JP7137994B2 - SIMULATION METHOD, SIMULATION SYSTEM AND PROGRAM - Google Patents

Description

The present invention relates to simulation methods, simulation systems, and programs.

A control system that controls robots, airplanes, etc. is composed of various devices, and each device operates based on the software installed in each device. When constructing a new control system, there is a known technology that uses MATLAB (registered trademark) or the like to model the control system into a plurality of functional blocks and simulate the operation of the control system (for example, Patent Document 1 ).

Japanese Patent No. 5651251

Each device that constitutes a control system is often produced individually by different companies, and when the control system as a whole is operated, defects are found here and there. As a result, it took a lot of time and effort to coordinate among manufacturers and re-implement device software. However, Patent Document 1 only provides a technique for improving the speed of parallel execution of logical processes, and has the problem that it is not possible to predict abnormalities that occur in each device when the control system as a whole operates. .

Accordingly, it is an object of the present invention to provide a simulation method, a simulation system, and a program capable of predicting abnormalities occurring in each device that constitutes a control system.

A simulation method of the present invention is a method for simulating the operation of a system including a plurality of devices and a communication network connecting the plurality of devices, wherein the operations of the plurality of devices and the communication between the plurality of devices are performed. setting logical processes that respectively define operations on a network; setting a timetable according to the plurality of devices; and causing the plurality of devices to execute the defined logical processes in parallel according to the timetable. and a step.

According to this method, the operation of a plurality of devices and the network operation between the plurality of devices can be simulated. Therefore, the operation of the system can be confirmed without actually constructing the system and operating the system as a whole.

Also, it is preferable to further include the step of detecting an abnormality in the plurality of devices and an abnormality in communication between the plurality of devices based on execution results of the logical process.

According to this method, it is possible to simulate an abnormality that occurs in the operation of a plurality of devices and in the network operation between the plurality of devices. Therefore, an abnormality occurring in the system can be predicted without actually constructing the system and operating the system as a whole.

Preferably, in the step of detecting the communication abnormality, the communication abnormality is detected based on specification information of the plurality of devices.

According to this method, it is possible to detect anomalies that occur in the operations of a plurality of devices and network operations between the plurality of devices based on the difference from the specification information. Therefore, anomalies occurring in the system can be predicted with higher accuracy.

The system preferably comprises a redundant system including an active system and a standby system, and further includes a step of switching from the active system to the standby system when the communication abnormality is detected.

According to this method, it is possible to simulate the operation of a plurality of devices and the network operation between the plurality of devices in a system having a redundant system. Therefore, the operation of the system can be confirmed with higher accuracy without actually constructing the system and operating the system as a whole.

Further, in the step of detecting the communication abnormality, when the communication abnormality is continuously detected and the operation system is not switched to the standby system, the abnormality is detected, and the communication abnormality is detected continuously. It is preferable to detect that there is an abnormality when the active system is switched to the standby system when the system is not detected.

According to this method, it is possible to simulate an abnormality that occurs in the operation of a plurality of devices that occurs in a system with a redundant system and in the network operation between the plurality of devices. Therefore, it is possible to predict an abnormality occurring in a system having a redundant system without actually constructing the system and operating the system as a whole.

A simulation system of the present invention generates a system model simulating a system including a plurality of devices and a communication network connecting the plurality of devices, and generates a system model that simulates the operation of the plurality of devices and the communication network between the plurality of devices. a logical process setting unit that sets logical processes that respectively define operations in the above; a timetable setting unit that sets a timetable according to the plurality of devices; and a logical process execution unit for parallel execution according to the table.

According to this configuration, it is possible to simulate an abnormality that occurs in the operation of a plurality of devices and in the network operation between the plurality of devices. Therefore, an abnormality occurring in the system can be predicted without actually constructing the system and operating the system as a whole.

A program of the present invention is a program for causing a computer to simulate the operation of a system including a plurality of devices and a communication network connecting the plurality of devices, wherein the computer controls the operations of the plurality of devices and a step of setting logical processes respectively defining operations on the communication network between the plurality of devices; a step of setting a timetable according to the plurality of devices; and the logical processes defined for the plurality of devices. are executed in parallel according to the timetable.

According to this program, it is possible to simulate an abnormality that occurs in the operation of a plurality of devices and in the network operation between the plurality of devices. Therefore, an abnormality occurring in the system can be predicted without actually constructing the system and operating the system as a whole.

FIG. 1 is a schematic diagram showing an example of the configuration of an actual control system for constructing a control system model in an embodiment of the present invention. FIG. 2 is a block diagram showing an example of a control system model modeling the control system according to the embodiment of the present invention. FIG. 3 is a block diagram showing an example configuration of a device model of the control system model according to the embodiment of the present invention. FIG. 4 is an example of a time chart set in the control system model according to the embodiment of the present invention. FIG. 5 is a block diagram showing the configuration of the simulation system according to the embodiment of the invention. FIG. 6 is a flow chart showing an example of the operation flow of the simulation device according to the embodiment of the present invention. FIG. 7 is a block diagram showing an example of a redundant control system model according to the embodiment of the present invention. FIG. 8 is a sequence diagram showing an example of the operation flow of the redundant control system model according to the embodiment of the present invention. FIG. 9 is a sequence diagram showing an example of the operation flow of the redundant control system model according to the embodiment of the present invention. FIG. 10 is a sequence diagram showing an example of the operation flow of the redundant control system model according to the embodiment of the present invention. FIG. 11 is a sequence diagram showing an example of the flow of operations when there is an abnormality in the redundant control system model according to the embodiment of the present invention. FIG. 12 is a sequence diagram showing an example of the flow of operations when there is an abnormality in the redundant control system model according to the embodiment of the present invention.

Embodiments according to the present invention will be described in detail below with reference to the accompanying drawings. It should be noted that the present invention is not limited by this embodiment, and when there are a plurality of embodiments, a combination of each embodiment is also included.

The configuration of the system modeled in the embodiment of the present invention will be described with reference to FIG. FIG. 1 is a schematic diagram showing an example of the configuration of a control system to be modeled.

As shown in FIG. 1, the control system 1 includes a first device 2-1, a second device 2-2, . including. The first device 2-1 to the Nth device 2-N are connected to each other via the communication network 3 so as to be able to communicate with each other. A control system 1 is, for example, a control system that controls an airplane, a rocket, or the like.

Each of the first device 2-1 to the Nth device 2-N comprises an application, middleware, an OS (Operating System), and hardware. Here, the OS is, for example, an embedded OS such as TOPPERS (Toyohashi Open Platform for Embedded Real-Time Systems). The first device 2-1 to the Nth device 2-N share middleware, OS, and hardware, and differ only in applications. The first device 2-1 to the Nth device 2-N measure physical quantities according to applications, respectively, in order to control airplanes, rockets, and the like. Physical quantities measured by the first device 2-1 to the Nth device 2-N are not particularly limited, but are, for example, the angle and acceleration of the airframe. In this embodiment, the application is assumed to be written in C language, for example. The first device 2-1 to the Nth device 2-N are devices that operate independently. Specifically, in order to synchronize the first device 2-1 to the Nth device 2-N, one of the first device 2-1 to the Nth device 2-N is, for example, , outputs synchronization signals to other devices at intervals of 32 milliseconds. Each device performs an operation according to the application on the basis of the synchronization signal.

The communication network 3 is a network that connects each of the first device 2-1 to the Nth device 2-N so as to be able to communicate with each other. Although the communication network 3 is not particularly limited, communication standards such as MIL-STD-1553B and Ethernet (registered trademark) are used.

Next, a system model generated by simulating an actual system will be described with reference to FIG. FIG. 2 is a block diagram showing a control system model simulating the control system 1 shown in FIG. In this embodiment, a system model that simulates the control system 1 is constructed by software, and the operation of the control system 1 is simulated by simulation.

As shown in FIG. 2, the control system model 10 includes a first equipment model 11-1, a second equipment model 11-2, . 12. The control system model 10 is configured on the model editor by a plurality of blocks and connections representing transmission and reception of signals between the blocks.

In this embodiment, the control system model 10 is generated by, for example, Simulink (registered trademark) operating on MATLAB. Specifically, in the present embodiment, a control system model 10 is generated by arranging control blocks corresponding to devices using the Simulink function, and a closed loop simulation is executed.

The configuration of each device model will be described with reference to FIG. FIG. 3 is a block diagram showing the configuration of the first equipment model 11-1. The configuration of the second device model 11-2 to the N-th device model 11-N is the same as that of the first device model 11-1, so the explanation is omitted.

As shown in FIG. 3, the first device model 11-1 has a simulated application 13, a simulated middleware 14, and a simulated OS 15. FIG.

The simulated application 13 is an application of the first device 2-1 generated based on the specification of the application installed in the first device 2-1 shown in FIG. 1 and the specification regarding redundancy. This model simulates In this case, the simulated application 13 is preferably written in the same language as the application of the first device 2-1. Specifically, when the application of the first device 2-1 is written in C language, the simulated application 13 is preferably written in C language.

The simulated middleware 14 is a model that simulates the middleware of the first device 2-1, which is generated based on the specifications of the middleware of the first device 2-1 shown in FIG.

The simulated OS 15 is a model simulating the OS of the first device 2-1, which is generated based on the specifications of the OS of the first device 2-1 shown in FIG. The simulated OS 15 is composed of source code, for example, and is configured so that the simulated application 13 operates only at predetermined times. Therefore, the first equipment model 11-1 to the N-th equipment model 11-N constituting the control system model 10 simulate the operation of the corresponding equipment according to a predetermined timetable. The timetable can be changed according to the design of the first equipment model 11-1 to the Nth equipment model 11-N.

Refer to FIG. 2 again. The virtual communication network 12 is a model simulating the communication network 3 of the first device 2-1, which is generated based on the specifications of the communication network 3 of the first device 2-1 shown in FIG. Here, the virtual communication network 12 does not have to be a model that completely simulates the communication network 3, and may be a model that simply simulates it. That is, the virtual communication network 12 virtually realizes, for example, 1553B communication and Ethernet. A first device model 11-1 to an N-th device model 11-N are connected to the virtual communication network 12. FIG. As a result, each of the first device model 11-1 to the Nth device model 11-N can transmit and receive data via the virtual communication network 12. FIG. At this time, the virtual communication network 12 can simulate variations in processing time due to differences in load and variations in execution time due to differences in operations.

In this embodiment, the first device model 11-1 to Nth device model 11-N are generated based on the specifications of the first device 2-1 to Nth device 2-N, respectively. there is The virtual communication network 12 is generated based on the specifications of the communication network 3 . Therefore, in this embodiment, each device and the modeled interface of each device match, so that a timetable that can simulate and execute a desired operation according to the specifications of each device can be generated. can be done. Moreover, in this embodiment, not only the communication network 3 connected to each device but also the power supply connected to each device is modeled, and the operation of the power supply can be simulated and operated. Therefore, in this embodiment, for example, in a simulation system to be described later, the behavior of the control system 1 on the network according to the timetable can be simulated.

An example of the timetable will be described with reference to FIG. FIG. 4 is a diagram showing an example of a timetable.

In FIG. 4, four device models of a first device model 11-1, a second device model 11-2, a third device model 11-3, and a fourth device model 11-4 are shown. Shows a timetable for operation. The numbers "1" to "24" in the timetable indicate the order in which the respective device models simulate the corresponding device operations. The timetable shown in FIG. 4 has 16 time intervals from T1 to T16, and the first equipment model 11-1 to the fourth equipment model 11-4 operate within the divided intervals. is configured to The intervals T1 to T16 have the same time interval, for example 200 microseconds to 300 microseconds. In this way, after dividing the 32 milliseconds, which is the interval for outputting the synchronization signal, into short times, the first equipment model 11-1 to the fourth equipment model 11-4 are operated periodically. As a result, it is possible to perform a simulation in which a plurality of devices are operating simultaneously in the divided section. The timetable shown in FIG. 4 is an example and does not limit the present invention. The order of simulating the operation of the device corresponding to each device model and the time interval can be arbitrarily changed according to the design.

Specifically explaining the timetable of FIG. 4 means that the operation of the corresponding equipment is simulated in order. In the section T1, for example, the first equipment model 11-1 outputs a synchronization signal to simulate the operation of synchronizing with the second equipment model 11-2 to the fourth equipment model 11-4.

In the section T2 and the section T3, only the first device model 11-1 simulates the operation of the corresponding device. Here, for example, the first device 2-1 simulates the operation of detecting a specific physical quantity with a sensor.

In the section T4 and the section T5, the first device model 11-1 and the second device model 11-2 simulate the operation of the corresponding devices. Here, for example, the operation of transmitting the detection result detected by the first device 2-1 to the second device 2-2 is simulated.

In the section T6 and the section T7, the operation of the corresponding equipment is simulated by the first equipment model 11-1 and the third equipment model 11-3. Here, for example, the operation of transmitting the detection result detected by the first device 2-1 to the third device is simulated.

In the section T8, the first equipment model 11-1 and the fourth equipment model 11-4 simulate the operation of corresponding equipment. Here, for example, the operation of transmitting the detection result detected by the first device 2-1 to the fourth device is simulated.

From section T9 to section T11, the first device model 11-1 to the fourth device model 11-4 do not simulate the operation of the corresponding device, respectively.

In the section T12 and the section T13, the operation of the corresponding devices of the first device model 11-1 and the second device model 11-2 is simulated. Here, for example, the second device 2-2 simulates the operation of transmitting feedback to the first device 2-1 on the detection result received from the first device 2-1.

In the section T14 and the section T15, the operation of the corresponding devices of the first device model 11-1 and the third device model 11-3 is simulated. Here, for example, the third device simulates the operation of sending feedback to the first device 2-1 on the detection result received from the first device 2-1.

In section T16, the operation of each corresponding device is not simulated.

As described above, in this embodiment, each device that normally operates independently can be simulated in such a manner that two or more devices operate simultaneously in one section according to the timetable. can. In this embodiment, as a result of simulating according to the timetable, it is determined that there is an abnormality when a result different from the timetable is output.

Next, the configuration of the simulation system according to the embodiment of the present invention will be described using FIG. FIG. 5 is a block diagram showing the configuration of the simulation system according to the embodiment of the invention.

As shown in FIG. 3, the simulation system 100 includes an operation unit 110, a display unit 120, and a simulation device .

The operation unit 110 is, for example, an input device configured by a touch panel or a keyboard. The user can cause the simulation device 130 to perform various functions by operating the operation unit 110 . The user, for example, operates the operation unit 110 to input product information including specifications of each device constituting the control system 1 in source code. The product information input by the user in source code is stored as the specification information 153 in the storage unit 150 of the simulation device 130, which will be described later. Further, the user can update the specifications of each device by operating the operation unit 110 and rewriting the source code of the specification information 153 .

The display unit 120 is a display including, for example, a liquid crystal display (LCD) or an organic EL (organic electro-luminescence) display. The display unit 120 provides the user with, for example, simulation results.

The simulation device 130 is a device that executes a simulation of the control system 1 and includes a control section 140 and a storage section 150 .

The control unit 140 controls the simulation system 100 . Specifically, the control unit 140 controls the simulation system 100 by developing and executing a program stored in the storage unit 150 . The control unit 140 can generate the control system model 10 by developing and executing the simulation program 151 stored in the storage unit 150, for example. The control unit 140 can be realized by, for example, an electronic circuit including a CPU (Central Processing Unit).

Storage unit 150 stores a program for control unit 140 to control simulation device 130 . The storage unit 150 is, for example, a semiconductor memory device such as RAM (Random Access Memory), ROM (Read Only Memory), or flash memory, or a storage device such as a hard disk, solid state drive, or optical disk. The storage unit 150 stores a simulation program 151, simulation result information 152, and specification information 153, for example.

Next, the controller 140 will be specifically described. The control unit 140 has a logical process setting unit 141 , a timetable setting unit 142 , a logical process execution unit 143 and an abnormality detection unit 144 .

The logical process setting unit 141 sets logical processes that respectively define operations of a plurality of devices and network operations among the plurality of devices. Specifically, the logical process setting unit 141 develops and executes the simulation program 151 stored in the storage unit 150 to generate the control system model 10 . Then, the logical process setting unit 141 executes the operation desired by the user with respect to the first equipment model 11-1 to the N-th equipment model 11-N constituting the control system model 10 and the virtual communication network 12. set up a logical process to Here, the “logical process” means a program for executing an operation simulating the operation of the control system 1 . Setting a logical process means setting a program for causing the control system model 10 to perform an operation desired by the user.

The timetable setting unit 142 sets a timetable corresponding to the first to N-th device models 11 - 1 to 11 -N constituting the control system model 10 and the virtual communication network 12 . Specifically, the timetable setting unit 142 sets a timetable according to each device based on the specification information 153 indicating the product information of each device stored in the storage unit 150 . Since the timetable setting unit 142 is based on the specification information 153, the timetable can be set so as to perform the optimum operation. Optimal operation is, for example, operation that minimizes the time required to operate each device.

The logical process executing section 143 executes the logical process specified by the logical process setting section 141 in the control system model 10 according to the timetable set by the timetable setting section 142 . That is, the logic process execution unit 143 executes a simulation that imitates the operation of the control system 1 . The logic process execution unit 143 outputs simulation results to the display unit 120 . This provides the user with simulation results. The logic process execution unit 143 stores the simulation result in the storage unit 150 as simulation result information 152 .

The abnormality detection unit 144 compares the result of the simulation executed by the logical process execution unit 143 with the expected value of the execution result of the preset operation. Thereby, the abnormality detection unit 144 detects the difference between the simulation result and the expected value.

Specifically, the abnormality detection unit 144 calculates a desired simulation result of the set logical process based on the timetable and the specification information 153 . The abnormality detection unit 144 detects a difference from the desired simulation result by comparing the simulation result information 152 and the desired simulation result. Specifically, when the simulation result information 152 by the abnormality detection unit 144 and the desired simulation result match, the user can determine that the control system 1 operates normally. On the other hand, if the simulation result information 152 and the desired simulation result do not match, the user will either determine whether the preset expected value is wrong, the executed program is wrong, or the configuration of the control system 1 is wrong. It can be determined that

The operation flow of the control unit 140 of the simulation device 130 will be described with reference to FIG. FIG. 6 is a flow chart showing the operation flow of the control unit 140. As shown in FIG.

First, the control unit 140 sets logical processes that respectively define operations of a plurality of devices and network operations between the plurality of devices (step S11). And the control part 140 progresses to step S12.

The control unit 140 sets a timetable corresponding to a plurality of devices for the logical process (step S12). And the control part 140 progresses to step S13.

The control unit 140 executes the set logical processes in parallel according to a timetable set according to a plurality of devices (step S13). And the control part 140 progresses to step S14.

The control unit 140 compares the result of the simulation executed in step S13 with a predetermined desired result (step S14). And the control part 140 progresses to step S15.

If the simulation result and the desired result match ("Yes" in step S15), the control unit 140 proceeds to step S16 and determines that the control system 1 operates normally (step S16). Then, control unit 140 terminates the operation of FIG.

On the other hand, if the simulation result and the desired result do not match ("No" in step S15), the control unit 140 proceeds to step S17 and determines that the control system 1 has an abnormality (step S17). Then, control unit 140 terminates the operation of FIG.

With reference to FIG. 7, an example of a system that executes an operation when an abnormality occurs in the control system in this embodiment will be described. FIG. 7 is a diagram showing an example of a control system with a redundant system.

As shown in FIG. 7, the control system 1A includes an actuator 20, an active system 30, and a standby system 40. As shown in FIG.

The active system 30 includes a first controller 31 and a first sensor 32 . The first controller 31 can be realized, for example, by an electronic circuit including a CPU. A first sensor 32 measures a specific physical quantity. In the control system 1A, the first controller 31 controls the first sensor 32 to measure a specific physical quantity. The first controller 31 controls the actuator 20 according to the physical quantity measured by the first sensor 32 .

The standby system 40 has a second controller 41 and a second sensor 42 . The standby system 40 is a redundant system of the active system 30 . The second controller 41 and the second sensor 42 perform operations similar to those of the first controller 31 and the first sensor 32, respectively.

A desired operation flow in the control system 1A will be described with reference to FIGS. 8, 9, and 10. FIG. FIG. 8 is a sequence diagram showing an example of the operation of the control system 1A when no communication abnormality occurs. FIG. 9 is a sequence diagram showing an example of the operation of the control system 1A when a communication error occurs once. FIG. 10 is a sequence diagram showing an example of the operation of the control system 1A when communication abnormalities occur consecutively. It is assumed that the operational flow of FIGS. 8, 9, and 10 is the desired flow of the logical process executed by simulation system 100. FIG.

A desired operation flow of the control system 1A when no communication abnormality occurs will be described with reference to FIG.

The first controller 31 requests sensor data by transmitting an inquiry to the first sensor 32 (step S101). The first sensor 32 transmits the sensor data obtained by measuring the physical quantity to the first controller 31 according to the inquiry (step S102). The first controller 31 transmits a command A to the actuator 20 to cause the actuator 20 to perform an operation according to the received sensor data (step S103).

In parallel with steps S101 to S103, the second controller 41 requests sensor data by sending an inquiry to the second sensor 42 (step S104). The second sensor 42 transmits the sensor data obtained by measuring the physical quantity to the second controller 41 according to the inquiry (step S105). Here, the sensor data transmitted by the second sensor 42 is the same as the sensor data transmitted by the first sensor 32 to the first controller 31 in step S102. The second controller 41 transmits a command B to the actuator 20 to cause the actuator 20 to perform an operation according to the received sensor data (step S106).

The actuator 20 normally adopts the command A received from the first controller 31, which is the operating system (step S107). Actuator 20 performs an operation according to command A. FIG.

Thereafter, as shown in steps S108 to S114, the operations of steps S101 to S107 are repeated.

With reference to FIG. 9, the desired operation flow of the control system 1A when a communication error occurs once will be described.

Since steps S201 to S207 are the same as steps S101 to S107, the description thereof is omitted.

The first controller 31 sends an inquiry to the first sensor 32 (step S208). When the first controller 31 cannot receive the sensor data from the first sensor 32 due to a communication error or the like, it transmits the command A transmitted in step S203 to the actuator 20 (step S209).

Steps S210 to S212 repeat the operation of steps S204 to S206, and thus description thereof is omitted.

If the communication error is the first time, the actuator 20 adopts the command A received from the first controller 31, which is the operating system (step S213). In this case, the actuator 20 performs the same operation as that performed in step S207.

Thereafter, as shown in steps S214 to S220, the operations of steps S101 to S107 are repeated.

A desired operation flow of the control system 1A when communication abnormalities occur consecutively will be described with reference to FIG.

Since steps S301 to S313 are the same as steps S201 to S213, the description thereof is omitted.

The first controller 31 sends an inquiry to the first sensor 32 (step S314). When the first controller 31 cannot continuously receive sensor data due to a communication error or the like, it transmits a command A indicating that there is an error to the actuator 20 (step S315).

Steps S316 to S318 repeat the operation of steps S304 to S306, and thus description thereof is omitted.

When the actuator 20 receives the command A indicating that there is an abnormality, it adopts the command B (step S319). In this case, the actuator 20 performs the operation according to the command B.

Thereafter, as shown in steps S320 to S323, the operations of steps S316 to S319 are repeated.

A method for the simulation system 100 to detect a device abnormality or a communication abnormality will be described with reference to FIGS. 11 and 12. FIG. FIG. 11 is a sequence diagram showing an example of abnormal operation of the control system 1A when no communication abnormality occurs. FIG. 12 is a sequence diagram showing an example of abnormal operation of the control system 1A when a communication abnormality occurs once.

An example of a method for the simulation system 100 to detect an abnormality in the control system 1A when no communication abnormality has occurred will be described with reference to FIG. 11 .

Since steps S401 to S414 are the same as steps S101 to S114, the description thereof is omitted. Further, since steps S415 to S420 repeat steps S101 to S106, description thereof will be omitted.

The actuator 20 adopts the command B (step S421). In this case, the actuator 20 performs the operation according to the command B. However, when no communication error has occurred, the actuator 20 is desired to adopt command A, as shown in FIG. The control unit 140 of the simulation system 100 compares the desired flow of operation when no communication error occurs as shown in FIG. 8 with the actual simulation result shown in FIG. Abnormalities that occur can be predicted. Accordingly, the control unit 140 of the simulation system 100 determines that the flow of operations in FIG. 11 is abnormal.

With reference to FIG. 12, an example of a method of detecting an abnormality by the simulation system 100 in the control system 1A when communication abnormality occurs once will be described.

Since steps S501 to S508 are the same as steps S201 to S208, the description thereof is omitted.

The 1st controller 31 transmits the command A which shows that there was abnormality (step S509). Since steps S510 to S512 are the same as steps S210 to S212, the description thereof is omitted.

Since the actuator 20 has received the command A indicating that there is an abnormality, it adopts the command B (step S513). In this case, the actuator 20 performs the operation according to the command B. Since steps S514 to S519 are repetitions of steps S201 to S206, description thereof will be omitted. In this case, the actuator 20 adopts the command B despite having received the command A (step S520).

However, when the communication error occurs for the first time, as shown in FIG. 9, it is desired that command A of step S503 is transmitted and the actuator 20 adopts command A of step S503. The simulation system 100 compares the desired flow of operation in the case where the communication abnormality shown in FIG. 9 occurs once and the actual simulation result shown in FIG. can be predicted. Accordingly, the control unit 140 of the simulation system 100 determines that the flow of operations in FIG. 12 is abnormal.

As described above, in the control system in which a plurality of devices are connected via a communication network, the operation of the control system can be checked without actually constructing the control system. Thereby, this embodiment can predict an abnormality that occurs in the control system.

In this embodiment, the case of predicting a communication abnormality between devices has been described, but this is an example and does not limit the present invention. This embodiment can also detect anomalies that occur in devices, such as outputting erroneous signals.

1, 1A control system 2-1 first device 2-2 second device 2-N Nth device 3 communication network 10 control system model 11-1 first device model 11-2 second device model 11 -Nth device model 12 virtual communication network 13 simulated application 14 simulated middleware 15 simulated OS
20 actuator 30 operating system 31 first controller 32 first sensor 40 standby system 41 second controller 42 second sensor 100 simulation system 110 operation unit 120 display unit 130 simulation device 140 control unit 141 logical process setting unit 142 timetable setting unit 143 logical process execution unit 144 abnormality detection unit 150 storage unit 151 simulation program 152 simulation result information 153 specification information

Claims (5)

A method of simulating the operation of a system comprising a plurality of devices and a communication network connecting the plurality of devices, comprising:
setting up logical processes respectively defining operations of the plurality of devices and operations on the communication network between the plurality of devices;
setting a timetable according to the plurality of devices;
causing the plurality of devices to execute the defined logical processes in parallel according to the timetable;
calculating a desired simulation result of the logic process based on the timetable and the specification information of the plurality of devices;
detecting an abnormality in the plurality of devices and an abnormality in communication between the plurality of devices based on the difference between the execution result of the logic process and the simulation result;
including,
simulation method. The system is composed of a redundant system including an active system and a standby system,
further comprising switching from the active system to the standby system when the communication abnormality is detected;
The simulation method according to claim 1 . In the step of detecting the communication abnormality, when the communication abnormality is continuously detected and the operation system is not switched to the standby system, the abnormality is detected, and the communication abnormality is not continuously detected. Detecting an abnormality when switching from the active system to the standby system in the case of
The simulation method according to claim 2 . A system model simulating a system including a plurality of devices and a communication network connecting the plurality of devices is generated, and operations of the plurality of devices and operations on the communication network between the plurality of devices are defined respectively. a logical process setting unit for setting a logical process;
a timetable setting unit that sets a timetable according to the plurality of devices;
a logical process execution unit for executing the logical processes set in the plurality of devices in parallel according to the timetable;
A desired simulation result of the logical process is calculated based on the timetable and the specification information of the plurality of devices, and the plurality of devices is calculated based on the difference between the execution result of the logical process and the simulation result. an anomaly detection unit that detects an anomaly of the device and an anomaly in communication between the plurality of devices ;
simulation system. A program for causing a computer to simulate the operation of a system including a plurality of devices and a communication network connecting the plurality of devices,
to the computer;
setting up logical processes respectively defining operations of the plurality of devices and operations on the communication network between the plurality of devices;
setting a timetable according to the plurality of devices;
causing the plurality of devices to execute the defined logical processes in parallel according to the timetable;
calculating a desired simulation result of the logic process based on the timetable and the specification information of the plurality of devices;
detecting an abnormality in the plurality of devices and an abnormality in communication between the plurality of devices based on the difference between the execution result of the logic process and the simulation result ;
program.

Images