JP2013175118A - Control device, memory failure detection method thereof and self-diagnostic method thereof - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a control device that allows coupling failure detection of a memory to be efficiently performed while reducing a processing load of a CPU and reducing CPU processing time required for failure detection of the memory, and further to provide a memory failure detection method thereof and a self-diagnostic method thereof.SOLUTION: A control device comprises a CPU 20, a memory 40 for storing data therein and a memory failure detection section 30 for diagnosing failure of a data area. A memory failure detection method of the control device is provided such that the CPU 20 transmits a memory failure detection command specifying an address for failure detection, the data area and a data rewriting area to the memory failure detection section 30, the memory failure detection section 30 compares first coded data at the time of writing and second coded data that are read-out from the memory 40 and are coded with respect to an address of the data area and detects failure of the memory 40 and, further, the memory failure detection section 30 changes the data rewriting area and detects memory failure of all data areas.

Description

  Embodiments described herein relate generally to a control device, a memory failure detection method thereof, and a self-diagnosis method thereof.

  In recent years, as an international standard, functional safety standards for equipment manufacturers and suppliers are IEC61508 “Functional safety of electrical / electronic / programmable electronic safety-related systems” of the International Electrotechnical Commission. In safety systems, standards are set for specific applications.

  For example, for safety instrumented systems, the process application standard IEC61511 is defined for system designers, integrators, and users.

  These standards evaluate safety in the life cycle from system design, maintenance, and disposal, and define a safety integrity level (SIL), which is a required level of risk reduction, as a quantitative evaluation scale.

  In particular, in a safety instrumented system that requires a high safety level, a failure detection function for a storage device is required.

  In the case of a safety instrumented system, in order to cope with continuous operation for a long time, in order to cope with a memory failure of the system and a memory soft error due to radiation particles, the storage device can be diagnosed not only at system startup but also during system operation. When required and a failure is detected, the system output must be transitioned to a safe state.

  As a method of detecting a memory failure, there is generally a method of writing a test data pattern to a memory to be diagnosed, reading data from the same address, and confirming a match between the data pattern of writing and reading.

  At this time, since the value stored in the memory is rewritten, failure detection cannot be performed on the memory area being accessed from the CPU. In such a case, there is a technique capable of detecting a memory failure even when the system is operating by using a memory save area (for example, Patent Document 1).

  In addition, in order to prove high safety, it is necessary to use a detection method with a high failure detection rate corresponding to a coupling failure due to a failure in the memory address line, but a method with a high detection rate requires complicated memory access. Therefore, if the CPU in charge of system control processing detects a memory failure, the CPU load increases, and there is a possibility that processing time for system control processing may be restricted.

  Therefore, as a technique for shortening the processing time required for detecting a memory failure and making it possible to execute between system control processes, there is a technique for performing memory failure detection hierarchically and reducing the number of memory accesses (for example, Patent Document 2).

Japanese Patent No. 3570388 Japanese Patent No. 4312818

  In Patent Document 1 described above, in order to be able to detect a memory failure even while the system is operating, a save memory and a processor dedicated to failure detection are required outside the CPU.

  Since this method requires hardware dedicated to failure detection, in addition to the corresponding increase in hardware cost, the reliability decreases due to failure of the additional hardware itself.

  In Patent Document 2 described above, since a CPU for system control processing is used for failure detection processing, there is a problem that even if the diagnostic speed is improved, the diagnostic time becomes longer as the memory capacity increases.

  The present invention has been made to solve the above-described problems. In the memory failure detection of the control device including the CPU and its memory, the CPU processing load is reduced and the CPU processing time required for detecting the memory failure is reduced. It is an object of the present invention to provide a control device, a memory failure detection method thereof, and a self-diagnosis method thereof that can be shortened and can efficiently detect a memory coupling failure.

  In order to achieve the above object, the control device of the present embodiment includes a control program, a CPU that controls a plant via an input / output unit connected to its own external bus, the control program, and the control program A memory for storing data used during execution of the CPU, one of which is connected to the external bus of the CPU and the other is connected to the memory, and the CPU is preset in an idle time during execution of the control program. A memory failure detection unit for diagnosing a failure in the data region based on a “memory failure detection” command that specifies a data region to be diagnosed in the memory, the memory failure detection unit comprising: an address conversion unit; A coding calculation unit, a command receiving unit, and a detection data rewriting unit, wherein the address conversion unit stores data from the CPU into the memory. In the case of transmission, the logical address of the control program is converted into a physical address of the memory, and when data is transferred from the memory to the CPU, the physical address of the memory is converted into the logical address. When writing data to the data area based on the “memory failure detection” instruction, the encoding calculation unit performs an encoding operation based on a preset encoding rule for the data in the data area to be written in advance. When the first encoded data is created and written into the code area associated with the data area, and the memory fault diagnosis is performed by the “memory fault detection” command from the CPU, The encoding operation is performed on the read data to obtain second encoded data, and the first encoded data and the second encoded data are processed. The data rewriting unit for detection is notified of the “memory failure detection” command from the CPU via the command receiving unit, and the “memory failure detection” is detected. Rewriting the data in the data rewrite area in the data area preset by the instruction with the preset rewrite conversion pattern, the instruction receiving unit receives the “memory failure detection” instruction from the CPU, and the code The CPU sends to the calculation calculation unit, the address conversion unit, and the detection data rewrite unit, the CPU specifies the failure detection address, the data area, and the data rewrite area to the memory failure detection unit A “memory failure detection” command is transmitted, and the memory failure detection unit writes to the address of the data area based on the “memory failure detection” command. The first encoded data at the time of loading is compared with the second encoded data read from the memory and encoded, a failure of the memory in the data rewrite area is determined from the presence or absence of the difference, and the memory The data rewrite area is set, the write data in the data rewrite area is compared with the encoding operation result of the read data, and a memory failure in the data area is detected.

  In order to achieve the above object, a memory failure detection method for a control device according to this embodiment includes a control program, a CPU that controls a plant via an input / output unit connected to its own external bus, and the control program And a memory for storing data used during execution of the control program, one of the external buses of the CPU and the other connected to the memory, and the CPU is in an idle time during execution of the control program. And a memory failure detection unit for diagnosing a failure in the data area based on a preset “memory failure detection” command for designating a data area to be diagnosed in the memory. The CPU provides the failure detection address, the data area, and the data rewrite to the memory failure detection unit. The “memory failure detection” command designating an area is transmitted, and the memory failure detection unit, for the address of the data region based on the “memory failure detection” command, the first encoded data at the time of writing and Comparing the second encoded data read and encoded from the memory, determining whether or not the memory in the data rewriting area is faulty based on the difference, and setting the data rewriting area of the memory. The memory area in the data area is detected by comparing the encoding operation results of the write data and the read data.

  In order to achieve the above object, the control device self-diagnosis method of the present embodiment includes a control program, a CPU for controlling the plant via an input / output unit connected to its own external bus, the control program, And a memory for storing data used during the execution of the control program, one of the external buses of the CPU and the other connected to the memory, and the CPU is in an idle time during the execution of the control program, A self-diagnosis of the control device of the control device, comprising: a memory failure detection unit that diagnoses a failure in the data region based on a “memory failure detection” command that designates a preset data region to be diagnosed in the memory The CPU includes a coding calculation function executed by the memory failure detection unit, and a preset “self-diagnosis” command and its diagnosis The data is transmitted to the memory failure detection unit, the memory failure detection unit performs a preset encoding operation on the diagnostic data, and returns the encoded data to the CPU, The CPU is characterized by collating the returned encoded data with the encoded data calculated by itself to self-diagnose the failure of the memory failure detection unit or the CPU.

The block diagram of the control apparatus of 1st Embodiment. FIG. 6 is a diagram for explaining an example of setting a failure detection address, a data area, a data rewrite area, and a code area in the memory according to the first embodiment. The figure explaining the example of a setting of the other code field of a 1st embodiment. The figure explaining the example of a setting of the other data rewriting area | region of 2nd Embodiment. Explanatory drawing of the scanning method of the data area of 2nd Embodiment. The figure explaining the update operation | movement of the data area of 3rd Embodiment.

  Embodiments of the present invention will be described below with reference to the drawings.

(First embodiment)
This will be described with reference to FIGS. The configuration of the control device of the first embodiment is shown in FIG. In FIG. 1, a control device 10 includes a control program, a CPU 20 that controls a plant via an input / output unit connected to its own external bus 50, a control program, and data used during execution of the control program. A memory 40 to be stored, one of which is connected to the external bus 50 of the CPU, and the other is connected to the memory 40, and the CPU 20 is preset when the control program is first started or at an idle time during execution of the control program. And a memory failure detection unit 30 for diagnosing a failure in the data region based on a “memory failure detection” command for designating a data region in the memory 40, which will be described later in detail.

  That is, the CPU 20 is configured to indirectly access the memory 40 via the memory failure detection unit 30.

  Next, before describing the detailed configuration of each unit, first, a data area of the memory 40 and a “memory failure detection” command for designating the data area will be described.

  The inspection target area of the memory 40 in which data when the control program is executed is defined by a “memory failure detection” command. It is assumed that all the inspection target areas in the memory 40 are identified in advance by the CPU 40 as at least two areas of the execution data area and the inspection target data area. For example, as shown in FIG. 1, the entire inspection target area is divided into five parts A to E, one of which is designated as the inspection target data area, and the other is set as the data area during execution.

  The inspection of each storage area is uniquely specified by a failure detection address associated with the “memory failure detection” command. FIG. 2 shows a storage state when the “memory failure detection” command is executed in the inspection target data area D of the memory 40.

  In this case, the “memory failure detection” command causes a failure detection address jh for designating an address of a specific data region, a plurality of data regions 41 corresponding to the failure detection address jh, and a failure for each data region. A data rewrite area nh43 for detection is designated.

  Also, a code area 42 for storing encoded data, which will be described later in detail, for each data area 41 is provided at the end of the memory data access width. Alternatively, as shown in FIG. 3, a code address K +... H obtained by adding a fixed offset value K to the failure detection address in each data area 41 may be provided exclusively.

  In this case, the code area 42 is uniquely identified by the code address. The failure detection address and the code address indicate areas corresponding to the same address value excluding the address offset K, respectively. For example, the data area of the failure detection address 01h corresponds to the code area of the code address K + 01h.

  Further, the sign address K +... H is a value of 1 / L of the natural number of the memory address. In this case, a single failure detection address jh is assigned to each of a plurality of storage units occupying consecutive memory addresses.

  For example, in FIG. 3, when the horizontal width of the code area is the memory data access width of the CPU 20 = 32 bits and the L bit = 4 bits, the actual address value of the code address is the number of bytes of the access width (32 bits → 4 bytes). × Skip value every 4 bits.

  In this case, for example, when the head of the code address is 0000h, the address of the next row is 0010h, and the next row is 0020h (the real address advances in units of 16 bits). A failure detection address is assigned in such a manner that addresses 0000 to 000Fh (= storage units occupying consecutive memory addresses) are address jh, 0010 to 001Fh are j + 1h, and 0020 to 002Fh are j + 2h.

  The number of bits M of the memory data access width of the data area 41 corresponding to the failure detection address jh and the memory data access width L of the code area 42 may be different.

  Next, a detailed configuration of the memory failure detection unit 30 that receives such a “memory failure detection” command and detects a failure of the memory 40 will be described. An address conversion unit 31, an encoding calculation unit 32, an instruction reception unit 33, and a detection data rewriting unit 34 are provided.

  First, the command receiving unit 33 receives a command from the CPU 20 and sends the command to the address converting unit 31, the encoding calculation unit 32, and the detection data rewriting unit 34. The instruction receiving unit 33 includes an input circuit (not shown) and an instruction register. The instruction receiving unit 33 may be configured to transmit an instruction directly from the input circuit to the address conversion unit 31 and the encoding calculation unit 32 without using an instruction register.

  When transferring data from the CPU 20 to the memory 40, the address conversion unit 31 transfers a logical address recognized by the software of the control program to a physical address of the memory 40, and when transferring data from the memory 40 to the CPU 20. An address conversion function for converting a physical address of the memory 40 into a logical address is provided.

  When the data is written in the data area 41 based on the “memory failure detection” command, the encoding calculation unit 32 encodes the data in the data area 41 written in advance based on a preset encoding rule. When (first) encoded data is calculated and written into the code area 43 associated with the data area 41 and the memory fault diagnosis is performed by the “memory fault detection” command from the CPU 40, the data An encoding operation is performed on the data read from the area 41 to obtain (second) encoded data, and the first encoded data and the second encoded data are compared to detect the presence or absence of a failure.

  The encoding rule is, for example. A code having a high fault detection capability is used, such as a CRC (Cyclic Redundancy Check) code. The encoding rule of the encoding calculation unit 32 may be a code having both bit error detection and bit error correction capability such as ECC (Error Check and Correct).

  The data rewriting unit for detection 34 is notified of the “memory failure detection” command from the CPU 40 via the command receiving unit 33, and the data rewriting region nh in the data region preset by the “memory failure detection” command. In some cases, the preset data is converted on the basis of a specific change rule to be described later, and the data is overwritten, or the data is read from the memory 40 and inversely converted and sent to the CPU 40.

  Next, the memory failure detection operation of the memory 40 of the control device 10 configured as described above according to the first embodiment will be described.

(Step 1)
The target data used for the control calculation is stored in the data area 41 of the memory 40, and the encoded data corresponding to the target data in the data area 41 is stored in the code area 42 when the control device 10 is started or “memory failure detection” is performed. Is pre-stored before the command.

(Step 2)
Next, a “memory failure detection” command from the CPU 20 is transmitted to the command receiving unit 33, and a plurality of data areas 41 in the memory 40, which are data areas 41 to be inspected other than the data area being executed, are received from the CPU 20. The inspection target data stored in the data rewrite area 43 to be specified is read to the detection data rewrite unit 34.

(Step 3)
Subsequently, the detection data rewrite unit 34 rewrites the read data in the data rewrite area 43 through a conversion process based on a predetermined change rule by transmission from the instruction receiving unit 33. (Hereinafter, the conversion of the read data and overwriting is referred to as “rewriting”.)

  The conversion process based on the specific change rule referred to here is, for example, rewriting data in the data rewriting area 43 to a value obtained by bit-inversion.

  Also, the conversion process based on a specific change rule is a product sum such as an exclusive OR (XOR) of the read data and conversion data (for example, 001010101010101 = 5555h) stored in advance in the detection data rewriting unit 34. It may be an operation. At this time, the encoding calculation unit 32 also rewrites the value of the corresponding code area 42.

(Step 4)
The data in the data rewrite area 43 after rewriting is read into a memory (not shown) of the detection data rewriting unit 34 and rewritten in step 3 (the reference temporarily stored in the data rewrite area 43) and the data rewritten area after rewriting. The detection data rewriting unit 34 confirms that the data read from the data 43 matches.

  Here, if the rewritten reference data and the read data after rewriting do not match, it means that there is a failure in the data rewrite area 43 of the memory 40, so a memory failure is detected for the data rewrite area 43.

  That is, in the steps so far, an abnormality in the data rewrite area 43 and the corresponding code area 42 is detected.

(Step 5)
Next, all the failure detection addresses jh (except failure detection addresses 00h to jh and addresses nh in FIG. 2) of the memory 40 that are different from the data rewrite area 43 are encoded by transmission from the instruction receiving unit 33. The calculation calculation unit 32 calculates the encoded data from the read data from the data area 41, and performs a comparison check with the encoded data stored in the corresponding code area 42 and the calculated encoded data.

  Here, the failure detection addresses (failure detection addresses 00h to jh in FIG. 2) to be inspected in this step 5 may extend over the inspection target data area of the memory 40 in the inspectable state.

  Further, the failure detection address (failure detection addresses 00h to jh in FIG. 2) may be limited to any one of the areas A to E in the memory 40 of FIG.

  Here, if a coupling failure mode exists between the address line of the data rewrite area 43 and another address line, an address other than the data rewrite detection address nh is set when the data rewrite area 43 is rewritten. Data changes.

  It is possible to detect this coupling failure by a comparison check by encoding calculation of all failure detection addresses different from the data rewrite area 43 in step 5.

  Here, in a configuration in which a code having both bit error detection and bit error correction capability such as ECC is used for the encoding rule of the encoding calculation unit 32, a bit failure can be corrected for a single bit failure. .

  In this case, in order to improve availability, when a single bit failure is detected, it is possible to correct the bit error and continue the system control. In this case, there is a possibility that a single bit failure is erroneously detected in the case of a failure of a plurality of bits, but even at that time, when the corresponding memory address becomes the target of the data rewrite area 43, the failure detection is performed by the process of step 4. .

(Step 6)
After the memory failure detection processing in steps 2 to 5, the data rewriting area 43 writes the data in the data rewriting area 43 back to the original data read in step 2. (In other words, the reverse conversion of the data converted by the specific change rule in the data rewrite area 43 and overwriting is hereinafter referred to as “writing back”).

  Further, the data in the data rewrite area 43 may remain as the value rewritten in step 3 without being rewritten. When not writing back, the address conversion unit 31 stores the failure detection address nh of the data rewriting area 43 that has been subjected to the rewriting process, and newly reads data from the same address until there is writing to the same address. A conversion process with the same specific change rule as in step 3 is performed.

  That is, if step 3 is bit inversion, re-bit inversion is performed, and if step 3 is an XOR operation with a specific data pattern, re-XOR operation with a specific data pattern is performed to shorten the processing time for writing back.

(Step 7)
In response to an address change command for the data rewrite area 43 from the CPU 20 or the instruction accepting unit 33, the failure detection address in the data rewrite area 43 is changed over the entire range of the failure detection addresses 00h to jh in FIG. Repeat 6 Thereby, the memory failure detection is completed for the entire area of the memory 40 or the entire range of any of the areas A to E in the memory 40 of FIG.

  Here, when an address change command is issued from the instruction receiving unit 33, the address of the data rewrite area 43 is based on the address first given from the CPU 20. This is performed by automatically changing according to a preset address update rule (for example, incrementing by one).

(Step 8)
Each time Step 1 to Step 7 are completed, the conversion processing based on a specific change rule by the detection data rewriting unit 34 is changed from bit operation to exclusive OR, from exclusive OR to bit operation, and to exclusive OR. Also, the steps 1 to 7 may be repeated by changing to those based on different data patterns.

  In the example of step 8, for example, a failure that cannot be detected by conversion processing based on a single change rule, such as a coupling failure between neighboring bits in the data area 41 of the same address, is detected by changing the change rule. There is a possibility.

  Of the processes in steps 1 to 6, the CPU 20 is involved only in the process in step 1, and the other processes in steps 2 to 6 are automatically executed by the memory failure detection unit 30 and the memory 40. .

  Further, when the instruction for changing the address in Step 7 is issued from the instruction receiving unit 33, Step 7 can also be executed without involving the CPU 20.

  As described above, according to the first embodiment, most of the memory failure detection processing corresponding to the coupling failure mode is performed by the memory failure detection unit 30 without using the CPU 20, for example, an FPGA (Field-Programmable Gate). This can be implemented by hardware processing such as (Array), and the processor processing time of the CPU 20 for controlling memory failure detection can be reduced.

  As a result, after giving the instruction to the instruction receiving unit 33 in step 1, the CPU 20 can concentrate on the control processing other than the memory failure detection. Even if the memory capacity of the memory 40 of the control device 10 increases, the CPU 20 Memory failure detection can be performed without applying a load.

  That is, the CPU 40 transmits a “memory failure detection” command for designating the failure detection address jh, the data area 41, and the data rewrite area 43 to the memory failure detection unit 30. The encoded data at the time of writing is compared with the encoded data read from the memory 40 and encoded with respect to the address of the data area 41 based on the “failure detection” instruction, and all inspection target data is determined based on the difference between the encoded data. Detect a memory failure in the region.

  Therefore, according to the first embodiment, the CPU processing load is reduced in the memory failure detection of the control device including the CPU and its memory, the CPU processing time required for the memory failure detection is reduced, and the memory cup It is possible to provide a control device capable of efficiently detecting a ring fault, a memory fault detection method thereof, and a self-diagnosis method thereof.

(Second Embodiment)
Next, a second embodiment of the memory failure detection apparatus according to the present invention will be described with reference to FIGS. About each part of 2nd Embodiment, the part same as 1st Embodiment attaches | subjects the same code | symbol, and abbreviate | omits the description.

  As shown in FIG. 4, the second embodiment is different from the first embodiment in that the data rewrite area 43 is not the entire dememory data access width of the data area 41 but a part of the data access width direction. This is because the data rewrite area 43a is targeted.

  In the processing step 7 of the first embodiment, in the second embodiment, the address of the data rewrite area 43a is indicated by the arrow line in FIG. 5 so as to cover the entire range of the failure detection addresses 00h to jh in FIG. Scan as shown.

  In this scan, not only the failure detection address but also the position of the memory data access width is changed.

  The following effects are obtained by the configuration of the second embodiment. For example, the coupling failure between adjacent bits in the data area 41 of the same failure detection address in the first embodiment occurs, and the data area 41 is provided before the processing operation of the memory failure detection starts. If the data is the same value for the entire data area 41, such as 0000h, in the mechanism of the first embodiment, the rewritten data area 41 even if the same data is bit-inverted or XOR-calculated. It is self-evident that all the bits have the same value. If a coupling failure between neighboring bits has occurred, this cannot be detected.

  On the other hand, in the failure detection according to the second embodiment, a coupling failure can be detected when the bit where the coupling failure occurs crosses the boundary of the data rewrite area 43 in FIG.

  Thus, according to the second embodiment, it is possible to detect a memory failure even for a failure that cannot be detected in the first embodiment, such as a coupling failure between neighboring bits.

(Third embodiment)
Next, a third embodiment of the present invention will be described with reference to FIG. About each part of 3rd Embodiment, the same part as 1st Embodiment attaches | subjects the same code | symbol, and abbreviate | omits the description.

  The third embodiment of the present invention is different from the first embodiment in that, in the first embodiment, the entire storage area of the memory 40 includes at least two data areas, that is, an executing data area and an inspection target data area. In the third embodiment, the division position of the inspection target data area in the memory 40 is set by changing a plurality of division positions as shown in FIG. 6. is there.

  In the third embodiment, when the processing steps 1 to 7 of the first embodiment are completed and the memory failure detection processing for all the inspection target data areas A to E in the memory 40 is completed, the following “memory From the “failure detection” instruction, the area division of the memory 40 is divided at a failure detection address position different from the inspection target data area areas A to E as in the inspection target data areas A ′ to F ′ in FIG. Steps 1 to 7 are performed on the inspection target data areas A ′ to F ′.

  The following effects are acquired by the above processing. The coupling failure in the memory 40 also crosses between the areas of the inspection target data areas A ′ to F ′ in FIG. After the area division is changed, the coupling fault becomes within the same area C ′, and the fault can be detected by the processing steps 1 to 7 shown in the third embodiment.

  As described above, according to the third embodiment, a plurality of types of division positions can be set for the inspection target data areas A ′ to F ′ of the memory 40, thereby detecting a coupling failure across the division boundary. It becomes possible.

(Fourth embodiment)
The fourth embodiment of the present invention will be described again with reference to FIG. About each part of 4th Embodiment, the same part as 1st Embodiment attaches | subjects the same code | symbol, and abbreviate | omits the description.

  The fourth embodiment is different from the first embodiment in that the program configuration executed by the CPU 20 is further provided with an encoding program capable of performing the same encoding calculation as the encoding calculation unit 32. This is because a “diagnosis” command is sent to the command receiving unit 33.

  In this configuration, the CPU 40 does not have a configuration capable of performing an encoding calculation on data having a certain memory data access width or a configuration for this calculation with the same encoding rule as the encoding calculation unit 32. The data obtained by the encoding program and the encoded data may be stored in association with each other.

  In the fourth embodiment, the CPU 40 including the encoding program and the instruction receiving unit 33 that has received the “self-diagnosis” instruction can mutually verify the normal operation of the encoding calculation unit 32. .

  In this encoding calculation redundancy process, first, the target data for verification is given to the instruction receiving unit 33 by the “self-diagnosis” instruction.

  Then, the encoding calculation unit 32 calculates encoded data for verification based on the target data for verification.

  The encoded data for verification is returned from the memory failure detection unit 30 to the CPU 20, the encoded data included in the encoding program, and the encoding for verification by the encoding calculation unit 32 returned from the CPU 20 memory failure detection unit 30. Check the data match.

  Therefore, according to the fourth embodiment, since the CPU 20 has the encoded data verification function by the instruction receiving unit 33, if the encoded data and the calculation result of the encoded calculation unit 32 do not match, the CPU 20 It can be detected that any one of the memory failure detection units 30 has failed.

  Although several embodiments of the present invention have been described, these embodiments are presented by way of example and are not intended to limit the scope of the invention. These novel embodiments can be implemented in various other forms, and various omissions, replacements, and changes can be made without departing from the scope of the invention. These embodiments and modifications thereof are included in the scope and gist of the invention, and are included in the invention described in the claims and the equivalents thereof.

10 Memory failure detection device 20 CPU
30 Memory failure detection unit 31 Address conversion unit 32 Coding calculation unit 33 Instruction reception unit 34 Data rewrite unit for detection 40 Memory 50 External bus

Claims (12)

A CPU having a control program and controlling the plant via an input / output unit connected to its own external bus;
A memory for storing the control program and data used in the control program;
One of the external buses of the CPU is connected to the other, and the other is connected to the memory, and the memory is set as a diagnosis target of the memory that is set in advance when the control program is started or during idle time during execution of the control program. A memory failure detection unit for diagnosing a failure in the data region based on a “memory failure detection” command that designates a data region;
With
The memory failure detection unit includes an address conversion unit, an encoding calculation unit, an instruction reception unit, and a detection data rewriting unit,
The command receiving unit receives a “memory failure detection” command from the CPU and sends it to the encoding calculation unit, the address conversion unit, and the detection data rewriting unit,
When the address conversion unit transfers data to the memory in response to a “memory failure detection” command from the CPU, the logical address of the control program is changed to the physical address of the memory, and from the memory to the CPU. When transferring data, the physical address of the memory is converted to the logical address,
When the data is written in the data area based on the “memory failure detection” command, the coding calculation unit performs coding based on a preset coding rule for the data in the data area written in advance. When calculating and writing first encoded data, writing to the code area associated with the data area, and performing a memory fault diagnosis with the “memory fault detection” command from the CPU, the data Performing the encoding operation on the data read from the region to obtain the second encoded data, comparing the first encoded data and the second encoded data, detect the presence or absence of a failure,
The detection data rewriting unit is notified of a “memory failure detection” command from the CPU via the command receiving unit, and is a data rewriting region in the data region set in advance by the “memory failure detection” command. The data is rewritten with reference data converted according to a specific change rule set in advance, and further, the data in the data rewrite area after rewriting is read out, and the reference data and the data at the time of reading are compared. Detect faults,
The command receiving unit receives a “memory failure detection” command from the CPU and sends it to the encoding calculation unit, the address conversion unit, and the detection data rewriting unit,
The CPU transmits, to the memory failure detection unit, the “memory failure detection” command that designates the failure detection address, the data area, and the data rewrite area,
The memory failure detection unit includes a first encoded data at the time of writing and a second encoding that is read from the memory and encoded with respect to the address of the data area based on the “memory failure detection” command Compare the data, determine the failure of the memory in the data rewrite area from the presence or absence of the difference,
A control device characterized in that a data rewrite area of the memory is set and a memory failure in the data area is detected by comparing the write operation result of the write data and the read data of the data rewrite area. .   The encoding calculation unit reads and encodes data in a data area other than the data rewrite area that has been subjected to failure detection processing by the detection data rewrite unit in response to a command from the command receiving unit. The control device according to claim 1, wherein the failure detection is performed by comparing and comparing the encoded data obtained by executing the arithmetic processing and the corresponding encoded data stored in itself.   The detection data rewriting unit includes a plurality of the specific change tools and, when failure detection of all the data areas is completed, rewrites the data in the rewrite area based on the specific change tools set in advance. The control device according to claim 1, wherein The CPU transmits only the first address of the failure detection address in the “memory failure detection” instruction,
The control device according to claim 1, wherein the instruction receiving unit automatically updates an address designating the data rewriting area. The detection data rewrite unit performs a reverse conversion process on the rewritten data in the data rewrite area after the process based on the “memory failure detection” command is completed and the process proceeds to the process of the control program. Without returning
The address conversion unit stores the rewritten address for failure detection,
Until the CPU has a write command to the failure detection address, the data read from the failure detection address is subjected to the reverse conversion process by the detection data rewriting unit and transmitted to the CPU. The control device according to claim 1.   The encoding rule of the encoding calculation unit uses a code capable of bit error detection and bit error correction, and enables continuous processing of the control program in the case of a single bit error. Control device.   2. The control device according to claim 1, wherein the detection data rewrite unit sets a partial area as the data rewrite area with respect to a data area specified by the failure detection address.   The data area of the memory and the data rewrite area are updated in a time division manner to detect a memory failure across a boundary due to an area division based on the data area and the data rewrite area. The control apparatus according to 1. A self-diagnosis function of the control device, wherein the CPU includes an encoding calculation function executed by the memory failure detection unit;
Send a “self-diagnosis” command set in advance to the memory failure detection unit,
The diagnostic data based on the “self-diagnosis” command is transmitted to the command receiving unit, and the memory failure detection unit executes a preset coding operation on the diagnostic data in the coding calculation unit. And return the encoded data to the CPU,
The control device according to claim 1, wherein the CPU collates the returned encoded data with the encoded data calculated by itself to self-diagnose a failure of the memory failure detection unit or the CPU. A CPU having a control program and controlling the plant via an input / output unit connected to its own external bus;
A memory for storing the control program and data used in the control program;
One is connected to the external bus of the CPU and the other is connected to the memory, and the CPU becomes a diagnosis target of the memory set in advance when the control program is started or during an idle time during the execution of the previous control program Based on a “memory failure detection” command that designates a data area, a memory failure detection unit that diagnoses a failure in the data area;
A memory failure detection method for a control device comprising:
The CPU transmits, to the memory failure detection unit, the “memory failure detection” command that designates the failure detection address, the data area, and the data rewrite area,
The memory failure detection unit includes a first encoded data at the time of writing and a second encoding that is read from the memory and encoded with respect to the address of the data area based on the “memory failure detection” command Compare the data, determine the failure of the memory in the data rewrite area from the presence or absence of the difference,
A memory failure in a control device, wherein a data failure area in the memory is detected by setting a data rewrite area in the memory and comparing the result of encoding operation of write data and read data in the area Detection method.   Furthermore, the encoded data obtained by reading out data in the data area other than the data rewrite area processed in the “memory failure detection”, and the corresponding encoded data before the “memory failure detection” process stored in the memory 11. The memory failure detection method for a control device according to claim 10, wherein a failure is detected by comparing and comparing the two. A CPU having a control program and controlling the plant via an input / output unit connected to its own external bus;
A memory for storing the control program and data used in the control program;
One of the external buses of the CPU is connected to the other, and the other is connected to the memory. When the control program is started or during an idle time during the execution of the previous control program, the memory diagnosis target set in advance A memory failure detection unit for diagnosing a failure in the data region based on a “memory failure detection” command that designates a data region to be
A control device self-diagnosis method for a control device comprising:
The CPU includes an encoding calculation function executed by the memory failure detection unit,
Send a “self-diagnosis” command set in advance and its diagnostic data to the memory failure detection unit,
The memory failure detection unit performs a preset encoding operation on the diagnostic data, and returns the encoded data to the CPU.
The CPU collates the returned encoded data with the encoded data calculated by itself,
A self-diagnosis method for a control device, wherein the memory failure detection unit or CPU failure is self-diagnosed.

Images