JP4111772B2 - Mobile control system - Google Patents

Description

[0001]
BACKGROUND OF THE INVENTION
The present invention relates to a mobile body control system that realizes an interlock function by dividing mobile roads into a plurality of sections and transmits / receives mobile body control information between modules assigned to each section, thereby safely driving the mobile body. In particular, the present invention relates to a technique for improving the reliability and safety of a mobile control system.
[0002]
[Prior art]
There is a blocking system as one of mobile control systems for safely operating a mobile. The blocking system divides the travel path of the mobile body into a plurality of sections, manages the travel of the mobile body in units of sections, and keeps the distance between the mobile bodies safe so that there is only one mobile body in one section. Control system. In such a blocking system, the traveling of the moving body and the control of the traffic light, the branching device, etc. Are interlocked with each other to provide an interlock function for controlling the traveling of the moving body.
[0003]
Conventionally, such an interlock function has been realized by electrically wiring a large number of electromagnetic relays with the logic function, self-holding function and timer function necessary for the interlock function. There is a problem that the configuration is complicated. For this reason, a predetermined module prepared in advance is assigned to each section of the entire travel path, and each module is connected in accordance with the connection of the sections, thereby realizing an interlock function required for the entire travel path, and traveling of the mobile object Applicants who have ensured safety have been proposed by the present applicant in Japanese Patent Application Nos. 2000-67214 and 2001-565229.
[0004]
[Problems to be solved by the invention]
By the way, in the mobile control system using the above-described module, when the system is abnormal, particularly when a failure occurs in the module, it becomes impossible to perform the branch device switching control or the traffic light on / off control. Therefore, in this type of mobile control system, it is necessary to monitor the operation state of the module, and to find and replace the defective module at an early stage.
[0005]
As a method of monitoring the operation state of this type of module, the input / output information of the module to be inspected is monitored, and whether or not output information expected when predetermined input information is input is output in advance. A general method is to determine whether the data is normal or not by checking with the provided data table.
However, as the number of input information increases, the size of the prepared data table increases. Further, when the setting conditions of each module are different, it is necessary to provide an inspection data table for each module, and there is a problem that the size of the prepared data table increases when the number of modules is large.
[0006]
The present invention has been made in view of the above circumstances, and an object of the present invention is to provide a mobile control system excellent in reliability and safety in which an operation state of a module can be easily confirmed online.
[0007]
[Means for Solving the Problems]
Therefore, according to the first aspect of the present invention, the traveling path of the mobile body is divided into a plurality of sections, modules are assigned to the sections, the modules are wired according to the connection state of the sections, and the mobile bodies are connected between the modules. In a mobile control system that controls the travel of a mobile body so as to allow only one mobile body to travel in one section by transmitting and receiving control information, the mobile control system is communicably connected to the modules and relates to mobile travel control A central processing unit that outputs control command information; a simulation processing unit that monitors input information input to each module and simulates the same processing operation as the actual each module based on the monitor information; and the input Based on the information, the actual output information generated from each module is compared with the simulated output information generated from the simulation processing unit, and the actual output information and the simulated output information Determining a match / mismatch, it has a configuration in which the operation of each module based on the determination result provided an inspection apparatus having an inspection unit for inspecting whether normal or not.
[0008]
In such a configuration, the simulation processing unit simulates the same process as the moving object control operation process executed by the actual module by software. The inspection processing unit collates the actual output information obtained from the actual module with the simulated output information obtained by the simulation processing of the simulation processing unit, and determines that the module is normal if they match, and if there is a mismatch, there is an abnormal module Is determined. As a result, the operation state of the module can be easily confirmed online on the central processing unit side.
[0009]
According to a second aspect of the present invention, the inspection apparatus may be configured to stop power supply to a module that is determined to be abnormal by the inspection processing unit. Specifically, as in claim 3, the inspection apparatus includes a power supply control circuit for controlling the power supply of the module for each module, and corresponds to the module determined to be abnormal by the abnormality detection output of the inspection processing unit. The power supply control circuit is driven to stop the power supply of the abnormal module.
[0010]
With this configuration, it is possible to stop the output of the module in which an abnormality has occurred.
According to a fourth aspect of the present invention, each module is provided with a monitor circuit for monitoring whether or not the central processing unit is normal, and a power supply line of the central processing unit is turned ON / OFF by the monitor circuit. It is good to set it as the structure which interposes the switch controlled by OFF in series connection. Specifically, as in claim 5, each of the monitor circuits monitors whether or not it is normal based on the transmission timing of the control command information transmitted from the central processing unit, and when the transmission timing is abnormal, It is determined that the processing apparatus is abnormal and the corresponding switch is controlled to be OFF.
[0011]
In such a configuration, when an abnormality occurs on the central processing unit side, the output on the central processing unit side can be stopped.
In the invention of claim 6, the number of modules smaller than the total number of sections of the travel path is provided, the mobile control information is transmitted and received between the actual module and the simulation processing unit, and the actual module allocation section Module processing operations in other sections other than the above are performed by the simulation processing unit, and the mobile unit control information transmission / reception path between the actual module and the simulation processing unit is selectively switched to sequentially allocate the actual module allocation sections. In addition to the configuration to be changed, the output result of the actual processing module and the simulation processing unit for each module allocation section change is compared by the inspection processing unit, and it is determined whether or not it is normal based on the comparison result.
[0012]
In such a configuration, a part of the simulation module operation processing in the simulation processing unit is performed by the actual module, and the actual module is processed in the simulation module operation processing of the simulation processing unit by sequentially changing the allocation interval of the actual module. The part performed by changes sequentially. Thereby, it becomes possible to easily diagnose the malfunction of the simulation processing unit.
[0013]
According to a seventh aspect of the present invention, the actual module may be a straight line module assigned to a straight section and a branch module assigned to a branch section including a branch section.
As in claim 8, connecting to all modules, connecting at least one alternative module having the same function as each module to a communication line for mutually transmitting and receiving the mobile control information between the modules, When an abnormality of a module assigned to a section is detected by the inspection device, the operation process of the abnormal module is performed by the alternative module. When a malfunction occurs in the module, the function of the abnormal module is replaced with the alternative module. Instead, it can maintain a mobile control system.
[0016]
DETAILED DESCRIPTION OF THE INVENTION
Hereinafter, embodiments of the present invention will be described with reference to the drawings.
FIG. 1 is a block diagram showing a configuration of a first embodiment of a mobile control system according to the present invention.
In FIG. 1, a mobile system according to the present embodiment includes a central processing unit 1 such as CTC, a number of modules M1 to Mn connected to the central processing unit 1 through communication lines 2 and 3, and a traffic light. And an on-site equipment group 4 such as a branching device and a moving body detection device. In FIG. 1, the signal equipment, the branching device, the moving body detection device, etc. are comprehensively shown as the field equipment group 4. However, the traffic signal and the branching device are connected to the respective modules assigned to the section where they are installed and connected. Controlled by each module. In addition, the moving body detection device is, for example, a track circuit or the like, and detects the presence or absence of a moving body in each section, and reports the presence or absence of a moving body in each section to the corresponding module. .
[0017]
The central processing unit 1 is connected to the communication line 2 connected to the modules M1 to Mn via the input / output interface 11, and generates control command information such as a control command for allowing the traffic signal to proceed and a switching command for the branching device. Connected to the communication line 3 connected to the modules M1 to Mn via the input / output interface 13, and the input / output information of each module M1 to Mn is monitored to determine whether the operating state of the modules M1 to Mn is normal. And an inspection device 14 for inspecting the above. The input / output information monitored by the inspection device 14 includes mobile body control information transmitted and received between modules, control command information of the central processing unit 1, transmission / reception information between the field device group 4 and the module, and the like.
[0018]
The inspection device 14 takes input information input to the modules M1 to Mn from the input / output interface 13, and transmits / receives information according to the connection of the actual modules M1 to Mn based on the acquired monitor information. A simulation processing unit 15 having software programmed to simulate the same processing operation as Mn, and actual output from the modules M1 to Mn by the processing operation of the modules M1 to Mn based on the input information. An inspection processing unit 16 is provided which takes in the output information from the input / output interface 13 and collates the actual output information with the simulated output information obtained by the simulation processing unit 15 to inspect the normality / abnormality of the modules M1 to Mn. . As a result of the collation, the inspection processing unit 16 determines that all the modules M1 to Mn are normal when the actual output information and the simulated output information match, and if there is a mismatch between the actual output information and the simulated output information, the inspection processing unit 16 The module that has generated the output information is determined to be abnormal.
[0019]
Each module M1 to Mn is assigned to each section obtained by dividing the traveling path in the mobile body control section of the central processing unit 1 into a plurality of sections, wired according to the connection state of the sections, and mobile body control information between adjacent modules. To achieve a desired interlock function. The moving body control information transmitted and received between the modules M1 to Mn with the adjacent modules is a signal indicating that there is no moving body, and the traveling movement that reports to the adjacent side section in the traveling direction of the moving body It is a progress permission signal which reports to the near side adjacent section with respect to the traveling direction of the moving body by a body absence confirmation signal and a signal indicating that the travel is permitted. The modules M1 to Mn are composed of two types of modules, a straight line module assigned to a straight section and a branch module assigned to a branch section including a branch path. The straight line module is a field device 4 installed at the end of the own section. A function for controlling a certain traffic light is provided, and the branching module has a function for controlling a branching device in its own section which is the field device 4. Each of the modules M1 to Mn includes a communication device and is communicably connected to the central processing unit 1 via the communication lines 2 and 3 to transmit and receive the control commands and input / output information described above.
[0020]
The configuration and logic processing operation of the straight line module and the branch module are described in detail in the aforementioned Japanese Patent Application Nos. 2000-67214 and 2001-565229, and the description thereof is omitted here.
Next, the module inspection operation in the mobile control system of this embodiment will be described.
[0021]
Each module M1 to Mn generates output information corresponding to the input information for the module in the adjacent section based on the command information from the central processing unit 1, the information from the field device 4, and the information from the module in the adjacent section. And a control output is generated for the traffic signal and the branching device so as not to cause derailment or collision.
The simulation processing unit 15 of the inspection apparatus 14 receives input information of each module M1 to Mn under mobile control from the communication line 3, and based on the received input information, the same processing operation as the actual modules M1 to Mn. And the result is output to the inspection processing unit 16. The inspection processing unit 16 collates the output information of the actual modules M1 to Mn received through the communication line 3 with the simulated output information input from the simulation processing unit 15, and if both match, all the modules M1 to Mn are matched. Is determined to be normal. On the other hand, if there is a mismatch between the actual output information and the simulated output information, the module that generated the mismatched output information is determined to be abnormal.
[0022]
According to such a configuration, since it is possible to monitor online whether or not the modules M1 to Mn are normal on the central processing unit 1 side, the operation state of the modules can be checked very easily and quickly. The reliability and safety of the mobile control system using the module can be improved. In addition, since an abnormal module can be easily identified from the collation result, it is possible to quickly restore the mobile control system to a normal state by replacing the module.
[0023]
By the way, it is desirable that each module M1 to Mn has a fail-safe configuration in which the control output to the traffic light or the branching device stops in the event of a failure. Compared with this, the mounting area and power consumption increase.
When each of the modules M1 to Mn is configured by a semiconductor circuit, the configuration as in the second embodiment shown in FIG.
[0024]
FIG. 2 is a block diagram showing a main part of a second embodiment of the mobile control system according to the present invention. In addition, the same code | symbol is attached | subjected to the same element as 1st Embodiment, and description is abbreviate | omitted.
In FIG. 2, the present embodiment is the same as the configuration except that the inspection apparatus 14 of the central processing unit 1 is provided with power supply control circuits 17-1 to 17-n for controlling the power supply of the modules M1 to Mn. The configuration is the same as that of the first embodiment.
[0025]
In such a configuration, when the inspection processing unit 16 determines that the module M1 is abnormal, for example, the inspection processing unit 16 drives and controls the power supply control circuit 17-1 to stop the power supply of the module M1. If the module M2 is abnormal, the power supply control circuit 17-2 is driven and controlled to stop the power supply of the module M2. As a result, since the power supply of the module in which the abnormality has occurred can be forcibly stopped, it is possible to prevent an erroneous control output from being generated from the abnormal module even when the module is configured with a semiconductor circuit.
[0026]
Next, a third embodiment of the present invention is shown in FIG.
In FIG. 3, in the present embodiment, each of the modules M1 to Mn is provided with monitor circuits 20-1 to 20-n for monitoring a failure of the central processing unit 1, and the power supply line 21 of the central processing unit 1 is connected to the power supply line 21. In this configuration, switches 22-1 to 22-n that are turned off by abnormality detection outputs from the monitor circuits 20-1 to 20-n are provided. Other configurations are the same as those in the first embodiment or the second embodiment, and the illustration is omitted.
[0027]
In such a configuration, each of the monitor circuits 20-1 to 20-n monitors the transmission timing of the control command transmitted from the control unit 12 of the central processing unit 1, and if the control command is transmitted at a normal timing, The processing device 1 is determined to be normal, and if the transmission timing is not normal, the central processing device 1 is determined to be abnormal, and the switches 22-1 to 22-n are turned off to stop the power supply to the central processing device 1. .
[0028]
The central processing unit 1 monitors the operating state of each of the modules M1 to Mn. If the module is normal, the module is ready to generate a control output based on a control command with respect to a traffic light or a branching device. A control command is output to Therefore, if each control circuit 20-1 to 20-n receives a control command when its own module M1 to Mn is ready to receive a control command, the monitor circuit 20-1 to 20-n determines that the transmission timing is normal and the own module M1 to Mn. If the control command is input when Mn is in a state where the control command cannot be received, the transmission timing is determined to be abnormal, and the central processing unit 1 determines to be abnormal. If any one of the monitor circuits 20-1 to 20-n is determined to be abnormal, the corresponding switches of the switches 22-1 to 22-n interposed in the power supply line 21 are turned OFF by the abnormality detection output, The power supply to the central processing unit 1 is stopped and the operation of the central processing unit 1 is stopped.
[0029]
If a failure occurs in the central processing unit 1, the operation state of the modules M1 to Mn cannot be confirmed, but the operation state of the central processing unit 1 is confirmed by monitoring the operation state of the central processing unit 1 as in the third embodiment. Since the output is stopped when an abnormality occurs, it is possible to prevent erroneous control output from the modules M1 to Mn.
Further, when the second embodiment and the third embodiment are combined, the operation states of the modules M1 to Mn and the central processing unit 1 can be mutually confirmed, and the outputs are stopped in the event of an abnormality, respectively. And safety are further improved.
[0030]
Next, a fourth embodiment of the present invention will be described.
In the fourth embodiment, a straight line module is assigned to one straight section of the travel section, a branch module is assigned to one branch section, and module operations in the other sections are assigned to the simulation processing unit 15, The section to which the branching module is assigned is sequentially switched to check the operation state of the mobile control system.
[0031]
FIG. 4 is a block diagram showing the configuration of the fourth embodiment. In addition, the same code | symbol is attached | subjected to the same element as 1st Embodiment, and description is abbreviate | omitted.
In FIG. 4, the central processing unit 1 of the present embodiment includes a switching control unit 31, first to third switching circuits 32 to 34 controlled by the switching control unit 31, and a branching device group described later that is field equipment. 39 and a control output blocking unit 35 that blocks the control output output from the simulation processing unit 15 with respect to the traffic signal group 40 by the abnormality detection output of the inspection processing unit 16. Other configurations are the same as those in the first embodiment except that the input / output interface 11 is omitted and the output of the control unit 12 is directly input to the simulation processing unit 15. When It is the same composition.
[0032]
The straight line module 36 receives the moving body presence / absence information from a track circuit that is selectively switch-connectable to one of the track circuit groups 37 provided in all sections via the first switching circuit 32. The branching module 38 inputs the presence / absence information of the moving body from the track circuit connected to the one of the track circuit groups 37 via the first switching circuit 32 so as to be selectively switchable and connected, and the second switching circuit 33. A travel path opening confirmation signal and a non-convertible confirmation signal are input from a branching device that is selectively switchably connectable to one of the branching device groups 39 provided in all branching sections. The straight line module 36 and the branching module 38 are connected to the simulation processing unit 15 via the third switching circuit 34, and the transmission / reception path with the simulation module in the simulation processing unit 15 is selectively switched.
[0033]
The simulation processing unit 15 includes a control command from the control unit 12, input information from the track circuit and the branching device not connected to the straight line module 36 and the branching module 38 input from the first and second switching circuits 32 and 33, A control output is generated by a simulated operation process including the straight line module 36 and the branching module 38, and the branching device group 39 is connected via the control output blocking unit 35. , The signal is output to the traffic signal group 40.
[0034]
Straight line module 36 And branch module 38 Is the same configuration as the module used in each of the above-described embodiments, but has a fail-safe configuration in which output stops when a failure occurs.
Next, the operation will be described.
For example, the straight line module 36 and the branch module 38 are respectively assigned to any one straight section and branch section in the travel path. The switching control unit 31 performs switching control of the first and second switching circuits so that information from the track circuit and the branching device in the allocated straight section and branch section is input to the straight line module 36 and the branch module 38, respectively. In addition, the switching control unit 31 transmits and receives signals to and from the simulation processing unit 15 so that the simulation processing unit 15 operates as a module of a straight line section and a branch section assigned by the straight line module 36 and the branching module 38 in the simulation operation process. The path is switched by the third switching circuit 34. The inspection processing unit 16 stores the output results of the straight line module 36 and the branching module 38 and the output result of the simulation processing unit 15 at this time. Next, the switching control unit 31 switches and controls the first to third switching circuits 32 to 34 according to a predetermined switching pattern, and assigns the straight line module 36 and the branch module 38 to different straight line sections and branch sections, In this case, the output results of the straight line module 36 and the branching module 38 and the output result of the simulation processing unit 15 are stored. In this manner, the sections to which the straight line module 36 and the branch module 38 are assigned are sequentially switched at a high speed and assigned to all straight sections and branch sections, and the output result is stored each time.
[0035]
The inspection processing unit 16 determines that the simulation processing unit 15 is normal if all the output results stored in this way match. If there is a discrepancy in the output results, it is determined that there is an abnormality in the simulation processing unit 15, an abnormality detection output is output to the control output blocking unit 35, and control output to the branch device group 39 and the traffic signal group 40 is stopped. Thereby, the operation state of the simulation processing unit 15 can be confirmed. Then, by switching the section to which the straight line module 36 and the branching module 38 are allocated, the possibility that the same output result occurs even if a defect exists is reduced, and the detection of the defect in the simulation processing unit 15 is facilitated. .
[0036]
Next, a fifth embodiment of the present invention will be described.
The fifth embodiment shown in FIG. 5 has a configuration in which an alternative module is substituted when a failure occurs in a module. In addition, the same code | symbol is attached | subjected to the same element as 1st Embodiment, and description is abbreviate | omitted.
5, in this embodiment, the control unit 12 of the central processing unit 1 is connected to the modules M1 to Mn via the communication line 2, and the inspection device 14 is connected to the modules M1 to Mn via the communication line 3. In the same manner as in the first embodiment, the simulation processing unit 15 of the inspection apparatus 14 takes in a control command via the communication line 2 and takes in mobile control information transmitted / received between adjacent modules via the communication line 3. is there.
[0037]
Each module M1-Mn of this embodiment is the structure which transmits / receives mutual mobile body control information via the communication line 3. FIG. That is, identification information for each module is given to the mobile control information by the transmission source module, and whether each module M1 to Mn is information that should be received by the identification information added to the mobile control information. And receive only necessary information. Each module M <b> 1 to Mn transmits and receives information to and from the field device group 4 via the input / output interface 40 through the communication line 41.
[0038]
In the present embodiment, the simulation processing unit 15 of the inspection apparatus 14 is configured to incorporate information on the field device group 4 via the communication line 41.
Furthermore, in this embodiment, an alternative module Ms is provided in addition to the modules M1 to Mn. The substitute module Ms has the same logic processing function as each of the modules M1 to Mn, and the communication lines 2, 3, and 41 are also connected to the substitute module Ms.
[0039]
The inspection device 14 monitors the operating state of each of the modules M1 to Mn, and executes a replacement process between the failed module and the alternative module Ms when a malfunction of any module is detected.
In the figure, the configuration in which one alternative module is provided is shown, but a plurality of alternative modules may be provided. By doing so, even when a failure occurs in a plurality of modules, the interlock function can be maintained up to the number of alternative modules, and the mobile control system can be maintained. In addition, this mobile control system is basically composed of two types of modules: a straight line module assigned to a straight section and a branch module assigned to a branch section. An alternative module is provided.
[0040]
Next, the operation of the fifth embodiment will be described.
The inspection process of each module M1 to Mn in the inspection apparatus 14 is the same as that of the first embodiment, and the simulation processing unit 15 takes input information input to each module M1 to Mn, and actually executes the input based on the acquired input information. The same processing operations as those of the modules M1 to Mn are simulated and processed to obtain simulated output information. The simulated output information and the actual output information of each of the modules M1 to Mn are compared and collated by the inspection processing unit 16, and a match / mismatch is determined to monitor normality / abnormality of the modules M1 to Mn. If it is determined that there is a problem, the module in which the problem has occurred is disconnected from the communication line 3, and at the same time, the substitute module Ms is operated to replace the function of the module in which the problem has occurred with the substitute module Ms. For example, as shown in FIG. 2, the power supply control circuit 17 is used to shut off the operating power of the corresponding defective module, or the command from the central processing unit 1 side is used as the disconnection operation of the defective module. The faulty module itself executes the disconnection process from the communication line 3.
[0041]
According to such a configuration, even when a failure occurs in the module, the replacement module Ms substitutes its function, so that the mobile control system can be maintained without being down, and the reliability and safety of the mobile control system can be maintained. It can be improved.
next, Reference example Will be described.
As shown in FIG. Reference example Is a configuration in which the module itself diagnoses normality / abnormality. In addition, the same code | symbol is attached | subjected to the same element as 5th Embodiment, and description is abbreviate | omitted.
[0042]
In FIG. Reference example Then, the central processing unit 1 does not include the inspection device 14 and includes the input / output interface 11 and the control unit 12. Each of the modules M1 to Mn includes a diagnostic circuit 50-1 to 50-n for self-diagnosis of its own normality / abnormality and has a self-diagnosis function. The alternative module Ms includes a monitoring circuit 51 that monitors normality / abnormality of each of the modules M1 to Mn in addition to the diagnostic circuit 50-s.
[0043]
Each of the diagnostic circuits 50-1 to 50-n and 50-s includes, for example, two CPUs that execute the same processing operation. The processing results of the respective CPUs are collated with each other. If it occurs, it is determined as abnormal.
The monitoring circuit 51 in the alternative module Ms receives a signal indicating a diagnosis result from each module M1 to Mn, and monitors normality / abnormality of each module M1 to Mn.
[0044]
next, Reference example The operation of will be described.
Each of the modules M1 to Mn performs a self-diagnosis operation by the diagnosis circuits 50-1 to 50-n in addition to the original transmission / reception operation of the mobile control information. When the diagnosis circuits 50-1 to 50-n determine that the circuit is normal, a signal indicating the diagnosis result (hereinafter referred to as LV signal) is output to the communication line 3. This LV signal is output in a state in which it can be identified from which module, and is output as LV = 1 in a normal state and LV = 0 in an abnormal state. The monitoring circuit 51 of the alternative module Ms receives the LV signal of each of the modules M1 to Mn via the communication line 3, the module that outputs LV = 1 is considered normal, and the module that outputs LV = 0 is considered abnormal. . Each module M1 to Mn stops its own output when its own diagnostic circuit diagnoses an abnormality. Therefore, when an abnormality occurs, the signal transmission / reception operation is stopped and the communication line is substantially disconnected. . On the other hand, when the substitute module Ms receives the signal of LV = 0, the substitute module Ms confirms the module in which the malfunction has occurred from the signal of LV = 0, and executes the function of the module in which the malfunction has occurred. This has the same effect as the fifth embodiment.
[0045]
these Fifth embodiment and reference examples In addition to the above-described effects, the following advantages can be obtained by providing a replacement module as described above and replacing the module with a replacement module when a failure occurs in the module.
When the module is composed of an electronic circuit, as a measure for improving the reliability of this type of mobile control system, it is common to adopt a dual system configuration in which two modules (modules M1 to Mn) are prepared. is there. In a normal dual system configuration, if a problem occurs in one system, the entire system is switched to another system. However, not all faulty modules have a fault, and there is usually one faulty module and the other modules are normal. Therefore, in the case of a normal double system configuration, there is a drawback that many normal modules in a system in which a problem has occurred are not used. On the other hand, as mentioned above Fifth embodiment and reference examples If the defective module is replaced with a replacement module as described above, it is only necessary to replace the defective module, and a normal module can be used as it is. Therefore, it is possible to eliminate the waste of the module as compared with a general dual system configuration, and it is possible to improve the reliability of this type of mobile control system at a low cost.
[0046]
【The invention's effect】
As described above, according to the present invention, module abnormality can be easily monitored on the intermediate processing device side online, and the reliability and safety of the mobile control system can be improved.
In addition, the module and the central processing unit are mutually monitored. Constitution By doing so, the reliability and safety of the mobile control system can be further improved.
[0047]
In addition, if the power supply of the module in which an abnormality has occurred is stopped, the output of the module can be stopped in the event of an abnormality, so that the module can be configured with a semiconductor circuit, and the module can be made compact and save power. Can do. And if it is set as the structure which stops the power supply of the central processing unit in which abnormality generate | occur | produced, since the output of a central processing unit can be stopped at the time of abnormality occurrence, the reliability and safety | security of a mobile body control system can be improved.
[0048]
In addition, if the replacement module is prepared online and can be replaced with a defective module, the function of the mobile control system can be maintained even if a fault occurs in the module. Reliability and safety can be greatly improved. Furthermore, module waste can be eliminated compared to a normal dual system configuration in which two systems having the same configuration for executing the same processing are provided.
[Brief description of the drawings]
FIG. 1 is a block diagram showing a configuration of a first embodiment of the present invention.
FIG. 2 is a principal block diagram showing a configuration of a second embodiment of the present invention.
FIG. 3 is a principal block diagram showing a configuration of a third embodiment of the present invention.
FIG. 4 is a block diagram showing a configuration of a fourth embodiment of the present invention.
FIG. 5 is a block diagram showing a configuration of a fifth embodiment of the present invention.
[Fig. 6] Reference example Block diagram showing the configuration of
[Explanation of symbols]
1 Central processing unit
2, 3, 40 Communication line
4 Field equipment group
12 Control unit
14 Inspection equipment
15 Simulation processing section
16 Inspection processing section
17-1 to 17-n Power supply control circuit
21-1 to 21-n monitor circuit
22-1 to 22-n switch
31 Switching control unit
32 First switching circuit
33 Second switching circuit
34 Third switching circuit
35 Control output shut-off section
50-1 to 50-n, 50-s diagnostic circuit
51 Monitoring circuit
M1-Mn module
Ms alternative module

Claims (8)

Dividing the traveling path of the mobile body into a plurality of sections, assigning modules to each section, wiring each module in accordance with the connection state of the sections, and transmitting and receiving mobile body control information between the modules into one section In a mobile body control system that controls the travel of a mobile body to allow only one mobile body to travel,
The central processing unit that is communicably connected to each module and outputs control command information related to mobile body travel control, monitors the input information that is input to each module, and the actual each module based on the monitor information A simulation processing unit that performs the same processing operation as the simulation, and the actual output information generated from each module based on the input information and the simulated output information generated from the simulation processing unit The inspection apparatus has an inspection processing unit that determines whether or not the output information and the simulated output information coincide with each other and checks whether or not the operation of each module is normal based on the determination result. Body control system.   The mobile body control system according to claim 1, wherein the inspection device is configured to stop power supply to a module that is determined to be abnormal by the inspection processing unit. The inspection apparatus includes a power supply control circuit for controlling the power supply of the module for each module, and drives the power supply control circuit corresponding to the module determined to be abnormal based on the abnormality detection output of the inspection processing unit. mobile control system according to claim 2 is configured to stop the power supply.   Each module is provided with a monitor circuit for monitoring whether or not the central processing unit is normal, and a switch that is ON / OFF controlled by each monitor circuit is connected in series to the power supply line of the central processing unit. The mobile body control system according to any one of claims 1 to 3, wherein the mobile body control system is interposed.   Each of the monitor circuits monitors whether the control command information transmitted from the central processing unit is normal or not, and determines whether the central processing unit is abnormal when the transmission timing is abnormal. The mobile body control system according to claim 4, wherein the mobile body control system is configured to perform OFF control on the vehicle.   The number of modules less than the total number of sections of the travel path is provided, the mobile control information is transmitted and received between the actual module and the simulation processing unit, and the modules in sections other than the actual module allocation section The processing operation is performed by the simulation processing unit, and the mobile unit control information transmission / reception path between the actual module and the simulation processing unit is selectively switched to sequentially change the allocation interval of the actual module. 2. The mobile control system according to claim 1, wherein an output result of an actual module and a simulation processing unit for each module allocation section change is compared by the inspection processing unit, and whether or not normal is determined based on the comparison result. .   The mobile control system according to claim 6, wherein the actual modules are a straight line module assigned to a straight section and a branch module assigned to a branch section including a branching section.   Connect to all modules, connect at least one alternative module having the same function as each module to a communication line for transmitting and receiving the mobile control information between the modules, and assign to each section by the inspection device The mobile body control system according to claim 1, wherein when an abnormality of a detected module is detected, an operation process of the abnormality module is performed by the alternative module.

Images