JP2023074675A - Safety PLC - Google Patents

Abstract

To give at least one timer the possibility of dual use for time measurement of another control while suppressing a delay from a desired timer synchronization start timing to an actual timer synchronization start timing.SOLUTION: In a safety PLC (100), when a first time measured by a first timer (11) is a first predetermined period, a first microcomputer (10) transmits a synchronization signal to a second microcomputer and resets the first timer to zero to repeat a measurement start; and when a second time measured by a second timer (21) does not exceed a second predetermined period which is longer than the first predetermined period, and the synchronization signal is received from the first microcomputer, a second microcomputer (20) continues the measurement by the second timer without resetting the second timer to zero and determines whether the first microcomputer and the second microcomputer are in a normal condition based on whether or not an intermediate target time in which the number of receiving times of the synchronization signal from the start of the measurement by the second timer is multiplied by the first predetermined period can be considered to be equal to the second time.SELECTED DRAWING: Figure 1

Description

The present invention relates to a safety PLC (Programmable Logic Controller).

Conventionally, there are at least two microcomputers that synchronously execute processing of an input signal input from an external device with the same program, and one microcomputer has data indicating its own processing state and data indicating the processing state of the other microcomputer. There is a safety PLC that compares the two data and stops the control output to the controlled device if the two data do not match (see Patent Document 1).

JP 2009-259134 A

By the way, in general, each microcomputer executes a watchdog operation using its own timer, and when a signal is input within the time limit of the timer, the timer is reset to monitor the processing time of the other microcomputer. continue to do so. At that time, each microcomputer measures each cycle by a timer, and performs handshake communication between the microcomputers at the start of each cycle to synchronize the timers.

To explain this timer synchronization in detail, first, one microcomputer (referred to as the first microcomputer) sends a handshake signal to the other microcomputer (referred to as the second microcomputer) at the timing at which it wishes to start timer synchronization. The second microcomputer receiving it resets the timer to zero and starts measurement (timer synchronization start), and also sends a handshake signal to the first microcomputer. The first microcomputer receiving this resets the timer to zero and starts measurement (timer synchronization start).

However, with this method, the timer synchronization start timings of both the first microcomputer and the second microcomputer are always delayed by a certain period of time with respect to the timing at which timer synchronization is desired.

In addition, the current watchdog operation timer is not suitable for use in separate control because both the first microcomputer and the second microcomputer are reset to zero in an extremely short period. Since PLC control has become more sophisticated in recent years, the inventors of the present invention devised the possibility of using a timer for such a watchdog operation in combination with time measurement for another control.

The present invention has been made to solve the above problems, and its main purpose is to provide a safety PLC in which, when synchronizing the timers of a plurality of microcomputers, the timing from the timing at which timer synchronization is desired to the actual timer synchronization start timing is controlled. To provide at least one timer with the possibility of being used together for time measurement of another control while suppressing the delay of .

The first means for solving the above problems is
A safety PLC comprising a redundant circuit including a first microcomputer and a second microcomputer,
The first microcomputer has a first timer, and transmits a synchronization signal to the second microcomputer and resets the first timer to zero when the first time measured by the first timer is a first predetermined period. to start measurement,
The second microcomputer has a second timer, and the second time measured by the second timer exceeds a second predetermined period longer than the first predetermined period and receives the synchronization signal from the first microcomputer. In the case, repeat resetting the second timer to zero and starting measurement,
The second microcomputer performs measurement by the second timer without resetting the second timer to zero when the second time does not exceed the second predetermined period and the synchronization signal is received from the first microcomputer. Based on whether the intermediate target time obtained by multiplying the number of times the synchronization signal is received from the start of measurement by the second timer by the first predetermined period can be regarded as equal to the second time. It is determined whether or not the first microcomputer and the second microcomputer are normal.

According to the above configuration, the safety PLC has a redundant circuit including the first microcomputer and the second microcomputer. Therefore, even if one of the first microcomputer and the second microcomputer fails, the other can execute a program or the like, and the safety of the safety PLC can be ensured.

The first microcomputer has a first timer, and transmits a synchronization signal to the second microcomputer and resets the first timer to zero when the first time measured by the first timer is a first predetermined period. to start measurement. Therefore, the synchronization signal used for the watchdog operation and timer synchronization can be transmitted from the first microcomputer to the second microcomputer every first predetermined period. The second microcomputer has a second timer, and the second time measured by the second timer exceeds a second predetermined period longer than the first predetermined period and receives the synchronization signal from the first microcomputer. In this case, resetting the second timer to zero and starting measurement are repeated. Therefore, even if the first predetermined period is set short for the watchdog operation, the second timer can measure time up to an arbitrary second predetermined period longer than the first predetermined period. Therefore, the second timer can be given the possibility of being used together for time measurement of another control.

Furthermore, when the first microcomputer transmits a synchronization signal to the second microcomputer, the first timer is reset to zero and measurement is started (timer synchronization is started), and when the second time exceeds the second predetermined period, the second microcomputer is synchronized. When the signal is received, the second timer is reset to zero and measurement is started (timer synchronization is started). For this reason, the delay from the timing at which timer synchronization is desired (timing for transmitting the synchronization signal by the first microcomputer) to the actual timing for starting timer synchronization (timing for receiving the synchronization signal by the second microcomputer) is set to the start of the second predetermined cycle. to end can be only one time, which occurs in the second microcomputer at the beginning of the second predetermined period. Therefore, compared to the conventional technology in which the timer synchronization start timings of both the first microcomputer and the second microcomputer are always delayed by a certain period of time with respect to the desired timer synchronization start timing, the timer synchronization start is desired. It is possible to greatly reduce the delay from the timing to start timer synchronization to the actual timer synchronization start timing.

Moreover, the second microcomputer does not reset the second timer to zero when the second time does not exceed the second predetermined period and the synchronization signal is received from the first microcomputer. Based on whether or not the intermediate target time obtained by continuing measurement and multiplying the number of times the synchronization signal is received from the start of measurement by the second timer by the first predetermined period and the second time can be considered equal, It is determined whether or not the first microcomputer and the second microcomputer are normal. Here, if an abnormality occurs in either one of the first microcomputer and the second microcomputer, an intermediate target time obtained by multiplying the number of times the synchronization signal is received from the start of measurement by the second timer by the first predetermined period and the second microcomputer 2 hours can no longer be considered equal. Therefore, it is possible to determine whether or not both the first microcomputer and the second microcomputer are normal at each first predetermined cycle even in the middle of the second predetermined cycle, that is, to execute the watchdog operation. can.

In a second way,
When the second time does not exceed the second predetermined period and the synchronization signal is received from the first microcomputer, the second microcomputer determines that the absolute value of the difference between the intermediate target time and the second time is If it is smaller than the first predetermined value, the intermediate target time and the second time can be regarded as equal, and if the absolute value of the difference is larger than the first predetermined value, the intermediate target time and the second time cannot be considered equal, and
The second microcomputer, when the second period does not exceed the second predetermined period and receives the synchronization signal from the first microcomputer, provides a second microcomputer in which the absolute value of the difference is smaller than the first predetermined value. If it is smaller than the predetermined value, the measurement by the second timer is continued without resetting the second timer to zero, and if the absolute value of the difference is larger than the second predetermined value and smaller than the first predetermined value 2. The safety PLC according to claim 1, wherein said second time is preferentially corrected to said intermediate target time and measurement by said second timer is continued.

According to the above configuration, if the absolute value of the difference between the intermediate target time and the second time in the middle of the second predetermined period is smaller than the first predetermined value, the second microcomputer determines the intermediate target time and the second time. It is determined that the first microcomputer and the second microcomputer are normal, assuming that two hours are equal. On the other hand, if the absolute value of the difference is greater than the first predetermined value in the middle of the second predetermined cycle, the second microcomputer determines that the intermediate target time and the second time cannot be considered equal. and at least one of the second microcomputer is not normal.

Here, the time measured by the second timer is not reset to zero until the second predetermined cycle is exceeded. Therefore, even if the first microcomputer and the second microcomputer are normal, the difference between the time measured by the first timer and the time measured by the second timer is accumulated during the second predetermined period, and the first microcomputer and the second microcomputer At least one of the microcomputers may be erroneously determined to be abnormal.

In this regard, the second microcomputer does not reset the second timer to zero if the absolute value of the difference is smaller than a second predetermined value smaller than the first predetermined value in the middle of the second predetermined period. 2 Continue the measurement by the timer. On the other hand, if the absolute value of the difference is larger than the second predetermined value and smaller than the first predetermined value in the middle of the second predetermined period, the second microcomputer adjusts the second time to the intermediate target time. Correction is given priority and the measurement by the second timer is continued. Therefore, even if it is determined that the first microcomputer and the second microcomputer are normal, if the absolute value of the difference between the intermediate target time and the second time is greater than the second predetermined value, the first The measurement time of the second timer can be corrected based on the timer.

In the third means, the second microcomputer obtains in advance a delay time from the transmission timing of the synchronization signal by the first microcomputer to the reception timing of the synchronization signal by the second microcomputer, and sets the second timer to zero. A time obtained by adding the delay time to the time measured by the second timer after resetting is defined as the second time. According to such a configuration, the timer synchronization start timing of the second microcomputer can substantially match the desired timing of timer synchronization start (transmission timing of the synchronization signal by the first microcomputer). Therefore, it is possible to further reduce the delay from the timing at which timer synchronization is desired to the timing at which timer synchronization is actually started.

Schematic diagram showing a safety PLC and peripheral devices. A time chart showing measurement time of each signal and each timer. The time chart which shows the synchronous aspect of each timer. 4 is a time chart showing measurement times of each signal and each timer in a comparative example; 4 is a time chart showing synchronization modes of respective timers in a comparative example;

An embodiment embodied in a safety PLC will be described below with reference to the drawings.

As shown in FIG. 1, the safety PLC 100 receives a signal from the safety input device 30, executes a program based on the input signal, and outputs a signal to the controlled device 40 based on the execution result. The safety input device 30 is, for example, an emergency stop button, a safety door switch, a safety sensor, or the like. The controlled device 40 is, for example, a robot, a machine tool, a valve, a motor, or the like.

The safety PLC 100 includes a first microcomputer 10, a first crystal oscillator 18, a second microcomputer 20, a second crystal oscillator 28, and the like. The first crystal oscillator 18 and the second crystal oscillator 28 generate a clock signal at a common predetermined frequency. However, due to the difference in accuracy between the first crystal oscillator 18 and the second crystal oscillator 28, there is a slight difference between the frequency of the clock signal of the first crystal oscillator 18 and the frequency of the clock signal of the second crystal oscillator 28. exists.

The first microcomputer 10 includes a first timer 11, a memory 12, a CPU 13, a serial communication port UART, a GPIO (General Purpose Input/Output) port, and the like.

The first timer 11 measures time based on the clock signal from the first crystal oscillator 18 . Hereinafter, the time measured by the first timer 11 will be referred to as a first time Tm1. The CPU 13 controls the start of measurement, reset, etc. of the first timer 11 .

The memory 12 stores various programs executed by the CPU 13, data, and the like. Various programs include a predetermined program commonly executed by the first microcomputer 10 and the second microcomputer 20 and other programs. A program includes a plurality of tasks, which are a set of instructions (processes).

The CPU 13 operates with a clock signal from the first crystal oscillator 18 . The CPU 13 executes various programs stored in the memory 12 . That is, the CPU 13 (first microcomputer 10) executes each task included in the predetermined program. The first microcomputer 10 processes the signal input from the safety input device 30 and creates a signal to the controlled device 40 based on the processing result.

The second microcomputer 20 also has a configuration similar to that of the first microcomputer 10 and executes tasks similar to those of the first microcomputer 10 . That is, the safety PLC 100 has a duplexed circuit including the first microcomputer 10 and the second microcomputer 20 .

When the signal created by the first microcomputer 10 and the signal created by the second microcomputer 20 match, the safety PLC 100 outputs the signal to the controlled device 40 . On the other hand, when the signal generated by the first microcomputer 10 and the signal generated by the second microcomputer 20 do not match, the safety PLC 100 detects an abnormality and executes predetermined fail-safe processing. The predetermined fail-safe process is, for example, a process of stopping power supply to the robot.

First, referring to FIG. 4, each signal and the measurement time of each timer 11 and 21 in the comparative example will be described.

The first microcomputer 10 and the second microcomputer 20 execute the GPIO handshake every first predetermined period Pd1. Specifically, the first microcomputer 10 and the second microcomputer 20 transmit and receive a handshake signal via the GPIO port every first predetermined period Pd1, and reset the first timer 11 and the second timer 21 to zero, respectively. to start measuring with them. The first predetermined period Pd1 is set corresponding to the upper limit value of each timer 11, 21 in the watchdog operation, and is 100 [μs], for example. The microcomputers 10 and 20 detect an abnormality when the handshake signal is not received before reaching the upper limit of the watchdog operation.

Also, the CPUs 13 and 23 each execute the same task process included in the predetermined program in each of the first predetermined cycles Pd1. Then, the CPUs 13 and 23 exchange histories of processes executed with each other via the serial communication port UART at a predetermined timing in each first predetermined period Pd1. The CPUs 13 and 23 detect an abnormality when the histories do not match, and execute predetermined fail-safe processing.

FIG. 5 is a time chart showing how the timers 11 and 21 of the comparative example are synchronized.

The first microcomputer 10 transmits a handshake signal to the second microcomputer 20 via the GPIO port at the timing t21 at which the timer synchronization start is desired. The second microcomputer 20 receives the handshake signal via the GPIO port at timing t22 after the delay time Δt1 from timing t21.

Upon receiving the handshake signal, the second microcomputer 20 resets the second timer 21 to zero, starts measurement, and transmits the handshake signal to the first microcomputer 10 via the GPIO port. The first microcomputer 10 receives the handshake signal via the GPIO port at timing t23 after delay time Δt2 from timing t21. Upon receiving the handshake signal, the first microcomputer 10 resets the first timer 11 to zero and starts measurement.

Thus, in the comparative example, the synchronization start timing (t22) of the second timer 21 is delayed by the delay time Δt1, and the synchronization start timing (t23) of the first timer 11 is delayed with respect to the timing t21 at which timer synchronization is desired. It is delayed by time Δt2. Moreover, these synchronization start timing delays occur every time the first predetermined period Pd1 starts.

Therefore, in this embodiment, the timers 11 and 21 are synchronized as follows. FIG. 2 is a time chart showing the measurement time of each signal and each timer 11, 21. As shown in FIG. Here, for simplification of explanation, an example is shown in which the second predetermined period Pd2 for resetting the second timer 21 to zero is twice the first predetermined period Pd1. The second predetermined period Pd2 can also be set to tens of thousands or hundreds of millions of times (any multiple) the first predetermined period Pd1. The second predetermined period Pd2 can also be set to a value obtained by adding or subtracting a predetermined value by tens of thousands or hundreds of millions of times the first predetermined period Pd1.

The first microcomputer 10 unilaterally instructs the second microcomputer 20 every first predetermined period Pd1. Specifically, the first microcomputer 10 transmits the synchronization signal Sy via the GPIO port at each first predetermined period Pd1, resets the first timer 11 to zero, and starts measurement. The first predetermined period Pd1 is set in the same manner as in the comparative example. The second microcomputer 20 continues the measurement by the second timer 21 without resetting the second timer 21 to zero when the synchronization signal Sy is received in the middle of the second predetermined period Pd2. The second microcomputer 20 determines whether or not the intermediate target time T(n) obtained by multiplying the number n of times the synchronization signal Sy is received by the first predetermined period Pd1 is equal to the time measured by the second timer 21 (T (n)=n×Pd1). The second microcomputer 20 detects an abnormality when it determines that the intermediate target time T(n) and the time measured by the second timer 21 are not equal.

Also, the CPUs 13 and 23 each execute the same task process included in the predetermined program in each of the first predetermined cycles Pd1. Then, the CPUs 13 and 23 exchange histories of processes executed with each other via the serial communication port UART at a predetermined timing in each first predetermined period Pd1. The CPUs 13 and 23 detect an abnormality when the histories do not match, and execute predetermined fail-safe processing.

FIG. 3 is a time chart showing how the timers 11 and 21 are synchronized.

The first microcomputer 10 transmits the synchronization signal Sy to the second microcomputer 20 via the GPIO port at the timing t11 at which the timer synchronization start is desired. The second microcomputer 20 receives the synchronization signal Sy via the GPIO port at timing t12 after the delay time Δt1 from timing t21. Upon receiving the synchronization signal Sy, the second microcomputer 20 resets the second timer 21 to zero and starts measurement. It is assumed that the time measured by the second timer 21 (hereinafter referred to as "second time Tm2") exceeds the second predetermined period Pd2 at timing t12.

The first microcomputer 10 next transmits the synchronization signal Sy to the second microcomputer 20 via the GPIO port at the timing t13 at which the start of timer synchronization is desired. The second microcomputer 20 receives the synchronization signal Sy via the GPIO port at timing t14 after the delay time Δt1 from timing t13.

When the second time Tm2 does not exceed the second predetermined period Pd2 and the synchronization signal Sy is received from the first microcomputer 10, the second microcomputer 20 does not reset the second timer 21 to zero and performs measurement by the second timer 21. continue. Further, the second microcomputer 20 multiplies the number of times n (here, n=1) that the synchronization signal Sy is received from the start of measurement by the second timer 21 (timing t12) by the first predetermined period Pd1, to obtain an intermediate target time T(n ) is equal to the second time Tm2, it is determined whether the first microcomputer 10 and the second microcomputer 20 are normal.

Specifically, if the absolute value of the difference (|T(n)-Tm2|) between the intermediate target time T(n) and the second time Tm2 is smaller than the first predetermined value Tr1, the second microcomputer 20 sets the intermediate target time T(n). Assume that the time T(n) and the second time Tm2 can be considered equal. If |T(n)-Tm2| is greater than the first predetermined value Tr1, the second microcomputer 20 does not consider that the intermediate target time T(n) and the second time Tm2 are equal.

The second microcomputer 20 determines that both the first microcomputer 10 and the second microcomputer 20 are normal when the intermediate target time T(n) and the second time Tm2 can be considered equal. The second microcomputer 20 determines that at least one of the first microcomputer 10 and the second microcomputer 20 is abnormal when the intermediate target time T(n) and the second time Tm2 cannot be considered equal.

The first microcomputer 10 next transmits the synchronization signal Sy to the second microcomputer 20 via the GPIO port at the timing t15 at which the start of timer synchronization is desired. The second microcomputer 20 receives the synchronization signal Sy via the GPIO port at timing t16 after the delay time Δt1 from timing t15. At timing t16, the second time Tm2 exceeds the second predetermined period Pd2. Therefore, the second microcomputer 20 resets the second timer 21 to zero and starts measurement.

The embodiment detailed above has the following advantages.

The first microcomputer 10 has a first timer 11, and when the first time Tm1 measured by the first timer 11 is the first predetermined period Pd1, the first microcomputer 10 transmits the synchronization signal Sy to the second microcomputer 20 and Repeat the process of resetting the timer 11 to zero and starting measurement. Therefore, the synchronization signal Sy used for watchdog operation and timer synchronization can be transmitted from the first microcomputer 10 to the second microcomputer 20 every first predetermined period Pd1. The second microcomputer 20 has a second timer 21, and the second time Tm2 measured by the second timer 21 exceeds a second predetermined period Pd2 longer than the first predetermined period Pd1 and the synchronization signal Sy from the first microcomputer 10 is exceeded. is received, the second timer 21 is reset to zero and measurement is started. Therefore, even if the first predetermined period Pd1 is set short for watchdog operation, the second timer 21 can measure time up to an arbitrary second predetermined period Pd2 longer than the first predetermined period Pd1. becomes. Therefore, it is possible to give the second timer 21 the possibility of being used together for time measurement of another control. Since the first predetermined period Pd1 is set short for the watchdog operation, it is difficult to use it for time measurement of another control.

・When the first microcomputer 10 transmits the synchronization signal Sy to the second microcomputer 20, the first timer 11 is reset to zero and measurement is started (timer synchronization is started), and the second time Tm2 exceeds the second predetermined period Pd2. When the second microcomputer 20 receives the synchronization signal Sy, the second timer 21 is reset to zero and measurement is started (timer synchronization is started). For this reason, the delay from the timing at which timer synchronization is desired (the transmission timing of the synchronization signal Sy by the first microcomputer 10) to the actual timer synchronization start timing (the timing at which the synchronization signal Sy is received by the second microcomputer 20) is set to the second From the start to the end of the predetermined period Pd2, it is possible to have only one occurrence in the second microcomputer 20 at the start of the second predetermined period Pd2. Therefore, compared with the prior art in which the timer synchronization start timings of both the first microcomputer 10 and the second microcomputer 20 are always delayed by a certain period of time with respect to the desired timing of timer synchronization start every first predetermined period Pd1, timer synchronization It is possible to greatly reduce the delay from the desired start timing to the actual timer synchronization start timing.

When the second time Tm2 does not exceed the second predetermined period Pd2 and the synchronization signal Sy is received from the first microcomputer 10, the second microcomputer 20 does not reset the second timer 21 to zero and performs measurement by the second timer 21. and the intermediate target time T(n) obtained by multiplying the number n of times the synchronization signal Sy is received from the start of measurement by the second timer 21 by the first predetermined period Pd1 is considered to be equal to the second time Tm2. Based on, it is determined whether the first microcomputer 10 and the second microcomputer 20 are normal. Here, if an abnormality occurs in either the first microcomputer 10 or the second microcomputer 20, an intermediate target time T ( n) and the second time Tm2 cannot be considered equal. Therefore, it is possible to determine whether or not both the first microcomputer 10 and the second microcomputer 20 are normal every first predetermined period Pd1 even in the middle of the second predetermined period Pd2. be able to.

It should be noted that the above embodiment can be modified as follows. Parts that are the same as those in the above embodiment are denoted by the same reference numerals, and descriptions thereof are omitted.

The second microcomputer 20 detects the difference between the intermediate target time T(n) and the second time Tm2 when the second time Tm2 does not exceed the second predetermined period Pd2 and the synchronization signal Sy is received from the first microcomputer 10. is smaller than a second predetermined value Tr2 which is smaller than the first predetermined value Tr1, the second timer 21 is not reset to zero and the measurement by the second timer 21 is continued. , |T(n)−Tm2| is larger than the second predetermined value Tr2 and smaller than the first predetermined value Tr1, the second time Tm2 is preferentially corrected to the intermediate target time T(n) and the second Measurement by the timer 21 may be continued.

Here, the time measured by the second timer 21 is not reset to zero until it exceeds the second predetermined period Pd2. Therefore, even if the first microcomputer 10 and the second microcomputer 20 are normal, the time measured by the first timer 11 (the first time Tm1) and the time measured by the second timer 21 (the time Tm1) during the second predetermined period Pd2 The difference from the two hours Tm2) is accumulated, and there is a possibility that at least one of the first microcomputer 10 and the second microcomputer 20 is erroneously determined to be abnormal.

In this regard, the second microcomputer 20 sets the second timer 21 to zero if |T(n)-Tm2| The measurement by the second timer 21 is continued without resetting. On the other hand, if |T(n)-Tm2| The target time T(n) is preferentially corrected and the measurement by the second timer 21 is continued. Therefore, even if it is determined that the first microcomputer 10 and the second microcomputer 20 are normal, if |T(n)-Tm2| is greater than the second predetermined value Tr2, the first timer 11 can be used to correct the measurement time of the second timer 21 .

Instead of the absolute value of the difference between the intermediate target time T(n) and the second time Tm2 (|T(n)-Tm2|), the ratio T(n)/Tm2) can also be used. In that case, instead of determining whether |T(n)-Tm2| It is only necessary to determine whether (n)/Tm2 is smaller than a fourth predetermined value Tr4 greater than one. is smaller than the second predetermined value Tr2, T(n)/Tm2 is smaller than 1 and greater than the third predetermined value Tr3. It may be determined whether T(n)/Tm2 is larger than the value Tr5 and smaller than a sixth predetermined value Tr6 which is larger than 1 and smaller than the fourth predetermined value Tr4.

・The second microcomputer 20 obtains in advance the delay time Δt1 from the timing of transmitting the synchronization signal Sy by the first microcomputer 10 to the timing of receiving the synchronization signal Sy by the second microcomputer 20, and resets the second timer 21 to zero. A time obtained by adding the delay time Δt1 to the time measured by the second timer 21 may be set as the second time Tm2. Note that the delay time Δt1 can be obtained in advance based on tests or the like. According to such a configuration, the second time Tm2 is equal to the measurement time when the second timer 21 starts measuring from timing t11. Therefore, the timer synchronization start timing of the second microcomputer 20 can substantially coincide with the timing T1 at which the timer synchronization start is desired (the transmission timing of the synchronization signal Sy by the first microcomputer 10). Therefore, it is possible to further suppress the delay from the timing T1 at which the timer synchronization start is desired to the actual timer synchronization start timing.

- The safety PLC 100 may include a third microcomputer, a fourth microcomputer, etc. having the same functions as the second microcomputer 20 .

It should be noted that it is also possible to implement a combination of the above modified examples.

10... First microcomputer, 11... First timer, 20... Second microcomputer, 21... Second timer, 100... Safety PLC.

Claims (3)

A safety PLC comprising a redundant circuit including a first microcomputer and a second microcomputer,
The first microcomputer has a first timer, and transmits a synchronization signal to the second microcomputer and resets the first timer to zero when the first time measured by the first timer is a first predetermined period. to start measurement,
The second microcomputer has a second timer, and the second time measured by the second timer exceeds a second predetermined period longer than the first predetermined period and receives the synchronization signal from the first microcomputer. In the case, repeat resetting the second timer to zero and starting measurement,
The second microcomputer performs measurement by the second timer without resetting the second timer to zero when the second time does not exceed the second predetermined period and the synchronization signal is received from the first microcomputer. Based on whether the intermediate target time obtained by multiplying the number of times the synchronization signal is received from the start of measurement by the second timer by the first predetermined period can be regarded as equal to the second time. A safety PLC that determines whether the first microcomputer and the second microcomputer are normal. When the second time does not exceed the second predetermined period and the synchronization signal is received from the first microcomputer, the second microcomputer determines that the absolute value of the difference between the intermediate target time and the second time is If it is smaller than the first predetermined value, the intermediate target time and the second time can be regarded as equal, and if the absolute value of the difference is larger than the first predetermined value, the intermediate target time and the second time cannot be considered equal, and
The second microcomputer, when the second period does not exceed the second predetermined period and receives the synchronization signal from the first microcomputer, provides a second microcomputer in which the absolute value of the difference is smaller than the first predetermined value. If it is smaller than the predetermined value, the measurement by the second timer is continued without resetting the second timer to zero, and if the absolute value of the difference is larger than the second predetermined value and smaller than the first predetermined value 2. The safety PLC according to claim 1, wherein said second time is preferentially corrected to said intermediate target time and measurement by said second timer is continued. The second microcomputer obtains in advance a delay time from the transmission timing of the synchronization signal by the first microcomputer to the reception timing of the synchronization signal by the second microcomputer, and after resetting the second timer to zero, 3. The safety PLC according to claim 1, wherein said second time is a time obtained by adding said delay time to the time measured by two timers.

Images