JPH0756763A - Method for switching duplex control system - Google Patents

Abstract

PURPOSE:To keep the continuity of data outputted from input/output(I/O) devices even if abnormality occurs in a duplex control system and control right is transferred during the period of optional control operation. CONSTITUTION:This duplex control system has two controllers 1A, 1B mutually connected through a transmission line 8 and plural I/O devices 5 provided with transmission parts 6A, 6B respectively connected to the controllers 1A, 1B through respective transmission lines 9a, 9b and plural I/O parts 7A to 7N. The system executes operation while using one controller 1A as an active system and the other control device 1B as a stand-by system. Data are always equalized between both the active and stand-by control devices 1A, 1B through the transmission line 8, and in the case of switching control operation from the active controller 1A to the stand-by controller 1B, the I/O device 5 receives a hold command to hold the outputs of the I/O parts 7A to 7N in the I/O device 5. At the time of receiving a hold reset command from the controller 1B switched as an active system after completing the switching, the I/O device 5 resets the holding state of the I/O parts 7A to 7B.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a method for preventing erroneous output during a duplex switching period of a duplex control system.

[0002]

2. Description of the Related Art In order to improve the reliability and operating rate of a control device, the control device is duplicated for a particularly important control system. 1 and 2 show functional block diagrams of a dualized control system in which a control device is duplicated and systematized, and the same functional block diagram is used in the description of the prior art and the description of the embodiments of the present invention. In FIG. 1, two sets of control devices 1A and 1B operate as an active system (control device 1A in the illustrated example), the other operates as a standby system (control device 1B), and the control device 1A (1B) is , Control unit 2A (2
B), a transmission unit 3A (3B) for performing transmission between control devices, and a transmission unit 4A (4B) for performing transmission between a control device and an input / output device. Operating and standby control devices 1A-1B
In the meantime, data equalization is always performed by the inter-controller transmission line 8 via the transmission units 3A and 3B.

The input / output device 5 includes two sets of transmission units 6A and 6B for performing transmission between the control device and the input / output device, and a plurality of I / O units 7A to 7N.
Although one set of I / O devices 5 is shown in the illustrated example, a plurality of I / O devices 5 are provided between the control device and the I / O devices to connect the I / O transmission lines 9a and 9b. Connected by multi-drop. The configuration of FIG. 2 is different from that of FIG.
The input / output device 5 is composed of a set of transmission units 6A, and therefore, the transmission unit 4B and the input / output device 5 of the control device 1B in FIG.
The I / O transmission path 9b with the transmission unit 6B of the
This is the point that it became the transmission path 9b between the B transmission units 4A and 4B. Since the transmission lines 9a and 9b are not duplicated, they cannot be relieved in terms of high reliability in this part. Compared with the reliability of the control devices 1A and 1B, the transmission unit 6A of the input / output device 5 has a small number of parts and high reliability, so that the system can be economically constructed while ensuring the required reliability.

In the above configuration, when an abnormality occurs in the operating system control device 1A, the transfer of the control right is notified to the standby system control device 1B via the inter-control device transmission line 8, and the standby system control which has received the transfer notification of the control right is received. The device 1B immediately starts operating as an operating system control device. In addition, the input / output device 5 shown in FIG.
If the transmission units 6A and 6B of the system are duplicated and the transmission lines 9a and 9b between the control unit and I / O unit are also duplicated, the operating system control unit
When an abnormality occurs in 1A, the transfer of the control right is notified to the standby control device 1B by the inter-control device transmission line 8 and the transfer of the control right is also notified to the transmission units 6A and 6B of the input / output device 5. . The standby system control device 1B and the input / output device 5 that have received the notification of the transfer of the control right immediately start operating as operating system control devices and input / output devices.

[0005]

As described above, in the prior art method, the output data possessed by the transmission unit of the control device or the input / output device which newly operates as the operating system operates as the old operating system. When the data is different from the output data that the control unit or the transmission unit of the input / output device has, for example, an error occurs when the data equalization between the old operating system control unit and the standby system control unit is not completed, When the transfer of the control right occurs, the control device of the new operating system immediately after the transfer of the control right may send data different from the data of the control device of the old operating system in the first transmission, and may give an erroneous output. For example, the control device of the old operation system performs calculation / control operation, and data from "0"
Immediately after changing to "1", it is assumed that an abnormality occurred and the transfer of control right occurred while the data equalization to the old standby system control device was not completed. Since the data "1" is written from the old operating system controller to the I / O device, the output signal of the I / O device is data "1". , The old data "0" is output, and then the arithmetic / control operation is performed, and the same data "1" as the data of the old operating system control device is output. That is, when looking at the time series characteristics of the output signal of the input / output device, there is a possibility that the output fluctuations such as 1,0,1,1, ... Occur and the continuity of data cannot be maintained.

The present invention has been made in view of the above points, and an object thereof is to solve the above-mentioned problems and to perform control by causing an abnormality during an arbitrary calculation / control operation of a control device in an old operation system. It is an object of the present invention to provide a method of switching a duplex control system capable of maintaining the continuity of data of an output signal of an input / output device even if the right is transferred.

[0007]

In order to achieve the above-mentioned object, one or a plurality of control units are provided, which are provided with two sets of control units, a transmission unit for transmitting data with these control units, and a plurality of I / O units. The I / O device is connected to the control device by the inter-control device transmission line, and the control device and the I / O device are connected by the I / O transmission line. It operates as a system, the other control device operates as a standby system, and data is constantly equalized between the operating system and the standby system control device by data transmission via the inter-control device transmission path. In a redundant control system, when switching the control operation of the control device from the control device in the active system to the control device in the standby system, the input / output device receives a hold command, and during this switching period, the I / O unit output of the input / output device is output. Hold, and after switching is complete, Receiving the hold release command from the control device is switched to the 働系 shall release the output hold the I / O unit.

Further, in the method of switching the redundant control system having the above configuration, the hold command for the input / output device is issued from the control device operating as an operating system.
Further, in the method of switching the redundant control system having the above configuration, the hold command of the input / output device is issued from the standby control device when the control device operating as the standby system detects a failure of the operating control device. And

Further, in the switching method of the redundant control system having the above-mentioned configuration, the hold command of the input / output device detects that the transmission part of the input / output device detects a failure of the transmission system of the operating system control device, and the transmission part of the input / output device is detected. From the I / O of its own I / O device
A hold command shall be issued to the department.

[0010]

With the above configuration, when the control operation of the control device is switched from the operating control device to the standby control device, the input / output device receives a hold command during this switching period,
Put the I / O block output of the I / O device in hold status. The control device of the new operation system after the transfer of the control right is read back with the control calculation data immediately after the transfer of the control right, for example, by reading back the output data of the I / O unit of the input / output device in the hold state. If the output data of the I / O unit of the I / O device differs, and if the hold release command is not issued from the newly operating control device, it means that the different control calculation data immediately after the transfer of the control right is discarded. After confirming the match between the two data after the switching is completed, the hold release command is issued from the newly operating system control unit to release the output hold of the I / O unit and maintain the continuity of the output signal data of the I / O unit. .

When the operating system control device detects its own abnormality, the operating system control device notifies the standby system control device of the transfer of the control right, and also issues a hold command to the input / output device. Further, when the transmission unit of the input / output device is duplicated, the transmission unit of the input / output device is also switched in cooperation with the switching of the control device, and therefore the transfer of the control right is also notified to this transmission unit.

Here, the means for the control device to detect its own internal abnormality is a self-diagnosis of hardware such as a control unit in the control device, a transmission interface between control devices or a transmission interface between a control device and an input / output device. Is checked by a so-called RAS function such as a parity check, a watchdog timer check, a memory sum check or a read / write check, and the control unit in the control device, the inter-control device transmission unit interface or the control device-input / output device. Since the data between these functional units are communicated at a fixed cycle, it is determined that there is no access from the monitored unit within a fixed period, and the above-mentioned error is detected. The abnormality processing is performed.

Next, when the operating system control device detects an abnormality and notifies the standby system control device of the transfer of control right, but the standby system control device cannot receive it, or the operating system control device is normal, When data equalization between control devices is not performed due to an error in the transmission path between control devices, the standby control device determines that there is no access from the monitored unit within a certain period of time Then, the standby control device issues a hold command for the input / output device.

Next, when the operating system control device detects an abnormality and notifies the input / output device of a hold command but the input / output device cannot receive this command, or the operating system control device is normal. If the data communication from the control device is not performed due to an error in the transmission path between the control device and the I / O device, the I / O device will fail due to the absence of access from the monitored unit within a certain period. The transmission unit of the input / output device detects a failure of the transmission system of the operating system control device, and the transmission unit of the input / output device issues a hold command to the I / O unit of its own input / output device. In this case, if the transmission path between the control device and the input / output device is duplicated, it is determined that there is no access from the monitored unit within a certain period of time between the operating system control device and the input / output device, and it is judged as abnormal. Then
The control right is transferred to the standby system, and control is performed by the new operating system control device and the new transmission line between the control device and the input / output device.

[0015]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS FIGS. 3 to 5 are flow charts for explaining the method of switching the redundant control system according to the present invention shown in FIG. 1, FIG. 3 is a flow chart of the processing contents of the operating and standby control devices, and FIG. 5, FIG. 5 is a flow chart of the processing contents of the input / output device, FIGS. 6 and 7 are flow charts for explaining the switching method of the redundant control system shown in FIG. 2, and FIG. 6 is a control device for operating / standby systems. FIG. 7 shows a flowchart of the processing contents of the input / output device. The corresponding steps in FIGS. 3 to 5 and FIGS. 6 and 7 are designated by the same reference numerals.

In FIG. 3, the control devices 1A and 1B are stepped.
At S1, it determines whether its own control unit is an active system or a standby system. By knowing that this control device is an active system from the standby No, the following steps S2 to S12 are performed. In step S1, wait Yes and know that this controller is a standby system.
Perform S13 to S22. First, the operating system control device (the operating system control device is 1A and the standby system control device is 1B in the state immediately before switching) will be described. Self-diagnosis is performed in step S2. Here, the means for the control device to detect its own internal abnormality is the control unit 2A (2B) in the control device 1A (1B), the inter-control device transmission unit interface 3A (3B) or the control device-input / output device transmission. The self-diagnosis of the hardware of the interface 4A (4B) is checked by the so-called RAS function such as parity check, watchdog timer check, memory sum check or read / write check at startup, and the parity is also used in the program processing step. Checking for abnormalities between the control unit in the control unit, the inter-control unit transmission unit interface or the control unit-I / O device transmission unit interface is performed by checking the data between these functional units at regular intervals. Since it is being communicated with, it is judged as abnormal if there is no access from the monitored part within a certain period.

Abnormal in step S3 as a result of self-diagnosis? No
Then, the operating system control device 1A determines that it is normal,
The following normal control operation is performed. That is, the control calculation operation is performed in step S4, and the control calculation data obtained in step S4 is transmitted to the standby control device 1B via the inter-control device transmission line 8 in step S5, and vice versa. Receives a response from the standby control device indicating whether or not the standby control device is normal, and performs data equalization transmission processing between both control devices.

Next, in step S6, the operating system control device 1A confirms the presence or absence of a hold command. In this step S6, there is no hold command when the operation system control device 1A continues to operate as an operation system, but the control device 1B operates as a standby system until immediately before, and goes through the steps S18 to S21 to be described later and waits. It shows the processing contents of the new operating system control unit 1B after switching from the active system to the active system.
In S6, it is confirmed that the operation control device 1B has a hold command. In step S7, it is checked whether or not the hold command of this control device has already been cancelled, and the command cancel? Step S8 with No
Then, the hold release command is issued and the hold is released. In step S8, the control device 1B of the newly operating system after the transfer of the control right reads back the output data of the I / O unit of the input / output device in the hold state, thereby performing the control calculation immediately after the transfer of the control right. If the data differs from the read back I / O unit output data of the I / O device, the hold release command is not issued. As a result, the different control calculation data immediately after the transfer of the control right is discarded. On the other hand, if the data of both parties after the switching is completed, the hold release command is issued. As a result, the output hold of the I / O unit is released and the continuity of the data of the output signal of the input / output device can be maintained.

Release of hold command in step S7? If Yes, the hold has already been released, so step S8 is skipped, and the process proceeds to step S9. In step S9, the control operation data performed in step S4 is transmitted to the transmission unit 6A of the input / output device 5 via the transmission line 9a and output to the I / O units 7A to 7N of the input / output device 5, and I / O of I / O device 5
The data from the O units 7A to 7N is transmitted to the operating system control device 1A via the transmission unit 6A. After step S9 is processed, the process returns to step S1 again, and similar processing is repeated.

Is the self-diagnosis result abnormal in step S3? When it is Yes, that is, it means that the operating system control device 1A is abnormally detected by itself, and corresponds to the process corresponding to claim 2 of the present application, and holds the transmission unit 6A of the input / output device 5 at step S10. Issues a command and a standby switching command. Also, step S1
At 1, a command to switch the standby system control device 1B from the standby system to the active system is issued. Then, the operation system control device 1A switches from the operation system to the standby system in step S12, and again in step S1.
Return to.

Next, when the standby is Yes in step S1, this control device knows that it is a standby system and performs the processes of steps S13 to S22. Hereinafter, the control device for the standby system (the standby system control device is referred to as 1B) will be described. The standby system control device 1B performs self-diagnosis in step S13, and this self-diagnosis method is the same as that described in step S2. Is there an error in step S14 as a result of self-diagnosis? If No, the standby control device determines that it is normal and performs the following control operation in the standby state. That is, in step S15, the operation system control device 1A
The control calculation data is received, and the data is equalized and transmitted. Then, in steps S16 and S17, it is checked whether or not there is an abnormality in the inter-control unit transmission with the active system control unit 1A. Here, the abnormality check between the transmission unit interfaces is determined as an abnormality because there is no access from the monitored unit within a certain period because the data between these functional units is communicated at a constant cycle. The above-mentioned abnormality processing is performed.

Abnormal in step S17? No in step S18, S1
Go to 9. In step S18, the transmission between the control devices with the operating system control device 1A is normal, but the operation switching command issued to the standby system control device 1B from step S11 is received, the operation switching command is confirmed, and in step S19. Is there an operation switching command? No
Then, since there is no switching command to the operating system, the switching operation is not performed and the process directly returns to step S1.

Is there an operation switching command in step S19? Yes
Then, the standby system control device 1B learns about the abnormality of the operating system control device 1A,
In step S20, a hold command and an operation switching command are issued to the transmission section 6B of the input / output device 5. Then, the standby system control device 1B switches from the standby system to the operating system in step S21, and returns to step S1 again. In addition, is there an abnormality in the operating side diagnosis in step S17? When Yes, the standby system control device 1B has detected an abnormality in the inter-control device transmission with the active system control device 1A, and corresponds to the process corresponding to claim 3 of the present application.
In step S20, a hold command and an operation switching command are issued to the transmission section 6B of the input / output device 5. Then, the standby system control device 1B switches from the standby system to the operating system in step S21, and returns to step S1 again.

Abnormality in self-diagnosis in step S14? If Yes, it means that the standby system control device 1B has an abnormality, and this state cannot play the original role as the standby system. Therefore, in step S22, the abnormality is notified to the operator and appropriate abnormality processing is performed. Next, referring to FIG. 4, the transmission unit of the input / output device 5
The processing of 6A and 6B will be described. As shown in FIG. 1, there is a transmission unit 6A (6B) of the input / output device 5 corresponding to the control device 1A (1B). As described above, when the control device 1A is the active system, the transmission unit 6A of the input / output device 5 is also the active system. In step S31, the transmission unit 6A (6B) of the input / output device 5 determines whether its transmission unit is an active system or a standby system. Wait? When No is determined, the transmission unit 6A is in operation, and the processes in steps S32 to S47 are performed. Wait at step S31? If the answer is Yes, then the transmission unit 6B knows that it is a standby system, and the following steps S48 to S61 in FIG. 5 are performed.

In FIG. 4, in step S32, a self-diagnosis similar to the self-diagnosis described in step S2 of the control device processing is performed, and in step S33, an abnormality? If No, the operating system transmission unit 6A determines that it is normal, and performs the following normal operation as an input / output device. That is, in step S34, the transmission-related diagnosis with the active system control device 1A is diagnosed, and in step S35, is there an abnormality? No,
The operating system control device 1A including the transmission path 9a is determined to be normal.

Next, in step S36, the operating system transmission unit 6A
Step S1 has already been performed from the operation system control device 1A to the transmission unit 6A.
Check the presence or absence of the hold command and standby switching command described in 0. Are both the hold command and the standby switching command in step S37? If Yes, go to Step S42,
A hold command is issued to the I / O unit (7A, 7B, 7C ...) Of the I / O device 5, and the output of the I / O unit (7A, 7B, 7C ...) is held. At step S43, the presence / absence of a standby switching command from the standby transmission unit 6B to the active transmission unit 6A is confirmed. Is there a standby switching command confirmation? If No, and if both hold command and standby switching command are issued in step S37? If No, the transmission unit 6A of the operating system does not switch to the standby system but maintains the state of the operating system as it is, and proceeds to the next step S38.

This step S38 shows the contents of processing performed by the transmission unit as an operating system. When the transmission unit 6A continuously processes as an operating system, there is no hold command in the transmission unit 6A. Also, the transmission unit 6B operates as a standby system until immediately before,
Immediately after switching to the active system, a hold command is input to this transmission unit 6B. Therefore, in step S39, the transmission unit 6A continues to operate as an operating system, and when there is no hold command, the hold command is not canceled and there is no? Yes
And jump to step S41. Immediately after the transmitter 6B operates as a standby system until just before switching to the active system, there is a hold command in this transmitter 6B, so the hold command is released from the control device 1B newly switched to the active system. None? In response to No (the latter half of claim 1 of the present application), in step S40, the hold command is released to the I / O unit (7A, 7B, 7C ...) of the input / output device 5, and the I / O of the input / output device 5 is issued. Division (7A,
7B, 7C…) hold is released, and in step S41, I / O section
Data is transmitted between (7A, 7B, 7C ...) And the operating system control device, the process returns to step S31 again, and the same processing is repeated.

Is the self-diagnosis result abnormal in step S33? Yes
In this case, that is, the operation system transmission unit 6A of the input / output device 5 has detected an abnormality by itself, and the operation system control device 1A including the transmission path 9a with the operation system control device 1A is abnormal in step S35? When Yes, this corresponds to the process corresponding to claim 4 of the present application, and the operating system transmission unit 6A of the input / output device 5 performs the step S4.
At 5, a hold command is issued to the I / O unit (7A, 7B, 7C ...) of the input / output device 5. Abnormal operation system transmission unit 6A of I / O device 5, abnormal operation system control device 1A, or step
In S44, check whether there is a standby switching command from the standby system transmission unit 6B to the active system transmission unit 6A. Is there a standby switching command confirmation? Yes
In this case, the standby transmission command is confirmed from the standby system transmission unit 6B in steps S46 and S47, the operation system transmission unit 6A switches to the standby state, and the process returns to step S31.

Wait in step S31? If Yes, connect to FIG. 5 via connection symbol 1 to another page. 5, in step S48, the standby transmission unit 6B performs the same self-diagnosis as the diagnosis already described in step S32, and as a self-diagnosis result, an abnormality is found in step S49? No, standby transmission unit
6B determines that it is normal and performs the following standby operation. First, in step S50, a transmission-related diagnosis with the standby control device 1B is performed, and in step S51, is there an error? No, transmission line 9b
It is determined that the standby system control device 1B is normal, including the above, and then the operating system transmission unit 6A of the input / output device 5 is diagnosed in step S52, and in step S53 an error is detected? If No, it is determined that the working transmission unit 6A is normal. In step S54, the presence or absence of the hold command and the operation switching command from the standby system control device 1B to the transmission unit 6B is confirmed. Are both hold command and standby switching command in step S55? If Yes, step S5
6, shift to S57. This step S56 is step S5.
In response to a switching command from the control device 1B in the standby state of 5 to the operating state, an inquiry is made as to whether the standby transmission unit 6B of the input / output device 5 may be switched to the operating state of the operating transmission unit 6A. , In step S57, from the active transmission unit 6A to the standby transmission unit
In response to the reply that it is okay to switch to the operating state to 6B, is there an operation switching command confirmation in step S58? Yes, I / O device 5
The standby transmission unit 6B switches from the standby state to the operating state,
After connecting symbol 2 to another page, the process returns to step S31 in FIG.

In response to the reply from the operating system transmission unit 6A to the standby system transmission unit 6B regarding switching to the operating state, is there an operation switching command confirmation in step S58? If No, and step S55
Is there both a hold command and an operation switching command from the standby system controller 1B to the transmitter 6B? If No, the standby transmission unit 6B continues to be in the standby state, and step S3 in FIG.
Return to 1.

In step S53, the operating system transmission section 6A of the input / output device 5 is diagnosed to find an abnormality. If Yes, step S5
Move to 9 and issue a hold command to the I / O section (7A, 7B, 7C ...) of the I / O device 5, hold the output of the I / O section (7A, 7B, 7C ...), and in step S60. The standby transmission unit 6B performs the switching process from the standby state to the operating state, and then performs the step again.
Return to S31.

Abnormal self-diagnosis in step S49? If Yes, it means that the standby system transmission unit 6B is abnormal.
Abnormal in the diagnosis of the standby system control unit 1B including the transmission line 9b of? Ye
When s, it means that the standby system control device 1B including the transmission path 9b is abnormal, and in any case, it means that there is an error in either the standby system control device 1B or the standby system transmission unit 6B. It means that switching to the standby system is impossible. Therefore, step S61
Informs the operator of any abnormality and performs appropriate abnormality processing.

FIGS. 6 and 7 are flow charts for explaining the switching method of the duplex control system corresponding to FIG.
FIG. 6 is a flowchart of the processing contents of the operating / standby control device, and FIG. 7 is a flowchart of the processing contents of the input / output device. In Fig. 1, the I / O transmission lines 9a, 9b and the input / output device transmission units 6A, 6B are duplicated, whereas in Fig. 2, this portion is not duplicated, and high reliability is achieved in this portion. There is no relief in terms. FIG. 6 corresponds to the flowchart of the processing contents of the operating / standby control device in FIG. 3, and FIG.
Corresponding to the flow chart of, this non-redundant I /
O The part corresponding to the transmission line and the input / output device transmission part must always be in the operating state. Therefore, the processing content corresponding to the standby state of this part is partially changed (corresponding step number is indicated by the suffix A). Or it has been deleted.

6 is different from that in FIG. 3 in the processing of the control device, when there is an abnormality in the self-diagnosis of the operating system control device 1A in FIG.
There is a hold command and a standby switching command, but the steps in Fig. 6
Since there is only one transmission unit 6A to be switched in S10A, this standby switching command is deleted on the assumption that the transmission unit 6A has not failed. Further, in the standby system control device 1B of FIG. 3, there is an operation switching command from the active system control device 1A to the standby system control device 1B. When this is confirmed, the transmission unit 6B of the input / output device 5 is instructed in step S20. On the other hand, there is a hold command and an operation switching command, but for the same reason, step S2 in FIG.
0A has only one transmission unit 6A that should be switched, so the transmission unit
Assuming that 6A is not broken, instead of transmitting section 6B,
6A is held, the I / O unit of the input / output device 5 is held, and the operation switching command of the transmission unit 6B is deleted.

In the input / output device transmission section processing of FIG. 7, the difference from FIG. 4 is that for the same reason that there is only one transmission section 6A, first, the transmission section 6A of the input / output apparatus 5 is an active system or a standby system. There is no need to check whether it is a system, it must always be an active system. Therefore, step S31 and the processing as a standby system of the transmission unit 6B of the input / output device of FIG. 5 are unnecessary and have been deleted. Next, in FIG. 4, there is both a hold command and a standby switching command confirmation from the operating system control device 1A to the transmission unit 6A of the input / output device 5 in step S36, but in step S36A in FIG. The standby switching command confirmation is deleted. Therefore, in step S37A, is there a command for the hold command in step S36A? Will be judged. Is there a hold command in step S37A? Yes and abnormality in control device diagnosis in step S35A? If Yes, in step S42A (corresponding to the processing in steps S42 and S45 in FIG. 4), a hold command is issued to the I / O unit of the input / output device 5, and the hold is performed.

Further, for the same reason that the transmission unit 6A of the input / output device 5 has only the active system, the transmission unit 6B of the standby system input / output device in steps S43, S44, S46, S47 corresponding to FIG.
The confirmation of the standby switching command from and the switching from the active system to the standby system have been deleted.

[0037]

As described above, according to the present invention, since the output hold command is issued to the input / output device during the duplexing switching period of the control device, even if the control device outputs incorrect output data. Even if the data is transmitted, the final data before the duplex switching is held in the input / output device without being used in the input / output device, and in principle, erroneous output during the duplex switching period can be prevented.

[Brief description of drawings]

FIG. 1 is a functional circuit diagram showing a configuration example of a dual control system in which a control device is dual and an I / O transmission path is dual according to an embodiment of the present invention.

FIG. 2 is a functional circuit diagram showing a configuration example of a redundant control system in which an I / O transmission path is not redundant according to another embodiment of the present invention.

FIG. 3 is a flowchart illustrating a method of switching the redundant control system in FIG. 1 and explaining processing contents of a control device for an active system and a standby system.

FIG. 4 is a flow chart for explaining the switching method of the redundant control system of FIG. 1 and for explaining the processing contents of the input / output device of the operating system.

5 is a flowchart illustrating a method of switching the redundant control system in FIG. 1 and explaining processing contents of an input / output device of a standby system.

FIG. 6 is a flowchart for explaining a method of switching the redundant control system in FIG. 2 and for explaining processing contents of a control device for an active system / a standby system.

FIG. 7 is a flowchart for explaining a switching method of the redundant control system in FIG. 2 and for explaining processing contents of the input / output device.

[Explanation of symbols]

 1A, 1B control device 2A, 2B control unit 3A, 3B transmission unit 4A, 4B, 6A, 6B transmission unit 5 I / O device 7A to 7N I / O unit 8 control device transmission line 9a, 9b I / O transmission line S1 ~ S61 Program step S10A, S20A, S36A, S37A, S42A Program step

Claims (4)

[Claims] 1. A pair of control devices, a transmission section for performing data transmission with these control devices, and a plurality of I's.
And / or an input / output device including an I / O unit, the control devices are connected by an inter-control device transmission path, and the control device and the input / output device are Connected by an / O transmission line, one control unit operates as an operating system, the other control unit operates as a standby system, and the control unit between the operating system and the standby system is connected via the inter-control unit transmission line. By data transmission,
In a redundant control system in which data is constantly equalized, when switching the control operation of the control unit from the control unit in the operating system to the control unit in the standby system, the input / output device receives a hold command and this switching period In the middle, put the output of the I / O unit of the input / output device in the hold state, and after the switching is completed, receive the hold release command from the control unit switched to the active system, and release the output hold of the I / O unit. A characteristic method for switching the redundant control system. 2. The method for switching a redundant control system according to claim 1, wherein the hold command for the input / output device is issued from a control device operating as an operating system. . 3. The method of switching a redundant control system according to claim 1, wherein the controller that operates as a standby system detects a failure of the operating system controller, and the hold command of the input / output device is detected. Is issued from the control device of the above. 4. The method of switching a redundant control system according to claim 1, wherein the input / output device hold command detects a failure of the transmission system of the operating system control device by the transmission section of the input / output device, From the transmission part of the device,
A method for switching a redundant control system, characterized in that a hold command is issued to the I / O section.