JPH06103444B2 - Standby dual programmable controller switching method - Google Patents

Description

Description: TECHNICAL FIELD OF THE INVENTION The present invention relates to a standby dual system programmable controller used as an object to be controlled, for example, for automatically operating an automated guided vehicle, and in particular, a fail safe including peripheral devices at the time of switching. The present invention relates to a switching method for a standby dual system programmable controller that incorporates logic to perform switching control.

[Technical background of the invention and its problems]

For example, a process controller for automatically operating an automated guided vehicle as a control target employs a multiplex configuration to ensure its reliability. In such a process controller, a method that is often used among the multiplex configurations is one in which the central processing unit (CPU), which becomes a complete failure at the time of failure, is duplicated and the control input / output section is shared. There is. In the case of this configuration, the control input / output unit normally has a healthy check logic so that the CPU can be automatically switched to the normal side CPU when an abnormality occurs. Also C
In the event of a PU error, without waiting for the final input / output switching by the healthy check logic in the control I / O unit, the backup CPU operation system program (OS) constantly monitors the error occurrence on the master side, A method of instructing disconnection on the master side by detecting abnormality is also used. Therefore, if such a method is adopted, the process controller can be instantaneously switched to back up the control as if it were continuous control.

By the way, in such a duplex process controller, in order to perform continuous control when the CPU is abnormal,
After each execution cycle, confirm that it is completed normally, transfer the internal register at that time to the backup register as it is, and configure the backup side to always start control from the latest register state. There is.

FIG. 6 is a block diagram showing the concept of the above-mentioned duplexed process controller. In FIG. 6, the central processing units (CPUs) 1 and 2, the internal registers (Reg) 3 and 4 and the peripheral devices 5 and 6 have symmetrical configurations on the master side and the slave side. The input / output unit (I / O) 7 is signal-coupled to the master side or slave side CPUs 1 and 2 via the input / output switching logic unit (CH) 8. The CH section 8 is configured to perform backup switching by a backup side operation system program (OS) and I / O7 switching by a healthy check logic included in the CH section 8.

However, such backup switching is mainly performed by detecting the failure of the arithmetic processing function of the CPU main body, and the backup processing is generally not performed for the failure of the peripheral device. Therefore, for example, when an automatic operation control device for an automated guided vehicle is configured by the process controller as described above, if there is a device in the peripheral device that is indispensable to continue its control, the automatic operation control function will occur due to the failure of the peripheral device. It will be stopped and continuous control cannot be realized. Further, when the switching fails due to a hardware trouble at the time of switching, the control target may cause an abnormal operation because there is no security control function.

[Object of the Invention]

The present invention has been made in view of the above circumstances.
In the case of a failure in the arithmetic processing function of the U main unit, backup control can be performed by the switching processing function that has already been established, and even if a peripheral device added to the process controller fails, switching can be performed while performing continuous control. An object of the present invention is to provide a switching method of a standby dual system programmable controller that can be performed.

[Outline of Invention]

In order to achieve such an object, the present invention is connected to a programmable controller having a diagnostic function for diagnosing the programmable controller itself and an automatic switching function for automatically switching to a standby system when a failure is detected by the diagnostic function. In the system in which the standby dual system is configured with the peripheral devices as one system, the control sequence of the programmable controller of each system has a failure monitoring function for monitoring the failure of the peripheral devices of the system, When a failure occurs, the programmable controller itself is simulated as a failure state by the control sequence of the programmable controller, and is switched to the standby system by the automatic switching function of the programmable controller.

Example of Invention

An embodiment of the present invention will be described below with reference to the drawings. First
The figure shows an example of the overall configuration of a standby dual system programmable controller according to the present invention. In FIG.
The master-side controller 10 executes the automatic control sequence using the master-side register 11, and the master-side information transmission device 12
Is connected to the centralized command device 40 by. Control target
A control signal is input / output to / from the input / output unit 31 via the input / output switching controller 31 provided for the duplex configuration.

The backup controller 20 is also composed of the backup register 21 and the backup information transmission device 22 similarly to the above system, and is capable of executing the automatic control sequence of the same function as the master side.

The input / output switching controller 30 monitors the power supply normal signals 301, 311 and the failure signals 302, 312 output from the master side controller 10 and the backup side controller 20, respectively, in order to perform automatic switching while maintaining a continuous control state, and the matrix of FIG. The automatic switching is performed by the logic shown by. That is, in FIG. 2, “ON” means that there is a signal, “OFF” means that there is no signal,
For example, in case 1, if the master controller power supply normal signal is “ON” and the failure signal is “OFF”, and if the backup controller power supply normal signal is “ON” and the failure signal is “OFF”, The current state is maintained as the logic processing of the input / output switching controller.

In addition, the master side register 11 and the backup side register 21
Confirm that the control sequence of the controller on the control side has ended normally, and then copy the contents of the mask side register 11 (internal signal and final input / output signal state) to the backup side register 21. Has become. Therefore, the controller that became the control side due to switching starts execution of the normal control sequence,
It is possible to continuously execute the sequence performed by the controller before switching.

On the other hand, the power supply normal signal 301 output from the master side controller 10 is output to the input / output unit 31 shared by both controllers.
The failure signal 302, the power supply normal signal 311 output from the backup controller 20, and the failure signal 312 are input. Further, the power supply normal signal 303 and the failure signal 304 output from the master side information transmission device 12 and the power supply normal signal 313 and the failure signal 314 output from the backup side information transmission device 22 are input to the input / output unit 31, respectively. Has become. Further, either the input / output master side connection signal 305 or the input / output slave side connection signal 315 indicating the input / output switching position output from the input / output switching controller 30 is input to the input / output unit 31.

Then, these signals respectively input to the input / output unit 31 can be read in the control sequence by the controller being controlled.

Next, in the standby dual system programmable controller configured as described above, the switching method will be described with reference to FIGS.
A specific description will be given with reference to the drawings.

Power supply normal signal 30 output from the master controller 10
The power supply normal signal 311 output from the controller 1 and the backup controller 20 is “ON” when the controller power supply is normal as a basic signal. Further, the failure signal 302 output from the master side controller 10 and the failure signal 312 output from the backup side controller 312 are sequence execution time-out detected as an abnormality of the controller when the controller executes the sequence, execution of an illegal sequence instruction. Turns on when the controller function including it fails.

Power supply normal signal 30 output from master side information transmission device 12
3 and the power supply normal signal 313 output from the backup side information transmission device 22 is “ON” when the power supply state of the information transmission device is normal, and the failure signal 304 and the backup side information output from the master side information transmission device 12 The failure signal 314 output from the transmission device 22 turns “ON” when the information transmission function fails.

These power supply normal signals 301, 311, 303, 313 and failure signals 30
2,312, 304 and 314 are all input as input signals from the input / output unit 31 to the control side controller. The controller on the control side makes a logical decision as shown in FIG. 3 in the automatic driving control sequence based on these input signals. That is, the power supply normal signal of the master side controller 10 is "OF".
If it is F ", the failure signal is" ON ", the power supply normal signal of the master side information transmission device 12 is" OFF ", or the failure signal is" ON ", the master is determined as the control sequence judgment 1. It is judged that switching to the backup side is impossible, and it is necessary to switch to the backup side as the control sequence judgment 2. Also, the power supply normal signal of the backup side controller 20 is "OFF" or the failure signal is "ON". In the case of "or the power supply normal signal of the backup side information transmission device 22 is" OFF "or the failure signal is" ON ", it is judged as the control sequence judgment 1 that switching to the backup side is impossible, and As control sequence determination 2, it is determined that switching to the master side is necessary.

When the logical judgment is made by the control sequence in this manner, the processing shown in FIG. 5 is executed based on the judgment. That is, when it is judged that the switching to the backup side is impossible as the control sequence judgment 1, and when it is judged that the switching to the master side is necessary as the control sequence judgment 2, the input / output master side selection signal is “ON”. If there is, no switching processing is performed, and the input / output backup side selection signal is "ON".
If so, the switching process to the backup side is performed. If it is determined in control sequence determination 1 that switching to the master side is impossible, and if it is determined in control sequence 2 that switching to the backup side is necessary, the I / O master side selection signal must be "ON". For example, switching processing to the backup side is performed, and if the input / output backup side selection signal is "ON", there is no switching processing.

Furthermore, when the logic judgment shown in FIG. 3 is a combination of control sequence judgment 1 and control sequence judgment 2 which are different from each other as in processing case 3 shown in FIG. 4, that is, in control sequence judgment 1, switching to the backup side is performed. I / O is judged to be impossible and switching to the master side is also impossible, whereas in control sequence 2 it is judged that switching to the backup side is necessary and switching to the master side is necessary, input / output Either the master side selection signal or the input / output backup selection signal is “O
Even if it is N ", security processing is performed.

Here, as shown in FIG. 4, the control controllers 10 and 20 are provided with the following functions when performing processing based on the control sequence logic judgment.

(I) Procedure when the process shown in FIG. 4 is a switching process.

(1) When the controlled object is, for example, a carrier vehicle, the control command is switched to the safest control command (for example, a low speed traveling command) that allows control to continue for all the carrier vehicles.

(2) An internal signal indicating that the switching procedure has been performed according to the control sequence is set to the partner controller.

(3) The normal sequence is executed for one scan so that the register contents (internal signal and final output signal state) are copied to the partner controller.

(4) The illegal sequence instruction is executed so that the fastest switching is performed.

Next, the control sequence of the partner controller activated by the switching according to the above procedure confirms the normal switching and performs the switching completion processing by the following procedure.

(1) It is confirmed whether or not the current input signal has changed with respect to the final input signal of the input / output master side selection signal and the input / output backup selection signal, and when there is a change, judgment is started.

(2) When it is confirmed that switching has occurred and the switching procedure has been performed as an internal signal, switching completion processing is performed,
Allow normal sequence execution.

(3) When only switching has occurred, the control sequence is continued as switching by the input / output switching controller.

(Ii) When the process shown in FIG. 4 is a security process.

In this case, a safety stop command can be output to the controlled vehicle, for example, and the control sequence can be terminated, and smooth safety control by the safety stop command can be performed without relying on the final stage function of the safety equipment. It becomes possible to control.

The flow of judgment and processing by the control sequence of the controller as described above is shown in FIGS. 5 (a) to 5 (c). The flow will be described. First, in step (a) of FIG. 5 (a), it is determined whether or not the input / output selection signal has changed, and if it has changed, the input is performed in step (b). It is determined whether or not the output master side selection signal is "ON". If it is "ON", it is determined whether or not the switching procedure is performed in step (C). ) To complete the switching to the master side. If the input / output master side selection signal is not "ON" in step (b) above, it is determined in step (e) whether or not the switching procedure is stepped. If so, in step (f). Complete the switching to the backup side.

In this way, when the switching completion processing is performed in steps (d) and (f), or when it is determined that the switching procedure is not performed in steps (c) and (e), step ( Switching procedure is initialized, and the process proceeds to step (h) shown in FIG. 5 (b). In step (h), the sequence judgment 1 shown in FIG. 3 is executed, and then in step (ri), the sequence judgment 2 is executed. Then, in step (n), it is determined whether or not it is impossible to switch to the master side, and if not, in step (l) it is determined whether or not it is necessary to switch to the master side. . If it is necessary to switch to the master side, go to step (e).
It is determined whether or not the input / output backup side selection signal is "ON", and if it is "ON", the switching process to the master side is performed in step (5). Further, if it is determined in step (e) above that switching to the master side is impossible, it is determined in step (f) whether or not switching to the master side is necessary. In step (Y), it is determined whether the input / output backup signal is "ON". If "ON", the backup side security process is performed in step (T).

In this way, in step (wa), the switching process to the master side,
When security processing is performed in step (TA), or it is determined that switching to the master side is not necessary in steps (LE) and (F), and input / output in steps (E) and (YO). 6th when the backup selection signal is not "ON"
The process proceeds to step (re) shown in FIG. Step (re)
Determines whether switching to the backup side is impossible, and if not, determines whether switching to the backup side is necessary in step (so), and if necessary, step In (), the input / output master side selection signal is "O
Whether it is N "or not is determined, and if" ON ", the switching process to the backup side is performed in step (n).
Further, if it is determined in the above step (re) that switching to the backup side is impossible, it is determined in step (na) whether or not switching to the backup side is necessary, and if necessary, step In (a), it is determined whether or not the input / output master side selection signal is "ON". If it is "ON", the security processing on the master side is performed in step (m).

In this way, when the switching process to the backup side is performed in step (n) and the security process is performed in step (m), a series of processing routines are ended. In addition, step (so),
The processing routine is also terminated when it is determined in (a) that switching to the backup side is not necessary, or when the input / output master side selection signal is not "ON" in steps (t) and (la).

As can be seen from the flow charts shown in FIGS. 5A to 5C as described above, in this embodiment, the control sequence of the programmable controller of each system has a failure monitoring function for monitoring the failure of peripheral devices of the system. When the peripheral device fails, the programmer controller itself is made to be in a simulated failure state by the control sequence of the programmable controller and switched to the standby system by the automatic switching function of the programmable controller. Therefore, it is added to the process controller. It is possible to perform the synchronous switching of the peripheral device while continuously controlling the failure of the peripheral device and without impairing the instantaneous switching function.

In addition, when switching based on the control sequence judgment of the programmable controller, start the normal stop control of the control target device by the control sequence before starting the switching control, confirm the normal switching in the partner control sequence after switching, and then stop normally. Since the control is stopped, there is no possibility of abnormal operation after switching due to a failure that occurs during switching control.

Furthermore, when switching is performed based on the judgment of the control sequence of the programmable controller, the switchable state of the switching destination system is monitored, and when the switching is not possible, instead of executing the switching control, the normal stop control of the control target equipment is executed by the control sequence. Since the control is terminated, the controlled device does not operate abnormally.

Further, since the programmable controller is input with the switching selection signal of the input / output switching controller and the switching control is started only when the switching selection signal and the switching factor occurrence logic judgment match, the master side and the backup side The control sequences incorporated in the programmable controller can be made completely the same, and the trouble of maintenance due to the correction of the sequences can be eliminated.

〔The invention's effect〕

As described above, according to the present invention, it is possible to perform the backup control by the switching processing function which has already been established for the failure of the programmable controller itself, and of course the failure of the peripheral device added to the process controller. Even in such a case, it is possible to provide a switching method of a standby dual system programmable controller capable of performing synchronous switching of peripheral devices while performing continuous control and without impairing the instantaneous switching function.

[Brief description of drawings]

FIG. 1 is a block diagram of an entire system configuration showing an embodiment for explaining a switching method of a standby dual system programmable controller according to the present invention, and FIG. 2 is an automatic switching logic of an input / output switching controller in the same embodiment. FIG. 3, FIG. 3 and FIG. 4 are explanatory diagrams of the logic judgment and processing of the control sequence in the same embodiment, FIG. 5 is a flowchart showing the same embodiment, and FIG. 6 is a conventional standby dual system. It is a block diagram which shows the whole system configuration of a programmable controller. 10 …… Master side controller, 11 …… Master side register, 12 …… Master side information transmission device, 20 …… Backup side controller, 21 …… Backup side register, 22…
... Backup side information transmission device, 30 ... I / O controller, 31 ... I / O unit, 32 ... Controlled object.

 ─────────────────────────────────────────────────── ─── Continuation of the front page (72) Hiroshi Arimitsu, Hiroshi Arimitsu 1-chome, Mizushima Kawasaki-dori, Kurashiki-shi, Okayama Prefecture (no address) Inside the Mizushima Steel Works, Kawasaki Steel Co., Ltd. Chome (no address) Kawasaki Steel Co., Ltd. Mizushima Steel Works (56) Reference JP-A-52-30358 (JP, A) JP-A-58-66105 (JP, A) JP-A-49-12747 (JP, A) JP-A-48-49350 (JP, A) JP-A-57-93403 (JP, A) JP-A-55-121501 (JP, A) JP-A-59-157704 (JP, A) JP-A-59-149503 (JP, A)

Claims (4)

[Claims] 1. A programmable controller having a diagnostic function for diagnosing the programmable controller itself and an automatic switching function for automatically switching to a standby system when a failure is confirmed by the diagnostic function, and a peripheral device connected to the programmable controller. In a system in which a standby dual system is configured with one system as a system, the control sequence of the programmable controller of each system has a failure monitoring function for monitoring a failure of a peripheral device of the system, and when the peripheral device fails, A standby dual system programmable controller switching method characterized in that the programmable controller itself is simulated to a failure state by a control sequence of the programmable controller and is switched to a standby system by the automatic switching function of the programmable controller. 2. In the control sequence of the programmable controller of each system, the normal stop control of the controlled object is started before the switching control is started, and after the switching, the normal switching is confirmed by the partner control sequence. Standby 2 according to claim (1), in which stop control is stopped
Switching method for heavy system programmable controller. 3. The control sequence of the programmable controller of each system monitors whether or not the system to be switched to is in a switchable state, and when the system cannot be switched, normal stop control is executed for the controlled object. Thereafter, the control method is stopped, and the standby dual system programmable controller switching method according to claim (1). 4. The control sequence of the programmable controller of each system is such that the switching control is started only when the switching selection signal indicating which system is selected matches the switching factor generation logic judgment. In the range (1), the method for switching the standby dual system programmable controller.