JPS63238633A - Backup system in distributed system - Google Patents

Abstract

PURPOSE:To easily and quickly execute a backup at the time of a fault by a simple constitution, by storing in advance the minimum processing contents of other controller required for the time of a backup, in respective (n+k) pieces of controller. CONSTITUTION:By limiting the processing contents stored in a backup controller 5 to the processing contents of a controller 6 of a plural pieces portion, a backup of (n):(k) (1<=k<=n) can be executed, therefore, as for the processing contents for a backup, a small quantity is enough, and accordingly, as for all the controllers to be used, inexpensive one of the same kind of machine can be used. Because of a homogeneous system constitution, there is no common mode, and the system abounds in the extendability. Also, even at the time of a backup of (n):(k), the dispersibility of the system is secured. Moreover, since an output is selected between plural processing contents stored in advance in the controller, there is not time delay at the time of executing down-loading from a host computer to a low-order backup controller, and it becomes possible to cope quickly with a fault.

Description

[Detailed description of the invention] [Industrial application field] The present invention relates to a nuclear power plant that requires reliability.

The present invention relates to a digital distributed system applied to chemical systems, etc., and particularly to a backup method for a distributed system that can easily and reliably perform system backup.

[Conventional technology]

The conventional backup method for distributed systems is
As described in Publication No.-146552.

A controller consisting of an operating section and a processing section and an operating end operated by the controller form a pair, and a plurality of these are provided to constitute a distributed system, and each of these controllers is connected to a host computer via a system bus. When a lower-level controller fails, this higher-level computer takes over the processing of that controller, and directly controls the operating terminals via an analog memory provided on the output side of each controller.

[Problem that the invention seeks to solve]

In the future, distributed systems will become digital, and the mainstream will be to separate the controller section responsible for measurement and control from the input/output section such as a remote terminal unit, and connect the two through transmission via a system bus.

In a conventional digital distributed system that includes multiple components in which a controller unit and an input/output unit are integrated, the n (any number): 1 backup method, in which the upper computer backs up the failure of the lower controller, requires a large number of controllers. In the case of a large-scale system, the processing and storage contents of the host computer become enormous, making the hardware and software expensive. In addition, if the n:k (1≦k≦n) backup method is expanded to the conventional digital distributed system described above, the problem is that the upper computer part becomes a common mode in the system configuration (a mode in which a failure spreads to the entire system). There is.

Additionally, in general, a system consisting of homogeneous components that are loosely coupled (a homogeneous system) has the advantage of being more extensible.

On the other hand, there is also a method in which the processing contents of the lower controller are stored in advance in the upper computer, and when the lower controller fails, the upper computer downloads the processing contents of that controller to a backup controller, and the backup controller backs up the operation of the failed controller. However, it has the drawback that it takes time to download and cannot be used with a direct digital controller (DDC) that performs periodic control on the order of seconds.

An object of the present invention is to provide a backup method in a distributed system that can easily and quickly perform backup in the event of a failure with a simple configuration.

[Means for solving problems]

In order to achieve the above objective, it is necessary that the introduction of a backup system does not disrupt the idea of distribution and that the processing performance of each controller and the required processing capacity do not change significantly.

The present invention provides digital controllers equivalent to n digital controllers that are normally used, and stores in each of the n+k controllers in advance the minimum processing contents of other controllers that are required at the time of backup. Each healthy controller selects and shifts its own output processing content using its processing program selector based on failure information of other controllers obtained from transmission data or external contact signals.

That is, the present invention provides a remote terminal unit connected to a system bus, and n (arbitrary integer) units connected to the system bus that control the operating end via the remote terminal unit, each having different processing contents. This is a distributed system backup method that has a digital controller and (1≦k≦n) backup digital controllers for each of these n digital controllers. The processing contents to be processed by each of the multiple controllers are stored in advance, and when failure information of another controller is detected, the optimal backup time is determined based on the failure information of the other system and the controller number information. This feature is characterized in that a processing program selection amount is provided for selecting and setting the processing contents of the processing.

[Effect]

By limiting the processing content stored in the backup controller to the processing content of multiple controllers, it is possible to back up n (any integer): k (1≦k≦n), so the amount of backup processing content is small. Therefore, all the controllers used can be of the same model and inexpensive (such as a one-loop controller).

Because of the homogeneous system configuration, there is no common mode, and the system is highly expandable.

Furthermore, system dispersion is ensured even when backing up to n:.

Since the output is selected between multiple processing contents stored in advance in the same controller, there is no time delay when downloading from the higher-level computer to the lower-level backup controller, making it possible to quickly respond to failures.

〔Example〕

Hereinafter, one embodiment of the present invention will be described based on the drawings.

2 to 5 are diagrams showing a first embodiment of the present invention, FIG. 2 is a block diagram of the embodiment, FIG. 3 is a diagram for explaining the format of forwarding data, and FIG. 4 is a diagram showing a first embodiment of the present invention. 5 is an explanatory diagram of the driving pattern of the embodiment of the same collision, and FIG. 5 is a circuit diagram showing a program selector used in the embodiment.

In the embodiment shown in FIG. 2, one backup control unit 5 is provided for n=5 control units 5.

In the embodiment shown in FIG. 2, 1 is a system bus, 2 is a control computer section, 3 is a plant interface section, 4 is a bus interface section, 5 is a backup control unit, 6 is a control unit, 7 is a remote terminal unit, 8 is a processing program, and 9 is a processing program selector.

IO is a plant object. Each control unit 5, 6 has an interface 4 with the system bus 1,
It is configured to include a processing program 8 and a processing program selector 9. At all times, each control unit (CUl, CUz.

CUa, CUa+ CUa)5 is the processing P t g
P xg P a *P4. Pa is executed, processed and output. Processing results and plant information required for the processing are in the form of transmission data 11 shown in FIG. 3, and are exchanged with the plant 10 via the remote terminal unit 7 of the system bust plant interface section 3. As shown in FIG. 3, the transmission data 11 includes address information (ADDR) 12. Control information (CTL
)13. It is composed of data (DATA) 14.

Each controller cU1 (1≦i≦5) 5 stores processing programs Pi, Pt+t, and normally outputs the processing results of <Pg as shown below. Note that Po is defined as a process that indicates doing nothing.

Now, if any one of Cut (1≦i≦5) fails, the backup shown in FIG. 4 is executed by the transmission information 11 shown in FIG. 3 and the processing program selector 9 shown in FIG. 5, which will be described in detail later. driving pattern 15 becomes possible.

In the control alternative pattern 15 of FIG. 4, if the failed unit is CU x (abnormal pattern I), the backup control unit 5 is selectively shifted from PO to P1, but CUzt CU 3. The processing output from CU4 gCU s remains unchanged, and if the faulty unit
In the case of U z (abnormal pattern ■), the processing output from CU 1 is selected and shifted from P1 to P2, and the backup control unit 5 is selected and shifted from PG to Pl, and C
The processing output from Ua, CUa, and CUs remains unchanged. Also when another control unit CUI malfunctions.
The process output by control unit CU J for >i remains unchanged, and the process output from control unit CU a for j<i is selectively shifted to PJ-+Pa+x.

In order to enable this control alternative pattern 15, a processing program selector 9 using the transmission data 11 is required. Transmission data 11 includes address information 12 including the ID number of the sending C controller. Control information including transmission controller failure information 13. On the other hand, the processing program selector 9 has a data section 14 containing comparators 17 . And gate 16. It is configured to include a processing program selection gate 20. Also, 18
is the process (Pl), and 19 is the process (Pt+t).

First, the comparator 17 compares the ID number of its own controller and the ID number of the sending controller using the address information 12 of the transmission data 11. Let's assume that the ID number is C.
i of u t, and when the sending controller fails, C
If we define TL = "1" and normal CTL = "0", and define the comparator 17 to set the Dt terminal to "1" when the AI terminal input value > the Az terminal input value, the comparison The output DI of the device 17 is sent to the transmitting side control unit CU.
a.

Among all combinations of self-control units Cut, it is 1''' only when j>i. Therefore, if the transmitting control unit is abnormal at this time, CTL
= "1", and the output of the AND gate 16 is set to "1". The processing program selection gate 20 is set to S='a
When C=A 2., S=n OH C: A
When configured as a two selector for t, among the processing contents of the self-controller, when S = "1", the processing (pt ÷ 1) 1
8, when S="0", the processing result of the process (Pl) 19 is output to the system bus 1 via the bus interface 4.

The processing program selector 9 is connected to each controller CUI.
It is a common logic for each, and the symmetry of the components (controllers) of one distributed system is ensured.

Note that the cTL information 13 and ADDR information 12 in FIG. 5 can be easily provided as external contact signals by a relay circuit that detects failures in other controllers.

6 and 7 show other embodiments of the present invention.

The control unit 6 has n=5. An example is shown in which the number of backup control units is 5=2.

In FIG. 6, the difference from the embodiment in FIG. 2 is that n
=5. In addition to being a 2-unit unit, a bus controller 23 is also provided.

In FIG. 7, a counter 22 counts the number of faulty controllers at the same time. However, in the controller to be counted, the output of the ANI) gate 16 is the input of the counter 22, so cuJ(j>i, i
is the ID number of its own controller). The 2-bit output of the counter 22 is input to the processing program selection gate 20. If this processing program selection gate 20 is realized by a multiplexer (MUX), the output (Do, Dz) of the counter 22 will be "0" rl
As J r2J is updated, the processing result of Ptr Ps+xp Pm+2 is selectively output to the output data 21.

By using the embodiment of the processing program selector 9 shown in FIG. 7, the controller for Pi, Pg, Pa, Pl, and pH when CU z spontaneously fails in FIG. g CU 1 m CU a * C
U 4 #CUa), and in addition to this, CUa
When the controller fails, the controller responsible for operation (CU-z(P
t)yCUO(Pa) *CUx(Pa)
t CU8 (Pl) + CUIS (P6), and while ensuring dispersion in which each process is output by one individual controller, backup operation is possible in case of failure of up to two controllers.

FIG. 1 is a system configuration diagram that generalizes the above idea in the form of n:. In FIG.

The backup control unit 5 is k (1≦k≦n
) units are prepared, and 6 (arbitrary integer) control units are prepared.

Various methods can be considered regarding the timing of switching processing programs. The bus controller 23 shown in the embodiment of FIG. 6 sets the transmission order of each node as CU1, CU2, etc.
・CU7. If it is defined as RTUt, an example is a method in which when the bus controller 23 detects an abnormality in the control unit 6 or 6 based on the transmission data 11, the transmission is redone from the CU i. Since the transmission data 11 is immediately transmitted to each control unit 5 or 6, the output signal is transmitted to the remote terminal unit 7 according to the allocation of the processing program at the time of backup by the operation of the processing program selector 9.

Control unit 5 is shown in FIGS. 8 and 9 with n=12
An example in which the number of backup control units 6 is 4 is shown. It can be seen that, as in the above embodiment, control can be continued by shifting the controller in charge of processing when a maximum of four controllers fail simultaneously.

To realize Figures 8 and 9, the pagoda can be created by expanding the logic in Figure 7. P 1 , P sex, P
sex.

This can be realized by a multiplexer (MUX) that selects one process from the five processes P c+a and P L+4. According to this logic, a C with an ID number greater than its own ID number, that is, i for Cut
When CU U fails, the processing content of CU i is shifted. The mechanism of this shift will be explained with reference to FIG. When the system is operating normally, processes P1 to P12 are executed by CU t "" CU t x. Now, if CU a breaks down, II 411 will connect a controller with a higher ID number than its own, that is, CU-s~
The processing of CU a is shifted, and before the failure of CU 4, the processing of CU a is shifted.
t = Processes P1 to P executed by CU 4
4 is now executed by CU o = CU a. Following CUa, CU e + CU -a +C
Even if Ua fails and fails simultaneously), a similar shift is performed and n=12. It can be seen that the system with 4 = 4 can withstand the failure of four microcontrollers at the same time.

According to this embodiment, backup in a digital distributed system can be realized at low cost without centrally storing information at the time of backup in a host computer. In a distributed system that uses 100 inexpensive models such as one-loop controllers as backup controllers, it is sufficient to prepare two or three of the same model. huge amount of processing,
There is no need for a host computer that requires storage capacity.

In addition, this system has homogeneous components (controller)
Because it is a homogeneous system, system expansion is extremely easy. for example.

In FIG. 2, when adding one controller, it is only necessary to connect this controller to the system bus 1 and load the new processing program P6 into the CU s and the new CUB.

Also, as is clear from the system configuration diagrams such as Figure 1, n
: System distribution is ensured even during backup operation.

Regarding the switching of processing output in response to a failure, since the backup processing contents are stored in each controller in advance, there is no need for loading work between computers, and the switching is quick.

The complicated hard interlocks for switching in the event of a failure, which were a problem in conventional systems, have been solved with future digital distributed systems in mind, where the controller section is separated from the input/output section and the two are connected via a system bus. Therefore, it is not necessary for the present invention.

〔Effect of the invention〕

As described above, the present invention has the advantage of providing a simple backup system that is inexpensive, quick to respond to failures, and essentially homogeneous.

[Brief explanation of drawings]

FIG. 1 is a block diagram showing a general system configuration for backing up to n=5 according to the present invention, and FIG. A system configuration diagram showing an example in which ==1, Figure 3 is a diagram showing the format of a message that transmits the operating status of each controller in the example, and Figure 4 is a diagram showing the format of a message that transmits the operating status of each controller in the same example. FIG. 5 is a circuit diagram showing a processing program selector that enables processing during backup in the same embodiment, and FIG. 6 is an explanatory diagram showing an operation pattern when n=5. 7 is a circuit diagram showing a processing program selector used in the embodiment of FIG. 6, and FIGS. 8 and 9 are system configuration diagrams showing an embodiment when n=2 in FIG. 12. FIG. 4 is an explanatory diagram shown to explain an example when 4 is set. 1... System bus, 5... Backup control unit, 6... Control unit, 7...
・Remote terminal unit, 8... Processing program, 9... Processing program selector, 11... Failure information transmission data, 12... Address information, 13... Control information, 15... Backup time Operation pattern, 16...AND gate, 17...Comparator, 20
...Processing program selection gate.

Claims (1)

[Claims] 1. A remote terminal unit connected to the system bus, and n (arbitrary integer) units connected to the system bus that control the operating end via the remote terminal unit, each having different processing contents. digital controllers, and k for these n digital controllers.
A distributed system backup method having (1≦k≦n) backup digital controllers, in which each of the n+k controllers is processed by a plurality of other controllers when the system is normal. The contents are stored in advance, and when other controller failure information is detected, processing program selection that selects and sets the optimal backup processing contents based on the failure information of other systems and the controller number information within the controller. A backup method in a distributed system characterized by the provision of a device. 2. The processing program selector sets n controllers as CU_1, CU_2,...CU_n, and sets k backup controllers as CU_-_k...CU_
0, and controller CU_i (1≦
When the processing content to be processed in i≦n) is P_i, by setting the maximum number of processes to be stored in each controller to k+1, in the event of a failure of the controllers within k, P_i
1. A backup method in a distributed system according to claim 1, characterized in that the system is configured such that n healthy controllers that output processing contents of P_n can be reset.