JP2011203965A - Self-diagnosis apparatus and self-diagnosis method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To improve security, reliability, availability, and cost in a self-diagnosis.SOLUTION: A self-diagnosis apparatus executes processing more than once by a previously-set application in a certain period and compares a plurality of results of executed processing to perform the self-diagnosis. The apparatus includes a secure application processing unit for executing the application more than once under a condition set by a diverse diagnostic method, a memory for storing a plurality of processing results obtained by the secure application processing unit in a predetermined save area, and a first postprocessing unit for comparing the plurality of processing results stored in the memory to determine if any error is present depending on whether the compared results indicate coincidence or are within a predetermined error range, thus solving the problem.

Description

  The present invention relates to a self-diagnosis device and a self-diagnosis method, and more particularly, to a self-diagnosis device and a self-diagnosis method for realizing safety and reliability, availability, and cost improvement in self-diagnosis.

  Conventionally, there is a technique for diagnosing data after processing in order to reduce a transient soft error phenomenon after data processing caused by, for example, radiation. Here, a soft error is a defect in which, for example, a part of a semiconductor chip is not broken, but only a part of stored data is inverted, and alpha, neutron, proton, heavy It is caused by the entry of a particle beam such as an ion beam into the semiconductor chip, and the characteristics that the time for the particle beam to pass through the semiconductor chip is extremely short and only a moment are known.

  As a countermeasure against soft errors, for example, an example of mounting a complex ECC (Error Correction Code) corresponding to an error of 2 bits or more is known (for example, see Non-Patent Document 1). As another soft error countermeasure, for example, a method is known in which positive data and inverted data are stored in advance, and parity is checked and inverted data is used when data is accessed (for example, Patent Document 1). Also, there is known a method of diagnosing a CPU (Central Processing Unit) and a memory that are hardware used when executing software when a software error occurs (see, for example, Non-Patent Document 2).

  Also, the data value used for processing executed inside the security device is read from the predetermined memory address multiple times, and the read data values are compared. If there is a mismatched data value, a failure attack is detected. There is also known a failure attack detection method for executing error processing performed when a failure occurs (see, for example, Patent Document 2). Also, if the same program is executed multiple times and the execution results in the result storage area are compared and the execution results are equal, the program address for executing the next program process is controlled, and if the execution results are not equal A data processing method for controlling a program address for executing the same program again is known (see, for example, Patent Document 3).

  Further, in a control device having a plurality of processors, and sequentially comparing the operation progress / results of the processing by the processors and diagnosing that the processing is valid in the same case, the control device includes a plurality of processors. A technique for detecting errors in a storage device by comparing the contents is also known (see, for example, Patent Document 4).

Japanese Patent Application Laid-Open No. 5-216671 JP 2009-259126 A Japanese Patent Laid-Open No. 11-306083 JP 2006-11576 A

2008 IPRS report [soft error edition], http: // pc. watch. impres. co. jp / docs / 2008/0502 / irps03. htm IEC61508 Functional safety of electrical / electronic / programmable electronic safety-related systems (IEC61508-7; A.5.7 (Double RAM with hardware or software comparison and read / write test), A.3.5 (Reciprocal comparison by software) )

  However, as described in Non-Patent Document 1 described above, mounting a complex ECC increases the hardware cost. Further, the technique described in Patent Document 1 needs to perform each process at the time of memory access. For example, it cannot be applied to software in a black box such as an OS (Operating System), and existing software is not used. When using it, software modification is required, which causes problems in terms of reliability and cost.

  Similarly, for the technique described in “A.5.7 Double RAM” of Non-Patent Document 2, it is necessary to perform each process at the time of memory access. For example, software that is a black box such as an OS In addition, when using existing software, it is necessary to modify the software, which causes problems in terms of reliability and cost. In addition, the technology described in “A.3.5 Reciprocal comparison by software” requires at least two CPUs, and the communication load between the CPUs and the processing for data matching become complicated, and reliability and There is a problem in terms of cost. Furthermore, three or more CPUs are necessary for availability of data by majority vote, which causes problems in terms of reliability and cost.

  Further, the technique described in Patent Document 2 reads a data value used for processing executed inside the security device a plurality of times and compares the data value. The technique described in Patent Document 3 executes the same program a plurality of times and compares the execution results. Therefore, none of the documents takes into account errors in input values (analog data, etc.) that occur with the passage of time in the execution of multiple times of processing, for example, and includes high accuracy including the error range. Can not make a self-diagnosis. Furthermore, since the technique described in Patent Document 4 is processed using a plurality of processors, there are problems in terms of reliability and cost as described above.

  The present invention has been made in view of the above-mentioned problems, and provides a self-diagnosis device and a self-diagnosis method for realizing safety and reliability, availability and cost improvement, and performing self-diagnosis with high accuracy. For the purpose.

  In order to solve the above-described problems, the present invention employs means for solving the problems having the following characteristics.

  The present invention is a self-diagnosis device that executes a process by a preset application a plurality of times within a fixed period and compares a plurality of executed process results to perform a self-diagnosis, and is set by a diversity diagnosis method. Comparing a plurality of processing results stored in the memory with a safety application processing unit that executes the application multiple times under conditions, a memory that stores a plurality of processing results obtained by the safety application processing unit in a predetermined save area And a first post-processing unit that determines whether or not there is an error based on whether the compared results match or are within a predetermined error range.

  The present invention further includes a second post-processing unit that determines the presence / absence of the error by voting the plurality of processing results, and the safety application processing unit determines that there is an error in the first post-processing unit. In such a case, one or more applications are executed under the conditions set by the diversity diagnosis method to obtain a processing result, and the second post-processing unit stores the obtained processing result and the memory. It is preferable to correct the processing result by making a majority decision using the plurality of processing results.

  In the present invention, the safety application processing unit executes a plurality of tasks set in advance, and the first post-processing unit performs a majority decision on the result obtained from the plurality of tasks, thereby preventing the error. It is preferable to determine the presence or absence.

  Further, the present invention is a self-diagnosis method for executing a process by a preset application multiple times within a fixed period and performing a self-diagnosis by comparing a plurality of executed process results. A safety application processing step for executing the application a plurality of times under the above-mentioned conditions, a storage step for storing a plurality of processing results obtained by the safety application processing step in a predetermined save area of the memory, and a plurality of storage results stored in the memory And a first post-processing step of comparing the processing results and determining whether there is an error based on whether the compared results match or are within a predetermined error range.

  The present invention further includes a second post-processing step for determining the presence or absence of the error by voting the plurality of processing results in majority, and the safety application processing step is determined to be an error in the first post-processing step. In this case, one or more of the applications are executed under the conditions set by the diversity diagnosis method to obtain a processing result, and the second post-processing step stores the obtained processing result and the memory. It is preferable to correct the processing result by making a majority decision using the plurality of processing results.

  In the present invention, the safety application processing step executes a plurality of preset tasks, and the first post-processing step determines the error by performing a majority decision on the results obtained from the plurality of tasks. It is preferable to determine the presence or absence.

  In addition, what applied the component, expression, or arbitrary combination of the component of this invention to a method, an apparatus, a system, a computer program, a recording medium, a data structure, etc. is also effective as an aspect of this invention.

  According to the present invention, safety and reliability, availability and cost can be improved, and self-diagnosis can be performed with high accuracy.

It is a figure which shows an example of the block configuration of a self-diagnosis apparatus. It is a figure which shows an example of the management table in this embodiment. It is a figure for demonstrating the structure of a process result area | region. It is a flowchart which shows an example of the pre-processing in this embodiment. It is a flowchart which shows an example of the safety application process in this embodiment. It is a flowchart which shows an example of the intermediate process in this embodiment. It is a flowchart which shows an example of the 1st post-process in this embodiment. It is a flowchart which shows an example of the 2nd post-process in this embodiment. It is a timing chart for demonstrating each process timing of the self-diagnosis in this embodiment.

<About the present invention>
In the present invention, a safety application process having the same safety function is executed a plurality of times within a certain period, and a transient error such as a CPU or memory soft error is detected based on the execution result. Further, in the present invention, the above-described safety application processing is performed using a divers diagnosis method, so that even if the output is the same, the processing method is different so that a CPU or memory abnormality other than a transient error is detected. Etc. can be diagnosed.

  Here, the “diversity diagnosis method” in the present invention is defined as follows. For example, the divers diagnosis method is for diagnosing the result obtained by separately reading the input data (instrument etc.) and processing method, etc., when predetermined input data is read and the same data is output. is there. More specifically, for example, when measuring temperature, pressure, voltage, flow rate, etc. from a certain fixed position, the difference in the measured instrument (here, the difference between the instruments is, for example, the same type of 2 (Including the concept of two instruments and different instruments from other companies), or when performing some kind of data processing on acquired data, differences in programming language, algorithms, versions, compilers, When a plurality of tasks are executed by different compiler parameters, diagnosis is performed using results processed under different conditions such as different execution orders. Note that the different conditions in the diversity diagnosis method are not limited to this in the present invention. Further, the condition set by the diversity diagnosis method may be any one of the above differences, or a plurality of conditions may be combined.

  In the present invention, each error range and data error range obtained by diverse is set in advance, and it is determined whether or not they match within the set range. Improve the safety of software errors by judging whether it is normal or abnormal.

  Hereinafter, preferred embodiments of a self-diagnosis apparatus and a self-diagnosis method according to the present invention will be described with reference to the drawings. In the embodiment described below, an example of a self-diagnosis device applied in a plant or the like will be described as an example. However, the present invention is not limited to this.

<Example of block configuration of self-diagnosis device>
FIG. 1 is a diagram illustrating an example of a block configuration of the self-diagnosis apparatus. The self-diagnosis device 1 shown in FIG. 1 is configured to have a CPU 10 and a memory 20. As functions in the CPU 10, a pre-processing unit 11, a safety application processing unit 12, an intermediate processing unit 13, a first post-processing unit 14, a second post-processing unit 15, and a self-diagnosis / other processing unit 16 are provided. Have. In addition, each process by the said function is performed by the preset fixed period start, as shown in FIG.

  In addition, as described later, the safety application processing unit 12 in the present embodiment includes a majority process by three safety application processings. Therefore, as shown in FIG. However, the present invention is not limited to this. For example, one safety application processing unit 12 may execute a plurality of safety application processes at a predetermined timing.

  The memory 20 shown in FIG. 1 includes a management table 21, a processing result area 22, a processing result initial save area 23, a process result primary process save area 24, and a process result secondary process save area 25. It is configured as follows.

  The pre-processing unit 11 stores, in the processing result initial saving area 23 of the memory 20 in advance, data that is rewritten by the result of the safety application processing before the first safety application processing by the safety application processing unit 12 is executed. Performs evacuation processing.

  In addition, the safety application processing units 12-1 to 12-3 execute application processing including one or a plurality of preset tasks that realize the safety function. In addition, as each safety application process in the safety application processing units 12-1 to 12-3, for example, when input points, input data, equipment such as execution programs and instruments, and the task order are completely the same, the same process is executed. And the above-described divers diagnosis method, for example, when the input points and input data are the same, and other processes are executed by changing at least one of other execution programs, equipment such as instruments, task order, etc., or the same process And separate processing may be combined. Therefore, the safety application processing units 12-1 to 12-3 can acquire a plurality of analog data (process data) with the passage of time depending on the contents and order of tasks to be executed.

  In addition, as each safety application processing in the safety application processing units 12-1 to 12-3, for example, in the case of a plant or the like, for a predetermined position, a temperature is measured for a certain task, and a pressure is determined for a certain task. For example, the same thermometer or pressure gauge is used for each safety application process, the version of the instrument is changed, or a thermometer or pressure gauge of another manufacturer is used when measuring a voltage or measuring a voltage in a certain task. Can be used to execute a plurality of processes under the conditions set by the above-described diversity diagnosis method. As a result, analog data (process data) over time from each safety application process to a predetermined position. ) Can be obtained.

  Further, in this embodiment, it is not determined whether the input value in the safety application process exceeds a preset upper limit value or lower limit value, and the execution result obtained by the safety application process is used as it is. Process.

  The intermediate processing unit 13 saves the processing result in the processing result primary processing saving area 24 after the safety application processing in the first safety application processing unit 12-1. Further, the intermediate processing unit 13 restores the initial state based on the data in the processing result initial saving area 23, and uses the data to start and execute the second safety application process in the safety application processing unit 12-2.

  The first post-processing unit 14 determines whether or not the first processing result in the above-described safety application processing unit 12-1 matches the second processing result in the safety application processing unit 12-2. As a result of the determination described above, the first post-processing unit 14 determines that a soft error has not occurred if the first and second processing results match.

  Since the first and second processing timings are usually different, an error occurs in input analog data or the like due to the difference in time. More specifically, for example, in the case of a plant or the like, a difference occurs in temperature and pressure at the time of initial startup and after startup. Further, even when processing is executed using different programs for the first time and the second time by the divers diagnosis method, an error due to the effective number of digits (fixed point, floating point, etc.) occurs. Therefore, in the present embodiment, an error range is set in advance by calculation or the like, and if it is within the error range, it is regarded as a match.

  That is, when the first and second processing results do not match, the first post-processing unit 14 determines whether or not the error is within a predetermined error range. The determination as to whether or not the error is within the error range can be made based on, for example, processing result error range data set in advance in the management table 21. An error also occurs in the input of digital data. In this case, a third safety application process, which will be described later, is executed, and the processing result can be determined by majority vote.

  Here, in the above-described safety application process, a plurality of tasks may be executed. Therefore, the first and second processing results may include execution results from a plurality of tasks, respectively. In that case, the first post-processing unit 14 performs the above-described matching determination on the execution results of the plurality of tasks obtained by the first and second safety application processes. Therefore, the first post-processing unit 14 sets, for example, “◯” when the processing results match or within a predetermined error range, and “x” otherwise, for each task. By performing majority processing on the determination result, it is possible to determine whether or not the execution results in the safety application processing match.

  Further, the first post-processing unit 14 determines that the second post-processing unit 15 when the first and second processing results do not match and is not included in the predetermined error range as a result of the determination described above. The third safety application process in the safety application processing unit 12-3 is activated and executed in order to perform the majority process.

  The second post-processing unit 15 uses the safety application processing unit 12-3 when the first and second processing results in the first post-processing unit 14 do not match and are not within a predetermined error range. Based on the processing result, the processing result is determined by majority using the first and second processing results and the third processing result. As described above, the majority processing here is “◯” when the processing results are coincident or within a predetermined error range, and “x” in other cases, “ If the number of “◯” is large, it is determined that the processing result is normal.

  As described above, the processes in the safety application processing units 12-1 to 12-3 may include a plurality of tasks. In this case, the determination results for all the tasks are displayed as described above. By voting the majority, it is determined whether the results match.

  Here, the second post-processing unit 15 has a case where the result of the first to third safety application processes does not reach the majority, that is, in the above example, the number of “x” is larger than the number of “◯”. In this case, it is determined that the soft error cannot be repaired, and preset error processing is performed. As error processing, for example, the operation in the CPU 10 may be stopped, the processing in the subsequent self-diagnosis / other processing unit 16 may be restricted, and an error message is stored in the processing result area 22 of the memory 20. It can be stored, displayed on the screen of the self-diagnosis device 1 or an alarm can be output.

  Further, when the processing result of the first to third safety application processing reaches a majority decision, the second post-processing unit 15 determines “x” as one of the first to third processing results, for example. If there is, correct the processing result as normal.

  As described above, in the first post-processing unit 14, when the first and second processing results coincide with each other or within the error range of the processing, it is assumed that the processing is normal. As shown in FIG. 4, the safety application processing in the above-described safety application processing unit 12-3 and the processing of the second post-processing unit 15 are not performed.

  The self-diagnosis / other processing unit 16 performs self-diagnosis processing and transmission processing on safety-related systems such as the CPU 10 and the memory 20 that are necessary for fulfilling the safety function of the apparatus other than the safety function by the safety application processing described above, for example. Or, process non-safety functions. Specifically, the self-diagnosis / other processing unit 16 performs, for example, a self-diagnosis process by a RAM (Random Access Memory) self-diagnosis or a ROM (Read Only Memory) CRC (Cyclic Redundancy Check) operation. The present invention is not limited to this.

  In the memory 20 of the present embodiment, the management table 21 is an area for storing various data for realizing the present embodiment. For example, data such as an analog input processing result error and a save area are managed. Details of the management table in the present embodiment will be described later.

  The process result area 22 is an area in which the process results of the safety application process in the above-described safety application processing units 12-1 to 12-3 are written. Note that the processing result area 22 does not have to be a continuous area. In addition, in the data included in the processing result area 22, data such as variables temporarily generated during processing is excluded.

  The processing result initial saving area 23 is an area for saving data in the processing result area at the start of the processing cycle. The processing result primary saving area 24 is an area for saving the processing result in the safety application processing unit 12-1. The processing result secondary saving area 25 is an area for saving the processing result in the safety application processing unit 12-2.

  Here, in the self-diagnosis process in the present embodiment, an example is shown in which majority processing is performed on the processing results of three safety application processes. In other words, in the present embodiment, any number of “◯” and “×” always increases due to the odd number of executions, so it is possible to easily determine whether it is normal or abnormal. Note that the present invention is not limited to this, and may be executed an even number of times. When executed even times, for example, if the numbers of “◯” and “x” are the same, it is possible to make an appropriate determination by performing a process of giving priority to safety and considering “abnormal”. In addition, the number of save areas (process result initial save area 21, process result primary save area 22, process result secondary save area 22) in the safety application processing unit 12 and the memory 20 according to the number of safety application processes. Is adjusted as appropriate.

  In the present embodiment, a system is adopted in which the safety application process for executing the above-described safety function is operated in a predetermined cycle and in a predetermined order. Therefore, in the present embodiment, the safety application process is executed twice during normal times and three times or more during abnormal times during a certain period.

  In the present embodiment, the memory 20 is provided with a processing result area 21, a processing result initial saving area 21, and a processing result N-order processing saving area. Note that N has a relationship of N = M−1. Therefore, in the present embodiment, the safety application process can be executed up to M times at the third time or more.

  Here, the result of the M-th processing and the data from the first time to the (M-1) th time are determined according to the majority rule based on the data in the processing result primary process save area to the process result N-order process save area, and the majority data is safely The processing result of the application. In addition, when the first to Mth safety application processes are processed by the diversity diagnosis method, the contents of the safety application process to be executed are changed as appropriate to diagnose not only soft errors and errors due to oscillation, but also diagnosis. It is possible to detect sticking, disconnection, drift error, etc. in the object.

<Specific Example of Management Table 21>
Here, a specific example of the management table 21 in the above-described embodiment will be described. FIG. 2 is a diagram illustrating an example of a management table in the present embodiment. The management table shown in FIG. 2 stores information including (a) analog input processing result error, (b) save area management table, and (c) post-processing table. In addition, the item “processing result” in FIGS. 2A to 2C indicates a processing result for one or a plurality of task processes executed for each safety application process.

  In the management table 21, (a) analog input processing result error is data in which an analog input error due to a shift in processing time of the safety application processing is set in advance. Here, (a) as specific data items in the analog input processing result error, for example, data such as “processing result” and “processing result error” are stored. Stored in a pair with “processing result error”. In the example of FIG. 2A, the error with respect to the task 1 processing result 2 is “0.1 ° C.”, and the error with respect to the task 3 processing result 1 is “0.1 mV”. In this way, the error range described above can be set in detail for each task.

  Also, in the management table 21, (b) the save area management table presets the address and the number of bytes for each data in the process result area, and the corresponding initial save area, primary process save area, and secondary process save It is a table which presets the address of a field. Here, as specific data items in (b) save area management table, for example, “processing result”, “number of process result areas (address)”, “number of process result areas (bytes)”, “initial save area” Data such as “address”, “primary processing save area address”, and “secondary process save area address” are stored. The contents and format of the stored data are not particularly limited, and necessary data is read from a predetermined save area based on each address, or processed data is written to a predetermined save area. Any management information may be used.

  Further, in the management table 21, (c) the post-processing table corresponds to each task of each safety application that is activated in the post-processing as shown in the first post-processing unit 14 and the second post-processing unit 15 described above. For example, a processing program for confirming feedback by digital output is installed. In addition, each post-process in the 1st post-process part 14 and the 2nd post-process part 15 is implemented twice similarly to the safety application process part mentioned above, and confirms a match of a result. If they do not match, the safety application process is performed three or more times, and soft error countermeasures such as majority processing are performed on the result.

<Specific Example of Processing Result Area 22>
Next, a specific example of the processing result area 22 in the above-described embodiment will be described. FIG. 3 is a diagram for explaining the configuration of the processing result area. In the processing result area 22 shown in FIG. 3, the processing result of each task in the executed safety application processing is stored. Note that the processing result area 22 does not have to be a continuous area. Further, as shown in FIG. 3, the processing result stored in the processing result area 22 includes a counter or the like that is added every processing cycle in order to manage a certain cycle.

<Pretreatment>
Next, a specific example of processing in the preprocessing unit 11 in the present embodiment will be described using a flowchart. FIG. 4 is a flowchart illustrating an example of preprocessing in the present embodiment. In addition, the flowchart shown in FIG. 4 is started with a fixed period corresponding to a predetermined process period.

  In the preprocessing in this embodiment, the management table 21 described above is read (S01), and the data in the processing result area is saved in the processing result initial saving area (S02).

<Safe application processing>
Next, specific examples of processing in the safety application processing unit 12-1, the safety application processing unit 12-2, and the safety application processing unit 12-3 according to the present embodiment will be described with reference to flowcharts. FIG. 5 is a flowchart showing an example of the safety application process in the present embodiment. The safety application process shown in FIG. 5 includes one or a plurality of tasks set in advance corresponding to the safety function. In the example of FIG. 5, a case where i tasks are provided will be described.

  First, task 1 is processed (S11). In the process of S11, data (for example, digital input, analog input, constant, variable data, data in the processing result area, etc.) is input (S11-1), and then, for example, execution of a predetermined program for the input data (for example, , Temperature calculation, pressure calculation, other numerical calculation, etc.) (S11-2), and outputs the processing result to the processing result area (S11-3).

  Further, after the process of S11, the process of the next task 2 is performed (S12). In task 2, the process shown in task 1 described above is performed. Therefore, for example, a preset task process is performed in which task 1 performs a temperature check and task 2 performs a pressure check process. Thereafter, up to a preset number of tasks (task i in the example of FIG. 5) is executed in a preset order (S1i).

  The safety application process shown in FIG. 5 is set by using the above-described diversity diagnosis method in the above-described safety application processing unit 12-1, the safety application processing unit 12-2, and further, the safety application processing unit 12-3, for example. Processing is performed based on the determined conditions. In addition, what kind of task is to be executed is set in advance depending on the diagnosis target or the like, and can be stored in the management table 21 of the memory 20, for example.

<Intermediate processing>
Next, a specific example of processing in the intermediate processing unit 13 of the present embodiment will be described using a flowchart. FIG. 6 is a flowchart illustrating an example of intermediate processing in the present embodiment. In the process shown in FIG. 6, the above-described management table 21 is read (S21), and then the data in the process result area is saved in the process result primary process save area 24 (S22). Further, the data in the processing result initial save area 23 is restored to the processing result area (S23). Thereby, in the 1st post-processing mentioned later, it can be made to compare between the safety application process part 12-1 and the safety application process part 12-2.

<First post-processing>
Next, a specific example of processing in the first post-processing of this embodiment will be described using a flowchart. FIG. 7 is a flowchart illustrating an example of the first post-processing in the present embodiment. In the first post-process shown in FIG. 7, the management table 21 described above is read (S31), and the data in the processing result area is compared with the data in the primary process save area corresponding to the data (S32).

  Here, it is determined whether or not the data match (S33). If the data does not match (NO in S33), then whether or not the mismatched data is within a preset error range. Judgment is made (S34). Whether or not the error is within the error range can be determined based on whether or not the error is within the error of (a) analog input processing result of the management table 21 shown in FIG.

  In the above-described processing of S33, when the compared data match (YES in S33), or in the processing of S34, within the error range (YES in S34), for example, as shown in FIG. Post-processing of the post-processing table is executed (S35).

  Here, it is determined whether or not all data of each task have been compared (S36). If all data has not been compared (NO in S36), the process returns to S32 and the subsequent processing is performed. If all the data are compared in the process of S36 (YES in S36), the self-diagnosis / other process is called and the process ends (S37).

  If the error is not within the error range in the process of S34 described above (NO in S34), the data in the process result area is saved in the process result secondary process save area (S38). In addition, the data in the processing result initial saving area is restored to the processing result area (S39), and the above-described safety application process is called and terminated (S40).

<Second post-processing>
Next, a specific example of processing in the second post-processing of this embodiment will be described using a flowchart. FIG. 8 is a flowchart illustrating an example of the second post-processing in the present embodiment. In the second post-process shown in FIG. 8, first, the save area management table is read (S51), then the data of the process result area, the data of the primary process save area corresponding thereto, and the secondary process save area The data is compared (S52).

  Here, it is determined whether or not any two of the above three data match (S53). If any two of the three data do not match (NO in S53), it is next determined whether any two of the three data are within a preset error range (S54). ). Whether or not the error is within the error range can be determined based on whether or not the error is within the error of (a) analog input processing result of the management table 21 shown in FIG.

  If any two data match in the process of S53 described above (YES in S53), or if any two data are within the error range in the process of S54 (YES in S54), the data is The data is stored in the processing result area (S55), and post-processing of the post-processing table is executed (S56). Note that the data stored in S55 is one of the two matched data.

  Here, it is determined whether or not the comparison of all data has been completed (S57). If the comparison of all data has not been completed (NO in S57), the process returns to S52 to perform the subsequent processing.

Further, in the above-described processing of S54, when two of the three data are not within the error range (NO in S54), error processing is executed (S58). Note that the error processing is determined as CPU abnormality, and CPU error processing such as stopping the CPU is executed.
Further, after the process of S58 or S59 is completed, the self-diagnosis / other process is called and the process ends (S59).

<Timing chart>
As described above, the self-diagnosis processing using the processing result in the present embodiment is repeatedly performed at a preset processing cycle. Here, FIG. 9 is a timing chart for explaining each processing timing of the self-diagnosis in the present embodiment. Note that the example shown in FIG. 9 shows a timing chart when it is determined that there is an abnormality in the processing in the first post-processing unit 15 described above.

  In the present embodiment, as shown in FIG. 9, in a predetermined processing cycle (in the example of FIG. 9, processing cycle 1 and processing cycle 2), “pre-processing” and “safety application processing (first time) with the passage of time. ) ”,“ Intermediate processing ”,“ safety application processing (second time) ”,“ first post-processing ”,“ safety application processing (third time) ”,“ second post-processing ”,“ self-diagnosis / other processing ” It is executed in order.

  If it is determined that the first post-process is normal, the processes in the “safe application process (third time)” and the “second post-process” are not performed. The “self-diagnosis / other processing” is performed for the remaining time in the predetermined cycle.

  In the example of FIG. 9, each processing cycle is provided with a margin time for absorbing a time error or the like from the end of the processing to the start of the next cycle. Further, the processing cycle in the present embodiment is not limited to twice as shown in FIG.

  As described above, according to the present invention, safety and reliability, availability, and cost can be improved, and self-diagnosis can be performed with high accuracy.

  Specifically, according to the present invention, for example, with respect to a soft error such as RAM (data corruption error due to α-rays, etc.), the CPU redundancy or hardware detection mechanism is implemented by executing the safety application process multiple times. It can be detected at low cost without using it. Further, by processing the safety application process using the diversity diagnosis method, it is possible to detect CPU and memory errors other than software errors, and to reduce the self-diagnosis process. Further, according to the present invention, for example, by detecting a soft error in the CPU or memory and correcting it by majority vote, it is possible to improve safety, reliability, availability, and cost.

  The present invention can also be applied to black box software such as an OS and commercially available software. In addition, when existing software is applied, the software can be applied without changing the processing in order to support Double RAM. In addition, self-diagnosis and other non-safety related processes do not need to be repeated, and the load on the CPU can be reduced.

  In addition, the self-diagnosis apparatus in the present invention can be implemented by being appropriately incorporated in, for example, a safety inverter, a safety controller, and other various plants.

  The preferred embodiments of the present invention have been described in detail above, but the present invention is not limited to such specific embodiments, and various modifications, within the scope of the gist of the present invention described in the claims, It can be changed.

1 Self-diagnosis device 10 CPU
DESCRIPTION OF SYMBOLS 11 Pre-processing part 12 Safety application processing part 13 Intermediate processing part 14 1st post-processing part 15 2nd post-processing part 16 Self-diagnosis and other processing part 20 Memory 21 Management table 22 Process result area 23 Process result initial save area 24 Process result Primary process save area 25 Process result secondary process save area

Claims (6)

A self-diagnosis device that executes a process by a preset application multiple times within a certain period and performs a self-diagnosis by comparing a plurality of executed process results,
A safety application processing unit that executes the application multiple times under conditions set by a divers diagnosis method;
A memory for storing a plurality of processing results obtained by the safety application processing unit in a predetermined save area;
A first post-processing unit that compares a plurality of processing results stored in the memory and determines whether there is an error based on whether the compared results match or are within a predetermined error range. Self-diagnosis device. A second post-processing unit that determines the presence or absence of the error by deciding a majority of the plurality of processing results;
When the safety application processing unit determines that there is an error in the first post-processing unit, the safety application processing unit further executes one or a plurality of the applications under the conditions set by the divers diagnosis method, and acquires a processing result,
The said 2nd post-processing part correct | amends a process result by the said majority decision using the acquired said process result and the several process result stored in the said memory, The said process result is characterized by the above-mentioned. Self-diagnosis device. The safety application processing unit executes a plurality of preset tasks,
3. The self-diagnosis apparatus according to claim 1, wherein the first post-processing unit determines the presence or absence of the error by voting on a result obtained from the plurality of tasks. A self-diagnosis method for executing a process by a preset application multiple times within a certain period and performing a self-diagnosis by comparing a plurality of executed process results,
A safety application processing step of executing the application multiple times under conditions set by a divers diagnosis method;
A storage step of storing a plurality of processing results obtained by the safety application processing step in a predetermined save area of the memory;
A first post-processing step of comparing a plurality of processing results stored in the memory and determining whether or not there is an error based on whether the compared results match or are within a predetermined error range. Self-diagnosis method. A second post-processing step of determining the presence or absence of the error by deciding the majority of the plurality of processing results;
When the safety application processing step determines that there is an error in the first post-processing step, the safety application processing step further executes one or a plurality of the applications under conditions set by the divers diagnosis method, and acquires a processing result,
The said 2nd post-processing step correct | amends a process result by the said majority decision using the acquired said process result and the several process result stored in the said memory, The said process result is characterized by the above-mentioned. Self-diagnosis method. The safety application processing step executes a plurality of preset tasks,
6. The self-diagnosis method according to claim 4, wherein the first post-processing step determines the presence or absence of the error by voting on a result obtained from the plurality of tasks.

Images