JPS59211101A - N:1 back-up system of control system - Google Patents

Abstract

PURPOSE:To exclude a relay contact which is necessary to switch the connection between a back-up muCPU and other muCPU by using a communication circuit to transfer the information needed for back-up. CONSTITUTION:If a fault arises at an arithmetic control part ALUi of a muCPU of a certain station at the time of operation, a signal SA2 showing the generation of the fault is transmitted to a communication interface part ICi. The part ICi does not transmit the signal SA2 to an error accepting part but transmits it to a communication circuit CO via a transmission part like a normal signal. Thus other stations, an operator console POC and a back-up muCPUb fetch the signal SA2 through their reception parts respectively and understand that a fault arises at the muCPUi. At the same time, the control part of the part ICi of the faulty station changes the control contents in reply to the singal SA2. Then the information is transferred between the muCPUb and the faulty station via the circuit CO, and a back-up operation is carried out.

Description

DETAILED DESCRIPTION OF THE INVENTION (Field of Application) The present invention relates to an n-to-1 backup method for control systems, and particularly for control systems that can simplify the hardware configuration and improve reliability. ) is rapidly expanding in use.

Among them, the necessary control functions are carried out by multiple μ-CPs.
This is divided into sizes that can be handled by humans, so that the degree of impact in the event of a failure in an individual μ-CPU is divided into sizes that can be handled by humans.

Figure 1 shows the conventional multiple μ-CP without backup.
This is an electronic control device composed of U.

The μ-CPUs, ~μ-CPUn share control functions and are coupled to the process input/output device PO via the process input/output buffers Pi/ol ~Pi/on.

On the other hand, the n μ-CPUs are connected to the operator's console POC through a communication line CO, and the nine μ-CPUs built in each μ-CPU, ~μ1 CPUn, and poc can be freely connected to the communication interface. It is a way to exchange information.

Therefore, although the system shown in FIG. 1 is an electronic control device made up of a plurality of μ-CPUs, it has the same functionality as if it were made up of one μ-10PU.

At the same time, it is divided into multiple μ-CPUs, ~ μ-CPUn.

Since it is composed of a group of assigned functions, it has the advantage of being able to easily introduce methods such as manual backup, which is completely reasonable for human maintenance.

In this way, when a control system is configured with n μ-CPUs, in case each μ-CPU fails, the failed μ-CPU is backed up and the entire control operation is controlled. Various methods have been proposed for continuation.

Most of these proposals include (1) Duplicating the calculation unit (2) Duplicating the memory (3) Adding an ECC (error detection and correction) function to the memory (4) Improving the Pi/O unit (process input/output 7777 unit) Duplication (5) n units of μ with one backup μ CPU
They tend to be processed using redundant methods such as 10 PU backups.

The above methods (1) to (4) are technically easy at first glance, but they are not necessarily advantageous in terms of cost efficiency, so it is recommended to back up n μ10 PUs with one μ-CPU. The method (5) mentioned above has attracted attention, and various methods have already been proposed. Typical methods are broadly divided into (1) a method in which switching is performed at a dividing point between Pi/O and μ-CPU, and (2) a method in which switching is performed including Pi/O.

In these systems, a switching circuit is added to the 811 to SnI signal section between the μ-cpU' and the Pi/O, and the signal of the backup μ-CPU is transferred to the Pi/O where the fault occurs.

By switching to and inputting, the μ1 CPU is backed up.

For this reason, the reliability of the system is concentrated in the switching section, and the electromagnetic relays that make up this section are one of the most important parts.

However, electromagnetic relays have drawbacks such as poor contact and wear of the contacts, and long response time delays.

Furthermore, in the conventional system, what is connected to the 200 μm PU is a Vo device (typewriter, CRT, etc.), and compared to the output of other μm CPUs, the 200 μm
Since the characteristics of the output signals of the CPU are different, it is difficult to apply the same type of switching circuit.
There is a drawback in that a protection method such as independent duplication must be adopted for the mCPU.

(Purpose) The purpose of the present invention is to integrate n μm CPUs with one μm CPU.
Our objective is to propose a new control system n:1 backup system that can back up not only 200 μm CPUs but also 200 μm CPUs.

(Summary) In order to achieve the above object, the present invention adopts a method of switching the signal section between the μm CPU and Pilo, and communicates the calculation results (control signals, etc.) by the backup μ-CPH. μm to be backed up via line
The feature is that the data is configured to bypass the CPU and directly transfer to the corresponding Pllo. (Embodiment) The present invention will be described in detail below with reference to the drawings.

FIG. 2 is a block diagram of an embodiment of the present invention. In this figure, the same reference numerals as in FIG. 1 represent the same or equivalent parts.

In addition, μ-CPUb in the figure is #-CPU, ~ μ-CP
If a failure occurs in the μm CPU built in the Un or POC, the μm is used as a backup.
It is a CPU.

In the present invention, when a failure occurs in a certain μmCPU, this is notified to the backup μmCPU, K, and the calculation results (control signals, etc.) performed by the backup μ-CPUb are sent to the failure via the communication line Co. Bypassing a certain μm CPU, the corresponding Pi
I am trying to send it directly to LO.

This will be further explained in detail with reference to FIG. Figure 3 shows
It is a block diagram showing the connection relationship between a certain μm CPU and a μ-CPU for POC Oyohi backup, and their configuration. Note that in this figure, the second
The same reference numerals as in the figures indicate the same or equivalent parts.

poc is the arithmetic control unit ALU of the μm CPU, and the memory circuit M
, a communication interface Ic, an Llo II interface It, and an input/output device V.

In addition, the first μmCPUi and the backup μm
-CPIJb are arithmetic control units ALUi and AL, respectively.
Uyu memory circuit M1. Mb1 and communication interface I
It is composed of ei+Ieb, etc. Furthermore, μm CPU,
is provided with a secondary interface Ipl for driving the process input/output interface Pi10.

Note that SA in the same figure is a steady signal used inside each μm CPU, and SA2 is a stationary signal used inside each μm CPU.
This is a signal to warn of an abnormality in the U.

The arithmetic control unit ALU executes SA! according to instructions stored in advance in the memory circuit MK. The signal is transferred to the M1 communication interface Ic and the malicious device interface II to cause them to perform the scheduled operation.

On the other hand, the control μ-CPU 3 performs arithmetic control according to the contents of the instruction array in the memory circuit, and transmits the results to Pl/'os via the interface Ip.
It is further transmitted from PVoi to the process input/output device Po.

The backup μm CPU is clearly shown in FIG. 3, and has a configuration in which It and ilo are removed from the POC, as described above. ALIJb′! in the figure! ! : When an abnormality occurs in the SA or ALU, the SA signal is transmitted to the Ic of the poc and the Icb of the μmCPUb via the IcI.

Furthermore, re and IC as communication interfaces
The details of the configuration of Icb 1 (or Icb) are shown in FIG.

As is clear from this figure, the internal configurations of the interface sections Ic and Ict can be exactly the same, so corresponding parts are designated by the same reference numerals in FIG.

In the figure, Ib1 is the interface gate of the steady signal SA, C8 is the control unit in each interface, and Ccl is the communication (
(transmission, reception) control section, R1 is a reception section, and SI is a transmission section. The error receiving section E receives the can section abnormality signal 5EIb1.
This is, for example, an OR circuit that accepts 5EC1 and 5ECc.

When any of the abnormal signals described above is received, the electromagnetic relays RYE and RYE are deenergized. As a result, the corresponding output contact X-RYE is closed, the output end of the transmitter S1 and the input end of the receiver R1 are short-circuited, and the corresponding interface is bypassed.

During normal operation, electromagnetic relay RYE is energized, so its corresponding output contact X-RYE is open. Therefore, the signal on the communication line Co is received by the receiver R1 of the interface of a certain station, and the signal SAR+
As soon as the signal is transmitted to the communication control unit Cc), it is determined whether or not it is a signal that should be received by the own station. , takes the signal into S as 1.

This signal SA, is normally the memory circuit M(-+
or M, , M, etc.).

On the other hand, if the signal is not a signal that should be received by the own station, it is retransmitted as is from the transmitter S to the communication line CO.

During operation, the μm CPU of a certain station, the arithmetic control unit AL
When an abnormality occurs in U, a signal S indicating that
1, which generates A and transmits it to the control unit C3. At this time, C
1 does not transmit the signal SA to the error receiving section E1, but sends it out to the communication line Co via the transmitting section S1 in the same way as in the case of a normal signal.

As a result, the ordinary receiving section R of the other station, the poc, and the backup μ-CPU receives this together with the other normal signal SA, and can know that a failure has occurred in the station.

At the same time, the control unit C of the communication interface ■c1 of the failed station
8 changes its control content in response to the signal SA2, and transfers the operation of the memory circuit M1 and ALU within its own station to the ALU of the backup μm CPU 5 and Mb, as will be described in detail later.

That is, information is exchanged between the backup μm CPU and the failed station via the communication line Co, and a backup operation is performed.

In other words, the arithmetic control unit ALU (or A
LU, ) death and/or memory circuit M (or Ml)
Even if the interface Ic (or Ie,
), the interface Icb is maintained between the arithmetic control unit ALUb of the backup μ-CPUb and the memory circuit Mb.
and exchange information via the communication line Co, i
In order to shift to a backup mode such as a dual-speed mode that allows continued control of the 10 devices (or process input/output device Po), there are 21 methods that can be roughly divided into 21 meters.

First, the first method will be explained with reference to the flowchart in FIG. 5 and the memory map (format) in the tlSa diagram.

Step S1 in FIG. 5 is Yeshi2ize processing, in which the communication interface Ie (represented by IC, IC, etc.) is set to an initial state when the power is turned on.

Step S2 is a process of acquiring the state of the μm CPU, in which the presence or absence of a signal SAW indicating an abnormality in the arithmetic processing @ALU (or ALU) is monitored.

In step S3, the abnormal signal SA! If not, that is, if ALUC or ALLIρ is normal, the process proceeds to step S4, where information SAl is transmitted to M (or M,) and stored.

After the transmission, it is checked in step S5 whether or not it has operated normally. If the operation is normal, step S
The process branches at 6 and returns to step S2.

On the other hand, if the operation is abnormal, a signal 5ECI to that effect is sent.
(see FIG. 4), branching to step s7 and activating relay RYE.

This causes relay contacts X-RYE, A (closed,
The input end of the receiving section R0 and the output end of the transmitting section S1 are connected to the communication line C.
o and the station becomes bypassed.

Therefore, it is completely prevented that the station in which the fault has occurred has an adverse effect on other stations. Note that the above processing is exactly the same as the conventional method.

If it is determined in step S3 that the abnormal signal SAI has occurred, the process branches to step S8.

The section ALU (or ALU,) and the memory circuit M (ttake Ml) are separated, and the interface Ic (or ALU) is disconnected.
, I cl ) to the interface It (or Ipl
) to be connected exclusively.

Through the above processing, the arithmetic control unit and storage circuit of the failed station have been replaced by the arithmetic control unit ALU and storage circuit Mb of the backup μ-CPUb.

That is, the data calculated by the backup μ-CPUb is transferred to the failed station via the communication line Co and the interface Ie (or Icl),
Used to control the input/output equipment or process input/output devices.

In this case, the storage circuit Mb of the backup μ-CPUb has an area O81 for storing system knots and an area Ih for storing the initial processing program, as shown in FIG. An area 5Tbl for storing instructions for checking the performance is provided, and each μmC1)U, -μ-CPUn and PO
an area M having the same capacity J1 and content as the common memory of C;
-M, , M are provided. .

Therefore, an abnormality occurs in the ALU of a certain μm CPU, and an abnormality signal SA! is generated, the backup μ-CPUb that receives this performs a predetermined operation based on the instructions and information in the memory area corresponding to the μmCPU of the faulty station, and transmits the obtained result information to the communication. It is transmitted via circuit Co 2 and interface Iebt to Ic (or Ict) of the faulty station to control Vo equipment or process input/output device Po.

As described above, the backup μ-CPU is created.

is the ALU (t or ALU,) included in the faulty station
and M (or Ml), and can be backed up.

In this case, it goes without saying that the data to be stored in each memory area M, -Mn, and M needs to be updated as appropriate so that the latest data is always stored. For this reason, it is preferable not to update fixed data, but to periodically update only possible data.

In the first method described above, the backup μmCPUb
The problem is that the required capacity becomes enormous because the memory circuit Mb must have the same capacity and content memory area as the memory circuits of all other μm CPUs (that is, all the μm CPUs that it is trying to back up). There is.

The second method makes it possible to save the capacity of the storage circuit of the backup μ-CPUb.] Below, with reference to the flowchart of FIG. 7 and the memory map (format) of FIG. 8, This second method will be explained. In these figures, the same reference numerals as in FIGS. 5 and 6 represent the same parts.

As is clear from comparing FIG. 7 with FIG. 5, the second method is the same as the first method with steps 89 to S11 added, so here we will explain the steps in these steps. Only the processing procedure will be explained.

Step S9: The number of branching in step S3 - that is, the number of times it is determined that the abnormal signal SAt has occurred is counted.

Step SIO: Determine whether the count value is 75β1. When the count value is 11, that is, if the process is performed immediately after the abnormality signal SA is generated, the process advances to step 811.

On the other hand, if the count value force β1 is a dog, in other words, if the processing is not performed immediately after the occurrence of the abnormal signal SA2, step S8→
The process of S5 is performed.゛Step 811...Memory circuit of the faulty station (M or M,
) is read out and transferred to the storage circuit of the backup μm CPU.

In this case, the storage circuit Mb of the backup μ-CPUb
As shown in Figure 8, each μ-C in the system
A memory area M (M,) is provided with a capacity corresponding to the capacity of one memory circuit Mt or M of P'U.

Therefore, in step S11 described above, the contents of the memory circuit of the faulty station are read and the backup μmCPUh
By storing data in the memory area M (M, ) of
The backup μm CPU can now execute on its behalf.

As is clear from the above explanation, the second method is effective when the storage circuit of the faulty station has an error correction function and the reliability of the stored contents is high. , the backup μ-CPU, and the capacity of the storage circuit to be provided can be significantly reduced.

(Effects) As is clear from the above description, according to the present invention, the following effects are achieved.

(1) Since information necessary for backup is exchanged using a communication line, the configuration is simplified.

In other words, since there is no need for relay contacts to switch the connection wiring between the backup μ-CPU and other μ-CPUs, the amount of wiring and the number of switching contacts can be significantly reduced and reliability can be improved. I can do it.

[Brief explanation of the drawing]

Fig. 1 is a block diagram showing an example of a conventional electronic control device using multiple μ-CPUs, Fig. 2 is a schematic block diagram of an embodiment of the present invention, and Fig. 3 shows a part of Fig. 2. 4 is a detailed block diagram of a further part of FIG. 3, FIG. 5 is a flowchart showing an example of the backup method of the present invention, and FIG. 6 is a backup method suitable for the case of FIG. 7 is a flowchart showing another example of the backup method of the present invention, and FIG. 8 is a memory circuit in the backup μ-CPUb suitable for the case of FIG. 7. This is the memory map (format) of POC...Operator console, μ-CPU,
~μ-CPUm...microcomputer, μ-CP
Ub...Microcomputer for buffer rough, co
...Communication circuit, PIlo, ~P110n...Process input/output buffer, Po...Professional top two output device,
Ic, Icl. Ieb...Communication Interface Attorney Michihito Hiraki Figure 1 Figure 2 Figure 3 11 Ooo□ a Figure 4 Figure 5 Figure 6

Claims (3)

[Claims] (1) A plurality of microcomputers for controlling process input/output devices, an operator's console for monitoring and operating each of the microcomputers, and a backup system for backing up the microcomputers. This is an n-to-one backup control system in which backup microcomputers are connected to a common communication circuit through their respective communication interfaces, and if a failure occurs in the arithmetic control section of one of the microcomputers. When the microcomputer is connected to the communication line via the communication interface,
In addition to transmitting an abnormal signal indicating that a failure has occurred, the arithmetic control unit and storage circuit of the backup microcomputer are connected via the communication line and communication interface.
By connecting exclusively to the local station, information is exchanged between the two, and the calculations, controls, etc. that should be performed by the calculation control unit and storage circuit of the local station are transferred to the calculation control unit and storage circuit of the backup microcomputer. An n-to-one backup system for a control system, which is characterized by substituting the control system. (2) The memory circuit of the backup microcomputer has a capacity at least equal to the capacity of the memory circuit of the microcomputer to be backed up, and always stores the same contents as the memory circuit of the microcomputer to be backed up. A patented n-to-one backup method that is characterized by: (3) The storage circuit of the backup microcomputer has a capacity at least equal to the capacity of one of the storage circuits of the microcomputer to be backed up, and when an abnormal signal of the microcomputer to be backed up is detected, the corresponding An n-to-one backup system for a control system as set forth in Patent No. 1, wherein the contents of a memory circuit of a microcomputer are transferred to and stored in a memory circuit of the backup microcomputer.