JP2020038416A - Standby redundancy multiplex control device - Google Patents

Abstract

To provide a standby/redundant multiplexing control device which has a low apparatus cost and a small burden on an installation space, and has high availability and reliability.SOLUTION: A standby/redundant multiplexing control device includes a plant concentrator having an I/O processing unit and a memory that records and manages control information of a plant apparatus to concentrate and control plant apparatus lines and a plurality of CPUs 3, and is connected to a process I/O device 4 for performing data I/O with field devices and to a server for communicating a plant monitoring device and plant information. The plurality of CPUs include a first CPU that executes a first control operation program, and a second CPU that reads and executes a second control operation program instead of the first CPU.SELECTED DRAWING: Figure 1

Description

  The present application relates to a standby redundant multiplexing control device including a plant concentrator.

  2. Description of the Related Art A control device used for a machine and a device in a factory or the like is configured by connecting a number of CPUs for executing programs and performing arithmetic processing of data, a process input / output device for transmitting and receiving process data to and from control devices, and a communication device. . Among such control devices, in particular, in a plant control device such as a power generation plant requiring availability and reliability, a multiplexing structure having redundancy is used so as to cope with a failure of the control device (for example, And Patent Document 1).

Japanese Patent No. 5908068

  In a multiplexed control device such as a power plant where high availability and reliability are required, it is necessary to provide a CPU and a process input / output device having the same configuration as the control system as a standby system in case of an abnormality in the control system. It is.

  The failure of the control system is complemented by the corresponding devices constituting the standby system. For this reason, when the control system has a plurality of control targets, the control system becomes large-scale and the standby system becomes large-scale, so that there is a problem that the cost of equipment and the load on the installation space increase.

  The present application has been made in order to solve the above-described problems, and is a standby redundant multiplexing control device that requires high availability and reliability of a power generation plant and the like, and has a small equipment cost and a small installation space burden. An object is to obtain a redundant multiplexing control device.

  The standby redundant multiplexing control device of the present application has a memory and an input / output processing unit that records and manages control information of plant equipment, and includes a plant concentrator and a plurality of CPUs for concentrating and controlling plant equipment lines. A standby redundant multiplexing control device connected to a process input / output device for inputting / outputting data to / from a device, a plant monitoring device, and a server for communicating plant information, wherein the plurality of CPUs includes a first control calculation program And a second CPU that reads and executes a second control calculation program instead of the first CPU.

  The standby redundant multiplexing control device of the present application can obtain a multiplexing control device requiring high availability and reliability, such as a power plant, with a small equipment cost and an installation space.

1 is an overall configuration diagram of a plant control device according to a first embodiment. FIG. 2 is a configuration diagram of a plant concentrator according to the first embodiment. FIG. 3 is a diagram showing a data array of a shared memory information table according to the first embodiment. FIG. 3 is a diagram showing a data array of a control calculation program information table according to the first embodiment. FIG. 3 is a diagram showing a data array of a control calculation information table according to the first embodiment. FIG. 5 is a diagram illustrating a state transition of a connected device according to the first embodiment. FIG. 4 is a diagram showing a CPU execution time schedule according to the first embodiment. FIG. 4 is a flowchart for monitoring execution of a control calculation program according to the first embodiment. FIG. 13 is a control operation program change flow chart according to the second embodiment. FIG. 10 is a configuration diagram of a plant concentrator according to a third embodiment.

  In the description of the embodiments and the drawings, parts denoted by the same reference numerals indicate the same or corresponding parts.

Embodiment 1 FIG.
This embodiment will be described with reference to FIGS. 1 is an overall configuration diagram of a plant control device, FIG. 2 is a configuration diagram of a plant concentrator, and FIGS. 3 to 5 show data arrays of a shared memory information table, a control operation program information table, and a control operation information table that constitute the plant concentrator. FIG. 6 shows a state transition of the connected device, FIG. 7 shows a CPU execution time schedule, and FIG. 8 shows a flow of monitoring the execution of the control calculation program when an abnormality occurs in the CPU executing the control calculation program. 2 shows a flow of switching to the alternative CPU.

<Configuration of plant control device>
FIG. 1 shows a configuration of a plant control device 1 according to the present embodiment.
The plant control device 1 confirms the operation status of the power generation equipment 6 such as a boiler, a turbine, and a generator constituting the power generation plant and the like, and instructs each power generation equipment 6 on a coping method and the like according to the status. A PIO (process input / output device) 4, an HMI (plant monitoring device) 7 connected to a sensor or an actuator 5, which is a field device for acquiring the status of the power generation facility 6, and a server 8 are connected around a plant concentrator 10. .

  In the present embodiment, a star-type connection mode is used, centering on the plant concentrator 10, but other types such as a bus type and a link type can also be used. The communication protocol required for connection is not particularly limited, and general-purpose communication protocol processing such as TCP, UDP, IP, and Internet (registered trademark) can be used. Further, in FIG. 1 of the present embodiment, a state in which a plurality of CPUs 3, HMIs 7, PIOs 4, sensors or actuators 5 are respectively connected is described. Can be varied and used.

  A portion composed of five CPUs 3 and a plant concentrator 10 surrounded by a broken line in FIG. 1 is the standby redundant multiplexing control device 2, and FIG. 2 shows the configuration of the plant concentrator 10 in detail.

  The plant concentrator 10 has an input unit 11 for receiving data, an input / output processing unit 12 for processing received data, and an output unit 13 for transmitting processed data. Here, transmission and reception of data between the input unit 11 and the output unit 13 can be performed by general-purpose protocol processing such as Internet (registered trademark).

  Further, the plant concentrator 10 includes a shared memory information table 14, a control calculation information table 15, a shared memory 16, a control calculation program information table 17, and a program storage file system 18 for storing information necessary for driving and data.

  The input unit 11 refers to the shared memory information table 14 and the control calculation information table 15 to transfer data from the input unit 11 to the input / output processing unit 12 if necessary for input / output processing. After the input / output processing is performed by the unit 12, the processed data is transferred from the input / output processing unit 12 to the output unit 13 and finally transmitted from the output unit 13.

  If input / output processing is not necessary in the input unit 11 based on the shared memory information table 14 and the control calculation information table 15, the input / output processing is directly passed from the input unit 11 to the output unit 13 and transmitted from the output unit 13. Also, the input unit 11 refers to the shared memory information table 14 and performs writing if it is necessary to write to the shared memory 16, performs reading if necessary to read from the shared memory, and then reads the data. Send.

<Data array of each table>
The data arrangement of the shared memory information table 14, the control calculation program information table 17, and the control calculation information table 15 will be described with reference to FIGS.
FIG. 3 is a diagram showing a data array of the shared memory information table 14, which includes a device identifier 101 for identifying a device connected to the plant concentrator 10, and a start address 102 of the shared memory 16 to which each connected device can write. And a size 103. The device identifier 101, the write start address 102 of the shared memory, and the size 103 are all set in the plant concentrator 10 in advance.

FIG. 4 shows a data array of the control operation program information table 17.
The control operation program information table 17 includes the number 201 of programs stored in the program storage file system 18 provided in the plant concentrator 10 and the control operation program information 210 corresponding to the number 201 of programs. Here, the control calculation program information 210 includes, for example, a file name 211 of the control calculation program, a program identifier 212 for the equipment connected to the plant concentrator 10 to identify the control calculation program, and an execution cycle of the control calculation in the CPU 3. 213.

  In FIG. 4, the program identifier 212 and the execution cycle 213 of the control operation are described as being included in the control operation program information 210. However, such information can also be included in the control operation program to manage data.

FIG. 5 is a diagram showing a data array of the control calculation information table 15. The control calculation information table 15 indicates the device identifier 311 of the CPU 3 executing the control calculation program indicated by the program identifier 301, the start address 321 and the size 322 of the write area of the shared memory.
The program identifier 301 is set in correspondence with the file name 211 of the control operation program being executed in the control operation program information table 17, and the device identifier 311, the start address 321 and the size 322 of the write area of the shared memory are the control operation program. Set when the program is executed.

<Operation of standby redundant multiplexing control device>
FIG. 6 is a state transition diagram of devices connected to the plant concentrator 10. The states of the devices connected to the plant concentrator 10 include a standby state 401, an operating state 402, and an abnormal state 403, which are shown in the shared memory information table 14.

FIG. 7 shows the execution time schedule of the CPU 3, and shows the lapse of time from left to right. If the state of the device is the standby state 401, only the processing of the data input 502 and the data output 504 is executed during the initial value of the execution period (T) 501 except for the control operation 503, and the processing is executed until the next execution period. The time of the empty space 505 is kept as it is.
In the case of the operation state 402, when the CPU 3 reads out the control calculation program from the plant concentrator 10, the execution cycle 213 acquired from the control calculation program information table 17 is replaced with the initial value of the execution cycle (T) 501, which is necessary for the control calculation 503. The data input 502, the execution of the control calculation 503 by the control calculation program, and the data output 504 of the control calculation result are performed, and the time of the empty space 505 until the next execution cycle (T + 1) is held as it is.
In the case of the abnormal state 403, nothing is performed, and the state is reset to shift to the standby state 401.

  Further, the CPU 3 reads the state instruction 506 from the plant concentrator 10 at the time of data input 502, shifts to the instructed state, and conversely, at the time of data output 504, conveys the state as a state notification 507 to the shared memory. Write 16

The status instruction 506 is stored in a defined writing area of the shared memory 16 of the plant concentrator 10, for example, in a format in which the device identifier 311 of the CPU 3 and the status of the CPU 3 are paired. The initial setting of the state instruction 506 is preferably the standby state 401 in many cases.
As an example, the state notification 507 is written in the write area of the shared memory 16 corresponding to the CPU 3 by combining the state of the CPU 3 and the counter value automatically increased for each execution cycle.

  FIG. 8 shows an execution monitoring flow of the control calculation program executed by the plant concentrator 10 in the present embodiment. This flow is performed for each control calculation program shown in the control calculation program information table 17, and indicates a step of switching to the alternative CPU 3 when an abnormality occurs in the CPU 3 executing the control calculation program.

  As a specific method for detecting an abnormal state of each CPU 3, as an example, monitoring is performed at predetermined time intervals or at time intervals of half the execution period 213, and the counter value of the automatic increase is executed. Although there is a method of confirming that it has changed within the cycle, it is not the essence of the present application, and the detailed description of the execution monitoring flow is complicated, so that the description is omitted here.

The plant concentrator 10 refers to the control calculation information table 15 and confirms that the status notification 507 of the device identifier 311 in which the control calculation program to be monitored is running indicates the operation state 402 (step S11). If the state notification 507 is the operation state 402, the operation is continued as it is until the next monitoring time (step S12).
If the state notification 507 is not the operation state 402, it is necessary to switch from the CPU 3 currently executing the control calculation program to the CPU 3 in another standby state 401, and therefore, the processing from step S21 to step S25 is performed.

If the status notification 507 of the device identifier 311 in which the control calculation program to be monitored is being executed is not the operating status 402, the CPU 3 selects from the CPUs 3 in the standby status 401 based on the status notification 507 (step S21).
Referring to the control calculation program information table 17, the control calculation program to be monitored is communicated from the program storage file system 18 by a communication protocol, and is written to the CPU 3 selected in the previous process (step S21) (step S22). .

  With reference to the control calculation information table 15, it is confirmed whether or not the device identifier 311 of the control calculation program to be monitored is valid (step S23). If the device identifier 311 is not valid, the control operation program to be monitored has not been executed, so the shared memory information table 14 is referred to and the shared memory write start address 102 corresponding to the device identifier 101 of the CPU 3 selected in step S21. And the size 103 are set to the shared memory write start address 321 and the size 322 of the control calculation information table 15 (step S31).

  When it is determined in step S23 that the device identifier 311 is valid, or when the shared memory information is updated in step S31 although the device identifier is not valid, the device identifier 101 of the selected CPU 3 is changed to the device identifier 311 of the control calculation information table 15. (Step S24). Finally, the operation state 402 is set in the state instruction 506 of the device identifier 311 (step S25), and the switching processing to the alternative CPU 3 can be completed.

  As described above, in the present embodiment, the standby redundant multiplexing control device is configured by using the plant concentrator 10 in combination with the plurality of CPUs 3 and is necessary for controlling the plant such as the CPU 3 and the PIO 4 to which the plant concentrator 10 is connected. Control information is stored in the shared memory 16 and a control calculation program executed by the CPU 3 is stored. Thereby, when an abnormality occurs in the CPU 3, the switching process to the alternative CPU 3 can be performed, and by adjusting the relationship between the number of constituent CPUs 3 and the number of stored programs 201, various levels of redundancy can be achieved. Can be planned.

  For example, by providing one more CPU 3 than the number 201 of control operation programs, redundancy can be achieved, and a multiplexing control device can be obtained with a small equipment cost and a burden of installation space. In addition, in order to increase availability and reliability, by providing a CPU having twice or more the number of control arithmetic programs, redundancy equivalent to that used in a conventional multiplex control device can be achieved, The level of availability and reliability can also be flexibly adjusted.

Embodiment 2 FIG.
In the first embodiment, the case where an abnormality has occurred in the CPU 3 has been described. However, in the present embodiment, control is performed using the same standby redundant multiplexing control device 2 regardless of the occurrence of an abnormality in the CPU 3 used. A procedure for changing the control calculation program without stopping the operation will be described.

FIG. 9 shows a control operation program change flow chart in the present embodiment.
First, a new control operation program to be changed is stored in the program storage file system 18 (step S101), and the CPU 3 in the standby state 401 is selected with reference to the state notification 507 (step S102).

  The control arithmetic program after the change stored in the program storage file system 18 in the step S101 is written into the CPU 3 selected in the step S102 by the communication protocol (step S103), and the control after the change of the file name 211 of the control arithmetic program information 210 to be changed is performed. The file is updated to the file name 211 of the calculation program (step S104).

  The status instruction 506 of the CPU 3 that has been executed so far is set to the standby state 401 (step S105), updated to the device identifier 101 of the CPU 3 selected in step S102 (step S106), and the status instruction 506 of the CPU 3 is operated. The state is set to 402 (step S107).

By following the above procedure, the control calculation program can be changed without stopping the control operation.
By using the plant concentrator 10, the control operation programs before and after the change can be centrally managed, and there is no need to individually replace the programs of the control system and the standby system, thereby improving maintainability.

Embodiment 3 FIG.
In the first embodiment, the configuration and operation when the plant concentrator 10 is used alone have been described. In the present embodiment, a device configuration for further improving the availability and reliability of the standby redundant multiplexing control device 2 will be described. In the present embodiment, as shown in FIG. 10, two plant concentrators 10, 100, a CPU 3, a PIO 4 necessary for plant control, and the like are connected to a hub 200.

  The two plant concentrators 10 and 100 are connected to the input unit 11 and the output unit 13 via different routes, and include an abnormality processing unit 20 in a shared portion between the two. By employing such a configuration, the two plant concentrators 10 and 100 can be used as a main system and a sub system. That is, when the abnormality processing unit 20 of the main plant concentrator 10 detects an abnormality, the abnormality is notified to the subordinate plant concentrator 100, and the subordinate plant concentrator 100 takes over the abnormality processing, so that multiplexing with high availability and high reliability is performed. The control device 2 can be obtained.

  In the standby redundant multiplexing control device 2 shown in the present embodiment, the device identifier 101 to be recorded in the shared memory information table 14, the start address 102 and the size 103 of the shared memory writing area are the same as those of the CPU 3 connected to the hub 200, Since each device such as the PIO 4 has a simultaneous data distribution function by IP broadcast communication or multicast communication, data can be transmitted and the contents of the shared memory 16 can be made the same.

  In the standby redundant multiplexing control device 2 according to the present embodiment, the control operation information table 15, the control operation program information table 17, and the program storage file system that are changed by the procedure of execution monitoring and program change performed in the main system The content of 18 is notified from the master system to the slave system via the path to which the concentrators 10 and 100 are directly connected when it is changed, and by updating its own information in the slave system based on the notification, the contents of the both are updated. It is possible to keep the data identical. Since the output of the slave system is suppressed from being output to the hub 200, the data is not duplicated with the data output by the master system.

Although this application describes various exemplary embodiments and examples, the various features, aspects, and functions described in one or more embodiments may be applied to the application of a particular embodiment. The present invention is not limited thereto, and can be applied to the embodiment alone or in various combinations.
Accordingly, innumerable modifications not illustrated are contemplated within the scope of the technology disclosed herein. For example, a case where at least one component is deformed, added or omitted, and a case where at least one component is extracted and combined with a component of another embodiment are included.

REFERENCE SIGNS LIST 1 plant control device, 2 standby redundant multiplex control device, 3 CPU, 4 PIO, 5 sensor or actuator, 6 power generation facility, 7 HMI, 8 server, 10 plant concentrator, 11 input section, 12 input / output processing section, 13 output Unit, 14 shared memory information table, 15 control operation information table, 16 shared memory, 17 control operation program information table, 18 program storage file system, 20 error processing unit, 100 plant concentrator, 101 device identifier, 102 start address, 103 size , 200 hub, 201 number of programs, 210 control operation program information, 211 file name, 212 program identifier, 213 execution cycle, 301 program identifier, 311 device identifier, 321 start address, 32 Size, 401 standby state, 402 operating state, 403 abnormal state, 501 execution period, 502 data input, 503 control operation, 504 data output, 505 free, 506 state instructions 507 status notification.

Claims (4)

It has a memory and an input / output processing unit for recording and managing control information of the plant equipment, and includes a plant concentrator and a plurality of CPUs for concentrating and controlling plant equipment lines,
A standby redundant multiplexing controller connected to a process input / output device for inputting and outputting data to and from a field device, a plant monitoring device, and a server for communicating plant information,
A first CPU that executes a first control calculation program;
A standby redundant multiplexing control device, comprising: a second CPU that reads and executes a second control operation program instead of the first CPU. The second control calculation program read by the second CPU is:
2. The standby redundant multiplexing control device according to claim 1, wherein the control program is the same as the first control calculation program executed by the first CPU. The standby redundant multiplexing control device according to claim 1, wherein the memory stores the second control operation program. 4. The standby redundant multiplexing control device according to claim 1, wherein the first CPU is replaced with the second CPU when an abnormality is found. 5.

Images