a double-sided image formation mode) designated by the controller 460 to the sub-master CPU before starting image formation. Only communication that does not require precise timing control is performed between the sub-master CPUs 601, 701, 801, and 901. That is, the control of the image forming apparatus is divided into control units that do not require precise timing control, and each sub-master CPU controls each control unit at precise timing. As a result, the image forming apparatus 1000 can minimize the communication traffic and can be connected by the low-speed and inexpensive network type communication bus 1002. In addition, about the master CPU, submaster CPU, and slave CPU, the control board mounted does not necessarily need to be a control board as shown in FIG. 3, and can be changed according to the situation on mounting.

  As shown in FIG. 4, various control board configurations can be employed. For example, the sub master CPU 601 and the slave CPUs 602 and 603 are mounted on the same substrate. Further, like the sub master CPU 701 and the slave CPUs 702, 703, and 704, or the sub master CPU 801 and the slave CPUs 802 and 803, the sub master CPU and each slave CPU may be mounted on independent boards. Some slave CPUs such as slave CPUs 705 and 706 may be mounted on the same substrate. Like the sub master CPU 901 and the slave CPU 902, only a part of the sub master CPU and the slave CPU may be arranged on the same substrate.

  The slave CPU 802 uses the motor 804 for rotating the fixing conveyance belt 230 and the motor 805 for rotating the fixing roller 233 as control loads until the recording sheet medium is delivered from the secondary transfer device 231 to the conveyance path after fixing. Control. The slave CPU 803 uses the heater 806, the temperature detection thermistor 807, and the pre-fixing chargers 251 and 252 in the fixing device 234 as control loads. The slave CPU 803 controls the pre-fixing chargers 251 and 252 to charge the toner. Further, the slave CPU 803 controls the temperature of the heater 806 while feeding back the detection result of the temperature detection thermistor 807. The sub master CPU 801 and slave CPUs 802 and 803 are connected by a common serial communication bus 808.

  Next, an abnormality detection of a control command between control modules, which is a feature of the present invention, will be described. The first transport module 280 shown in FIG. 5 is used as an example as at least the first control module among the plurality of control modules. The first transport module 280 performs paper feed control until the recording material stored in the paper feed cassettes 240 and 241 and the manual paper feed unit 253 is fed to the contact portion between the secondary transfer device 231 and the transfer belt 226. I am in charge. The first transport module 280 includes a sub-master CPU 601 that performs overall control of paper feed control, and slave CPUs 602 and 603 that drive each load. Each slave CPU is connected to a load group that is directly controlled.

  The slave CPU 602 includes a first communication interface 501, a second communication interface 502, a ROM 503 and a RAM 504. The slave CPU 602 transmits and receives control commands, status information, and the like with the sub master CPU 601 via the first communication interface 501. Therefore, the first communication interface 501 functions as a receiving unit that receives a control command from the second control module connected via the communication line among the plurality of control modules. The slave CPU 602 receives information from the sensor via the second communication interface 502 or transmits a control signal to a motor or the like. The ROM 503 stores control programs, data, lists, and the like. The RAM 504 stores data acquired from sensors, a history of received control commands, and the like. The slave CPU 602 may transmit / receive a notification indicating the occurrence of an error to / from the slave CPU 603 via the third communication interface 505. The slave CPU 602 uses the motor 606 for driving the pickup roller 238 related to the paper feed cassette 240, the sheet absence detection sensor 243, and the paper feed sensor 247 as loads, and performs control until the recording material is delivered to the paper feed path 266. . Further, the slave CPU 602 uses the motor 607 for driving the pickup roller 239 related to the paper feed cassette 241, the sheet absence detection sensor 244, and the paper feed sensor 248 as loads, and controls until the recording material is delivered to the paper feed path 266. I do.

  The internal configuration of the slave CPU 603 is substantially the same as the internal configuration of the slave CPU 602, and thus the description thereof is omitted. The slave CPU 603 uses the motor 608 for driving the pickup roller 254 related to the manual paper feed unit 253, the sheet absence sensor 245, and the paper feed sensor 249 as loads, and performs control until the recording material is delivered to the paper feed path 266. Do. The slave CPU 603 further uses motors 609, 610, and 611 for driving the paper feed roller pairs 235, 236, and 237 and the registration sensor 256 as loads. The slave CPU 603 controls these loads until the recording material delivered from the paper feeding cassettes 240 and 241 and the manual paper feeding unit 253 is conveyed to the registration roller 255 and temporarily stopped. In this embodiment, the sub-master CPU 601 and the slave CPUs 602 and 603 are connected to each other in a one-to-one relationship by independent serial communication buses 612 and 613, respectively.

  Any control module may cause an abnormal operation due to the influence of electromagnetic noise or a synchronization shift (control delay) between a plurality of control modules. When an abnormal operation occurs, the control module that issues the control command may issue a control command that would otherwise not be issued. If the control module on the receiving side executes this erroneous control command, there is a possibility that the operating state (prohibited state) that is not assumed in design may be entered. Then, if another control module uses a value detected by the sensor in an operation state that is not assumed in this design, there is a possibility that an abnormal operation may spread to the entire device control system. Therefore, in the embodiment, the spread of abnormalities is suppressed by detecting a control command that causes the control module to shift to such a prohibited state. For example, a first list indicating the operation state of the control module corresponding to each of the plurality of control instructions, a second list indicating a transition between the plurality of operation states in the control module, and a third list indicating a transition between the plurality of control instructions At least one constraint list is stored in the memory. Then, it may be determined whether or not the operating state corresponding to the control command received by the receiving unit is an operating state prohibited by the first list. Alternatively, it may be determined whether a transition between a plurality of operation states corresponding to a plurality of control commands received by the receiving unit is a transition that is not prohibited by the second list. Alternatively, it may be determined whether a transition between a plurality of control commands received by the receiving unit is a transition that is not prohibited by the third list. That is, if at least one of the determination processes is executed, a control command that should be restricted from execution can be detected. In the following, this detection process will be described by taking the slave CPUs 602 and 603 functioning as detection means for detecting a control command that creates a prohibited state that is impossible in the operation of each slave CPU as an example.

  As shown in FIG. 6, the image forming apparatus 1000 supplies the recording material from any one of the manual paper feed unit 253, the paper feed cassette 240, and the paper feed cassette 241 when performing image formation. The plurality of paper feeding units do not shift to the recording material feeding operation state at the same time. That is, no paper feed command is issued simultaneously to a plurality of paper feed units. Furthermore, there are operational restrictions between loads such as motors and sensors connected to the slave CPU. For example, when paper is fed from the paper feed cassette 240, the motor 606 first shifts to the rotation state, then shifts to a state where the paper feed sensor 247 detects the recording material (on state), and thereafter The subsequent motor 611 shifts to the driving state. In addition, after the paper feed sensor 247 and the registration sensor 256 are turned off, the motors 606 and 611 are moved to a stopped state. As described above, the plurality of operation states have a correct transition order in time series.

  FIG. 7 shows an example of a restriction list for the slave CPUs 602 and 603. The slave CPUs 602 and 603 detect operation state restrictions and abnormal control instructions according to the restriction list, and determine whether or not the control instructions can be executed. That is, the slave CPUs 602 and 603 store these restriction lists in the built-in ROM or external ROM. The restriction list includes exclusive operation restrictions among multiple drive devices (function groups, motors, etc.), simultaneous (synchronous) operation restrictions of multiple drive devices, and operation restrictions based on conditions (such as various sensor inputs) that are preconditions for operation. It is assumed that it is created in advance. Here, three types of state lists, state transition lists, and instruction transition lists will be described as examples of constraint lists. These correspond to the above-described first list, second list, and third list, respectively. These restriction lists are, as appropriate, a prohibition list in which transitions between control instructions to be prohibited and transitions between operation states are registered, or a permission in which transitions between control instructions to be permitted and transitions between operation states are registered. Described in the form of a list. The forbidden list and the allowed list can express equivalent contents. Therefore, it is sufficient to select a list that is easy to describe due to system restrictions. For example, a device with few restrictions is described by a prohibit list, and if there are many restrictions, it is described by an allow list. In this way, if a format that reduces the size of the list is adopted, there is an advantage that the storage capacity of the ROM 503 functioning as the list storage means can be saved.

  The prohibition list is a list in which prohibited operation states, transitions between prohibited operation states, and transitions between prohibited control commands are described. If an operation state described in the prohibition list, a transition between operation states, or a transition between control instructions is detected, the control instruction is determined as a prohibition instruction by the CPU. The permission list is a list in which permitted operation states, transitions between a plurality of permitted operation states, and transitions between a plurality of permitted control commands are described. A control command that does not correspond to an operation state described in the allow list, a transition between a plurality of operation states, or a transition between a plurality of control commands is determined by the CPU as a prohibited command.

  The operation state list is a list describing the operation state of each load controlled by the control module. The CPU determines the operation state after virtually executing the received control command before actually executing it. For example, assume that the slave CPU 602 has received a control command from the sub-master CPU 601 to turn on the motor 606. In this case, when the slave CPU 602 executes this control command, the slave CPU 602 grasps from the internal table that the paper feed sensor 247 related to the paper feed cassette 240 shifts to a state in which the recording material is detected. Such a state determination method is called virtual execution. Normally, when this control command is received, the paper feed sensor 248 of the paper feed cassette 241 has not shifted to a state in which a recording material has been detected. If both the paper feed sensor 247 and the paper feed sensor 248 shift to the operation state in which the recording material is detected, a jam occurs, and such an operation state is prohibited by the operation state list, or Unauthorized. As described above, the slave CPU 602 determines an operation state after virtually executing the received control command before actually executing the received control command. Then, the slave CPU 602 refers to the operation state list based on the determined operation state and the current operation state, and determines whether the determined operation state and the current operation state are prohibited operation states. If the determined operation state and the current operation state are described in the operation state list, the slave CPU 602 detects that the received control command is a control command whose execution is restricted.

  The state transition list is a restriction list indicating the transition of the operation state. In the state transition list, an operation state before executing a certain control command and an operation state after executing this control command are registered in association with each other. Therefore, when the slave CPU receives the control command, the slave CPU acquires the operation state at that time by a sensor or the like. Further, the slave CPU determines an operation state after virtually executing the received control command. The slave CPU determines whether the operation states before and after this indicate a transition of the correct operation state. That is, transitions between a plurality of operation states are registered in advance in the state transition list. The slave CPU determines that the received control command is a correct control command if the transition between the plurality of operation states based on the control command is a transition registered in the state transition list. On the other hand, if the transition between a plurality of operation states based on the control instruction is a transition that is not registered in the state transition list, the slave CPU determines that the received control instruction is a prohibition instruction.

  The instruction transition list is a restriction list in which the execution order (issue order) of a plurality of control instructions is registered. There may be a restriction in the execution order among a plurality of control instructions. The slave CPU keeps a history of received control commands in the RAM. When the slave CPU receives the new control instruction, the slave CPU determines whether the execution order of the new control instruction and the one or more control instructions received immediately before is the execution order prohibited by the instruction transition list.

  FIG. 7 illustrates a plurality of lists from (a) to (g), but not all constraint lists are essential. FIG. 7A shows a state prohibition list for the slave CPU 602. In the figure, ○ indicates an operating state, and × indicates a stopped state. The first status list indicates that the paper feed cassette 240 is in an operating state and the paper feed cassette 241 is in a stopped state. The second status list indicates that the paper feed cassette 240 is in a stopped state and the paper feed cassette 241 is in an operating state. The third status list indicates that the paper feed cassette 240 is in a stopped state and the paper feed cassette 241 is also in a stopped state. Thus, the list shown in FIG. 7A is expressed as an allow list. Therefore, in this list, it is prohibited that both the paper feed cassette 240 and the paper feed cassette 241 are in an operating state. In FIG. 7, the definition of the function group is omitted. The function group definition can be defined as group table information.

  In the list of FIG. 7A, a plurality of operation states that should be permitted at the same time are registered in association with each other, but a constraint level is also registered. The restriction level corresponds to the severity of the error, and is a standard for selecting an error coping method that should be taken when a prohibition instruction is issued. The slave CPU specifies a restriction level corresponding to the prohibited instruction by referring to the restriction list, and selects an error handling method corresponding to the specified level. For example, “1” at the constraint level indicates a violation related to the safety of the device control system. Therefore, if the constraint level is 1, the slave CPU notifies other CPUs of the occurrence of an abnormality and immediately stops operation. In the restriction level, “2” indicates a violation related to the function restriction of the device control system. If the restriction level is 2, the slave CPU notifies other CPUs of the occurrence of the abnormality, and discards (cancels) without executing the control command. In the restriction level, “3” indicates a violation of the operation condition of the device control system. If the constraint level is 3, the slave CPU postpones execution of the control instruction until a precondition for executing the control instruction is satisfied.

  As is apparent from the description of FIG. 5, the motors 606 and 607 belong to the same functional group as the paper feed cassettes 240 and 241, respectively, and the control commands for operating them simultaneously are clearly abnormal. Therefore, when a control command for simultaneously driving these two motors is received from the sub-master CPU 601 that has operated abnormally, the slave CPU 602 notifies the other CPUs of the occurrence of the abnormality according to the restriction list in FIG. Immediately stop the operation.

  FIG. 7B illustrates an operation state list for the slave CPU 602. The operation state list is described as a prohibition list. According to this list, it is prohibited to stop driving the motors 606 and 607 when the paper feed sensor 247 is detecting paper (on). The slave CPU 602 monitors whether the paper feed sensor 247 is on or off. When the stop command for the motors 606 and 607 is received while the paper feed sensor 247 is on, the slave CPU 602 waits for the paper feed sensor 247 to turn off and stops the motors 606 and 607. That is, the control command is executed after waiting until a precondition for executing the received control command is satisfied. Here, the slave CPU 602 has been described using the list shown in FIG. 7A and the list shown in FIG. 7B. These lists are changed to the prohibit list shown in FIG. 7G. It may be integrated.

  As described above, the slave CPU determines the operation state after the virtual execution before actually executing the received control command, and whether or not the determined operation state is an operation state prohibited by the state list. Determine. If the operation state is prohibited, the slave CPU determines that the received control command is a prohibited command. Therefore, even if the communication partner CPU issues an incorrect control command (prohibition command) due to an abnormal operation, the slave CPU does not execute the prohibit command, so that a malfunction can be avoided. In addition, the abnormal operation of the communication partner CPU does not spread to the slave CPU. Further, it is possible to suppress the abnormality from spreading to other CPUs operating in cooperation with the slave CPU. Of the plurality of control modules, those with less restrictions are described in the prohibit list, and if there are more restrictions, they are described in the allow list, which has the advantage of saving the memory capacity of the memory.

  FIG. 7C shows a case where the operation state transition list is realized by a permission list. In this list, transitions of the respective operation states of the paper feed sensor 247 and the motor 606 are registered in association with each other. The operation state transition list is used when transitions between a plurality of operation states occur in a predetermined order. That is, transitions in the order not defined by the operation state transition list are prohibited, and transitions in the order defined by the operation state transition list are permitted. By comparing the transition from the current operating state to the operating state after virtually executing the control command before actually executing the control command with the transition registered in the list, the slave CPU can receive the received control command. Determine if it is a prohibited instruction. When a transition that is not registered in the operation state transition list occurs, the slave CPU discards it without executing the control command. Alternatively, the slave CPU may postpone the execution of the received control command until the registered transition is realized. Which of these should be adopted may be determined according to the restriction level registered in the operation state transition list.

  The slave CPU will be able to execute a stricter control command feasibility determination by using the operation state transition list to determine whether the control command can be executed in addition to or instead of the operation state list. That is, it is considered that the accuracy of determination is improved by increasing the number of determination elements by referring not only to the verification of the operation state as a result of executing a plurality of control instructions but also the transition between the plurality of operation states.

  FIG. 7D and FIG. 7E are constraint lists applied to the slave CPU 603. Since these are the same contents as FIG. 7 (b) and FIG. 7 (c) except that the target drive devices (registration sensor 256 and motor 611) are different, description thereof will be omitted. FIG. 7F shows an example of a control instruction transition list for the slave CPU 603. The constraint on the issue transition among a plurality of related control instructions is shown. That is, an issue order or an execution order is defined in advance for a plurality of control commands, and the order is managed in this list. In the list of FIG. 7F, transitions that should be prohibited for the control command for the motor 611 and the control command for the motor 608 are registered. The slave CPU 603 stores the received control command history in the RAM. When the slave CPU 603 receives a new control command (Next), the slave CPU 603 identifies the previous control command (Current) from the history, and determines whether the transition between the two control commands is a transition registered in the control command transition list. judge. As a result, the slave CPU 603 determines a new control command as a prohibited command if the transition is prohibited by the list, and determines a new control command as a permitted command if the transition is not prohibited by the list. Specifically, it is assumed that after an on command for the motor 608 is received, an on command for the motor 608 is received. Such a transition of the control command is prohibited by the third state list in FIG. Therefore, the slave CPU 603 discards the motor 608 without executing the ON command. It is not possible to detect from the lists shown in FIG. 7D and FIG. 7E that an unnecessary command that issues an ON command again while the motor 608 is ON is issued. This is because the transition of the operation state does not occur when the control instructions having the same contents are continuously issued. Therefore, if a control command transition list is introduced, an abnormality that cannot be detected from the transition of the operation state can be detected.

  With reference to FIG. 8, the processing of the slave CPU when receiving a control command will be described. In S800, the slave CPU determines whether a control command is received from the sub-master CPU. When the control command is received, the process proceeds to S801. In S801, the slave CPU determines an operation state after virtually executing the received control command. The operation state corresponding to the control command may be registered in advance in the table. The slave CPU can easily specify the operation state corresponding to the received control command by referring to the table. Further, the slave CPU may determine a transition between a plurality of operation states from the determined operation state. Further, the slave CPU may specify the transition between the immediately preceding control command and the new control command from the history of control commands. These processes are as described in detail with reference to FIG.

  In S802, the slave CPU determines whether the received control command is a prohibition command. For example, the slave CPU determines whether or not the operation state corresponding to the received control command is prohibited by the operation state list indicating the operation state of the control module corresponding to each of the plurality of control commands. Further, the slave CPU determines whether or not the transition from the current operation state to the operation state corresponding to the received control command is prohibited by the operation state transition list indicating the transition between the plurality of operation states in the control module. . Further, the slave CPU determines whether or not the transition from the control instruction executed immediately before to the newly received control instruction is prohibited by the control instruction transition list indicating the transition between the plurality of control instructions. Of these three determination processes, one or more may be executed. When the slave CPU determines that the received control instruction is a prohibited instruction by any of the determination processes, the restriction level corresponding to the prohibited instruction is specified from the list, and in order to execute the process according to the specified restriction level, Proceed to S810. If the received control command is not a prohibition command, the process proceeds to S803.

  In S803, the slave CPU formally receives and executes the control command received from the sub-master CPU. In S804, the slave CPU adds the received control command to the history and writes it to the RAM.

  In S810, the slave CPU specifies a restriction level corresponding to the prohibition instruction from the list, and determines whether or not the specified restriction level is level 1. If it is level 1, the process proceeds to S811, where the slave CPU discards the control command without executing it and notifies the sub-master CPU of the occurrence of an error. If there is another slave CPU linked with the slave CPU, the slave CPU may notify the other slave CPU of the occurrence of the error through the third communication interface 505. The third communication interface 505 functions as a transmission unit that transmits a notification indicating that an abnormality has occurred to another control module connected via a communication line among the plurality of control modules. Furthermore, the slave CPU requests these CPUs to perform a system reset. In this manner, the slave CPU functions as a discarding unit that discards a control command without executing the control command when a control command whose execution is restricted by the detection unit is detected.

  If the specified restriction level is not level 1, the process proceeds to S820. By the way, the detection of the prohibit command means that an error has occurred in the sub-master CPU. In this case, if an error has occurred in another slave CPU, there is a high possibility that a serious error has occurred in the entire device control system. Therefore, in this embodiment, when a notification notifying the occurrence of an error is received from another control module, the level specified by the specifying unit is changed to a level indicating a higher severity than the error severity indicated by the level. To do. In S820, the slave CPU determines whether the specified restriction level is level 2. If it is level 2, the process proceeds to S821. In step S821, the slave CPU determines whether an error notification is received from another slave CPU with which the slave CPU is linked. The slave CPU functions as a determination unit that determines whether a notification notifying the occurrence of an error is received from another control module different from the second control module among the plurality of control modules. If an error has occurred in other slave CPUs, it is presumed that a serious error has occurred in the device control system, and the process advances to step S811. In S811, an error handling method for level 1 having a higher severity than level 2 is executed. In this way, the level 2 specified in S820 is changed to level 1 indicating a higher severity than the error severity indicated by level 2.

  On the other hand, if an error notification has not been received from the other slave CPUs that are linked, the process proceeds to S822. In S822, the slave CPU notifies the sub master CPU of the error, and discards it without executing the control command received from the sub master CPU. If the specified constraint level is neither level 1 nor level 2, the process advances to step S831. In S831, the slave CPU monitors its own operation state, waits until the operation state satisfies a precondition for executing the received control command, and executes the control command when the precondition is satisfied. Thus, the slave CPU functions as a monitoring unit that monitors the operating state of the first control module. Further, the slave CPU functions as an execution postponing unit that postpones the execution of the control command until the operation state monitored by the monitoring unit changes to a state in which the control command can be executed.

  As described above, according to the present embodiment, it is possible to accurately detect a control instruction whose execution is restricted by listing an unacceptable operation state, a transition between operation states, or a transition between control instructions. It becomes like this. If a control command whose execution is to be restricted can be detected, as a secondary effect, an effect of suppressing an abnormal operation in one control module from spreading to another control module can be expected. For example, it is possible to suppress such a control command from being discarded without executing it, notify an error to another control module, or prevent the sub-master CPU error from spreading to the slave CPU. If the error severity is relatively low, execution of the control command may be postponed until the monitored operating state changes to a state where the control command can be executed. This will avoid a system reset that takes a relatively long time to recover. Thus, by selecting an error handling method corresponding to the constraint level, the time required for error recovery can be shortened.

  In addition, the slave CPU may detect a relatively low restriction level and may also detect an error from another slave CPU. In this case, by changing the restriction level to a relatively high restriction level (S820, S821), the slave CPU can reflect the error occurrence status in the entire device control system to each slave CPU. This is because if an error occurs not only in itself but also in other slave CPUs, it is considered that a large error has occurred in the entire device control system.

  FIGS. 9A and 9B are timing charts showing the relationship between control commands between the sub-master CPU 601 and the slave CPUs 602 and 603 and the operation states of the paper feed sensors 247 and 256 and the motors 606 and 611. is there. In particular, FIG. 9A shows a timing chart when a control instruction is normally issued, and FIG. 9B shows a timing chart when a restriction level 3 prohibition instruction is issued. At timing (A) in FIG. 9A, a sub-master CPU 601 issues a motor 611 stop command to the slave CPU 603. According to FIG. 7D, execution of a stop command for the motor 611 is prohibited when the registration sensor 256 is in an ON state. On the other hand, execution of a stop command for the motor 611 is permitted when the registration sensor 256 is in the OFF state. Therefore, the stop command at the timing (A) is executed, and the motor 611 stops. At timing (B) in FIG. 9B, a stop command for the motor 611 is issued. However, since the registration sensor 256 is in the ON state at the timing (b), this stop command is determined to be a prohibition command based on the list of FIG. Since the restriction level is 3, execution of the stop instruction is postponed. At the timing (C) when the registration sensor 256 shifts to the off state, the slave CPU executes a motor 611 stop command. At timing (D) in FIG. 9B, a control command for instructing the start of operation of the motor 607 is issued. According to the list of FIG. 7A, the motors 606 and 607 are prohibited from operating simultaneously. The restriction level is 2. Therefore, this control command is discarded when it is executed. Also, error notification is executed from the slave CPU 602 to the sub-master CPU 601. The sub master CPU 601 that has received the error notification may notify the master CPU 1001 of the occurrence of an abnormality. The master CPU 1001 may display an error occurrence on a display unit included in the operation unit 10 or may transmit error information to a host device via an external network (not shown). By notifying the operator and the host device of the error, it is possible to promptly recognize the occurrence of the error by the operator or the like. For example, if the error recurs even after the system reset is executed, the cause of the error may be repaired by maintenance by the operator.

  In FIG. 9A and FIG. 9B, it has been described that the slave CPU executes the on / off of the motor in response to a control command from the sub-master CPU 601. However, the slave CPUs 602 and 603 may autonomously execute control based on the operation state transition list as shown in FIG. 7C and FIG. 7E and other lists. In this case, the control command from the sub master CPU 601 can be only an operation start command. Further, there is an advantage that an error of the sub master CPU 601 is not easily propagated to the slave CPUs 602 and 603.

  As described above, in the device control system of the present embodiment, it is possible to accurately detect a control command resulting from an abnormal operation. Further, even when the control command issuance timing is shifted due to the normal operation, it can be detected as a prohibited command. Also, by introducing a constraint level that is defined reflecting the severity of the error level, it is possible to switch the control instruction handling method according to the error level.

[Other embodiments]
In the above-described embodiment, the restriction list is described as a list provided for each CPU. However, they may be integrated as a common restriction list for a plurality of CPU groups. A plurality of CPUs notify each other of each other, so that it is possible to improve the detection capability of the prohibited instruction by determining whether the control instruction to each CPU is normal as a whole group. .

  FIG. 10 shows an example of a list in which the constraint conditions of the slave CPUs 602 and 603 are integrated into one. In the list of FIG. 7A, only the exclusive operation of the paper feeding cassettes 240 and 241 is prohibited, but in the list of FIG. 10A, the simultaneous feeding of the paper feeding cassettes 240 and 241 and the manual paper feeding unit 253 is performed. Paper feeding operation is prohibited. Similarly, in FIG. 10B and FIG. 10C, the prohibit command is defined by three or more motors and sensors. Compared with the lists shown in FIG. 7B, FIG. 7C, FIG. 7D, FIG. 7E, and FIG. 7F, the prohibit command is set in more detail. In this way, it is possible to configure a safer system by grouping three or more modules operating in cooperation and defining a prohibition command. In addition, as described above, the prohibition instruction due to the abnormal operation may be detected not only by the slave CPU but also by another CPU. Further, in this embodiment, the abnormal operation in each control module is detected by detecting the prohibit command. However, the abnormal status may be detected by comparing the status of each control module, replacing each status with the status of the entire system, and comparing the status of the entire system with the list that defines the prohibit command. .

  In the embodiment described above, the first transport module 280 has been described, but the same technical idea can be applied to the second transport module 281, the image forming module 282, and the fixing module 283. Furthermore, the same technical idea may be applied between the master CPU 1001 and the sub-master CPUs 601, 701, 801, and 901. For example, the sub-master CPU 601 executes detection of the abnormal operation described above for a control command from the master CPU 1001. In this case, error notification between slave CPUs is executed between sub-master CPUs.

Claims (6)

In a device control system comprising a plurality of control modules connected by communication lines,
At least the first control module of the plurality of control modules is
Receiving means for receiving a control command from a second control module connected via the communication line among the plurality of control modules;
A first list indicating an operation state of the first control module corresponding to each of a plurality of control instructions, a second list indicating a transition between the plurality of operation states in the first control module, and a plurality of control instructions List storage means for storing at least one of the third lists indicating transitions;
Determining whether the operating state corresponding to the control command received by the receiving means is an operating state prohibited by the first list, between a plurality of operating states corresponding to the plurality of control commands received by the receiving means And whether or not a transition between a plurality of control instructions received by the receiving means is a transition not prohibited by the third list. A device control system comprising: detection means for detecting a control command whose execution should be restricted by executing at least one of the determinations. At least the first control module of the plurality of control modules is
The apparatus control system according to claim 1, further comprising: a discarding unit that discards the control command without executing the control command when a control command to be restricted by the detection unit is detected. At least the first control module of the plurality of control modules is
When a control command whose execution is to be restricted is detected by the detection means, it indicates that an abnormality has occurred in another control module connected via the communication line among the plurality of control modules. The device control system according to claim 1, further comprising a transmission unit that transmits the notification. At least the first control module of the plurality of control modules is
Monitoring means for monitoring an operating state of the first control module;
When a control instruction whose execution is to be restricted by the detection means is detected, execution to postpone execution of the control instruction until the operation state monitored by the monitoring means changes to a state in which the control instruction can be executed The device control system according to claim 1, further comprising a postponing unit. In each of the first list, the second list, and the third list, a level indicating the severity of an error corresponding to the control instruction to be restricted from execution is registered.
At least the first control module of the plurality of control modules is
Specifying means for specifying a level corresponding to a control instruction to be restricted from being executed;
5. The device control system according to claim 1, further comprising a selection unit that selects an error handling method corresponding to a level specified by the specifying unit. At least the first control module of the plurality of control modules is
Determining means for determining whether or not a notification notifying the occurrence of an error is received from another control module different from the second control module among the plurality of control modules;
When the notification notifying the occurrence of an error is received from the other control module, the information processing apparatus further includes a changing unit that changes the level specified by the specifying unit to a level indicating a severity higher than the severity of the error indicated by the level. The apparatus control system according to claim 5.

Images