JP2023539613A - Functionally safe switch quantity output module and diagnostic processing method - Google Patents

Abstract

A functionally safe switch quantity output module, comprising a CPU unit and first/second output units respectively coupled to the CPU unit, the first/second output units sequentially coupled to logic circuits, 1. A diagnostic processing method based on a switch quantity output module, which includes a drive circuit, a checkback circuit, an output switch, and a power supply voltage detection circuit coupled to the drive circuit, and the above functions are safe, the method includes: diagnosing an output switch failure; The output of the output switch can be controlled based on the results of communication diagnosis, CPU unit internal failure diagnosis, power supply failure diagnosis, and line failure diagnosis.

Description

Cross-reference to related applications This application was filed on December 29, 2020, with application number 202011587822.6, and the title of the invention is "Functionally safe switch amount output module and diagnostic processing method". Claims priority based on a certain Chinese patent application, the entire contents of which are incorporated into this application.

TECHNICAL FIELD The present application relates to the technical field of industrial automatic control, and particularly to a functionally safe switch quantity output module and a diagnostic processing method.

An industrial switching output control system is one of the most important input assemblies in industrial control systems such as DCS and SIS. In related technology, the 2OO3 architecture is adopted for most switching output modules related to functional safety, and this architecture needs to be built and realized with a large amount of hardware, and products designed according to this architecture are Generally, the cost is high and the volume is large, and the products of 2OO3 architecture have limitations when the installation space and cost are required in practical applications.

As technology matures day by day, SIS product designs are moving towards smaller volumes and lower costs, and more designs start adopting architectures such as 1OO2D, 1OO2, or 1OO1D. .

The 1OO2D architecture is adopted as shown in FIG. In this design, two channels and two CPUs are adopted to respectively control the output and read the diagnostic data of each channel, but the two channels in this scheme lack the necessary information interaction, and even if one of them , If a fault occurs and the output circuit cannot be shut off, the CPU unit of the channel where the fault does not appear will not be able to obtain diagnostic information and perform a fail-safe shutoff, and will not be able to interact relatively independently. There are certain potential risks in the design of missing both channels.

A design employing the 1OO1D architecture is as shown in FIG. The design adds one diagnostic unit in addition to one CPU unit controlling one output unit, the diagnostic unit and the output unit each control one switch, and the two switches are connected in series. The diagnostic unit can diagnose the output unit and send information to the CPU, and can also shut off the failsafe of the switch it controls when a failure occurs, but the diagnostic unit itself can If this occurs and reliable diagnostic information cannot be provided to the CPU, there is a potential safety risk to the entire module.

The purpose of this application is to solve the problem of the lack of interaction design in the two output channels of the switch amount output module and the inability to provide reliable diagnostic information to the CPU due to failure of the diagnostic unit itself. Increase the interaction diagnostic measures between the two output circuits, and increase the output cutoff by cutting off the communication between the CPU and the output circuit, improve the safety performance of the module, and ensure the failsafe of the module. The goal is to reduce development costs and reduce product volume while ensuring functional safety.

A first aspect of the present application provides a functionally safe switch quantity output module, which includes a CPU unit, and a first output unit and a second output unit, each coupled to the CPU unit, wherein the CPU unit is connected to a second output unit. By transmitting communication data to the first output unit or the second output unit and outputting failure information based on the received diagnostic data fed back from the first output unit or the second output unit, the first output unit or the second output unit controlling the fail-safe of a second output unit, the first output unit or the second output unit comprising at least a logic circuit, a drive circuit, a checkback circuit and an output switch coupled in sequence, and a power supply voltage coupled to the drive circuit; The output switch SW1 of the first output unit and the output switch SW2 of the second output unit are connected in series, and the input terminal of the logic circuit receives communication data transmitted from the CPU unit. At the same time, it outputs to the drive circuit, receives a failure signal output from the power supply voltage detection circuit of the other output unit, and controls on/off of communication between the CPU unit and the drive circuit,
The drive circuit receives and verifies the communication data transmitted from the CPU unit, and after passing the verification, controls off or on of the output switch according to the communication data information, and controls the output state of the checkback circuit and the output switch. The checkback circuit detects the output state of the switch and sends it to the drive circuit, and the power supply voltage detection circuit detects the power supply voltage of the drive circuit and detects the power supply voltage based on the detected voltage. and sends a control signal to the logic circuit of another output unit.

Furthermore, the output unit further includes a monitor circuit coupled to the drive circuit, and the monitor circuit receives a signal output from the drive circuit after data verification, and outputs a control signal to determine whether the drive circuit is open or not. Turning the output switch off or on is controlled by outputting a cutoff signal.

Furthermore, if the data verification of the drive circuit fails, the monitor circuit is controlled to output a low level signal to the drive circuit by not outputting the pulse signal to the monitor circuit, and the data verification of the drive circuit is successful. Thereafter, by transmitting a pulse signal to the monitor circuit, the output state of the monitor circuit is controlled to be maintained as it is.

Further, the monitor circuit includes, but is not limited to, a monostable flip-flop circuit.

Furthermore, the logic circuit includes at least a logic gate chip and a logic device, and an input terminal of the logic gate chip receives communication data transmitted from the CPU unit and receives communication data after being converted by the logic gate chip. The logic device receives a power failure signal of the drive circuit of another output unit to control on/off of the logic gate chip of this output unit.

Furthermore, the CPU unit further controls the logic gate chip to turn off communication between the CPU unit and the driving circuit by transmitting a signal of an internal failure of the CPU unit to the logic device.

Furthermore, the output switch SW1 and the output switch SW2 are switches having a load current detection function.

Furthermore, the driving circuit includes, but is not limited to, a logic chip CPLD.

A second aspect of the present application provides a diagnostic processing method based on a functionally safe switch quantity output module, comprising at least the step of performing a diagnostic processing based on an output switch failure, and specifically:
S1, periodically controlling the output states of the output switch SW1 and the output switch SW2 according to the preset state;
S2: reading back the output state detected by the checkback circuit;
S3: Compare the actual checkback result read back within one cycle with the preset checkback result, and decide whether to cut off the outputs of the output switch SW1 and the output switch SW2 based on the comparison result. and determining.

Furthermore, the step S3 specifically includes:
S31, if the actual checkback result of the CPU unit and the preset checkback result are the same, repeating steps S1 to S3 to diagnose the output state of the switch;
S32: If the actual checkback result of the CPU unit does not match the preset checkback result, the CPU unit controls the two drive circuits to simultaneously cut off the outputs of the output switch SW1 and the output switch SW2. and, including.

Furthermore, the diagnostic processing method further includes a diagnostic process based on communication failure, specifically, based on the communication data information after passing the inspection, based on the verification of communication data between the CPU unit and the drive circuit. and controlling the output of the output switch.

Furthermore, the diagnostic processing method further includes a diagnostic process based on an internal failure of the CPU unit, specifically, by transmitting a failure signal to a logic circuit based on a failure of software or hardware inside the CPU unit. It includes a step of controlling on/off of communication.

Furthermore, the diagnostic processing method further includes a diagnostic process based on a power failure, specifically, turning off communication between the drive circuit of the other output unit and the CPU unit based on the detected power failure. The method includes the step of controlling the output of the output switch by controlling the output switch to

Furthermore, the diagnostic processing method further includes a diagnostic process based on the line fault, specifically, comparing the load current read back by the CPU unit and detected by the output switch with a preset threshold value, and determining the result of the comparison. controlling the output of the output switch accordingly.

The beneficial technical effects of this application are as follows.
1, the main control CPU unit, and the two output circuits that make up the 1OO2 architecture make up the overall architecture of the 1OO1D of the present application. Smaller volume, lower cost can be achieved while ensuring the functionality is safe, satisfying applications in narrow spaces and harsh environments.
2. By increasing the interaction diagnostic measures between the two output circuits, it ensures that when one channel has a fault and cannot shut off the output switch, the other can shut off the output switch, improving the safety performance of the product. Further upload.
3. By cutting off communication between the CPU unit and the output unit, we increase the fail-safe mechanism in which the monitor circuit cuts off the output, ensuring that the output can still be cut off even when the CPU cannot directly control the output. do.
4. It has a diagnostic process for the failure of a plurality of members in a module, and satisfies the requirements that the method is simple and easy to implement, and the function is safe.

The drawings described herein are intended to enhance the understanding of this application and constitute a part of this application. The illustrative examples of this application and their descriptions are intended to be construed and not to unduly limit this application.

FIG. 2 is a structural block diagram of a functionally safe digital quantity output circuit of 1OO2D architecture. FIG. 2 is a structural block diagram of a functional safety switch quantity output module with high diagnostic coverage of 1OO1D architecture; FIG. 1 is a schematic diagram of the 1OO2 architecture. FIG. 2 is a principle block diagram of a functionally safe switch amount output module according to an embodiment of the present application. 1 is a schematic flowchart of an output switch failure diagnosis processing method in an embodiment of the present application.

In order to further understand the present application, the preferred embodiments of the present application are described below in combination with examples, which descriptions are for the purpose of further explaining the features and advantages of the present application, and are intended to further explain the features and advantages of the present application. It is not a limitation on the scope of the claims.

Before describing this application, we first interpret proper nouns.
1OO2 Architecture: The 1OO2 architecture includes two parallel channels, both capable of performing safety functions. It is possible to allow a failure to occur in one channel on the premise that it does not affect the execution of the safety function, and only when dangerous failures occur in both channels will the failure of the safety function occur. An outline of its architecture is shown in FIG.

Based on the above interpretation, the technical solution of the present application will be described in detail below.

As shown in FIG. 4, the functional safety switch amount output module according to this embodiment includes a CPU unit, and a first output unit and a second output unit each coupled to the CPU unit. The CPU unit transmits communication data to the first output unit or the second output unit, and outputs failure information based on the received diagnostic data fed back from the first output unit or the second output unit. Controls failsafe of the first output unit or the second output unit. The first output unit or the second output unit includes at least a logic circuit, a drive circuit, a checkback circuit, and an output switch coupled in sequence, and a power supply voltage detection circuit coupled to the drive circuit, and the output of the first output unit The switch SW1 and the output switch SW2 of the second output unit are connected in series. The input terminal of the logic circuit inputs communication data sent from the CPU unit and outputs it to the drive circuit, receives a failure signal output from the power supply voltage detection circuit of the other output unit, and connects the CPU unit and drive circuit. Controls on/off of communication between. The drive circuit receives and verifies the communication data transmitted from the CPU unit, and after passing the verification, controls the output switch to turn off or on according to the communication data information, and controls the output state of the checkback circuit and the output switch. Collect track diagnostic information. The checkback circuit detects the output state of the switch and sends it to the drive circuit, and the power supply voltage detection circuit detects the power supply voltage of the drive circuit and sends a control signal to another output unit based on the detected voltage. to the logic circuit.

In the switch amount output module of the embodiment of the present application, taking the first output unit in FIG. 4 as an example, the first output unit includes a drive circuit 1, a checkback circuit 1, a monitor circuit 1, a power supply voltage detection circuit 1, and an output It includes a switch SW1, one end of the output switch SW1 is coupled to +24V, the other end is connected in series with one end of the output switch SW2 of the second output unit, and the other end of the output switch SW2 outputs the switch amount. connected to the load.

In the example of the present application, as a possible embodiment, it is considered that for the safe state of the system, the output state should be off, requiring the off of the output switches SW1 and/or SW2. The CPU unit transmits control data including switch amount information to the drive circuit 1. The drive circuit 1 performs communication verification of the received control data, and if the verification is passed, determines whether the output switch SW1 is in the OFF state or the ON state according to the control data transmitted from the CPU unit. Control. The drive circuit 1 further collects the output state of the output switch SW1 through the checkback circuit 1, and directly reads the line state fed back from the output switch SW1. The output switch SW1 itself has a line fault diagnosis function and can feed back fault information to the drive circuit in the event of a failure. The CPU unit can integrally read the checkback data from the drive circuit 1 and can integrally analyze the checkback data according to the checkback data of the first output unit and the second output unit.

If a failure such as overvoltage or undervoltage occurs in the power supply VCC1 of the drive circuit 1, the power supply voltage detection circuit 1 sends a VCC1_Check failure signal to the logic device 2 of the second output unit, and the logic device 2 Upon receiving the VCC1_Check fault signal, the logic gate chip IC2 controls the communication between the drive circuit 2 and the CPU unit to be turned off, so that the drive circuit 2 can send a pulse signal to the monitor circuit 2. After a timeout of 1.6 seconds, the monitor circuit 2 outputs a low level signal to the drive circuit 2, thereby causing the drive circuit 2 to cut off the corresponding output switch SW2, thereby making the module fail-safe.

In embodiments of the present application, as an optional implementation, the drive circuitry typically employs logic chips such as CPLDs to perform programming, data verification, and output control signals to the output switches. The monitor circuit generally employs a monostable flip-flop circuit, and the trigger pulse time is 1.6 seconds.

The present application further submits a diagnostic processing method based on the above-mentioned functional safety switch amount output module, and the schematic flowchart of this embodiment includes at least the step of performing diagnostic processing based on the output switch failure, as shown in FIG. ,in particular,
S1, periodically controlling the output states of the output switch SW1 and the output switch SW2 according to the preset state;
S2: reading back the output state detected by the checkback circuit;
S3: Compare the actual checkback result read back within one cycle with the preset checkback result, and decide whether to cut off the outputs of the output switch SW1 and the output switch SW2 based on the comparison result. and determining.

Hereinafter, a plurality of fault diagnosis processing methods shown in the embodiment of FIG. 3 will be explained respectively, so that those skilled in the art can better understand the technical solution of the present application.

Output Switch Fault Diagnosis Processing: In some embodiments, output switches have failure modes such as open and short. The output switch failure diagnosis process mainly targets failure modes such as open and short circuits that may occur in the output switch SW1 and the output switch SW2.

The CPU unit periodically cycles through four states, 1 to 4, in accordance with the preset states shown in the table below, and sequentially controls the states of the output switch SW1 and the output switch SW2.

Taking one cycle as an example, compare four actual checkback results and four expected results in one cycle of the CPU unit, and if the actual checkback results and expected results do not match, output switch SW1 Alternatively, it is considered that the output switch SW2 has failed, and in this case, the CPU unit controls the drive circuit 1 and the drive circuit 2 to simultaneously cut off the outputs of the output switch SW1 and the output switch SW2, thereby achieving a failsafe. To avoid load malfunctions, the diagnostic pulse width should be smaller than the load response time, with a typical value of 2ms.

Communication failure diagnosis process: In some embodiments, a communication failure exists between the CPU unit and the drive circuit. The concrete steps of diagnosing the communication data between the CPU unit and the drive circuit 1 in FIG. 4 will be explained. The CPU unit transmits communication information including control information to the drive circuit 1, and the drive circuit 1 and starts verifying internal communication data. If the data verification passes, the drive circuit 1 sends one pulse signal to the monitor circuit 1, and by maintaining the output state of the monitor circuit 1 as it is, the output of the monitor circuit 1 is transferred to the output switch SW1 of the drive circuit 1. does not affect the output state.

If a failure appears in the communication between the CPU and the drive circuit 1, the communication data inside the drive circuit 1 cannot pass the verification, and the drive circuit 1 does not send a pulse signal to the monitor circuit 1. After a timeout of 1.6s, the output state is reversed and outputs a low level signal to the drive circuit 1, forcing the corresponding output switch SW1 to output OFF, making the module fail-safe.

CPU unit internal fault diagnosis processing: A fault may appear in the software and hardware inside the CPU, and in some embodiments, after a fault occurs inside the CPU unit, the safety state of the system is often changed. One external, independent circuit is required to ensure that After a failure occurs inside the CPU unit, a failure indication signal ERROR is sent to the logic device 1, and the logic device 1 receives the failure indication signal ERROR and controls the IC1 to stop operating. The communication between the unit and the drive circuit 1 is cut off.

Furthermore, since the drive circuit 1 cannot receive the communication data sent from the CPU unit, the pulse signal cannot be sent to the monitor circuit 1, and eventually the monitor circuit 1 times out and sends a low level signal to the drive circuit 1. By transmitting , the drive circuit controls the output switch SW1 to output OFF, leading the module to a safe signal.

Power supply failure diagnosis process: In some embodiments, the power supply of the drive circuit may experience failures such as overvoltage or undervoltage. In order to guarantee the safe state of the system, taking the first output unit shown in FIG. 4 as an example, if a failure such as overvoltage or undervoltage appears in the power supply VCC1 of the drive circuit 1, the failure is detected by the power supply voltage detection circuit 1. In this case, the drive circuit 1 is already in a power supply abnormal state and it cannot be guaranteed that the output can be cut off, so the power supply voltage detection circuit 1 sends a signal to the logic device 2 to turn off the IC 2. A fail-safe signal is output by turning off the communication between the CPU unit and the drive circuit 2 and using the normally operating drive circuit 2 to cut off the output switch SW2. For the same reason, if a failure occurs in the power supply of the drive circuit 2, the normally operating drive circuit 1 can shut off the output switch SW1, thereby making the module fail-safe.

Line Fault Diagnosis Processing: In some embodiments, output switch SW1 and output switch SW2 are equipped with load current detection functionality. If the load current does not meet the requirements of the preset threshold, that is, it is greater than the preset threshold when a fault occurs in the line and a short circuit occurs, or it is greater than the preset threshold when an open line occurs in the line. If it is smaller, the signal on the indication pin of the chip of the output switch SW1 is reversed, and the CPU unit can read back the line fault information and the output status information indicated by the output switch SW1 together through the drive circuit 1.

The above description of the embodiments will contribute to the understanding of the method of the present application and its core idea. It should be noted that those skilled in the art may make slight improvements and modifications to this application without departing from the principles of this application, and all of these improvements and modifications fall within the protection scope of the claims of this application. .

Claims (15)

A functionally safe switch quantity output module,
a CPU unit; a first output unit and a second output unit each coupled to the CPU unit;
The CPU unit transmits communication data to the first output unit or the second output unit, and outputs failure information based on received diagnostic data fed back from the first output unit or the second output unit. controlling the failsafe of the first output unit or the second output unit by
The first output unit or the second output unit includes at least a logic circuit, a drive circuit, a checkback circuit, and an output switch coupled in sequence, and a power supply voltage detection circuit coupled to the drive circuit, The output switch SW1 of the output unit and the output switch SW2 of the second output unit are connected in series,
An input terminal of the logic circuit inputs communication data transmitted from the CPU unit and outputs it to the drive circuit, receives a failure signal output from a power supply voltage detection circuit of another output unit, and receives communication data transmitted from the CPU unit. controlling on/off of communication between the unit and the drive circuit;
The drive circuit receives and verifies the communication data transmitted from the CPU unit, and after passing the verification, controls off or on of the output switch according to the communication data information, and controls the output state of the checkback circuit. and collecting line diagnosis information of the output switch,
the checkback circuit detects the output state of the switch and sends it to the drive circuit;
The power supply voltage detection circuit detects the power supply voltage of the drive circuit, and transmits a control signal to a logic circuit of another output unit based on the detected voltage.
A switch amount output module characterized by: The output unit further includes a monitor circuit coupled to the drive circuit, the monitor circuit receiving a signal output from the drive circuit after data verification, and outputting a control signal to cause the drive circuit to open. or controlling off or on of the output switch by controlling to output a cutoff signal;
The switch amount output module according to claim 1, characterized in that: If the data verification of the drive circuit fails, the monitor circuit is controlled to output a low level signal to the drive circuit by not outputting a pulse signal to the monitor circuit, and the data verification of the drive circuit is successful. After that, controlling the output state of the monitor circuit to be maintained as it is by transmitting a pulse signal to the monitor circuit,
The switch amount output module according to claim 2, characterized in that: The monitor circuit includes a monostable flip-flop circuit.
The switch amount output module according to claim 2, characterized in that: The logic circuit includes at least a logic gate chip and a logic device, and an input terminal of the logic gate chip receives communication data transmitted from the CPU unit, and receives the communication data after being converted by the logic gate chip. is output to the drive circuit,
The logic device controls on/off of the logic gate chip of the other output unit by receiving a power failure signal of the drive circuit of the other output unit.
The switch amount output module according to claim 1, characterized in that: The CPU unit further controls the logic gate chip to turn off communication between the CPU unit and the drive circuit by transmitting a signal of an internal failure of the CPU unit to the logic device.
6. The switch amount output module according to claim 5. The output switch SW1 and the output switch SW2 are switches having a load current detection function,
The switch amount output module according to claim 1, characterized in that: The drive circuit includes a logic chip CPLD.
The switch amount output module according to any one of claims 1 to 7. A diagnostic processing method based on the switch amount output module according to any one of claims 1 to 8, comprising at least a step of performing diagnostic processing based on an output switch failure,
S1, periodically controlling the output states of the output switch SW1 and the output switch SW2 according to a preset state;
S2: reading back the output state detected by the checkback circuit;
S3: Compare the actual checkback result read back within one cycle with the preset checkback result, and decide whether to cut off the outputs of the output switch SW1 and the output switch SW2 based on the comparison result. a step of determining whether the
A diagnostic processing method characterized by: The step S3 is
S31: If the actual checkback result of the CPU unit is the same as the preset checkback result, repeating steps S1 to S3 to diagnose the output state of the switch; and S32: actually checking the CPU unit. If the back result and the preset check back result do not match, the CPU unit controls two drive circuits to simultaneously cut off the outputs of the output switch SW1 and the output switch SW2.
The diagnostic processing method according to claim 9, characterized in that: The diagnostic processing method further includes a diagnostic process based on a communication failure, and based on verification of communication data between the CPU unit and the drive circuit, the output switch is determined based on the communication data information after passing the test. controlling the output of the
The diagnostic processing method according to claim 9, characterized in that: The diagnostic processing method further includes a diagnostic process based on an internal failure of the CPU unit, and turns communication on and off by transmitting a failure signal to the logic circuit based on a failure of software or hardware inside the CPU unit. including the step of controlling the
The diagnostic processing method according to claim 9, characterized in that: The diagnostic processing method further includes diagnostic processing based on a power failure, and controls to turn off communication between a drive circuit of another output unit and the CPU unit based on the detected power failure. The method further comprises the step of cutting off the output of the output switch for fail-safe purposes.
The diagnostic processing method according to claim 9, characterized in that: The diagnostic processing method further includes a diagnostic process based on a line fault, in which the load current read back by the CPU unit and detected by the output switch is compared with a preset threshold value, and the output is adjusted according to the comparison result. controlling the output of the switch;
The diagnostic processing method according to claim 9, characterized in that: the time of the one cycle is less than the response time of the load;
The diagnostic processing method according to any one of claims 9 to 14, characterized in that: