JPH0535441B2 - - Google Patents

Description

[Detailed Description of the Invention] [Industrial Application Field] The present invention relates to a control device with a duplex configuration, and in particular,
The present invention relates to a duplex control device suitable for increasing reliability.

[Prior Art] FIG. 6 is a block diagram of a conventional duplex control device. When a command signal (target value) 3 from an unillustrated host control system or the like is given to the duplex control device 1, this command signal 3 is input to the duplex control calculation units 11a and 11b. Each control calculation unit 11
The feedback signal 4 from the controlled object 2 is also returned to a and 11b. Each control calculation unit 11a, 11
b is a subtracter for calculating the deviation between the target value 3 and the feedback signal 4, and each deviation signal 12a, 1
The control calculation function 13a, 13b is provided to calculate and output control signals 14a, 14b that make 2b zero. The signal selection section 21 includes a selection logic section 2
2. Equipped with signal selection relay contacts 4a, 24b corresponding to control signals 14a, 14b,
4b is selected by the selection logic section 22,
It is given to the controlled object 2 as the final control signal 16.

There have been various methods of selection in the selection logic section 22, but they can be broadly classified into the following two types.

(1) Systematically select one of the two control signals 14a and 14b in a fail-safe direction. Specifically, a high value or low value control signal is selected.

(2) Each of the control calculation units 11a and 11b performs a self-diagnosis of an abnormality, and at least the control signal output by the control calculation unit on the side where the abnormality has been detected is not selected.

The former is a fail-safe operation from a system perspective, but depending on the system, the fail-safe direction is not necessarily determined. Also,
If too much emphasis is placed on fail-safety, the operating rate of the control system will be reduced, and there is a problem in that its application will be extremely limited.

The latter has been increasingly used recently because by using a computer in the control calculation section, it is possible to strengthen the abnormality diagnosis ability without adding any special hardware. FIG. 7a is a logic circuit diagram showing an example of the logic, and FIG. 7b is a symbolic explanatory diagram of the logic circuit.

In FIG. 7a, the control calculation unit 11a (A system)
The self-diagnosis function inputs the self-diagnosis result 15a to the selection logic section 22 of the signal selection section 21. In addition, the self-diagnosis function of the control calculation unit 11b (B system) also
The self-diagnosis result 15b is input to the selection logic section 22.

The selection logic unit 22 includes AND logic 50a,
50b, 51a, 51b, 52, OR logic 53a, 53b, NOT logic 54, 55,
56 and 57. And self-diagnosis result 15
a and 15b are "1" when normal, and "0" when abnormal. Furthermore, when A-system manual and B-system manual are selected, "1" is output, and when the outputs of AND logic 51a and 51b become "1", A-system (B-system manual) is output.
system) selection command is output and relay contacts 24a, 2
4b is turned on.

(1) In this logic circuit, when both the A system and the B system are determined to be normal, the A system is automatically selected, and the A system selection command 23a turns on the relay contact 24a. At this time, the B-system signal selection relay contact 24b remains in the off state. Here, if for some reason it is desired to switch to B-system control, turn on the B-system manual selection switch. As a result, the output of the B system manual selection becomes “1”,
AND logic 50 because signal 15b is “1”
The output of b becomes "1". Therefore, the output of the NOT logic 54 becomes "0", the output of the AND logic 51a becomes "0", the A system selection command is not output, and the contact 24a is turned off. On the other hand, since the manual selection of A system is “0”
AND logic 50a outputs “0” and NOT
The output of logic 57 is "1". Also, since the self-diagnosis result 15b is "1" indicating normal, when the B system manual selection becomes "1", the OR
Logic 53b outputs "1", and AND logic 51b outputs "1". As a result, the B system selection command is output, and the contact 24b is turned on. If you want to switch to A system control again, turn on the A system manual selection switch and use the same logic as above to switch to contact 24a.
is turned on, and contact 24b is turned off.

(2) Suppose that an abnormality is detected in the A system while the A system is selected and controlled and the B system is on standby. Since the self-diagnosis result 15a is “0”,
The output of AND logic 51a becomes "0",
The A system selection command is not output, and the contact 24a is turned off. On the other hand, since the output of the AND logic 50a is "0", the output of the NOT logic 57 is "1", and the self-diagnosis result 15b of the B system is "1". Here, if an abnormality occurs in the A system,
The output of NOT logic 56 becomes “1” and OR
The output of logic 53b becomes “1” and AND
The output of logic 51b becomes "1". Therefore, the B system is selected and the contact 24b is turned on.

(3) If an abnormality is detected in the B system while the B system is selected and controlled and the A system is on standby, the operation is the same as in (2) above, and the contact 24a is turned on. Therefore, the contact 24b is turned off.

(4) If an abnormality occurs in the standby system while one system is selected to perform control and the other system is on standby, the control itself will not change.

(5) If both systems A and B become abnormal,
The output of AND logic 52 becomes "1",
Fail-as-ize or fail-safe actions such as locking the operating end are often performed.

(6) In addition to the above-mentioned control, it is often practical to output an alarm when an abnormality is detected.

[Problems to be solved by the invention] Although the logic in the prior art described above is extremely effective in practice and can be expected to be considerably more reliable than a single-layer system, it has the following three problems. be.

(1) In terms of basic operation, the system is simply a dual system by providing a backup system in addition to a single system, and the reliability of the output signal itself is equivalent to that of the single system.

(2) System reliability (operation rate) varies greatly depending on the level of anomaly detection ability.

(3) Even if the calculation results of system A and system B do not match,
If the self-diagnosis function cannot detect any abnormality,
It is not possible to determine which data is correct, and therefore, in the worst case, abnormal control may be allowed.

Therefore, in a system that requires this type of ultra-high reliability, a triple system capable of majority decision making is generally applied. However, since a triplex system requires a huge amount of hardware and the price increases accordingly, its scope of application must be limited to some extent, and it is not possible to use a triplex system for all control devices. Can not.

An object of the present invention is to provide a control device that can improve the reliability of a duplex system to the same level as that of a triplex system.

[Means for Solving the Problems] The above object includes two control calculation means that input a deviation between a target value and a feedback signal from a controlled object and output a control signal that reduces the deviation,
Duplex control in which one side is the control side and the other is the standby side, and the output signal of the control calculation means on the control side is given to the controlled object, and when an abnormality occurs on the control side, the control calculation means on the standby side is switched to the control side. In the apparatus, the first means detects a deviation between the output signals of both control calculation means, the second means detects a deviation between the feedback signal and the target value, and the first means detects a deviation exceeding a tolerance value. This is achieved by providing a third means that determines that an abnormality has occurred in the standby side control calculation means when the detected deviation of the second means is within an allowable value.

[Operation] If an abnormality occurs in either the control calculation means on the control side or the control calculation means on the standby side, it can be detected by the fact that the deviation between the calculation results of both becomes large. However, this alone does not tell whether the abnormality has occurred on the control side or the standby side. Therefore, when an abnormality occurs, the difference between the feedback signal and the target value is used to determine in which direction the abnormality has occurred. If an abnormality occurs on the control side, the feedback signal will become abnormal and the deviation from the target value will become large, and if an abnormality occurs on the standby side, the calculation result of the normal control calculation means will not be given. Since the feedback signal from the controlled object changes in accordance with the target value, the deviation is small. Therefore, depending on the degree of deviation between the feedback signal and the target value, it is possible to determine whether an abnormality has occurred on the control side or the standby side.

[Example] Hereinafter, an example of the present invention will be described with reference to the drawings.

FIG. 1 is a configuration diagram of a duplex control device according to a first embodiment of the present invention. The redundant control device of this embodiment has an abnormality determination section 31 added to the conventional control device shown in FIG. This abnormality determination section 31 includes two
Two deviation monitors 32 and 36 are provided.

The deviation monitor 32 includes control calculation units 11a and 11b.
The calculation results 14a and 14b are constantly monitored, and it is determined whether or not a deviation exceeding a preset first tolerance value has occurred between the results 14a and 14b.
If the deviation exceeds the tolerance value, a "1" signal is output, for example, and if it is within the first tolerance value, a "0" signal is output.

The deviation monitor 36 constantly monitors the deviation between the feedback signal 4 from the controlled object 2 and the estimated feedback value 35 obtained by passing the target value 3 through the simple model 34, and determines whether the deviation exceeds a second tolerance value. Determine whether or not. If the second tolerance is exceeded, a "1" signal is output, for example, and if it is within the second tolerance, a "0" signal is output.

The simple model is a model that simulates a control system and/or a controlled object, but the simple model 34 used in this embodiment is simply composed of a combination of dead time elements and first-order or second-order delay elements. still,
The simple model 34 may include only the first-order lag element,
Also, depending on the system, it may be possible to delete this.

The abnormality determination unit 31 further includes time delay pickup elements (hereinafter abbreviated as TDPU) 33 and 37. The TDPU 33 receives the output of the deviation monitor 32, and outputs "1" when the output "1" of the monitor 32 continues for a specified time or more, and outputs "0" otherwise. TDPU
37 receives the output of the deviation monitor 36 and outputs the output from the monitor 3
When the output "1" of 6 continues for a specified time or more, it outputs "1", and otherwise outputs "0".

The abnormality determination unit 31 takes the AND condition of both output signals of the TDPUs 33 and 36, and outputs the control side control calculation unit (1
a or 11b) which outputs a signal 38 indicating the presence or absence of an abnormality, and a standby side control calculation unit (11a or 11b) which takes an AND condition of the output signal of the TDPU 33 and the negation signal of the output of the TDPU 37.
AND logic that outputs a signal 39 indicating the presence or absence of an abnormality.

With this redundant control device shown in FIG. 1, for example, now,
It is assumed that the control calculation section 11a is on the control side and the control calculation section 11b is on the standby side. If it is assumed that an abnormality has occurred on the control side, the calculation result 14a of the control calculation section 11a and the calculation result 14b of the control calculation section 11b will be different, and the deviation between the two results will exceed the allowable value. Therefore, the deviation monitor 32 outputs "1" and the TDPU 33 outputs "1". if,
When the deviation monitor 33 outputs "1" due to noise, the output of the TDPU 33 remains "0" because it is rare that the error continues for more than a specified time.
In other words, the TDPU 33 functions to avoid false detection due to noise or the like. Note that 0 seconds can also be set as the specified time.

In this case, it is assumed that an abnormality has occurred in the control calculation unit 11a on the control side, so the abnormal calculation result 14a is given to the controlled object 2, and therefore the value of the feedback signal 4 also changes to the target value 3. The value is far different from that. Therefore, the deviation monitor 36 detects a deviation greater than the allowable value between the two and outputs "1".
TDPU37 also outputs "1". As a result, the signal 38 indicating an abnormality on the control side is "1" (indicating an abnormality).
Therefore, the signal 39 indicating an abnormality on the standby side remains at "0" (indicating normality). These signals 38,
39 controls the signal selection section 21, and the contact 24
By releasing the contact 24b and closing the contact 24b, the standby-side control calculation unit 11b can be switched to the control side.

Now, suppose that the control side control calculation unit 11a is normal,
Assume that an abnormality occurs in the standby-side control calculation unit 11b. In this case as well, the deviation monitor 32 detects this and outputs "1", and the TDPU 33 also outputs "1". On the other hand, since the output 14a of the normal control-side control calculation unit 11a is given to the controlled object 2, its feedback signal 4 follows the relationship with the target value 3, and the deviation between the two is within the allowable value. It is becoming. For this reason, the deviation monitor 36
The output of the TDPU37 becomes "0". As a result,
The signal 38 indicating an abnormality on the control side becomes “0” (indicating normality), and the signal 39 indicating an abnormality on the standby side becomes “1”.
(Indicating an abnormality.)

In this way, since the final judgment is made using two deviations (the deviation of the calculation result of the control calculation section and the deviation between the feedback signal and the target value), it is possible to reliably detect an abnormality. Note that if this method of abnormality detection is adopted, the deviation monitors 32, 36,
The TDPUs 33, 37 and the simple model 34 can be configured without requiring very detailed tests or analyzes, which is a great practical advantage. For example, if the determination is based only on the deviation between the outputs of the two control calculation units 11a and 11b, it can be determined that an abnormality has occurred in one of the dual systems, but it is not possible to determine in which one the abnormality has occurred. In addition, in the judgment based only on the deviation between the feedback signal and the target value, model 34
The accuracy of this problem becomes a problem, and an extremely complex model is required to improve the reliability of anomaly detection. Furthermore, if an unexpected disturbance were to occur in the system, this could be mistaken for an abnormality.

However, according to the embodiment of the present invention described above, 2
Only when a deviation greater than the allowable value occurs between the outputs of the two control calculation units, the presence or absence of an abnormality is determined using the judgment result based on the deviation between the feedback signal and the target value, so it is determined that there is an abnormality when it is not abnormal. The possibility of false detection is extremely small.

FIG. 2 is a detailed configuration diagram of the signal selection section 21. As shown in FIG. The logic configuration in Fig. 2 is for the case where each control calculation unit has a self-diagnosis function (the first
(omitted in the figure), and the operating end lock is omitted. Further, the fail-safe function in the event of signal loss is also omitted from illustration. Note that logic elements having the same connections as those in FIG. 7a are given the same reference numerals.

This signal selection section 21 includes an AND logic 60
a, 60b, 63a, 63b, 64a, 64b
, OR logic 62a, 62b, negative logic 61a, 61b, and TDPU 25a, 25b.

Currently, the A system (control calculation unit 11a) is in a normal state on the control side, and the B system (control calculation unit 11a) is normal.
Assume that b) is normal on the standby side. Since the A system is on the control side, the output of the AND logic 51a is "1" and the output of the AND logic 51b is "0". These outputs are TDPU25a, 2
AND logic 63a, 63b, 6 via 5b
4a, 64b. TDPU25a, 25
It is also possible to return the outputs of the AND logics 51a and 51b without providing b, but if the control system is switched due to the occurrence of an abnormality, the system that has newly become the control side will operate to return to the normal state. Since it is not always possible to return to normal immediately, these TDPUs 25a and 25b are provided in order to stabilize the operation.

The signal status is "0" because the A-system self-diagnosis result 15a is "normal", and the signal status is "0" as the B-system self-diagnosis result 15a is "normal".
b is also "1" indicating "normal". Further, according to the determination result of the abnormality determination unit 31 shown in FIG. 1, the control side abnormality signal 38 becomes "0" and the standby side abnormality signal 39 becomes "0".

Since the outputs of the AND logics 63a and 64a are both "0", the output of the OR logic 62a becomes "0", which becomes "1" in the NOT logic 61a and is input to the AND logic 60a.
The A-system self-diagnosis result 15a is input to the other input terminal of the AND logic 60a, and in this case it is "1", so the output of the AND logic 60a is "1".
becomes. Similarly, the output of AND logic 60b also becomes "1".

Since both the A system manual selection and the B system manual selection have their outputs "0" (manual selection not performed),
The output of AND logic 50a, 50b is "0". The OR logic 53a has an output of "1" from the AND logic 51a, which indicates that the A system is selected.
and negation of the output “0” of AND logic 51b indicating that B system is not selected (logic 55)
Since "1" and the output "0" of the AND logic 50a are input, the output becomes "1".
AND logic 60a is in AND logic 51a.
Since the output "1" of the AND logic 50b, the negation (logic 54) "1" of the output "0" of the AND logic 50b, and the output "1" of the OR logic 53a are input, the output becomes "1" and the A The system selection command 23a is output, and the contact 24a remains closed.

On the other hand, the OR logic 53b has the AND logic 51b output "0" indicating that the B system is not selected, the negation (logic 56) "0" of the output "1" of the AND logic 60a, and the AND logic 50
Since the output "0" of b is input, the output is "0". The AND logic 51b contains the output “0” of the OR logic 51 and the negation (logic 57) of the output “0” of the AND logic 50a.
Since "1" and the output "1" of the AND logic 60b are input, the output becomes "0", the B system selection command 23b is not output, and the contact 24b maintains the open state.

Now, suppose that an abnormality occurs in the control calculation unit 11b on the control side. In this case, A-system self-diagnosis result 1
5A changes from “1” to “0” and control side abnormal signal 3
8 changes from “0” to “1”. As a result, the output of AND logic 60a becomes "0" and the output of AND logic 51a also becomes "0". For this reason, A
The system selection command 23a becomes a signal indicating that system A is not selected, and the contact 24a is released.

When the output of AND logic 60a becomes “0”,
The negation (logic 56) of "1" is input to the OR logic 53b, the output of the OR logic 53b becomes "1", and all inputs of the AND logic 51b become "1". As a result, the B system selection command 23b is output, and the contact 24b is closed.

FIG. 3 is a configuration diagram of a duplication control device configured to also duplicate feedback signals to determine abnormality. Generally, in feedback control, the loss of a feedback signal leads to runaway control, so feedback signal detectors are often duplicated as shown in FIG. In the duplex control device shown in Fig. 1, the data input to the two control calculation units were the same feedback signal, but in the duplex control device shown in Fig. 3, the input data does not necessarily match. Since this is not guaranteed, somewhat complex decision logic is required. However, the basic idea is the same as in Figure 1. The functions of the abnormality determination section 31 in this embodiment can be broadly divided into three parts, similar to the example of FIG.

(1) Control calculation result mismatch detection function (2) Control system abnormality detection function using feedback signals (3) Abnormality determination function Of the above, the function (1) is completely the same as the embodiment shown in FIG. Regarding (2), since there are two feedback signals, by adding the feedback signal equivalent estimated value 35 and checking the deviation between the three signals, abnormalities in the feedback signals 4a and 4b and abnormalities on the control side or standby side can be detected. It is something to detect. In (3), a final judgment is made based on a combination of these detected abnormalities.

Now, as shown in FIG. 3, the deviation check result of the calculation results 14a and 14b of the control calculation section is used as an abnormality detection signal a44, and the deviation check result between the duplicated feedback signals 4a and 4b is used as an abnormality signal b.
45, the deviation check result between the B system feedback signal 4b and the feedback signal estimated value 35 is set as the abnormal signal c46, and the A system feedback signal 4
The deviation check result between a and the feedback signal estimated value 35 is set as an abnormality detection signal d47, and the combination is considered by setting "1" when an abnormality is detected and "0" when no abnormality is detected. This combination is shown in FIG. The meaning of each combination case will be explained below.

(1) Case 1 Abnormality detection signals a, b, c, and d are all “0”
That is, it is in a state where no abnormality has been detected, and is determined to be normal.

(2) Case 2 The deviation between the feedback signals 4a and 4b and the deviation between the feedback signal 4a and the estimated value 35 are normal, but the deviation between the feedback signal 4b and the estimated value 35 is determined to be abnormal. This is an extremely rare case, and can be considered normal from a system perspective.

(3) Case 3 Same as case 2 (however, feedback signals 4a and 4b are swapped.) (4) Case 4 The deviation of feedback signals 4a and 4b is normal, but the estimated value 35 and feedback signal 4a,
A case where it was determined that there was an abnormality in the deviation from 4b.
A case where it can be assumed that there is an error in the estimated value 35, the characteristics of the controlled object have changed (an abnormality has occurred), or some kind of disturbance has been added to the system.

Since both the two feedback signals and the two control calculation units can be considered normal (because the deviation is normal), it can be determined that the entire system is normal. It may be better to use a fail-as-is operation such as locking the end.)

(5) Case 5 The deviation between feedback signals 4a and 4b is abnormal, but the estimated value 35 and feedback signal 4
A case where the deviation from a and 4b is normal. An extremely unlikely case.

This case may appear at an early stage when an abnormality has just occurred in one of the feedback signal detectors. However, it is thought that the situation will eventually shift to Case 6 or Case 7, which will be described later.
Therefore, Case 5 may be determined to be normal for the time being.

(6) Case 6 Deviation between feedback signals 4a and 4b,
A case where the deviation between the feedback signal 4a and the estimated value 35 is abnormal, and the deviation between the feedback signal 4b and the estimated value 35 is normal. In other words, this is a case where it can be determined that the four values of the feedback signal are abnormal. It is thought that the situation will eventually move to Case 14, which will be described later. Since the A system performs control calculations based on the abnormal feedback signal, control must be transferred to the B system.

(7) Case 7 This corresponds to Case 6, where the A and B systems are reversed. Must be controlled on the A system side.

(8) Case 8 Either the estimation accuracy of the feedback signal estimated value 35 is poor, or both feedback signal detectors are abnormal, and the deviation is small in the control calculation result data calculated using the feedback signal with a large deviation. An extremely unlikely case.
If I were forced to do something, it would probably be to lock the operating terminal, but since it is thought that the situation will eventually move to Case 16, which will be described later, it is not necessarily necessary to take any corresponding action.

(9) Case 9 The deviation between the control calculation results is large, but the system is considered normal. That is, it can be estimated that the control side is operating correctly and that an abnormality has occurred in the control calculation section on the standby side.

(10) Case 10 In Case 2, a large deviation is also detected between the control calculation results, and the location of the abnormality cannot be determined. However, it is thought that the situation will eventually move to Case 9 or Case 12, which will be described later. this case
It is unlikely that it will reach 10, and there is no need to take any immediate action.

(11) Case 11 In Case 10, the A system and B system are swapped.

(12) Case 12 Both feedback signals can be considered to be true values. This is significantly different from the estimated value,
In addition, since the change between the control calculation results is large, it is considered that the system is being controlled by the output of the control calculation unit on the side where the abnormality has occurred. Therefore, it is necessary to switch to the standby side.

(13) Case 13 Same as Case 5, this is an extremely unlikely case. Since the feedback signal estimated value is in good agreement with the actual measured value, it is possible that the system is operating normally, and no special measures are required.

(14) Case 14 A case where the feedback signal of system A became abnormal, and the control calculation results calculated using this data differed greatly from the control calculation results of other systems. Control must be transferred to the B system.

(15) Case 15 This is a case in which the A and B systems of Case 14 are reversed. A
System control is appropriate.

(16) Case 16 This case is considered to be a development of the situation in Case 8. The operating end must be locked.

From the above considerations, cases 6, 7, 9, 12,
14 and 15, and it is in case 16 that it is necessary to lock the operating end (case 4,
5, 8, 10, 11, and 13 may also be used as operating end locks. This must be determined based on the characteristics of the target system. ).

FIG. 5 is a configuration diagram of the signal selection section of the duplex control device considering each of the above-mentioned cases. Now, A
Both system and B system are normal (self-diagnosis result is “1”),
Since each case has not occurred, it is assumed that the output is "0" in each case. The A system is the control side (AND logic 51a output is “1”),
It is assumed that the B system is on the standby side (the output of the AND logic 51b is "0"). Under this assumption, the AND logic 68a, 68b, 69a, shown in FIG.
The output of both 69b is “0” and the OR
The outputs of logic 67a and 67b become "0".
Therefore, the outputs of the AND logics 60a and 60b are both "1", and the connections of the other logics are the same as in FIG. 51
It is output from b.

Now, if case 12 occurs, the output will deviate from "0" to "1". As a result,
The output of AND logic 68a becomes “1” and OR
The output of the logic 67a becomes "1", the output of the AND logic 60a changes to "0", and the A system becomes unselected (the output of the AND logic 51a becomes "0").
becomes. ) On the other hand, when the output of the AND logic 60a changes to "0", the output of the OR logic 53b becomes "1", the output of the AND logic 51b becomes "1", and the B system is selected.

The above explanation has been given for one control loop, but for large-scale digital control systems (multivariable control), the most important point is Even if this method is adopted only for the control loop, the effect basically remains the same. In other words, the normality of the operation within the central processing unit is determined based on one point of representative data, but the present invention is only meaningful even though both systems are normal in self-diagnosis. This is when the output data differs, and this is because there are practically no cases where only one data out of a large number of data computed by the same computing device is abnormal.

In addition, in the embodiments described above, the self-diagnosis results are also incorporated into the switching logic to make a comprehensive judgment, but when the control calculation section is configured with an analog calculation unit, it is not necessary to add this self-diagnosis function. It's not necessarily possible. Also in this case,
The switching logic can be constructed by deleting this self-diagnosis result.

[Effects of the Invention] According to the present invention, in a duplex control device, by simply adding a determining means with an extremely simple configuration, three
It is possible to provide the same level of anomaly detection ability as a multiplex system, and it is possible to achieve system reliability close to that of a triplex system.

Generally, if the hardware amount of a single system is 1,
The increase is approximately 2.5 for a duplex system and approximately 4.5 for a triple system.If the system reliability is 1 for a single system, it is approximately 4.5 for a double system.
10, and rises to about 100 for triple systems (however, it depends on the system scale). According to the present invention, it is possible to achieve reliability close to that of a duplex system without substantially increasing the amount of hardware in the duplex system, thereby making it possible to construct a highly reliable system with excellent cost performance.

[Brief explanation of the drawing]

FIG. 1 is a block diagram of a duplex control device according to a first embodiment of the present invention, FIG. 2 is a detailed block diagram of the signal selection section shown in FIG. 1, and FIG. 3 is a block diagram of a second embodiment of the present invention. FIG. 4 is an explanatory diagram of the switching logic of the signal selection unit shown in FIG. 3, FIG. 5 is a detailed configuration diagram of the signal selection unit shown in FIG. 3, and FIG. is a configuration diagram of a conventional duplex control device, and FIG.
FIG. 7b is an explanatory diagram of the logic elements shown in FIG. 7a. 1... Duplex control device, 2... Controlled object, 3...
...Command signal (target value), 4...Feedback signal, 4a...Feedback signal A system, 4b...
Feedback signal B system, 5a... Feedback signal detector A system, 5b... Feedback signal detector B system, 11a... Control calculation unit A system, 11b
...Control calculation unit B system, 12a...Control deviation signal A
12b...Control deviation signal B system, 13a...Control calculation function A system, 13b...Control calculation function B system,
14a... Control calculation result A system, 14b... Control calculation result B system, 15a... Self-diagnosis result A system, 15
b...Self-diagnosis result B system, 16...Control signal, 2
1...Signal selection unit, 22...Signal selection logic unit, 23a...A system selection command, 23b...B system selection command, 24a...A system signal selection relay contact, 2
4b...B system signal selection relay contact, 25a, 25
b, 33, 37, 41, 43...Time-limited element (TDPU: time delay pick-up), 31
... Abnormality determination unit, 32 ... A system/B system control output signal deviation detection monitor, 34 ... Simple operation model of control system, 35 ... Feedback signal estimated value, 36, 42 ... Actual feedback signal and estimated value deviation detection monitor, 38...Control side abnormality determination signal, 39...Standby side abnormality determination signal, 40...A
System/B system feedback signal deviation detection monitor, 4
4...A system/B system control output signal deviation large signal, 45
...A system/B system feedback signal deviation large signal,
46... Large deviation signal of the B system feedback signal/feedback signal estimated value, 47... Large deviation signal of the A system feedback signal/feedback signal estimated value.

Claims (1)

[Claims] 1. Two control calculation means for inputting the deviation between the target value and the feedback signal from the controlled object and outputting a control signal to reduce the deviation, one of which is on the control side and the other on the standby side. In a redundant control device that applies an output signal of 1 to the controlled object and switches the standby side control calculation means to the control side when an abnormality occurs on the control side, a deviation between the output signals of both control calculation means is detected. a first means; a second means for detecting a deviation between the feedback signal and the target value; and a second means for detecting a deviation between the feedback signal and the target value; and third means for determining that an abnormality has occurred in the control calculation means on the standby side.