JP3668632B2 - Railway safety control device and security control system - Google Patents

Description

[0001]
BACKGROUND OF THE INVENTION
The present invention relates to a railway safety control device and a security control system.
[0002]
[Prior art]
In general, even if a failure occurs in a railway train control device, the device is always in a safe state so that it can avoid a dangerous state. Such a function is called a fail-safe function. For example, in a signal control device, the failure state on the safe side means that the signal (red light) that prohibits the progression of the train is incorrect even though a signal (blue light) that permits the progression of the train should be output. On the other hand, the failure state on the dangerous side is a signal that permits the train to travel even though it should output a signal that prohibits the train from traveling (red signal). (Blue light) is in a wrong state. Moreover, in the railroad crossing control device, the failure state on the safety side is a state in which a signal for lowering the breaker is erroneously output even though a signal for raising the breaker should be output, On the other hand, the dangerous failure state is a state in which a signal for raising the breaker is erroneously output even though a signal for lowering the breaker should be outputted.
[0003]
FIG. 19 is a block diagram showing a configuration of a main part of a conventional railway safety control device that requires such a fail-safe function. This control device has a double system configuration consisting of an A system and a B system, and the A system and the B system have microprocessor units 101A and 101B and memories 102A and 102B, respectively. These microprocessor units 101 </ b> A and 101 </ b> B are running while being synchronized with a clock signal from the clock circuit 103.
[0004]
A bus verification / alternating signal output circuit 105 is connected to the microprocessor units 101A and 101B via buses 104A and 104B. The bus collation / alternating signal output circuit 105 collates the signals of the microprocessor units 101A and 104B appearing on the buses 104A and 104B, and outputs the collation result to the collation abnormality detection circuit 106 as to whether or not they match. doing. The bus verification / alternating signal output circuit 105 outputs an alternating signal at all times. If the two match, the output of the alternating signal is continued to allow the microprocessor units 101A and 101B to run. To do.
[0005]
However, if a mismatch between the two signals occurs even once, the bus verification / alternating signal output circuit 105 stores this mismatch information and stops the output of the subsequent alternating signal. When the alternating signal from the bus verification / alternating signal output circuit 105 is stopped, the verification error detection circuit 106 detects a verification error and outputs a reset signal to the microprocessor units 101A and 101B. When the microprocessor units 101A and 101B are reset, there is no data to be collated by the bus collation / alternating signal output circuit 105, and collation is inconsistent and the alternating signal cannot be output.
[0006]
Since both the microprocessor units 101A and 101B stop running in a reset state (a safe state), the above fail-safe function is ensured.
[0007]
[Problems to be solved by the invention]
As described above, the conventional railroad safety control device has a fail-safe function secured by the fail-safe circuit configured as shown in FIG. However, the fail-safe circuit shown in FIG. 19 is usually configured by dedicated hardware. Therefore, every time a high-performance microprocessor unit or microcomputer is developed, dedicated hardware must be developed, resulting in a great deal of labor and cost.
[0008]
Moreover, although semiconductor elements are used in many places in recent railway safety control devices, the fail-safe function may not be ensured depending on the location or mode of failure of these semiconductor elements. It was very difficult to improve the safety more than a certain level.
[0009]
The present invention has been made in view of the above circumstances, and an object of the present invention is to provide a railway safety control device and a safety control system capable of improving the fail-safe property with a simple configuration.
[0010]
[Means for Solving the Problems]
As means for solving the above-mentioned problems, the invention described in claim 1 has at least two or more control systems capable of controlling field devices, and each of the two or more control systems is a dedicated microprocessor. In the railway safety control device having a controller, each control system is A dedicated input unit that inputs a signal from the field device, and a dedicated output unit that outputs an output signal to the field device and whose signal output path is connected in series between the local system side and the other system side A shared memory for storing the input / output results of the own system side and one other system side via the input unit and the output unit, an alternating signal output circuit for outputting an alternating signal, and an alternating from the alternating signal output circuit A transformer that inputs a signal to the primary side and outputs only the alternating signal of the alternating signal from the secondary side and a healthy relay contact that operates by rectifying the alternating signal from the transformer. A healthy circuit that outputs a signal indicating whether the output unit on the other system side is in a normal state or in a failure state, and the micro of each control system The processor controller has a function of diagnosing a failure of the own system side input unit using the shared memory, and a function of collating with a failure diagnosis result of one other system side input unit. When the input signal of the input unit on the side does not match the input signal of the input unit on the other system side, the control operation of both control systems is stopped and the dangerous side failure is reliably detected based on both functions In addition, when the output signal of the output unit on the own system side and the output signal of one output unit on the other system side do not match, the control operation of both control systems is stopped. It is characterized by that.
[0012]
The invention according to claim 2 is the invention according to claim 1, The input unit of each control system includes an input semiconductor element provided on a signal input path from the field device, and a check semiconductor element connected in series to the input semiconductor element, The microprocessor controller of each control system has a check signal generation circuit for outputting a check signal or stopping the output in order to detect a continuity failure or an open failure of the input semiconductor element. And
[0014]
The invention according to claim 3 is the invention according to claim 1 or 2, Each of the output units includes an output semiconductor element provided on the signal output path, a fault detection semiconductor element that indicates an on / off state opposite to the on / off state of the output semiconductor element, and the fault detection semiconductor A check semiconductor element that periodically checks whether or not the failure detection semiconductor element itself has a failure by periodically turning on and off a current flowing through the element, and each of the microprocessor controllers includes the output semiconductor element. An output signal drive circuit for turning on and off the circuit, a failure detection circuit for detecting the presence or absence of a failure in the output semiconductor element by detecting an on / off state of the failure detection semiconductor element, and a continuity failure or open of the failure detection semiconductor element In order to detect a failure, a check signal is generated or output is stopped periodically. And a contact readback circuit for reading the relay contact state of the field device, and determining a failure state for each output unit based on the input state or output state of each circuit. It is characterized by that.
[0015]
The invention according to claim 4 is the invention according to claim 3, Each of the microprocessor controllers can detect that either one of the output semiconductor element of the output unit on the own system side or the output semiconductor element of the output unit on the one other system side is in a semi-conducting state. It is characterized by being.
[0016]
The invention according to claim 5 3. The microprocessor controller of each control system according to claim 1, wherein the microprocessor controller of each control system generates the alternating signal by interrupting an interrupt program to the main program every predetermined time, and a control processing means for executing a main program. The control processing means and the alternating signal generation means monitor the number of interrupts of the interrupt program during one processing time of the main program, and the value of the number of interrupts is The control of the microprocessor controller is stopped when it is out of the predetermined range.
[0017]
The invention according to claim 6 is the invention according to any one of claims 1 to 5, The shared memory is capable of storing the rewritten contents when a part of the program contents of the microprocessor controller on the own system side or the one other system side is rewritten. Yes, when a part of the program content of either one of the microprocessor controller on the own system side or the one other system side is rewritten, the other program content is similarly rewritten. It is characterized by that.
[0018]
The invention according to claim 7 is the invention according to any one of claims 1 to 6, When a failure occurs in any of the control systems, the controller's microprocessor controller is forcibly disconnected from the other control systems. It is made to stop.
[0019]
The invention described in claim 8 The invention according to claim 1, wherein the control system is composed of first to third control systems, and when any one of the control systems fails, the remaining two control systems fail. Only when it is detected using the collation function that control is not performed, control of the field device is continued by the remaining two control systems.
[0020]
The invention according to claim 9 is the invention according to claim 8, If any two control systems detect a failure of the remaining control system during execution of the control operation by all of the first to third control systems, the microprocessor controller of the remaining one control system The power supply circuit of the control system is turned off, and one control system detects a failure of the other control system during execution of the control operation by any two of the first to third control systems. In this case, the power supply circuits of the microprocessor controllers of both control systems are turned off.
[0021]
The invention according to claim 10 is the invention according to any one of claims 1 to 9, The microprocessor controller of each control system determines a predetermined operation execution time point in the main program based on the count value of the timer, and at this time, when the verification between the own system side and one other system side is performed By invalidating the collation result in a period from this point in time until a predetermined time elapses, a collation error caused by a deviation in count timing between the timer on the own system side and the timer on one other system side can be obtained. It is characterized by being excluded.
[0022]
The invention according to claim 11 A plurality of input / output terminal devices that exchange signals with field equipment and at least one control processing terminal device are connected by a communication network, and the control processing terminal device connects these plurality of input / output terminal devices. In a control system for controlling a plurality of field devices via the input / output terminal device and the control processing terminal device, The method according to claim 1. It is characterized by comprising a railway safety control device.
[0023]
The invention of claim 12 is the invention of claim 11, The control processing terminal device is composed of a first control processing terminal device for current train operation and a second control processing terminal device in which a new application program is installed. In a time zone where the number of train operations is large, The first control processing terminal device exchanges signals with all input / output terminal devices, and the first control processing terminal device communicates with a specific input / output terminal device in a time zone when the number of train operations is small. The second control processing terminal device transmits / receives signals to / from the remaining input / output terminal devices.
[0024]
The invention of claim 13 is the invention of claim 12, Each of the input / output terminal devices has a change-over switch that determines which of the first control processing terminal device and the second control processing terminal device is to send and receive signals. Control is performed by the second control processing terminal device.
[0025]
DETAILED DESCRIPTION OF THE INVENTION
Hereinafter, embodiments of the present invention will be described with reference to the drawings. However, in the following embodiments, an electronic railroad crossing control device and an electronic railroad crossing control system will be described as examples of the railroad safety control device and the railroad security control system, but the application of the technology of the present invention is limited to these. However, the present invention can be applied to other control devices and control systems such as signal control devices and signal control systems.
[0026]
FIG. 1 is a block diagram showing the configuration of the first embodiment. The first embodiment has two control systems, an A system (first control system) and a B system (second control system).
[0027]
In FIG. 1, first, the configuration of the A system will be described. The A system microprocessor controller 1A includes a microprocessor unit 2A, a storage unit 3A composed of ROM, a storage unit 4A composed of RAM, and an input / output interface. 5A, which are connected to each other by the MPU bus 6A.
[0028]
The input / output interface 5A is connected to an I / O bus 7A, and an input unit 8A, an output unit 9A, and a healthy circuit 10A are also connected to the I / O bus 7A. The healthy circuit 10A includes an output circuit 11A, a transformer 12A, a relay 13A, a healthy relay contact 14A, and the like. The I / O bus 7A is controlled by an I / O bus controller 15A, and a shared memory 16A is connected to the I / O bus controller 15A.
[0029]
Since the configuration of the B system is the same as that of the A system, the redundant description of the B system is omitted. A relay 17 of a field device is connected between the output units 9A and 9B, and the circuit breaker is controlled, for example, by turning the relay contact 18 on and off. The state of the relay contact 18 is input to the input units 8A and 8B as a readback (RB) signal.
[0030]
The microprocessor unit 2A performs data input / output control, various calculations, serial data transmission, and the like. The storage unit 3A stores a program for the microprocessor unit 2A. In this embodiment, the storage unit 3A is formed of an EEPROM that can be electrically written and erased. The storage unit 4A is a memory necessary for the operation of the user application program and the microprocessor unit 2A. The input / output interface 5A serves as an interface between the MPU bus 6A and the I / O bus 7A, and is configured by a gate array.
[0031]
The input unit 8A inputs, for example, a signal notifying the presence of a train in a predetermined section, or the above-described readback signal, and sends it to the A-system microprocessor controller 1A.
[0032]
The output unit 9A outputs a control signal from the A-system microprocessor controller 1A and controls the relay 17. However, as will be described later, the relay 17 operates only when the output values of the output units 9A and 9B coincide with each other in the operation direction.
[0033]
The shared memories 16A and 16B store their own input data and output data, respectively. However, the control of the I / O bus controllers 15A and 15B allows the controllers 1A and 1B to read not only the contents of the own shared memory but also the contents of the other shared memory.
[0034]
The healthy circuit 10A is a circuit that outputs a signal indicating whether or not the own system is in a normal state. In the normal state, the alternating signal from the output circuit 11A excites the relay 13A via the transformer 12A, and the healthy relay contact 14A is turned on. On the other hand, in the case of a failure state, the healthy relay contact 14A is turned off. When the healthy relay contact 14A is off, the A system is of course stopped, but when the healthy relay contact 14A is turned off, the healthy relay contact 14B is also turned off, and the B system eventually stops controlling. It has become.
[0035]
In the configuration of FIG. 1 described above, the controller portion is separated from the other portions by the I / O interface, and is highly independent. Therefore, a highly versatile board computer or the like can be adopted, and by replacing only the microprocessor with a high-performance model, it is possible to easily improve the function and cope with the new model. ing.
[0036]
FIG. 2 is a block diagram showing the configuration of the input units 8A and 8B in FIG. 1 and the configuration of the microprocessor controllers 1A and 1B that exchange signals with the input units 8A and 8B. In this figure, an input unit 8A includes a resistor 19A, a photocoupler 20A (input semiconductor element) formed by a light emitting diode 21A and a phototransistor 22A, and a photocoupler 23A (formed by a light emitting diode 24A and a phototransistor 25A). Check semiconductor element).
[0037]
The controller 1A includes a failure diagnosis circuit 26A, a signal input circuit 27A, a comparison / collation circuit 28A, and a check signal generation circuit 29A. The input unit 8B and the controller 1B have the same configuration as the input unit 8A and the controller 1A.
[0038]
An input contact signal S1 is input to the input units 8A and 8B. The input contact signal S1 is a binary signal that informs whether or not a train is present within a predetermined section near the railroad crossing. “0” indicates that there is a train and “1” indicates that there is no train. Yes. Here, the fail-safe function of the input units 8A and 8B will be described. The fail-safe property when the signal S1 is input reliably prevents the signal “0” from being erroneously determined as the signal “1”. To do.
[0039]
In other words, if a failure occurs in the input unit, the actual input signal “0” (the train is present) is mistakenly recognized as the input signal “1” (the train is not present) and the breaker is opened. Such a failure must be avoided because it could lead to an accident. Such a failure is called a “dangerous failure”. On the other hand, a fault that causes the actual input signal “1” (no train) to be erroneously recognized as the input signal “0” (the train exists) is not directly connected to a serious accident. Such a failure is called a “safety failure”. The configuration of FIG. 2 is for reliably preventing an accident caused by the above-mentioned dangerous failure.
[0040]
Next, the operation of FIG. 2 will be described. First, consider a case in which no failure has occurred in any of the input units 8A and 8B. For example, when the signal “0” is input to the input units 8A and 8B as the input contact signal S1, no current flows through the path of the resistor 19A, the light emitting diode 21A, and the phototransistor 25A in the input unit 8A. The signal input circuit 27A also inputs “0”. This input result is written into the shared memory 16. The same operation is performed in the input unit 8B and the controller 1B.
[0041]
The comparison / collation circuit 28A reads the input result of the signal input circuit 27B written in the shared memory 16, and performs comparison / collation with the input result of the signal input circuit 27A. The collation result is sent to the failure diagnosis circuit 26A, and based on this, the failure diagnosis circuit 26A performs failure diagnosis. The comparison / collation circuit 28B and the failure diagnosis circuit 26B in the controller 1B perform the same operation. In this case, the comparison results of the comparison / collation circuits 28A and 28B match, and therefore the failure diagnosis circuits 26A and 26B perform a diagnosis that both are normal.
[0042]
However, when the phototransistor 22A in the input unit 8A has a conduction failure, the signal input circuit 27A inputs "1" even though the actual input contact signal S1 is "0". In this case, the conduction failure of the phototransistor 22A is a dangerous failure, but the configuration shown in FIG. 2 can eliminate an input result based on such a failure.
[0043]
That is, the check signal generation circuit 29A periodically outputs “0” signal and “1” signal alternately as check signals. If the check signal generation circuit 29A is outputting a “0” signal to the light emitting diode 24A, the phototransistor 25A is in an off state, so that no current flows through the light emitting diode 21A. It must be off. Nevertheless, the signal input circuit 27A inputs “1” because the conduction failure has occurred in the phototransistor 22A. The failure diagnosis circuit 26A determines that the input unit 8A is in failure based on the output state of the check signal generation circuit 29A and the input result of the signal input circuit 27A.
[0044]
On the other hand, when the check signal generation circuit 29A is outputting the “1” signal, it is not clear whether or not the input unit 8A has failed even if the signal input circuit 27A inputs “1”. Absent. However, in this case, since the comparison / collation circuit 28A collates with the B system, the failure diagnosis circuit 26A can determine that a failure has occurred in the input unit 8A based on the collation result.
[0045]
Further, an open failure may occur in the phototransistor 22A when the input contact signal S1 is “0”. In this case, the signal input circuit 27A inputs “0” regardless of whether the output signal of the check signal generation circuit 29A is “0” or “1”, and shows the same input result as in the normal state. Therefore, the failure diagnosis circuit 26A is determined to be normal. That is, the controller 1A determines that the controller is normal, but in reality, a failure is latent. However, as described above, this failure is a safety-side failure, and even if it is not detected immediately, it is not directly linked to a serious accident, and is an acceptable oversight.
[0046]
FIG. 3 is a chart showing typical failure modes of the input unit. The above-described example corresponds to items 1 to 4. When the “0” signal and the subsequent “1” signal are regarded as one set of signals, the item 1 and the item 2 or the item 3 and the item 4 may be described as one item at a glance. It seems possible. However, since the normal / failure state of the input unit may change instantaneously, in order to pursue the fail-safe function, the time when the check signal generation circuit 29A outputs the “0” signal and the “1” signal It is necessary to make a judgment of normality or failure independently at each point of time when the signal is output. Therefore, in FIG. 3, the items 1, 2, items 3, 4,..., Items 19, 20, etc. are not shown together but are shown as single items.
[0047]
FIG. 4 is a block diagram showing the configuration of the output units 9A and 9B in FIG. 1 and the configuration of the microprocessor controllers 1A and 1B that exchange signals with the output units 9A and 9B. In this figure, the output unit 9A includes a photocoupler 30A (output semiconductor element) formed by a light emitting diode 31A and a phototransistor 32A, and a photocoupler 33A (fault detection semiconductor formed by a light emitting diode 34A and a phototransistor 35A. Element), a photocoupler 36A (semiconductor element for check) formed by a light emitting diode 37A and a phototransistor 38A, and a resistor 39A. The output unit 9B has the same configuration as the output unit 9A, but additionally includes a diode 40 and a resistor 41.
[0048]
The controller 1A includes an output signal drive circuit 42A, a failure detection circuit 43A, a check signal generation circuit 44A, and a contact readback circuit 45A. The controller 1B has the same configuration as the controller 1A. Moreover, the relay 17 and the relay contact 18 shown also in FIG. 1 are arrange | positioned in field devices, such as a circuit breaker control apparatus.
[0049]
A photocoupler 30A is connected to the high-voltage side terminal of the 24-volt power supply via series-connected healthy relay contacts 14A and 14B, followed by connection of one end of the relay 17 via the photocoupler 30B and diode 40. The other end of the relay 17 is connected to a 0 volt terminal of a 24 volt power source. Therefore, the signal output path of the output unit 9A and the signal output path of the output unit 9B are connected in series with each other.
[0050]
When the relay 17 is excited by simultaneously outputting the "1" signal as the excitation signal to the relay 17 from the output units 9A and 9B, the relay contact 18 is closed and the circuit breaker is raised. . In addition, if a “0” signal as a non-excitation signal is output from the output units 9A and 9B to the relay 17 and the relay 17 is in a non-excitation state, the relay contact 18 is opened and the breaker is lowered. It is in a state. Therefore, the fail-safe property of the output unit is that the “1” signal is erroneously output and the breaker is raised despite the fact that the breaker must be lowered by outputting the “0” signal. It is to reliably prevent failure. As in the case of the input unit in FIG. 2, the configuration of the output unit in FIG. 4 treats the “1” signal as a dangerous signal and the “0” signal as a safe signal so that accidents caused by dangerous failures can be assured. It is for preventing.
[0051]
Next, the operation of FIG. 4 will be described. When both the A system and the B system are functioning normally, both the healthy relay contacts 14A and 14B are on. Now, if a “0” signal is output from one or both of the output signal drive circuits 42A and 42B, no current flows through the path of the phototransistors 32A and 32B and the diode 40, so the relay 17 is in an unexcited state. Yes, so the breaker is in a lowered state. At this time, the relay contact 18 is off, and the contact readback circuits 45A and 45B detect the “1” signal. On the other hand, if the “1” signal is output from both of the output signal drive circuits 42A and 42B, current flows through the paths of the phototransistors 32A and 32B and the diode 40, so that the relay 17 is in an excited state, and therefore the circuit breaker is It goes up. At this time, the relay contact 18 is turned on, and the contact readback circuits 45A and 45B detect the “0” signal.
[0052]
As described above, in the state where no current flows through the paths of the phototransistors 32A and 32B and the diode 40, a weak current flows through the resistor 39A, the light emitting diode 34A side, the resistor 39B, and the light emitting diode 34B side, respectively. The circuits 43A and 43B input a “1” signal. On the other hand, in a state where current flows through the path of the phototransistors 32A and 32B and the diode 40, no weak current flows through the resistor 39A, the light emitting diode 34A side and the resistor 39B and the light emitting diode 34B side, and the failure detection circuits 43A and 43B A “0” signal is input.
[0053]
The failure of the phototransistors 32A and 32B can be detected by the failure detection circuits 43A and 43B. That is, for example, when the phototransistor 32A has a conduction failure, the failure detection circuit 43A inputs the “0” signal even though the output signal drive circuit 42A outputs the “0” signal ( If it is normal, the circuit 43A should input a “1” signal.) Therefore, the conduction failure of the phototransistor 32A can be detected. When the phototransistor 32A has an open failure, the failure detection circuit 43A inputs the “1” signal even though the “1” signal is output from the output signal drive circuit 42A (normally) If there is, the circuit 43A should input a “0” signal.) Therefore, an open failure of the phototransistor 32A can be detected.
[0054]
As described above, the failure of the phototransistor 32A can be detected by the photocoupler 33A and the failure detection circuit 43A. However, when the phototransistor 35A of the photocoupler 33A fails, particularly when the failure is a conduction failure, the fail-safe property cannot be maintained. This is because when the phototransistor 35A has a continuity failure, the input of the failure detection circuit 43A is always "1". Therefore, a continuity failure occurs in the phototransistor 32A, and the "1" signal, which is a dangerous signal, is erroneously relayed. This is because it is impossible to detect this even if it is output to 17 (in contrast to this, in the case of an open failure of the phototransistor 35A, the input of the failure detection circuit 43A is always "0" and the controller itself relays. Since it recognizes that the “1” signal, which is a dangerous signal, is output to No. 17, there is no direct connection to a serious accident. Therefore, in order to ensure the fail-safe property, the conduction failure of the phototransistor 35A is an event that should be reliably detected. The photocoupler 36A and the check signal generation circuit 44A are provided for detecting a conduction failure of the phototransistor 35A, which is an event that should be reliably detected. The check signal generation circuit 44A is periodically set to “0”. The signal and the “1” signal are alternately output.
[0055]
That is, the check signal generation circuit 44A alternately outputs “1” signal and “0” signal as check signals to the light emitting diode 37A, and turns on / off the phototransistor 38A. Thereby, the current flowing through the light emitting diode 34A is forcibly turned on and off. Therefore, when the check signal generation circuit 44A outputs a check signal while the failure detection circuit 43A inputs a “1” signal, the signal input state of the failure detection circuit 43A does not change according to the check signal, If the “1” signal is input, it can be understood that a conduction failure has occurred in the phototransistor 35A.
[0056]
FIG. 5 is a time chart for explaining the operations of the output signal drive circuit 42A, the contact readback circuit 45A, the check signal generation circuit 44A, and the failure detection circuit 43A. FIG. ) Shows a dangerous failure, and (c) shows a safe failure. The “signal to be output” means a signal that should be output correctly to the relay 17.
[0057]
As shown in FIG. 5A, in the normal case, the signal input to the failure detection circuit 43A is always “0” when the check signal generation circuit 44A outputs a “0” signal. In addition, when the check signal generation circuit 44A outputs a "1" signal, the signal is the same as the signal read by the contact readback circuit 45A.
[0058]
However, as shown in FIG. 5B, when a conduction failure occurs in the phototransistor 35A, the failure detection circuit 43A inputs the “1” signal even though the check signal is “0”. Yes. For this reason, the system is immediately stopped at this point to prevent the occurrence of a serious accident caused by a dangerous failure. If the operation is continued without stopping the system at this time, even if a conduction failure occurs in the phototransistor 32A, it cannot be detected.
[0059]
In addition, as shown in FIG. 5C, when an open failure occurs in the phototransistor 35A, the contact readback circuit 45A reads the “0” signal during this period even when the check signal changes. No fault is detected. However, as described above, even if an open failure of the phototransistor 35A cannot be detected during this period, it does not directly lead to a serious accident. If an open failure occurs in the phototransistor 32A in this state, the signal input to the failure detection circuit 43A becomes “0” even though the check signal is “1”, and the signal of the contact readback circuit 45A Since they do not match, an open failure of the phototransistor 32A is detected and the system is stopped. FIG. 6 shows a typical failure mode of the output unit including the failure as described above.
[0060]
By the way, the phototransistors 32A and 32B in FIG. 4 have a possibility of falling into a peculiar state. For example, when the output signal drive circuit 42A outputs a “0” signal, the peculiar state may increase the leakage current when the phototransistor 32A is unsaturated, thereby exciting the relay 17. This means a state in which a certain level of current is flowing (this state is referred to as a “semi-conductive state”). In this semi-conducting state, the relay 17 is not actually energized, and no failure is detected because the failure detection circuit 43A also inputs the “1” signal. However, if a photoconductive failure occurs in the phototransistor 32B while the phototransistor 32A is in such a semiconductive state, the relay is performed even though the output signal drive circuits 42A and 42B output a “0” signal. 17 is excited and the fail-safe property of the output units 9A and 9B is lost. In order to reliably prevent the occurrence of a serious accident and improve safety, it is necessary to reliably detect the occurrence of such a semi-conducting state and promptly stop the system to maintain fail-safety. It is done. According to the configuration of FIG. 4, it is possible to reliably detect such a semiconducting state.
[0061]
That is, when the output signal drive circuit 42A outputs a “0” signal in a normal state, a weak current is output to the output unit 9B through the resistor 39A, the light emitting diode 34A, and the phototransistor 38A. The weak current output is a signal in which “0” and “1” are alternately repeated by the operation of the check signal generation circuit 44A. Therefore, when the phototransistor 38B is turned on by the output of the check signal generation circuit 44B, the failure detection circuit 43B inputs the “1” signal when the signal from the output unit 9A side is “1”. When the signal from the output unit 9A side is “0”, the “0” signal should be input. However, when the phototransistor 32A is in the semi-conducting state, the leakage current increases the current level from the output unit 9A, and the failure detection circuit 43B is in a state where the phototransistor 38B is on. In this case, a "1" signal is always input. By this phenomenon, it can be detected that the phototransistor 32A is in a semi-conducting state. In the above example, it is determined that the A-system side phototransistor 32A is in a semi-conductive state based on the input state of the B-system side failure detection circuit 43B. Even when a state has occurred, it can be determined based on the input state of the fault detection circuit 43A on the A system side.
[0062]
Next, the healthy circuits 10A and 10B shown in FIG. 1 will be described. FIG. 7 is a configuration diagram of the healthy circuits 10A and 10B. In FIG. 7, taking the A system as an example, the microprocessor unit 2A of the controller 1A generates an alternating signal. This alternating signal is sent to the healthy circuit 10A via the input / output interface 5A and the I / O bus 7A. Sent out. In the healthy circuit 10A, the output circuit 11A outputs the alternating signal to the primary side of the transformer 12A, and the DC side is cut from the secondary side, and only the AC component of the alternating signal is output. The alternating signal output from the secondary side of the transformer 12A is rectified by the diode 46A, the relay 13A is excited by this rectified current, and the healthy relay contact 14A is turned on.
[0063]
As described above, the relay 13A is indirectly excited based on the alternating signal generated by the microprocessor unit 2A. Therefore, when the microprocessor unit 2A detects a failure, the relay 13A is always de-energized and healthy. The relay contact 14A is turned off. That is, when the microprocessor unit 2A detects a failure, the microprocessor unit 2A normally clears all the outputs to “0”, but the output may not be cleared depending on the type of failure. The "1" signal continues to be output from the microprocessor unit 2A to the output circuit 11A. In this case, the signal supplied from the output circuit 11A to the primary side of the transformer 12A is not an alternating signal. Since the secondary side output of the transformer 12A becomes zero, the relay 13A is not excited. Therefore, when the microprocessor unit 2A detects a failure, the relay 13A is always de-energized and the healthy relay contact 14A can be turned off. As shown in FIG. 4, since the healthy relay contacts 14A and 14B are connected to the power supply circuit in a state of being connected in series, the relay 17 in the field device is never turned on when either one is turned off. Is not excited.
[0064]
FIG. 8 is a time chart showing signal output states of the output circuits 11A and 11B and excitation states of the relays 13A and 13B. In this figure, it is assumed that both the A system and the B system functioned normally at the beginning, but the A system microprocessor unit 2A detected a failure at a certain point in time. Then, since the microprocessor unit 2A immediately clears all outputs, the output of the alternating signal from the output circuit 11A is stopped, and the relay 13A that has been in the excited state until then becomes the non-excited state. The B-system microprocessor unit 2B can detect by the verification function that the A-system microprocessor unit 2A has stopped generating the alternating signal. Therefore, the microprocessor unit 2B also immediately stops generating the alternating signal. Thereby, the output of the alternating signal from the output circuit 11B is also stopped, and the relay 13B is also in a non-excited state.
[0065]
Here, a technique for keeping the time “1” and the time “0” in the alternating signal constant will be described. When outputting an alternating signal, it is usually considered that the microprocessor unit 2A outputs the main program. However, while the processing of the microprocessor unit 2A is normally performed, there is no particular problem because the control processing time of the main program is constant, but this control processing depends on the input status of the input signal from the outside. The time is not constant, and it becomes difficult to keep the time “1” and the time “0” constant.
[0066]
Therefore, in the present embodiment, as shown in FIG. 9, in addition to the control processing means 47 for executing the main program, an alternating signal generating means 48 for executing the interrupt program is provided in the microprocessor unit 2A. A signal is generated. The control processing means 47 has a counter 49 and a running flag 50, and the alternating signal generation means 48 has a counter 51.
[0067]
In order to generate a fail-safe alternating signal with such a configuration, when an abnormality occurs in the main program, it is necessary to stop the traveling by the interrupt program to stop the generation of the alternating signal. On the other hand, even if an abnormality occurs in the interrupt program, it is necessary to stop the traveling by the main program to stop the generation of the alternating signal. The alternating signal cycle is preferably as short as possible, but if the interrupt program runs too frequently, the processing time in the main program will be lost, so that cycle must be selected appropriately. In the example of FIG. 9, the processing time for one time of the main program executed by the control processing unit 47 is 100 to 200 ms, and the interrupt period of the interrupt program executed by the alternating signal generating unit 48 is 5 ms. Therefore, in the normal state, the interrupt program runs 20 to 40 times during one processing time of the main program. An alternating signal of a healthy circuit can be generated using this relationship.
[0068]
Next, the operation of FIG. 9 will be described. In this example, the processing time for one time of the main program is 100 ms, and the normal number of interruptions is 20 ± 1. The control processing means 47 sets the travel flag 50 at the start of one run, adds a count value for the number of runs to the counter 49, and resets the travel flag 50 at the end of one run. On the other hand, when the traveling flag 50 is set, the alternating signal generating means 48 interrupts every 5 ms until the traveling flag 50 is reset, and generates an alternating signal of “1” or “0”. Then, the alternating signal generating means 48 adds the count value for the number of interrupts at this time to the counter 51.
[0069]
When the control processing means 47 finishes one run, resets the run flag 50, and sets the run flag 50 again for the next run, the alternating signal generating means 48 counts the counter 51 at this time. Check the value. Now, assuming that the count value of the counter 51 is 22 times, the control processing unit 47 determines that an abnormality has occurred in the main program, and stops the running of all programs.
[0070]
On the other hand, the control processor 47 also checks the count value of the counter 51 at this time. Therefore, even if some abnormality occurs on the alternating signal generating means 48 side and the count value of the counter 51 becomes 22 as a result, the control processing means 47 stops the running of all programs as an interruption abnormality. Can be made.
[0071]
Note that the control processing unit 47, when an abnormality other than the above-described interruption abnormality (for example, an abnormality such as the result of collation with the input data on the B system side does not match), an error flag not shown in the figure. Set to stop all programs. For this error flag, the alternating signal generating means 48 is also checked, and when the error flag is set, the interruption program runs immediately and the generation of the alternating signal is stopped.
[0072]
According to the configuration shown in FIG. 9, the main program itself detects these failures when the main program causes a failure that takes some processing time for some reason, or a failure that causes the processing time to be too short. Even when it is not possible, a failure can be detected by the interrupt program and the healthy relay can be de-energized. Further, if the interrupt program side has a fault with an abnormally high interrupt frequency or an abnormally low fault, this can be detected by the main program and the healthy relay can be de-energized. That is, an alternating signal having a high-speed and high-accuracy cycle can be output, and fail-safe can be realized. Furthermore, since the alternating signal can be speeded up, the transformers 12A and 12B in the healthy circuits 10A and 10B can be reduced in size, and quick response can be obtained.
[0073]
Next, a technique for efficiently rewriting part of the contents of a program by using the shared memories 16A and 16B shown in FIG. 1 will be described. In general, standard programs for electronic level crossing control devices are prepared, but constants such as timers need to be matched to the actual situation of level crossings at the site. It is normal to change some parts. Such program changes are often made when the electronic level crossing control device is actually installed or based on the operation results after installation. It is desirable that the processing can be easily and reliably executed. According to the configuration of the present embodiment, if a part of the program content is changed for only one of the A system and the B system by the action of the shared memory, the program content of the other system is automatically also changed. Can be changed.
[0074]
That is, the operator at the site operates a PC (personal computer) monitor (not shown in FIG. 1) to store constants such as a timer to be changed in the storage unit 3A via the microprocessor unit 2A. Write. As described above, since the storage unit 3A is formed of an EEPROM, it can be electrically written, and can retain data even when the power supply fails.
[0075]
Data written to the storage unit 3A is also written to the shared memory 16A, but the B-system microprocessor controller 1B reads the contents of the shared memory 16A and writes it to the storage unit 3B and the shared memory 16B of its own system. The A-system microprocessor controller 1A collates the data in the shared memory 16A with the shared memory 16B, and outputs the collation result to the PC monitor. The PC monitor compares the data written in the A system with the data written in the B system as the A system is written, and if they match, the PC monitor displays that the data is normal. If they do not match, the system A microprocessor controller 1A is instructed to stop the system A operation. In order to increase the reliability of the change data, a check code that can detect an error in the data can be transmitted together with the constant data.
[0076]
Thus, according to the configuration of FIG. 1, when changing constants such as timers, if only one of the two microprocessor controllers is changed, the constants of the other system are also automatically updated. Will be changed. Further, since it is possible to simultaneously check whether or not the change contents of the own system and the other system are the same, it is possible to prevent an erroneous constant setting due to a human operation error.
[0077]
Next, a second embodiment of the present invention will be described. FIG. 10 is a block diagram showing the configuration of the second embodiment. The first embodiment shown in FIG. 1 has two control systems, an A system (first control system) and a B system (second control system), but this second embodiment. Has three control systems, and further has a C system (third control system) in addition to the two control systems of the A system and the B system. FIG. 11 is a block diagram of an electronic level crossing control system configured using the electronic level crossing control apparatus shown in FIG.
[0078]
First, the electronic level crossing control system of FIG. 11 will be described first. In this figure, the control systems of the first control processing terminal device 61, the second control processing terminal device 62, and the four input / output processing terminal devices 63 to 66 are connected to each other by A to C LANs. ing. The input / output processing terminal devices 63 to 66 exchange signals with the field devices 67 to 70, respectively.
[0079]
The first control processing terminal device 61 and the second control processing terminal device 62 are host devices of the input / output processing terminal devices 63 to 66, and the field devices 67 to 70 are substantially these first control processing terminal devices. 61 or the second control processing terminal device 62 is controlled via the input / output processing terminal devices 63-66.
[0080]
A program used for the current train operation is implemented in the first control processing terminal device 61, and a newly developed application program is implemented in the second control processing terminal device 62. And all the field devices 67-70 operate in the time zone (daytime) with many train operations, but only the field device 67 operates in the time zone (nighttime) with few train operations, and the field devices 68- 70 is subject to renovation work or testing.
[0081]
Each of the input / output processing terminal devices 63 to 66 includes a changeover switch that determines which of the first control processing terminal device 61 and the second control processing terminal device 62 is to exchange signals with, The control of the changeover switch is performed by the second control processing terminal device 62. In the daytime, all the input / output processing terminal devices 63 to 66 output the input signals from the field devices 67 to 70 only to the first control processing terminal device 61, while only the first control processing terminal device 61 is provided. Outputs signals to the input / output processing terminal devices 63-66. However, when the second control processing terminal device 62 switches the changeover switch to a predetermined position at night, only the input / output processing terminal device 63 receives the input signal from the field device 67 as the first control processing terminal device. On the other hand, the first control processing terminal device 61 outputs a signal only to the input / output processing terminal device 63. The input / output processing terminal devices 64 to 66 output the input signals from the field devices 68 to 70 to the second control processing terminal device 62, while the second control processing terminal device 62 performs the input / output processing. A signal is output to the terminal devices 64-66.
[0082]
According to such a railroad safety control system, it is possible to carry out repair work or tests of railroad crossings provided on other tracks while the operation of trains using specific tracks continues. The efficiency of renovation work can be greatly improved, and the construction period can be shortened.
[0083]
Next, the configuration of FIG. 10 will be described. In this figure, an A-system microprocessor controller 71A has a microprocessor unit 72A, a memory unit 73A, a LAN control unit 74A, and an I / O bus interface 75A. The microprocessor controller 71A is connected to the input unit 77A, the output unit 78A, and the healthy circuit 79A via the I / O bus interface 76A (the configurations of the input unit 77A and the output unit 78A are shown in FIGS. The configuration is substantially the same as that shown in FIG. The B system and the C system have the same configuration as the A system. A shared memory 80 is provided between the A system and the B system, a shared memory 81 is provided between the B system and the C system, and a shared memory 82 is provided between the C system and the A system. .
[0084]
Each system input unit 77A, 77B, 77C receives a signal from the field device 67 (or the field devices 68 to 70) via the field device input signal module 83. The signals from the output units 78A, 78B, 78C are output to the field device 67 via the field device output signal module 84. The state of the healthy relay contact signal from the healthy circuits 79A, 79B, 79C of each system is transmitted to the field device output signal module 84 and further to the field device input signal module 83, and the three systems. If at least two systems are not normal, the on-site equipment output signal module 84 and the on-site equipment input signal module 83 do not operate. The field device input signal module 83 and the field device output signal module 84 are illustrated as conceptual elements for facilitating the understanding of the configuration of FIG. 10, and actually are microprocessors in each controller. -It can be considered as a function of the units 72A, 72B, 72C.
[0085]
FIG. 12 is a configuration diagram of the healthy circuits 79A, 79B, and 79C in FIG. 10 (the configuration of the healthy circuits 79B and 79C is the same as that of the healthy circuit 79A and is omitted). In this figure, the microprocessor unit 72A of the A system microprocessor controller 71A generates an alternating signal, which is sent to the healthy circuit 79A via the I / O bus interfaces 75A and 76A. In the healthy circuit 79A, the two output circuits 85A1 and 85A2 output this alternating signal to the primary side of the transformers 86A1 and 86A2, respectively, and the DC component is cut from the secondary side and only the AC component of the alternating signal is output. Is done. The alternating signals output from the secondary sides of the transformers 86A1 and 86A2 are rectified by the diodes 87A1 and 87A2, respectively, and the relays 88A1 and 88A2 are excited by the rectified currents, and the healthy relay contacts 89A1 and 89A2 are turned on.
[0086]
Since the operation of the healthy circuit 79A in FIG. 12 is substantially the same as that in FIG. 7, the redundant description thereof will be omitted, and only the combination of ON / OFF of the healthy relay contacts between the systems will be described. “Healthy A = B, Healthy A = C,... Healthy C = B” in FIG. 12 indicates a healthy relay contact associated with another system. That is, the alphabet symbol on the left side of the equal symbol indicates the own system side, and the alphabet symbol on the right side of the equal symbol indicates the other system side.
[0087]
For example, when the A-system controller detects a failure of the own system through self-diagnosis, the contacts of A = B and A = C are turned off to stop the running of the own system. At this time, the contact of B = C is kept on on the B system side, but the contact of B = A which is a contact related to the A system is turned off. Similarly, the contact of C = B is kept on on the C system side, but the contact of C = A, which is a contact related to the A system, is turned off.
[0088]
On the other hand, when the A-system controller detects a failure of the other system by its collation function, only the contact related to the other system is turned off. For example, when the A-system controller detects a B-system failure, only the A = B contact is turned off and the A = C contact is turned on. At this time, on the C system side, the C system controller should detect a failure of the B system, and only the contact of C = B should be turned off and the contact of C = A should be turned on. Then, since the contacts A = B and C = B on the A system side and the C system side are turned off, the contacts B = C and B = A on the B system side are also turned off, and the traveling of the B system is stopped. The
[0089]
As described above, the second embodiment shown in FIG. 10 has a triple system configuration of the A system, the B system, and the C system, and the input data or output data of the two systems coincides. In addition, a so-called “2out of 3” method is adopted in which the input data or output data is handled as normal data. There are the following three modes as the modes when the input / output data of the 2 systems among the 3 systems match.
[0090]
(1) Both the A system and B system healthy relay contacts are on (the healthy relay is in an excited state), and both the A system and B system output data (or input data) are “1”.
(2) Both the B system and C system healthy relay contacts are on (the healthy relay is in an excited state), and both the B system and C system output data (or input data) are “1”.
(3) Both the C-system and A-system healthy relay contacts are on (the healthy relay is in an excited state, and both the C-system and A-system output data (or input data) is “1”.
[0091]
For example, when a failure occurs in the B system, the contacts B = C and B = A of the healthy circuit 79B are turned off, and the contacts A = B and C = B of the healthy circuits 79A and 79C are turned off. However, since the contacts A = C and C = A of the healthy circuits 79A and 79C are kept on, the control of the system can be continued by the normal A system and C system (see (3) above). Embodiment).
[0092]
Next, the operation of FIG. 10 will be described based on the flowchart of FIG. However, in FIG. 13, only the operation between the A system and the B system is described, and the redundant description between the B system and the C system and between the C system and the A system is omitted.
[0093]
First, the controllers 71A and 71B perform a synchronization process for starting control by a program. That is, the controllers 71A and 71B write a number indicating the number of processes called “synchronization serial number” in the own system areas 80A and 80B of the shared memory 80, and whether or not the own system synchronization number and the other system synchronization number match. It is determined whether or not synchronization has been achieved by confirming (step 101A, 101B). If synchronization cannot be established, the system waits for a certain period of time. If synchronization cannot be established, the other systems are determined to be faulty, and the healthy relay contacts are turned off to de-energize the healthy relay. When synchronization is established, control processing is started at that timing.
[0094]
After synchronization, each controller reads the input signal from the field device 67 input through the input module 83 and writes it in its own storage areas 80A and 80B. Then, it is determined whether or not the input signal written in the own system matches the input signal written in the other system (steps 102A and 102B). If they do not match, it is determined that the other system is a failure. On the other hand, if they match, arithmetic processing for control is performed (steps 103A and 103B).
[0095]
Each controller writes the arithmetic processing result as an output signal in its own storage areas 80A and 80B, and determines whether the output signal written in its own system matches the output signal written in the other system ( Steps 104A, 104B). If they do not match, it is determined that the other system is a failure. On the other hand, if they match, this is output to the field device 67 via the output module 84.
[0096]
In this way, the A-system side controller performs its own control process, and also functions as a failure detector for the B-system side controller, and the B-system controller also performs its own control process. It also functions as a failure detector for the system controller. Therefore, reliable input / output control can be performed with field devices.
[0097]
FIG. 14 is a flowchart showing, as an example of the A system side, main cases in which error processing is performed, including the synchronization check process, input process, and output process with another system described in FIG. First, the A-system controller 71A performs self-diagnosis as to whether or not there is any abnormality in its own I / O bus (step 1). If there is an abnormality, excitation is output as error processing if it has already been output. The processing output is stopped (step 19), and the control operation is stopped (step 20). The excitation output means that the microprocessor unit 72A generates an alternating signal in FIG. 12 and causes the output circuits 85A1 and 85A2 to output the alternating signal.
[0098]
If there is no abnormality as a result of the self-diagnosis of the controller, the above excitation output is performed (step 2). Then, the controller 71A performs a write test and a read test on the shared memories 80 and 82 (step 3), and performs processing of step 19 if there is an abnormality. Next, an off check of the input unit 77A and the output unit 78A is performed to check whether a continuity failure has occurred (steps 4 and 5). If there is an abnormality, the process of step 19 is performed. Then, the previous control output is read back to check whether or not there is any abnormality (step 6).
[0099]
If there is no abnormality as a result of the check in Steps 4 to 6, as already described in FIG. 13, synchronization with other systems, that is, the B system and the C system is performed (Step 7). Perform the process. If synchronization is established, data is input from the input module 83 and input processing is started (step 8). Then, 8-bit inverted data is created and written in the shared memories 80 and 82 (step 9), and the memory shared with these other systems is checked by comparing with the B-system and C-system inverted data. Data is checked (step 10), and if there is an abnormality, the process of step 19 is performed. Next, whether or not the input signal input from the input module 83 matches that of the other system is checked using the shared memories 80 and 82 (step 11), and if there is an abnormality, the process of step 19 is performed.
[0100]
After the above collation, control processes 1 and 2 which are two programs having the same contents are executed while changing the memory area and time (steps 12 and 13). Then, the result of collating the calculation results of the control processes 1 and 2 (step 14), if not matched, the process of step 19 is performed assuming that it is abnormal.
[0101]
After that, before trying to output the calculation result, the creation and writing of the inverted data and the collation with the inverted data of the other system are performed as in steps 9 and 10 (steps 15 and 16). The process of step 19 is performed. Next, whether or not the output signal to be output from the output module 84 matches the other system is checked using the shared memories 80 and 82 (step 17). If there is an abnormality, the process of step 19 is performed. If there is no abnormality, an output process is performed (step 18), and the operations after step 1 are repeated.
[0102]
When the A system controller stops the excitation output in step 19 and detects an abnormality in its own system, both the A = B and A = C healthy relay contacts are turned off and the B system (or C system) is turned off. When an abnormality is detected, the healthy relay contact of only A = B (or only A = C) is turned off. When both A = B and A = C healthy relay contacts are turned off, the A system controller stops running (step 19), but A = B only (or A = C only) healthy relay. When the contact is turned off, the control process is continued with the C system (or B system).
[0103]
As described above, when a failure occurs in one of the three systems, the controller of the system stops the running of the own system by deactivating the healthy relay of the own system. Even if the healthy relay of the own system could not be de-energized, the other two systems would de-energize the faulty healthy relay so that the failure system would not participate in the control process to ensure system safety. Yes. However, while the control process is continued in the other two systems excluding the fault system, if the fault system rejoins the control process for some reason, the safety of the system will be hindered. Become. Therefore, in the present embodiment, in order to prevent such a situation from occurring, the faulty power supply circuit is turned off and the faulty system is forcibly disconnected from the other two healthy systems.
[0104]
FIG. 15 is a chart showing a system for turning off the power supply circuit for each mode. Although not shown in FIG. 10, this power supply circuit is provided in each system controller 71A, 71B, 71C. In FIG. 15, “0” indicates a healthy relay contact (contact to be turned off) of a system determined to be a failure or its related system, and “1” indicates a normal system healthy relay contact. ing. Further, X1 indicates a healthy relay contact of a system in which the power supply circuit has already been turned off due to a failure (which is naturally turned off), and X2 is turned off following the healthy relay contact related to X1. A healthy relay contact is shown.
[0105]
Accordingly, in item 1, since the system A failed during the control of the system 3, the contacts A = B and A = C of the system A are first turned off, and the contacts B = A and C = A of the systems B and C are first turned off. Is turned off, the power supply circuit of the A system is turned off, and the control processing is continued in the B system and the C system. Item 2 is that the power supply circuit has already been turned off due to the failure of the C system, and this time the A system has failed while the control processing is being performed in the two systems of the A system and the B system. Is turned off, and eventually the B-system power supply circuit should also be turned off. Item 3 is that the power supply circuit has already been turned off due to failure of the B system, and this time the A system has failed while performing control processing in the two systems of the A system and the C system. Is turned off, and eventually the C-system power supply circuit should also be turned off.
[0106]
FIG. 16 is an explanatory view showing a configuration for forcibly turning off the power supply circuit of the failed system, taking the A system as an example. In this figure, an on-timer relay 90 is connected between the 0V terminal and the 24V terminal of a 24 volt power supply circuit, and a series connection of a contact group formed by a plurality of contacts and an A-system power supply relay 91. The body is also connected between both terminals.
[0107]
The plurality of contacts are the relay contact 92 of the on-timer relay 90, the relay contact 93 of the A-system power supply relay 91, the B = A healthy relay contact 94, the A = B healthy relay contact 95, and the C = A healthy contact. Relay contact 96, A = C healthy relay contact 97. The A-system power supply relay 91 has a main contact 98 of an AC 100 volt power supply.
[0108]
Next, the operation of FIG. 16 will be described. When the power supply circuit is turned on, the on-timer relay 90 is excited for several seconds and the contact 92 is turned on, so that the A-system power supply relay 91 is forcibly excited. As a result, the contact 93 is turned on, the main contact 98 is turned on, and AC 100 volts is supplied to the controller. The A-system controller turns on the contacts 95 and 97. At the same time, the B-system and C-controllers start operating to turn on the contacts 94 and 96. Therefore, a self-holding circuit for the A-system power supply relay 91 is formed, and the excited state of the A-system power supply relay 91 is held even after the on-timer relay 90 is de-energized.
[0109]
In this state, when the B system and the C system detect a failure of the A system, the contacts 94 and 96 are turned off. Therefore, the A system power supply relay 91 is de-energized and the main contact 98 is turned off. The system is completely disconnected from the healthy B system and C system. Further, when the B system detects a failure in the A system during the control processing in the two systems, the A system and the B system (the contacts 96 and 97 have already been turned off because the C system has failed), the contact 94 Is turned off, the A system power supply relay 91 is de-energized, the main contact 98 is turned off, and the control of the A system that is the fault system is stopped (accordingly, the control of the B system that is the healthy system is stopped). Will eventually stop.) Similarly, when the C system detects a failure in the A system during the control process in the A system and the C system (the contacts 94 and 95 have already been turned off because the B system has failed) Since 96 is turned off, the A-system power supply relay 91 is de-energized, the main contact 98 is turned off, and the control of the A-system that is the fault system is stopped (accordingly, the control of the C-system that is the healthy system is stopped). Control will eventually be stopped.) Further, when the A system detects a failure of the own system by self-diagnosis during the control processing in the third system, the contacts 95 and 97 are turned off. System control is stopped.
[0110]
FIG. 17 is a time chart showing changes in the excitation state of each relay and the on / off state of each healthy relay contact. FIG. 17A shows a case where the system A becomes abnormal during normal operation in system 3, and FIG. This shows a case where the A system becomes abnormal during operation in the two systems of the A system and the B system.
[0111]
In FIG. 17A, the on-timer relay 90 is turned on immediately after the power is turned on, and the A-system power relay 91 and the C-system power relay are turned on. Then, after the on-timer relay 90 is turned off, the B system and the C system have detected an abnormality in the A system, so that the contacts 94 and 96 are turned off and the A system power relay 91 is turned off. Further, the A system contacts 95 and 97 are also turned off.
[0112]
In FIG. 17B, after the abnormality of the C system is detected first and the C system power supply relay is turned off (the contacts 96 and 97 are already turned off), the B system has the abnormality of the A system. Detected, the contact 94 is turned off and the A-system power supply relay 91 is turned off. Thereafter, the A-system contact 95 is also turned off.
[0113]
Next, a technique for eliminating a collation error caused by a shift in count timing between timers of each system when the controller of each system performs a collation operation with another system will be described.
[0114]
Since the basic clock signals of each system are generated independently from each other, a time difference of 1 count occurs between the timers of the controllers of each system, and there is a period in which the timer processing states do not match. For example, consider a case where the main program is set to execute a certain operation after a lapse of 3 seconds from a predetermined reference time point. In this case, the A system and the B system perform the above-described input or output collation when the respective timers display “3”, and execute the above operation when the collation results match.
[0115]
However, since each of the A system and B system timers counts time independently, when the A system timer displays “3” seconds, the B system timer still displays “2” seconds. There may be cases where Both timers display "3" seconds during the period of 3.0 to 3.9 seconds. For example, when the A timer counts 3.7 seconds, the B system finally Assuming that the timer has counted 3.0 seconds, the A system timer displays “3” seconds while the A system timer is counting 3.0 to 3.6 seconds, The B-timer displays “2” seconds. Therefore, if the two systems are collated to execute the above-described operation when the A-system timer displays “3” seconds, the collation results are inconsistent, so that a failure is determined.
[0116]
FIG. 18 is a time chart for explaining a technique for preventing erroneous detection due to such a shift between the timers of both systems. In this figure, (a) and (b) are signals indicating the processing states of the A system timer and the B system timer, respectively, and CA1, CA2,..., CB1, CB2. ing. (C) and (e) show the scan signals S1 to S9 with scan numbers. (D) and (f) are signals TA1 and TB1 indicating the processing state at the time of actual verification of the A system timer and the B system timer. (G) is a signal indicating the coincidence state and disagreement state of the signals (d) and (f). In addition, t1 is a time indicating an interval of one count of the timer, t2 is a time indicating a difference between operation start points of the A system timer and the B system timer, and t3 is a control processing cycle (scan cycle), that is, a main program. The running cycle is shown.
[0117]
As apparent from FIGS. 18A and 18C, the state in which the signal CA2 of the A-system timer is “1” is detected from the rising edge of the scan signal S3. The processing state of the A-system timer at the time of collation is indicated by a signal TA1 in FIG. Similarly, as apparent from FIGS. 18B and 18E, the state in which the signal CB3 of the B-system timer is “1” is detected from the rising edge of the scan signal S5. Therefore, the processing state of the B-system timer at the time of actual verification is indicated by the signal TB1 in FIG. As shown in FIG. 18 (g), the signals TA1 and TA2 are inconsistent with each other during the scan signals S3 and S4.
[0118]
Therefore, if the A system and the B system are collated during the period of the scan signals S3 and S4, a collation error occurs because the timer processing states of both systems do not match, and a failure is detected. It will be judged. However, in this case, a failure does not actually occur in the A system or the B system, and the above-described failure detection is a false detection.
[0119]
Therefore, in this embodiment, in order to prevent such erroneous detection, even if a mismatch between the processing states of the timers of both systems is detected, a control process for invalidating the mismatch is performed for a predetermined time. Yes. In the example of FIG. 18, since the time t1 for one count of the timer is longer than the scan period t3, the processing states of the timers of both systems are not surely matched unless at least one count time is waited. For example, when t1 is set to 100 ms and t3 is set to 40 ms, even if a mismatch is detected during three scans (S3, S4, S5), this mismatch is invalidated, and four scans are continuously performed (S3 to S6). ) Only when a mismatch is detected, processing for validating this mismatch is performed. In the example of FIG. 18, the case where the time t1 of one count of the timer is larger than the scan period t3 has been described, but when t1 is sufficiently smaller than t3, the processing state of the timers of both systems can be waited for one scan time. Are matched.
[0120]
【The invention's effect】
As described above, according to the present invention, each control system determines whether or not the input / output result of a signal with the field device matches between its own system side and one other system side. Is used to perform control on the field device only when the combination of verification results of all control systems is a predetermined combination. It has a function to detect whether it is in a normal state or a failure state using a healthy circuit, and when a failure signal is input from a healthy circuit of either system, the control operation is stopped, so it is easy With such a configuration, the fail-safe property can be improved.
[Brief description of the drawings]
FIG. 1 is a block diagram showing a configuration of a first embodiment of the present invention.
FIG. 2 is a block diagram showing the configuration of the input units 8A and 8B in FIG. 1 and the A-system controller 1A and B-system controller 1B that exchange signals with the input units.
FIG. 3 is a chart showing typical failure modes of the input unit of FIG. 2;
4 is a block diagram showing a configuration of output units 9A and 9B in FIG. 1 and A system controller 1A and B system controller 1B that exchange signals with the output units.
5 is a time chart for explaining the operation of FIG. 4; FIG.
6 is a chart showing a typical failure mode of the output unit of FIG. 4;
7 is a configuration diagram of healthy circuits 10A and 10B in FIG. 1. FIG.
8 is a time chart for explaining the operation of FIG. 8;
9 is a block diagram showing a configuration of a microprocessor unit 2A in FIG.
FIG. 10 is a block diagram showing a configuration of a second exemplary embodiment of the present invention.
11 is a configuration diagram of an electronic level crossing control system (railway security control system) configured using the electronic level crossing control device (railway security control device) according to the embodiment of FIG.
12 is a configuration diagram of healthy circuits 79A, 79B, and 79C in FIG.
FIG. 13 is a flowchart for explaining the operation of FIG. 10;
14 is a flowchart for explaining a main case in which the error processing of FIG. 10 is performed.
15 is a chart showing a mode in the case of turning off a power supply circuit in a controller of each system in FIG.
16 is a configuration diagram for turning off a power supply circuit in a controller of each system in FIG. 10;
FIG. 17 is a time chart for explaining the operation of FIG. 16;
18 illustrates a technique for eliminating a collation error caused by a deviation in count timing between timers of each system when the controller of each system in FIG. 10 performs a collation operation with another system. The flowchart for doing.
FIG. 19 is a block diagram showing a configuration of a main part of a conventional railway safety control device.
[Explanation of symbols]
1A, 1B A system and B system microprocessor controller
2A, 2B microprocessor unit
3A, 3B storage unit
4A, 4B storage unit
5A, 5B I / O interface
6A, 6B MPU bus
7A, 7B I / O bus
8A, 8B input unit
9A, 9B output unit
10A, B10 Healthy circuit
11A, 11B output circuit
12A, 12B transformer
13A, 13B relay
14A, 14B Healthy relay contact
15A, 15B I / O bus controller
16A, 16B shared memory
17 Relay
18 Relay contact
19A, 19B resistance
20A, 20B Photocoupler
21A, 21B Light emitting diode
22A, 22B Phototransistor
23A, 23B Photocoupler
24A, 24B Light emitting diode
25A, 25B phototransistor
26A, 26B Fault diagnosis circuit
27A, 27B signal input circuit
28A, 28B comparison and verification circuit
29A, 29B Check signal generation circuit
30A, 30B Photocoupler
31A, 31B Light emitting diode
32A, 32B phototransistor
33A, 33B Photocoupler
34A, 34B Light emitting diode
35A, 34B Phototransistor
36A, 36B Photocoupler
37A, 37B Light emitting diode
38A, 38B Phototransistor
39A, 39B resistance
40 Diode 40
41 Resistance 41
42A, 42B output signal drive circuit
43A, 43B Fault detection circuit
44A, 44B Check signal generation circuit
45A, 45B contact readback circuit
46A, 46B Diode
47 Control processing means
48 Alternating signal generating means
49 counter
50 Travel flag
51 counter
61 1st control processing terminal device
62 Second control processing terminal device
63 to 66 I / O processing terminal device
67-70 field equipment
71A, 71B, 71C A system, B system and C system microprocessor controller
72A, 72B, 72C Microprocessor unit
73A, 73B, 73C Memory part
74A, 74B, 74C LAN controller
75A, 75B, 75C I / O bus interface
76A, 76B, 76C I / O bus interface
77A, 77B, 77C Input unit
78A, 78B, 78C Output unit
79A, 79B, 79C Healthy circuit
80-82 shared memory
83 Field equipment input signal module
84 Field equipment output signal module
85A1, 85A2 output circuit
86A1, 86A2 transformer
87A1, 87A2 diode
88A1, 88A2 relay
89A1, 89A2 Healthy relay contact
90 On-timer relay
91 A power relay
92 to 97 contacts
98 Main contact
101A, 101B Microprocessor unit
102A, 102B memory
103 Clock circuit
104A, 104B Bus 104
105 Bus verification / alternating signal output circuit
106 Verification error detection circuit

Claims (13)

There are at least two control systems capable of controlling on-site equipment, and these two or more control systems are each a railroad safety control device having a dedicated microprocessor controller.
Each of the control systems is
A dedicated input unit for inputting a signal from the field device;
A dedicated output unit that outputs an output signal to the field device and whose signal output path is connected in series on the own system side and the other system side,
A shared memory for storing input / output results on the own system side and one other system side via the input unit and the output unit;
An alternating signal output circuit for outputting an alternating signal, an alternating signal from the alternating signal output circuit being input to the primary side, a transformer for outputting only the alternating signal of the alternating signal from the secondary side, and an alternating signal from the transformer being rectified A healthy circuit that outputs a signal indicating whether the output unit on the own system side or the other system side of the verification partner is in a normal state or a failure state,
With
The microprocessor controller of each control system is
Using the shared memory, each has a function of diagnosing a failure of the own system side input unit and a function of collating with a failure diagnosis result of one other system side input unit, If the input signal does not match the input signal of one input unit on the other system side, the control operation of both control systems is stopped, and the dangerous side failure is reliably detected based on the both functions,
Also, when the output signal of the output unit on the own system side does not match the output signal of one output unit on the other system side, the control operation of both control systems is stopped.
A railway safety control device characterized by that. The input unit of each control system includes an input semiconductor element provided on a signal input path from the field device, and a check semiconductor element connected in series to the input semiconductor element.
The microprocessor controller of each control system has a check signal generation circuit that outputs a check signal or stops its output in order to detect a conduction failure or an open failure of the input semiconductor element.
The railroad safety control device according to claim 1 . Each of the output units includes an output semiconductor element provided on the signal output path, a failure detection semiconductor element showing an on / off state opposite to the on / off state of the output semiconductor element, and the failure detection semiconductor A check semiconductor element that periodically turns on and off the current flowing through the element to check whether there is a failure in the failure detection semiconductor element itself,
Each of the microprocessor controllers includes an output signal driving circuit that turns on and off the output semiconductor element, and a failure detection circuit that detects the presence or absence of a failure in the output semiconductor element by detecting an on / off state of the failure detection semiconductor element A check signal generating circuit for periodically outputting a check signal or stopping the output in order to detect a continuity failure or an open failure of the semiconductor element for failure detection, and a contact lead for reading a relay contact state of the field device A back circuit, and based on the input state or output state of each of these circuits, to determine a failure state for each of the output units,
The railway security control device according to claim 1 or 2, wherein Each of the microprocessor controllers can detect that either one of the output semiconductor element of the output unit on the own system side or the output semiconductor element of the output unit on the one other system side is in a semi-conducting state. Is,
The railroad safety control device according to claim 3 . The microprocessor controller of each control system has control processing means for executing a main program, and alternating signal generating means for generating an alternating signal by interrupting the main program at an interrupt program every predetermined time. ,
The control processing means and the alternating signal generation means monitor the number of interruptions of the interrupt program in one processing time of the main program, respectively, and when the value of the number of interruptions falls outside a predetermined range, The control of the microprocessor controller is stopped.
The railroad safety control device according to claim 1. The shared memory is capable of storing the rewritten content when a part of the program content of the microprocessor controller on the own system side or the one other system side is rewritten. Yes,
When a part of the program content of either the own system side or the one other system side microprocessor controller is rewritten, the other program content is similarly rewritten. ,
The railway safety control device according to any one of claims 1 to 5 . If a failure occurs in any of the control systems, the controller's microprocessor controller is forcibly disconnected from the other control systems. To stop,
The railway safety control device according to any one of claims 1 to 6 . When the control system is composed of the first to third control systems, and any one of the control systems fails, it is confirmed that no failure has occurred in the remaining two control systems. Only when it is detected by using the remaining two control systems, control of the field device is continued.
The railroad safety control device according to claim 1. When any two control systems detect a failure of the remaining control system during execution of the control operation by all of the first to third control systems, the microprocessor controller of the remaining one control system Is turned off,
When one control system detects a failure in the other control system during execution of a control operation by any two of the first to third control systems, both control systems The microprocessor controller power circuit is turned off.
The railway safety control device according to claim 8, wherein: The microprocessor controller of each control system determines a predetermined operation execution time point in the main program based on the count value of the timer, and performs verification between the own system side and one other system side at this time point By invalidating the collation result in a period from this point in time until the predetermined time elapses, a collation error caused by a shift in the count timing between the timer on the own system side and the timer on one other system side is eliminated. I tried to eliminate it,
The railway safety control device according to any one of claims 1 to 9 . A plurality of input / output terminal devices that exchange signals with field equipment and at least one control processing terminal device are connected by a communication network. In a control system that controls a plurality of field devices via
The input / output terminal device and the control processing terminal device are configured by the railroad safety control device according to any one of claims 1 to 10 .
This is a railway safety control system. The control processing terminal device is composed of a first control processing terminal device for current train operation and a second control processing terminal device in which a new application program is installed,
In times when there are many train operations, the first control processing terminal device exchanges signals with all input / output terminal devices,
In a time zone when the number of train operations is small, the first control processing terminal device exchanges signals only with a specific input / output terminal device, and the second control processing terminal device communicates with the remaining input / output terminal devices. Send and receive signals between
The railway security control system according to claim 11 . Each of the input / output terminal devices has a change-over switch that determines which of the first control processing terminal device and the second control processing terminal device is to send and receive signals. Control is performed by the second control processing terminal device.
The railway security control system according to claim 12 .

Images