WO2023157365A1 - Functional safety device - Google Patents

Functional safety device

Info

Publication number: WO2023157365A1
Authority: WO (WIPO, PCT)
Prior art keywords: central processing, processing unit, voltage monitoring, voltage, unit
Application number: PCT/JP2022/035644
Other languages: French (fr), Japanese (ja)
Inventors: 茂倫 高野, 純利 川崎, 泰生 山口
Original assignee: 三菱電機株式会社 (Mitsubishi Electric Corporation)
Application filed by 三菱電機株式会社
Publication of WO2023157365A1

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B9/00 Safety arrangements
    • G05B9/02 Safety arrangements electric
    • G05B9/03 Safety arrangements electric with multiple-channel loop, i.e. redundant control systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F1/00 Details not covered by groups G06F3/00 - G06F13/00 and G06F21/00
    • G06F1/26 Power supply means, e.g. regulation thereof
    • G06F1/30 Means for acting in the event of power-supply failure or interruption, e.g. power-supply fluctuations

Definitions

  • This disclosure relates to functional safety devices.
  • It is known to ensure safety by providing two series of processing units for detecting abnormalities in the power supply voltage, where the power supply voltage supplied to one processing unit is monitored by the other processing unit.
  • Patent Document 1 discloses a programmable logic controller in which two voltage monitoring circuits, each including an AD converter, monitor the power supply voltages supplied to two MPUs respectively, and which has a function of notifying the occurrence of an abnormality when an abnormality in the power supply voltage is detected.
  • However, the controller described in Patent Document 1 has no function for checking the operation of the voltage monitoring circuits themselves. If an abnormality occurs in a voltage monitoring circuit before an abnormality occurs in the power supply voltage, an abnormal voltage value can no longer be detected.
  • Accordingly, an object of the present disclosure is to provide a functional safety device capable of detecting an abnormality occurring in a circuit that monitors the power supply voltage before an abnormality occurs in the power supply voltage.
  • A functional safety device according to the present disclosure includes: a plurality of central processing units that can communicate with each other; a power generation unit that generates a power supply voltage to be supplied to the plurality of central processing units; a plurality of voltage monitoring circuits, provided corresponding to each of the central processing units, that monitor whether the power supply voltage supplied to each central processing unit is an overvoltage or an undervoltage; a plurality of switches that cut off the supply of the power supply voltage to the plurality of central processing units when the power supply voltage supplied to the central processing units is an overvoltage or an undervoltage; and a plurality of cutoff confirmation circuits that output to each of the central processing units a cutoff confirmation signal indicating that the supply of the power supply voltage to the plurality of central processing units has been cut off.
  • When one central processing unit starts a check of the operation of the voltage monitoring circuit corresponding to another central processing unit, it outputs a cutoff notification signal, which instructs cutoff of the supply of the power supply voltage, to the voltage monitoring circuit corresponding to that other central processing unit.
  • As a result, an abnormality occurring in a voltage monitoring circuit can be detected before an abnormality occurs in the power supply voltage.
  • FIG. 1 is a block diagram schematically showing a configuration example of a functional safety device and its periphery according to Embodiment 1;
  • FIG. 2 is a block diagram showing a configuration example of a functional safety device according to Embodiment 1.
  • FIG. 3 is a block diagram showing a configuration example of a functional safety device according to Embodiment 2.
  • FIG. 4 is a block diagram showing a configuration example of a functional safety device and its periphery according to Embodiment 3.
  • FIG. 5 is a block diagram schematically showing a configuration example of a functional safety device and its periphery according to Embodiment 4.
  • FIG. 1 is a block diagram schematically showing a configuration example of a functional safety device 101 and its periphery according to Embodiment 1.
  • As shown in FIG. 1, the functional safety device 101 is communicatively connected to the detection unit 102 and the drive unit 113.
  • the drive unit 113 is controlled according to commands output from the functional safety device 101 .
  • the detection unit 102 detects the surrounding environment of the driving unit 113 .
  • The functional safety device 101 includes a first input unit 103, a second input unit 104, a first arithmetic processing unit 105, a second arithmetic processing unit 106, a first voltage supply unit 107, a second voltage supply unit 108, a first voltage monitoring unit 109, a second voltage monitoring unit 110, a first output unit 111, and a second output unit 112.
  • For example, the detection unit 102 may be a product that detects that a user has entered a restricted area while a production line in a factory is operating, and transmits a signal notifying the functional safety device 101 of that event.
  • The drive unit 113 may be, for example, a product that repeatedly moves a driven object on the factory production line, and is driven according to the control command output by the functional safety device 101.
  • The first input unit 103 and the second input unit 104 convert the signal received from the detection unit 102 into a format that can be input to the first arithmetic processing unit 105 and the second arithmetic processing unit 106, respectively, and output the converted signal to them.
  • a program created by the user is registered in advance in the first arithmetic processing unit 105 and the second arithmetic processing unit 106 .
  • The first arithmetic processing unit 105 and the second arithmetic processing unit 106 use the program created by the user and the signals received from the first input unit 103 and the second input unit 104 to calculate control commands such that the outputs correspond to the inputs, and output the calculated control commands to the first output unit 111 and the second output unit 112, respectively.
  • Two arithmetic processing units 105 and 106 are provided so that no control command that would cause the drive unit 113 to operate erroneously is generated; safety is guaranteed by this redundancy.
  • The first voltage supply unit 107 and the second voltage supply unit 108 are provided corresponding to the first arithmetic processing unit 105 and the second arithmetic processing unit 106, respectively, and generate the power supply voltage each of them requires.
  • The first voltage monitoring unit 109 and the second voltage monitoring unit 110 monitor whether the power supply voltages generated by the first voltage supply unit 107 and the second voltage supply unit 108, respectively, are an overvoltage or an undervoltage.
  • When an overvoltage or undervoltage is detected, safety is ensured by taking measures to prevent that power supply voltage from being supplied to the first arithmetic processing unit 105 and the second arithmetic processing unit 106.
  • The first output unit 111 and the second output unit 112 convert the signals received from the first arithmetic processing unit 105 and the second arithmetic processing unit 106, respectively, into a format that can be input to the drive unit 113, and output the converted signals to the drive unit 113.
  • Because the components on the transmitting side and the receiving side conform to the functional safety standard IEC 61508, a black channel may be employed: the communication path between the transmitting side and the receiving side does not itself need to conform to IEC 61508, since the conforming end points are responsible for detecting transmission errors.
  • For example, when a user enters the restricted area while the drive unit 113 is repeatedly moving a driven object on the factory production line, the detection unit 102 notifies the functional safety device 101 that the user has entered the restricted area.
  • The functional safety device 101 can then ensure the user's safety by taking measures to stop the drive unit 113 safely.
  • If an abnormality occurs in the first voltage supply unit 107 or the second voltage supply unit 108, which supply the power supply voltage to the first arithmetic processing unit 105 and the second arithmetic processing unit 106, and its output becomes an overvoltage or undervoltage, the arithmetic processing unit receiving that power supply voltage cannot perform correct operations. Even though the detection unit 102 notifies the functional safety device 101 that a user has entered the restricted area, the drive unit 113 may then not be stopped safely.
  • the functional safety device 101 is designed to solve such problems, and will be described in detail below.
  • FIG. 2 is a block diagram showing a configuration example of the functional safety device 101 according to Embodiment 1, and is a detailed diagram of the main part of the functional safety device 101 shown in FIG. 1.
  • The functional safety device 101 includes a power generation unit 204, a first central processing unit 205, a second central processing unit 206, a first voltage monitoring circuit 207, a second voltage monitoring circuit 208, a first switch 209, a second switch 210, a first cutoff confirmation circuit 211, and a second cutoff confirmation circuit 212.
  • the power generation unit 204 corresponds to the first voltage supply unit 107 and the second voltage supply unit 108 .
  • the first central processing unit 205 corresponds to the first arithmetic processing unit 105
  • the second central processing unit 206 corresponds to the second arithmetic processing unit 106 .
  • The first voltage monitoring circuit 207, the first switch 209, and the first cutoff confirmation circuit 211 correspond to the first voltage monitoring unit 109.
  • The second voltage monitoring circuit 208, the second switch 210, and the second cutoff confirmation circuit 212 correspond to the second voltage monitoring unit 110.
  • The power generation unit 204 converts the reference voltage 201 supplied to the functional safety device 101 to another voltage value, generating the supply voltage 203 as the power supply voltage to be supplied to the first central processing unit 205 and the second central processing unit 206.
  • The generated supply voltage 203 is also supplied directly to the first voltage monitoring circuit 207 and the second voltage monitoring circuit 208 as the monitoring voltage 202.
  • The supply voltage 203 is supplied to the first central processing unit 205 and the second central processing unit 206 via the first switch 209 and the first cutoff confirmation circuit 211, and in parallel via the second switch 210 and the second cutoff confirmation circuit 212.
  • When the first central processing unit 205 starts a check of the operation of the second voltage monitoring circuit 208 as a circuit that monitors the voltage value, it outputs cutoff notification 1, a signal that causes the second voltage monitoring circuit 208 to pseudo-detect an overvoltage or undervoltage, to the second voltage monitoring circuit 208.
  • When the second central processing unit 206 starts a check of the operation of the first voltage monitoring circuit 207 as a circuit that monitors the voltage value, it outputs cutoff notification 2, a signal that causes the first voltage monitoring circuit 207 to pseudo-detect an overvoltage or undervoltage, to the first voltage monitoring circuit 207.
  • The first voltage monitoring circuit 207 determines whether the monitoring voltage 202 is an overvoltage or undervoltage from the difference between the reference voltage 201 supplied to the functional safety device 101 and the monitoring voltage 202, which is the supply voltage 203 supplied to the first central processing unit 205. When it determines that an overvoltage or undervoltage has occurred, or when cutoff notification 2 is input from the second central processing unit 206, it outputs cutoff command 1, a signal that switches the first switch 209 so as to cut off the supply voltage 203 supplied to the first central processing unit 205, to the first switch 209.
  • The second voltage monitoring circuit 208 determines whether the monitoring voltage 202 is an overvoltage or undervoltage from the difference between the reference voltage 201 supplied to the functional safety device 101 and the monitoring voltage 202, which is the supply voltage 203 supplied to the second central processing unit 206. When it determines that an overvoltage or undervoltage has occurred, or when cutoff notification 1 is input from the first central processing unit 205, it outputs cutoff command 2, a signal that switches the second switch 210 so as to cut off the supply voltage 203 supplied to the second central processing unit 206, to the second switch 210.
  • The first switch 209 cuts off the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206 when cutoff command 1 is input from the first voltage monitoring circuit 207.
  • The second switch 210 cuts off the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206 when cutoff command 2 is input from the second voltage monitoring circuit 208.
  • The first cutoff confirmation circuit 211 monitors the voltage supplied to the first central processing unit 205 and the second central processing unit 206 via the first switch 209.
  • When the first cutoff confirmation circuit 211 detects that the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206 has been cut off by the first switch 209, it outputs cutoff confirmation 1, a signal indicating that the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206 has been cut off, to the first central processing unit 205.
  • The second cutoff confirmation circuit 212 monitors the voltage supplied to the first central processing unit 205 and the second central processing unit 206 via the second switch 210.
  • When the second cutoff confirmation circuit 212 detects that the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206 has been cut off by the second switch 210, it outputs cutoff confirmation 2, a signal indicating that the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206 has been cut off, to the second central processing unit 206.
  • The first central processing unit 205 and the second central processing unit 206 communicate with each other. When one central processing unit has output a cutoff notification, the other central processing unit confirms that the corresponding cutoff confirmation has been output to it, and the two central processing units thereby determine that the voltage monitoring circuit corresponding to that other central processing unit is operating normally.
  • The following describes, for three cases, how the functional safety device 101 detects that an overvoltage or undervoltage has occurred in the monitoring voltage 202 and prevents the abnormal voltage from being continuously supplied to the first central processing unit 205 and the second central processing unit 206.
  • The first case is when the first voltage monitoring circuit 207 and the second voltage monitoring circuit 208 both operate normally.
  • The second case is when the first voltage monitoring circuit 207 has failed and only the second voltage monitoring circuit 208 operates normally.
  • The third case is when the second voltage monitoring circuit 208 has failed and only the first voltage monitoring circuit 207 operates normally.
  • In the first case, the supply voltage 203, which is supplied to the first central processing unit 205 and the second central processing unit 206 after voltage conversion by the power generation unit 204, is also supplied to the first voltage monitoring circuit 207 and the second voltage monitoring circuit 208 as the monitoring voltage 202. The first voltage monitoring circuit 207 and the second voltage monitoring circuit 208 determine from the difference between the reference voltage 201 supplied to the functional safety device 101 and the monitoring voltage 202 whether an overvoltage or undervoltage has occurred in the monitoring voltage 202.
  • When the first voltage monitoring circuit 207 determines that the monitoring voltage 202 is an overvoltage or undervoltage, it outputs cutoff command 1 to the first switch 209. Likewise, when the second voltage monitoring circuit 208 determines that the monitoring voltage 202 is an overvoltage or undervoltage, it outputs cutoff command 2 to the second switch 210.
  • The first switch 209 cuts off the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206 when cutoff command 1 is input from the first voltage monitoring circuit 207. Likewise, the second switch 210 cuts off the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206 when cutoff command 2 is input from the second voltage monitoring circuit 208.
  • Because both the first switch 209 and the second switch 210 cut off the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206, the abnormal voltage is not continuously supplied to the first central processing unit 205 and the second central processing unit 206.
  • In the second case, as in the first, the supply voltage 203 is supplied to the first voltage monitoring circuit 207 and the second voltage monitoring circuit 208 as the monitoring voltage 202, and each circuit determines from the difference between the reference voltage 201 and the monitoring voltage 202 whether an overvoltage or undervoltage has occurred in the monitoring voltage 202.
  • When the second voltage monitoring circuit 208 determines that the monitoring voltage 202 is an overvoltage or undervoltage, it outputs cutoff command 2 to the second switch 210. The first voltage monitoring circuit 207, having lost its ability to determine an overvoltage or undervoltage because of the failure, does not output cutoff command 1 to the first switch 209.
  • The second switch 210 cuts off the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206 when cutoff command 2 is input from the second voltage monitoring circuit 208.
  • The first switch 209 does not cut off the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206, because cutoff command 1 is not input from the first voltage monitoring circuit 207.
  • Because the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206 has been cut off by the second switch 210, the second cutoff confirmation circuit 212 outputs cutoff confirmation 2 to the second central processing unit 206. On the other hand, because the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206 has not been cut off by the first switch 209, the first cutoff confirmation circuit 211 does not output cutoff confirmation 1 to the first central processing unit 205.
  • The first central processing unit 205 and the second central processing unit 206 are in mutual communication: the second central processing unit 206 transmits to the first central processing unit 205 that cutoff confirmation 2 has been input from the second cutoff confirmation circuit 212, and the first central processing unit 205 transmits to the second central processing unit 206 that cutoff confirmation 1 has not been input from the first cutoff confirmation circuit 211.
  • From this exchange, the first central processing unit 205 and the second central processing unit 206 detect that the monitoring voltage 202 is an overvoltage or undervoltage, and determine that the second voltage monitoring circuit 208 is operating normally and that the first voltage monitoring circuit 207 is not operating normally.
  • The first central processing unit 205 and the second central processing unit 206 then stop their own operation, so that continued supply of the abnormal voltage to the first central processing unit 205 and the second central processing unit 206 is avoided.
  • In the third case, as in the first, the supply voltage 203 is supplied to the first voltage monitoring circuit 207 and the second voltage monitoring circuit 208 as the monitoring voltage 202, and each circuit determines from the difference between the reference voltage 201 and the monitoring voltage 202 whether an overvoltage or undervoltage has occurred in the monitoring voltage 202.
  • When the first voltage monitoring circuit 207 determines that the monitoring voltage 202 is an overvoltage or undervoltage, it outputs cutoff command 1 to the first switch 209. The second voltage monitoring circuit 208, having lost its ability to determine an overvoltage or undervoltage because of the failure, does not output cutoff command 2 to the second switch 210.
  • The first switch 209 cuts off the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206 when cutoff command 1 is input from the first voltage monitoring circuit 207.
  • The second switch 210 does not cut off the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206, because cutoff command 2 is not input from the second voltage monitoring circuit 208.
  • Because the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206 has been cut off by the first switch 209, the first cutoff confirmation circuit 211 outputs cutoff confirmation 1 to the first central processing unit 205. On the other hand, because the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206 has not been cut off by the second switch 210, the second cutoff confirmation circuit 212 does not output cutoff confirmation 2 to the second central processing unit 206.
  • The first central processing unit 205 and the second central processing unit 206 are in mutual communication: the first central processing unit 205 transmits to the second central processing unit 206 that cutoff confirmation 1 has been input from the first cutoff confirmation circuit 211, and the second central processing unit 206 transmits to the first central processing unit 205 that cutoff confirmation 2 has not been input from the second cutoff confirmation circuit 212.
  • From this exchange, the first central processing unit 205 and the second central processing unit 206 detect that the monitoring voltage 202 is an overvoltage or undervoltage, and determine that the first voltage monitoring circuit 207 is operating normally and that the second voltage monitoring circuit 208 is not operating normally.
  • The first central processing unit 205 and the second central processing unit 206 then stop their own operation, so that continued supply of the abnormal voltage to the first central processing unit 205 and the second central processing unit 206 is avoided.
  • Next, the check of the operation of the first voltage monitoring circuit 207 and the second voltage monitoring circuit 208 performed by the functional safety device 101 is described.
  • The flow of the operation check of the first voltage monitoring circuit 207 and the second voltage monitoring circuit 208 is as follows.
  • The operation check of the first voltage monitoring circuit 207 and the second voltage monitoring circuit 208 is performed at start-up of the functional safety device 101 and at regular intervals during operation.
  • Before the first voltage monitoring circuit 207 is checked, the second central processing unit 206 confirms that "the second central processing unit 206 has not output cutoff notification 2 to the first voltage monitoring circuit 207", and the first central processing unit 205 confirms that "the first central processing unit 205 has not had cutoff confirmation 1 input from the first cutoff confirmation circuit 211".
  • The second central processing unit 206 then outputs cutoff notification 2 to the first voltage monitoring circuit 207.
  • The first voltage monitoring circuit 207 outputs cutoff command 1 to the first switch 209 when cutoff notification 2 is input from the second central processing unit 206.
  • The first switch 209 cuts off the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206 when cutoff command 1 is input from the first voltage monitoring circuit 207. At this time, the supply voltage 203 continues to be supplied to the first central processing unit 205 and the second central processing unit 206 via the second switch 210 and the second cutoff confirmation circuit 212.
  • When the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206 is cut off by the first switch 209, the first cutoff confirmation circuit 211 outputs cutoff confirmation 1 to the first central processing unit 205.
  • The first central processing unit 205 and the second central processing unit 206 are in communication with each other: the second central processing unit 206 transmits to the first central processing unit 205 that it has output cutoff notification 2 to the first voltage monitoring circuit 207, and the first central processing unit 205 transmits to the second central processing unit 206 that cutoff confirmation 1 has been input from the first cutoff confirmation circuit 211.
  • From the content of this mutual communication, the first central processing unit 205 and the second central processing unit 206 determine that the first voltage monitoring circuit 207 is operating normally.
  • Before the second voltage monitoring circuit 208 is checked, the first central processing unit 205 confirms that "the first central processing unit 205 has not output cutoff notification 1 to the second voltage monitoring circuit 208", and the second central processing unit 206 confirms that "the second central processing unit 206 has not had cutoff confirmation 2 input from the second cutoff confirmation circuit 212".
  • The first central processing unit 205 then outputs cutoff notification 1 to the second voltage monitoring circuit 208.
  • The second voltage monitoring circuit 208 outputs cutoff command 2 to the second switch 210 when cutoff notification 1 is input from the first central processing unit 205.
  • The second switch 210 cuts off the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206 when cutoff command 2 is input from the second voltage monitoring circuit 208. At this time, the supply voltage 203 continues to be supplied to the first central processing unit 205 and the second central processing unit 206 via the first switch 209 and the first cutoff confirmation circuit 211.
  • When the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206 is cut off by the second switch 210, the second cutoff confirmation circuit 212 outputs cutoff confirmation 2 to the second central processing unit 206.
  • The first central processing unit 205 and the second central processing unit 206 are in communication with each other: the first central processing unit 205 transmits to the second central processing unit 206 that it has output cutoff notification 1 to the second voltage monitoring circuit 208, and the second central processing unit 206 transmits to the first central processing unit 205 that cutoff confirmation 2 has been input from the second cutoff confirmation circuit 212.
  • From the content of this mutual communication, the first central processing unit 205 and the second central processing unit 206 determine that the second voltage monitoring circuit 208 is operating normally.
  • As described above, the functional safety device 101 according to Embodiment 1 includes a plurality of central processing units that can communicate with each other, a power generation unit 204 that generates a power supply voltage to be supplied to the plurality of central processing units, a plurality of voltage monitoring circuits, provided corresponding to each central processing unit, that monitor whether the power supply voltage supplied to each central processing unit is an overvoltage or an undervoltage, a plurality of switches that cut off the supply of the power supply voltage to the plurality of central processing units, and a plurality of cutoff confirmation circuits that output to each central processing unit a cutoff confirmation signal indicating that the supply of the power supply voltage to the plurality of central processing units has been cut off.
  • Among the plurality of central processing units, when one central processing unit starts a check of the operation of the voltage monitoring circuit corresponding to another central processing unit, it outputs a cutoff notification signal instructing cutoff of the supply of the power supply voltage to the voltage monitoring circuit corresponding to that other central processing unit, and the other central processing unit confirms whether or not a cutoff confirmation signal is output in response to the cutoff notification signal.
  • The plurality of central processing units include a first central processing unit 205 and a second central processing unit 206.
  • The plurality of voltage monitoring circuits include a first voltage monitoring circuit 207 corresponding to the first central processing unit 205 and a second voltage monitoring circuit 208 corresponding to the second central processing unit 206, and the plurality of switches include a first switch 209 corresponding to the first central processing unit 205 and a second switch 210 corresponding to the second central processing unit 206.
  • The plurality of cutoff confirmation circuits include a first cutoff confirmation circuit 211 corresponding to the first central processing unit 205 and a second cutoff confirmation circuit 212 corresponding to the second central processing unit 206.
  • FIG. 3 is a block diagram showing a configuration example of the functional safety device 101 according to Embodiment 2, and is a detailed diagram of the main part of the functional safety device 101 shown in FIG. 1.
  • the same components as those described in the first embodiment are denoted by the same reference numerals, and the description thereof is omitted.
  • <Configuration of functional safety device> Above, a configuration with two central processing units is shown, but products that require even higher safety, such as those used in power plants, have three or more central processing units, and if two or more of the three match, the matching operation result is adopted.
  • In the second embodiment, a configuration with three central processing units and the flow of checking the operation of the voltage monitoring circuits will be described.
  • the functional safety device 101 has a third central processing unit 307, a third voltage monitoring circuit 309, a third switch 311, and a third cutoff confirmation circuit 313 added.
  • the second central processing unit 206 confirms that "the second central processing unit 206 has not output cutoff notification 2 to the first voltage monitoring circuit 207",
  • the third central processing unit 307 confirms that "the third central processing unit 307 has not output cutoff notification 3 to the first voltage monitoring circuit 207", and
  • the first central processing unit 205 confirms that "the first central processing unit 205 has not input cutoff confirmation 1 from the first cutoff confirmation circuit 211".
  • the second central processing unit 206 outputs cutoff notification 2 to the first voltage monitoring circuit 207, and
  • the third central processing unit 307 outputs cutoff notification 3 to the first voltage monitoring circuit 207.
  • the first voltage monitoring circuit 207 outputs cutoff command 1 to the first switch 209 when cutoff notification 2 is input from the second central processing unit 206 and cutoff notification 3 is input from the third central processing unit 307.
  • the first central processing unit 205, the second central processing unit 206, and the third central processing unit 307 are in mutual communication; the second central processing unit 206 transmits to the first central processing unit 205 that it has output cutoff notification 2 to the first voltage monitoring circuit 207,
  • the third central processing unit 307 transmits to the first central processing unit 205 that it has output cutoff notification 3 to the first voltage monitoring circuit 207, and the first central processing unit 205 transmits to the second central processing unit 206 and the third central processing unit 307 that cutoff confirmation 1 has been input from the first cutoff confirmation circuit 211.
  • the first central processing unit 205 confirms that "the first central processing unit 205 has not output cutoff notification 1 to the second voltage monitoring circuit 208", the third central processing unit 307 confirms that "the third central processing unit 307 has not output cutoff notification 3 to the second voltage monitoring circuit 208", and the second central processing unit 206 confirms that "the second central processing unit 206 has not input cutoff confirmation 2 from the second cutoff confirmation circuit 212".
  • the check confirms that the second voltage monitoring circuit 208 can output to the second switch 210 the cutoff command 2 that it outputs when it detects that the monitored voltage 202 is overvoltage or undervoltage. Therefore, the first central processing unit 205 outputs cutoff notification 1 to the second voltage monitoring circuit 208, and the third central processing unit 307 outputs cutoff notification 3 to the second voltage monitoring circuit 208.
  • the second voltage monitoring circuit 208 outputs cutoff command 2 to the second switch 210 when cutoff notification 1 is input from the first central processing unit 205 and cutoff notification 3 is input from the third central processing unit 307.
  • the first central processing unit 205, the second central processing unit 206, and the third central processing unit 307 are in mutual communication; the first central processing unit 205 transmits to the second central processing unit 206 that it has output cutoff notification 1 to the second voltage monitoring circuit 208,
  • the third central processing unit 307 transmits to the second central processing unit 206 that it has output cutoff notification 3 to the second voltage monitoring circuit 208, and the second central processing unit 206 transmits to the first central processing unit 205 and the third central processing unit 307 that cutoff confirmation 2 has been input from the second cutoff confirmation circuit 212.
  • the first central processing unit 205 confirms that "the first central processing unit 205 has not output cutoff notification 1 to the third voltage monitoring circuit 309", the second central processing unit 206 confirms that "the second central processing unit 206 has not output cutoff notification 2 to the third voltage monitoring circuit 309", and the third central processing unit 307 confirms that "the third central processing unit 307 has not input cutoff confirmation 3 from the third cutoff confirmation circuit 313".
  • the check confirms that the third voltage monitoring circuit 309 can output to the third switch 311 the cutoff command 3 that it outputs when it detects that the monitored voltage 202 is overvoltage or undervoltage. Therefore, the first central processing unit 205 outputs cutoff notification 1 to the third voltage monitoring circuit 309, and the second central processing unit 206 outputs cutoff notification 2 to the third voltage monitoring circuit 309.
  • the third voltage monitoring circuit 309 outputs cutoff command 3 to the third switch 311 when cutoff notification 1 is input from the first central processing unit 205 and cutoff notification 2 is input from the second central processing unit 206.
  • the third switch 311 cuts off the supply voltage 203 supplied to the first central processing unit 205, the second central processing unit 206, and the third central processing unit 307 when cutoff command 3 is input from the third voltage monitoring circuit 309. At this time, the supply voltage 203 continues to be supplied to the first central processing unit 205, the second central processing unit 206, and the third central processing unit 307 via the first cutoff confirmation circuit 211 and the second cutoff confirmation circuit 212.
  • the first central processing unit 205, the second central processing unit 206, and the third central processing unit 307 are in mutual communication; the first central processing unit 205 transmits to the third central processing unit 307 that it has output cutoff notification 1 to the third voltage monitoring circuit 309,
  • the second central processing unit 206 transmits to the third central processing unit 307 that it has output cutoff notification 2 to the third voltage monitoring circuit 309, and
  • the third central processing unit 307 transmits to the first central processing unit 205 and the second central processing unit 206 that cutoff confirmation 3 has been input from the third cutoff confirmation circuit 313.
  • the plurality of central processing units include a first central processing unit 205, a second central processing unit 206, and a third central processing unit 307, and the plurality of voltage monitoring circuits include a first voltage monitoring circuit 207 corresponding to the first central processing unit 205, a second voltage monitoring circuit 208 corresponding to the second central processing unit 206, and a third voltage monitoring circuit 309 corresponding to the third central processing unit 307,
  • the plurality of switches include a first switch 209 corresponding to the first central processing unit 205, a second switch 210 corresponding to the second central processing unit 206, and a third switch 311 corresponding to the third central processing unit 307, and
  • the plurality of cutoff confirmation circuits include a first cutoff confirmation circuit 211 corresponding to the first central processing unit 205, a second cutoff confirmation circuit 212 corresponding to the second central processing unit 206, and
  • a third cutoff confirmation circuit 313 corresponding to the third central processing unit 307.
  • among the first voltage monitoring circuit 207, the second voltage monitoring circuit 208, and the third voltage monitoring circuit 309, one voltage monitoring circuit starts the check of its own operation by receiving the cutoff notifications output from the two central processing units to which it does not correspond.
  • since the operation check is started only after two cutoff notifications have been input to the voltage monitoring circuit, an unintended operation check of the voltage monitoring circuit can be suppressed when one central processing unit erroneously outputs a cutoff notification.
  • FIG. 4 is a block diagram showing a configuration example of a functional safety device and its periphery according to Embodiment 3, and is a detailed view of the configuration shown in FIG.
  • the same components as those described in Embodiments 1 and 2 are denoted by the same reference numerals, and descriptions thereof are omitted.
  • the functional safety device 101 has a detection unit 102, a first input unit 103, a second input unit 104, a first output unit 111, a second output unit 112, and a driving unit 113 added to the configuration shown in FIG.
  • when the first switch 209 and the second switch 210 cut off the supply voltage 203 supplied to the first central processing unit 205 and the second central processing unit 206, so that the supply voltage 203 is no longer supplied to the first central processing unit 205 and the second central processing unit 206, communication between the first central processing unit 205 and the first input unit 103, between the second central processing unit 206 and the second input unit 104, between the first central processing unit 205 and the first output unit 111, and between the second central processing unit 206 and the second output unit 112 is disconnected.
  • the drive unit 113 determines that an abnormality has occurred in the first central processing unit 205 and the second central processing unit 206 due to the disconnection of communication, and safely stops itself.
  • the second central processing unit 206 confirms that "the second central processing unit 206 has not output the shutdown notification 2 to the first voltage monitoring circuit 207", and the first central processing unit 205 confirms that "the first central processing unit 205 has not input shutdown confirmation 1 from the first shutdown confirmation circuit 211".
  • the second central processing unit 206 outputs cutoff notification 2 to the first voltage monitoring circuit 207.
  • since the first voltage monitoring circuit 207 is out of order, it does not output cutoff command 1 to the first switch 209 even if cutoff notification 2 is input from the second central processing unit 206.
  • the first switch 209 does not cut off the supply voltage 203 supplied to the first central processing unit 205 and the second central processing unit 206 because cutoff command 1 is not input from the first voltage monitoring circuit 207.
  • since the supply voltage 203 supplied to the first central processing unit 205 and the second central processing unit 206 is not cut off by the first switch 209, the first cutoff confirmation circuit 211 does not output cutoff confirmation 1 to the first central processing unit 205.
  • the first central processing unit 205 and the second central processing unit 206 are in communication with each other; the second central processing unit 206 transmits to the first central processing unit 205 that it has output cutoff notification 2 to the first voltage monitoring circuit 207, and the first central processing unit 205 transmits to the second central processing unit 206 that cutoff confirmation 1 has not been input from the first cutoff confirmation circuit 211.
  • from the content of the mutual communication, the first central processing unit 205 and the second central processing unit 206 judge that the first voltage monitoring circuit 207 is not operating normally.
  • the drive unit 113 determines that an abnormality has occurred in the first central processing unit 205 and the second central processing unit 206 due to the disconnection of communication, and safely stops itself.
  • the first central processing unit 205 confirms that "the first central processing unit 205 has not output the shutdown notification 1 to the second voltage monitoring circuit 208", and the second central processing unit 206 confirms that "the second central processing unit 206 has not input the shutdown confirmation 2 from the second shutdown confirmation circuit 212".
  • the first central processing unit 205 outputs cutoff notification 1 to the second voltage monitoring circuit 208.
  • since the second voltage monitoring circuit 208 is out of order, it does not output cutoff command 2 to the second switch 210 even if cutoff notification 1 is input from the first central processing unit 205.
  • the second switch 210 does not cut off the supply voltage 203 supplied to the first central processing unit 205 and the second central processing unit 206 because cutoff command 2 is not input from the second voltage monitoring circuit 208.
  • since the supply voltage 203 supplied to the first central processing unit 205 and the second central processing unit 206 is not cut off by the second switch 210, the second cutoff confirmation circuit 212 does not output cutoff confirmation 2 to the second central processing unit 206.
  • the first central processing unit 205 and the second central processing unit 206 are in communication with each other; the first central processing unit 205 transmits to the second central processing unit 206 that it has output cutoff notification 1 to the second voltage monitoring circuit 208, and
  • the second central processing unit 206 transmits to the first central processing unit 205 that cutoff confirmation 2 has not been input from the second cutoff confirmation circuit 212.
  • from the content of the mutual communication between the first central processing unit 205 and the second central processing unit 206, the first central processing unit 205 and the second central processing unit 206 judge that the second voltage monitoring circuit 208 is not operating normally.
  • the first central processing unit 205 and the second central processing unit 206 stop their own operation, so that communication between the first central processing unit 205 and the first input unit 103, between the second central processing unit 206 and the second input unit 104, between the first central processing unit 205 and the first output unit 111, and between the second central processing unit 206 and the second output unit 112 is disconnected.
  • the drive unit 113 determines that an abnormality has occurred in the first central processing unit 205 and the second central processing unit 206 due to the disconnection of communication, and safely stops itself.
  • the plurality of central processing units are communicably connected to the driving unit 113, which is controlled according to the command output from the functional safety device 101, and to the detection unit 102, which detects the surrounding environment of the driving unit 113.
  • when the plurality of central processing units stop their own operation, communication with the driving unit 113 and the detection unit 102 is disconnected.
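As an added illustration that is not part of the patent, the following Python simulation models the operation check of Embodiments 2 and 3 above for any number of central processing units: a voltage monitoring circuit triggers only after cutoff notifications from every central processing unit it does not correspond to, the cutoff confirmation is fed back only if the path was actually cut, and the units judge jointly from the mutual communication; a fault flag models an out-of-order circuit. Class and function names are assumptions.

```python
"""Simulation of the voltage monitoring circuit operation check (added
example; class/function names are assumptions, not the patent's own)."""

from dataclasses import dataclass, field


@dataclass
class VoltageMonitoringCircuit:
    """Corresponds to one CPU; starts its own operation check only after
    cutoff notifications from every *other* CPU have been received."""
    cpu_id: int
    n_cpus: int
    out_of_order: bool = False          # fault injection for the failure flow
    notifications: set = field(default_factory=set)

    def notify(self, from_cpu: int) -> bool:
        """Input one cutoff notification. Returns True when the cutoff
        command is output to the corresponding switch."""
        if from_cpu == self.cpu_id:
            return False                 # a CPU never notifies its own circuit
        self.notifications.add(from_cpu)
        required = set(range(self.n_cpus)) - {self.cpu_id}
        if self.notifications != required:
            return False                 # fewer than n-1 notifications: no trigger
        self.notifications.clear()
        return not self.out_of_order     # a faulty circuit never outputs the command


def run_operation_check(n_cpus: int, target: int, faulty: bool = False) -> dict:
    """One operation check of the voltage monitoring circuit corresponding
    to CPU `target`. Returns the facts exchanged over the mutual
    communication and the joint verdict of all CPUs."""
    vmc = VoltageMonitoringCircuit(target, n_cpus, out_of_order=faulty)
    # Precondition of the check: nothing notified yet, no confirmation input.
    notified = set()
    path_cut = False
    # Every CPU other than the target outputs its cutoff notification.
    for cpu in range(n_cpus):
        if cpu == target:
            continue
        notified.add(cpu)
        # The switch cuts its path only when the circuit outputs the command.
        path_cut = vmc.notify(cpu) or path_cut
    # The cutoff confirmation circuit confirms only if the path was cut.
    confirmation_input = path_cut
    # Mutual communication: each notifier reports "I output my notification",
    # the target reports whether the confirmation was input; all CPUs see
    # the same facts and reach the same verdict.
    all_notified = notified == set(range(n_cpus)) - {target}
    normal = all_notified and confirmation_input
    return {
        "notified_by": sorted(notified),
        "confirmation_input": confirmation_input,
        "circuit_normal": normal,
        "cpus_self_stop": not normal,    # abnormal circuit: CPUs stop themselves
    }


def single_erroneous_notification(n_cpus: int, target: int, from_cpu: int) -> bool:
    """Embodiment 2 property: with three or more CPUs, one erroneous cutoff
    notification alone never triggers the check. Returns whether a cutoff
    command was output."""
    vmc = VoltageMonitoringCircuit(target, n_cpus)
    return vmc.notify(from_cpu)


if __name__ == "__main__":
    print(run_operation_check(3, 0))                 # healthy circuit, 3 CPUs
    print(run_operation_check(2, 1, faulty=True))    # out-of-order circuit, 2 CPUs
    print(single_erroneous_notification(3, 0, 1))    # False: one notification is not enough
```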
  • FIG. 5 is a block diagram schematically showing a configuration example of the functional safety device 101 and its periphery according to the fourth embodiment.
  • the same components as those described in Embodiments 1 to 3 are denoted by the same reference numerals, and descriptions thereof are omitted.
  • the functional safety device 101 is communicably connected to the detection unit 102 , the driving unit 113 and the user interface unit 501 .
  • the drive unit 113 is controlled according to commands output from the functional safety device 101 .
  • the detection unit 102 detects the surrounding environment of the driving unit 113 .
  • the user interface unit 501 enables a program created by the user of the functional safety device 101 to be registered in the functional safety device 101 and notifies the user of the functional safety device 101 of the operating state of the functional safety device 101.
  • the functional safety device 101 is configured by combining three devices: an input device 502, an arithmetic device 503, and an output device 504.
  • the input device 502 has a first input unit 103, a second input unit 104, a first voltage supply unit 505, a second voltage supply unit 506, a first voltage monitoring unit 507, and a second voltage monitoring unit 508.
  • the arithmetic device 503 has a first arithmetic processing unit 105, a second arithmetic processing unit 106, a first voltage supply unit 107, a second voltage supply unit 108, a first voltage monitoring unit 109, and a second voltage monitoring unit 110.
  • the output device 504 has a first output unit 111, a second output unit 112, a first voltage supply unit 509, a second voltage supply unit 510, a first voltage monitoring unit 511, and a second voltage monitoring unit 512.
  • the detection unit 102 may be a product that detects that a user has entered a restricted area during operation on a production line in a factory, and transmits a signal notifying that effect to the functional safety device 101.
  • the drive unit 113 may be a product that repeatedly moves a driven object on a factory production line, and drives according to the control command output by the functional safety device 101.
  • the input device 502 and the arithmetic device 503 have one communication path, and the first input unit 103 of the input device 502 and the first arithmetic processing unit 105 of the arithmetic device 503 communicate.
  • the first input unit 103 converts the signal received from the detection unit 102 into a format that can be input to the first arithmetic processing unit 105 and outputs the signal to the first arithmetic processing unit 105 .
  • two input units, 103 and 104, are provided in order to diagnose that the first input unit 103 is not performing incorrect input processing, and safety is guaranteed thereby.
  • the first voltage supply unit 505 and the second voltage supply unit 506 are provided corresponding to the first input unit 103 and the second input unit 104, respectively, and generate the power supply voltage required by the first input unit 103 and the second input unit 104.
  • a first voltage monitoring unit 507 and a second voltage monitoring unit 508 monitor whether the power supply voltage supplied to the first voltage supply unit 505 and the second voltage supply unit 506, respectively, is overvoltage or undervoltage, and
  • safety is ensured by taking measures to prevent the power supply voltage from being supplied to the first input unit 103 and the second input unit 104 in that case.
  • the arithmetic device 503 and the output device 504 have one communication path, and the first arithmetic processing unit 105 of the arithmetic device 503 and the first output unit 111 of the output device 504 communicate.
  • a program created by the user is registered in advance in the first arithmetic processing unit 105.
  • the first arithmetic processing unit 105 uses the program created by the user and the signal received from the first input unit 103 to calculate a control command for the driving unit 113 so as to produce an output corresponding to the input, and outputs the control command to the first output unit 111.
  • two arithmetic processing units, 105 and 106, are provided in order to prevent the generation of a control command that causes the drive unit 113 to operate erroneously, and safety is guaranteed thereby.
  • a first voltage supply unit 107 and a second voltage supply unit 108 are provided corresponding to the first arithmetic processing unit 105 and the second arithmetic processing unit 106, respectively, and generate the power supply voltage required by the first arithmetic processing unit 105 and the second arithmetic processing unit 106.
  • the first voltage monitoring unit 109 and the second voltage monitoring unit 110 monitor whether the power supply voltages supplied to the first voltage supply unit 107 and the second voltage supply unit 108, respectively, are overvoltage or undervoltage, and
  • safety is ensured by taking measures to prevent the power supply voltage from being supplied to the first arithmetic processing unit 105 and the second arithmetic processing unit 106 in that case.
  • the first output unit 111 converts the signal received from the first arithmetic processing unit 105 into a format that can be input to the driving unit 113 and outputs the converted signal to the driving unit 113.
  • two output units, 111 and 112, are provided in order to diagnose that the first output unit 111 is not performing erroneous output processing, and safety is guaranteed thereby.
  • the first voltage supply unit 509 and the second voltage supply unit 510 are provided corresponding to the first output unit 111 and the second output unit 112, respectively, and generate the power supply voltage required by the first output unit 111 and the second output unit 112.
  • a first voltage monitoring unit 511 and a second voltage monitoring unit 512 monitor whether the power supply voltage supplied to the first voltage supply unit 509 and the second voltage supply unit 510, respectively, is overvoltage or undervoltage, and
  • safety is ensured by taking measures to prevent the power supply voltage from being supplied to the first output unit 111 and the second output unit 112 in that case.
  • since the components on the transmitting side and the receiving side conform to the functional safety standard IEC 61508, a black channel, in which the communication path between the transmitting side and the receiving side does not conform to IEC 61508, may be employed.
  • when the user enters the restricted area while the driven object is being repeatedly moved on the production line of the factory, the detection unit 102 notifies the functional safety device 101 that the user has entered the restricted area.
  • the functional safety device 101 can ensure the safety of the user by taking measures to safely stop the drive unit 113.
  • the case where the power supply voltage supplied to the first voltage supply unit 505 or the second voltage supply unit 506, which supply the power supply voltage to the first input unit 103 and the second input unit 104 of the functional safety device 101, is overvoltage or undervoltage, and
  • the case where the power supply voltage supplied to the first voltage supply unit 509 or the second voltage supply unit 510, which supply the power supply voltage to the first output unit 111 and the second output unit 112 of the functional safety device 101, is overvoltage or undervoltage.
  • the functional safety device 101 is designed to solve such problems, and is described in detail below.
  • each of the input device 502, the arithmetic device 503, and the output device 504 includes a power generation unit 204, a first central processing unit 205, a second central processing unit 206, a first voltage monitoring circuit 207, a second voltage monitoring circuit 208, a first switch 209, a second switch 210, a first cutoff confirmation circuit 211, and a second cutoff confirmation circuit 212.
  • in the input device 502, the power generation unit 204 corresponds to the first voltage supply unit 505 and the second voltage supply unit 506.
  • the first central processing unit 205 corresponds to the first input unit 103, and the second central processing unit 206 corresponds to the second input unit 104.
  • the first voltage monitoring circuit 207, the first switch 209, and the first cutoff confirmation circuit 211 correspond to the first voltage monitoring unit 507, and the second voltage monitoring circuit 208, the second switch 210, and the second cutoff confirmation circuit 212 correspond to the second voltage monitoring unit 508.
  • in the arithmetic device 503, the power generation unit 204 corresponds to the first voltage supply unit 107 and the second voltage supply unit 108.
  • the first central processing unit 205 corresponds to the first arithmetic processing unit 105, and
  • the second central processing unit 206 corresponds to the second arithmetic processing unit 106.
  • the first voltage monitoring circuit 207, the first switch 209, and the first cutoff confirmation circuit 211 correspond to the first voltage monitoring unit 109, and
  • the second voltage monitoring circuit 208, the second switch 210, and the second cutoff confirmation circuit 212 correspond to the second voltage monitoring unit 110.
  • in the output device 504, the power generation unit 204 corresponds to the first voltage supply unit 509 and the second voltage supply unit 510.
  • the first central processing unit 205 corresponds to the first output unit 111, and the second central processing unit 206 corresponds to the second output unit 112.
  • the first voltage monitoring circuit 207, the first switch 209, and the first cutoff confirmation circuit 211 correspond to the first voltage monitoring unit 511, and the second voltage monitoring circuit 208, the second switch 210, and the second cutoff confirmation circuit 212 correspond to the second voltage monitoring unit 512.
  • the input device 502 and the output device 504 of the functional safety device 101 confirm the operation of the first voltage monitoring circuit 207 and the second voltage monitoring circuit 208 .
  • the flow of operation for checking the operation when an abnormality occurs in the first voltage monitoring circuit 207 or the second voltage monitoring circuit 208 is shown.
  • the operation check of the first voltage monitoring circuit 207 and the second voltage monitoring circuit 208 is performed at regular intervals during the start-up of the functional safety device 101 and during operation.
  • the second central processing unit 206 confirms that "the second central processing unit 206 has not output the shutdown notification 2 to the first voltage monitoring circuit 207", and the first central processing unit 205 confirms that "the first central processing unit 205 has not input shutdown confirmation 1 from the first shutdown confirmation circuit 211".
  • the second central processing unit 206 outputs cutoff notification 2 to the first voltage monitoring circuit 207.
  • since the first voltage monitoring circuit 207 is out of order, it does not output cutoff command 1 to the first switch 209 even if cutoff notification 2 is input from the second central processing unit 206.
  • since the first switch 209 does not receive cutoff command 1 from the first voltage monitoring circuit 207, of the two paths from the monitored voltage 202 to the supply voltage 203 supplied to the first central processing unit 205 and the second central processing unit 206, the path passing through the first switch 209 and the first cutoff confirmation circuit 211 is not cut off.
  • since the path passing through the first switch 209 and the first cutoff confirmation circuit 211 is not cut off, the first cutoff confirmation circuit 211 does not output cutoff confirmation 1 to the first central processing unit 205.
  • the first central processing unit 205 and the second central processing unit 206 are in communication with each other; the second central processing unit 206 transmits to the first central processing unit 205 that it has output cutoff notification 2 to the first voltage monitoring circuit 207, and the first central processing unit 205 transmits to the second central processing unit 206 that cutoff confirmation 1 has not been input from the first cutoff confirmation circuit 211.
  • from the content of the mutual communication, the first central processing unit 205 and the second central processing unit 206 judge that the first voltage monitoring circuit 207 is not operating normally.
  • the first central processing unit 205 of the input device 502 notifies the first central processing unit 205 of the arithmetic device 503 that the first voltage monitoring circuit 207 of the input device 502 is abnormal.
  • the arithmetic device 503 notifies the user interface unit 501 that the first voltage monitoring circuit 207 of the input device 502 is abnormal.
  • the user interface unit 501 notifies the user of the functional safety device 101 that an abnormality has occurred in the first voltage monitoring circuit 207 of the input device 502 of the functional safety device 101, based on the notification received from the arithmetic device 503.
  • the first central processing unit 205 and the second central processing unit 206 of the input device 502 stop operating by themselves, so that communication between the first input unit 103 of the input device 502 and the first arithmetic processing unit 105 of the arithmetic device 503 is disconnected. After that, communication between the first arithmetic processing unit 105 of the arithmetic device 503 and the first output unit 111 of the output device 504 is disconnected, and further, communication between the first output unit 111 of the output device 504 and the driving unit 113 is lost.
  • the timing at which the first central processing unit 205 and the second central processing unit 206 of the input device 502 stop their operation is after the first central processing unit 205 of the input device 502 has notified that an abnormality has occurred in the first voltage monitoring circuit 207.
  • the drive unit 113 determines that an abnormality has occurred in the functional safety device 101 due to the disconnection of communication, and safely stops itself.
  • the first central processing unit 205 confirms that "the first central processing unit 205 has not output the shutdown notification 1 to the second voltage monitoring circuit 208", and the second central processing unit 206 confirms that "the second central processing unit 206 has not input the shutdown confirmation 2 from the second shutdown confirmation circuit 212".
  • the first central processing unit 205 outputs cutoff notification 1 to the second voltage monitoring circuit 208.
  • since the second voltage monitoring circuit 208 is out of order, it does not output cutoff command 2 to the second switch 210 even if cutoff notification 1 is input from the first central processing unit 205.
  • since the second switch 210 does not receive cutoff command 2 from the second voltage monitoring circuit 208, of the two paths from the monitored voltage 202 to the supply voltage 203 supplied to the first central processing unit 205 and the second central processing unit 206, the path passing through the second switch 210 and the second cutoff confirmation circuit 212 is not cut off.
  • since the path passing through the second switch 210 and the second cutoff confirmation circuit 212 is not cut off, the second cutoff confirmation circuit 212 does not output cutoff confirmation 2 to the second central processing unit 206.
  • the first central processing unit 205 and the second central processing unit 206 are in communication with each other; the first central processing unit 205 transmits to the second central processing unit 206 that it has output cutoff notification 1 to the second voltage monitoring circuit 208, and
  • the second central processing unit 206 transmits to the first central processing unit 205 that cutoff confirmation 2 has not been input from the second cutoff confirmation circuit 212.
  • from the content of the mutual communication between the first central processing unit 205 and the second central processing unit 206, the first central processing unit 205 and the second central processing unit 206 judge that the second voltage monitoring circuit 208 is not operating normally.
  • the first central processing unit 205 of the input device 502 notifies the first central processing unit 205 of the arithmetic device 503 that the second voltage monitoring circuit 208 of the input device 502 is abnormal.
  • the arithmetic device 503 notifies the user interface unit 501 that the second voltage monitoring circuit 208 of the input device 502 is abnormal.
  • the user interface unit 501 notifies the user of the functional safety device 101 that an abnormality has occurred in the second voltage monitoring circuit 208 of the input device 502 of the functional safety device 101, based on the notification received from the arithmetic device 503.
  • the first central processing unit 205 and the second central processing unit 206 of the input device 502 stop operating by themselves, so that communication between the first input unit 103 of the input device 502 and the first arithmetic processing unit 105 of the arithmetic device 503 is disconnected. After that, communication between the first arithmetic processing unit 105 of the arithmetic device 503 and the first output unit 111 of the output device 504 is disconnected, and further, communication between the first output unit 111 of the output device 504 and the driving unit 113 is lost.
  • the timing at which the first central processing unit 205 and the second central processing unit 206 of the input device 502 stop their operation is after the first central processing unit 205 of the input device 502 has notified that an abnormality has occurred in the second voltage monitoring circuit 208.
  • the drive unit 113 determines that an abnormality has occurred in the functional safety device 101 due to the disconnection of communication, and safely stops itself.
  • The second central processing unit 206 confirms that "the second central processing unit 206 has not output cutoff notification 2 to the first voltage monitoring circuit 207", and the first central processing unit 205 confirms that "the first central processing unit 205 has not received cutoff confirmation 1 from the first cutoff confirmation circuit 211".
  • The second central processing unit 206 outputs cutoff notification 2 to the first voltage monitoring circuit 207.
  • Since the first voltage monitoring circuit 207 is out of order, it does not output cutoff command 1 to the first switch 209 even when cutoff notification 2 is input from the second central processing unit 206.
  • Since the first switch 209 does not receive cutoff command 1 from the first voltage monitoring circuit 207, of the two paths from the monitored voltage 202 to the supply voltage 203 supplied to the first central processing unit 205 and the second central processing unit 206, the path passing through the first switch 209 and the first cutoff confirmation circuit 211 is not cut off.
  • Since the path passing through the first switch 209 and the first cutoff confirmation circuit 211 is not cut off, the first cutoff confirmation circuit 211 does not output cutoff confirmation 1 to the first central processing unit 205.
  • The first central processing unit 205 and the second central processing unit 206 communicate with each other: the second central processing unit 206 informs the first central processing unit 205 that it has sent cutoff notification 2 to the first voltage monitoring circuit 207, and the first central processing unit 205 informs the second central processing unit 206 that cutoff confirmation 1 has not been received from the first cutoff confirmation circuit 211.
  • From the content of this mutual communication, the first central processing unit 205 and the second central processing unit 206 judge that the first voltage monitoring circuit 207 is not operating normally.
  • The first central processing unit 205 of the output device 504 notifies the first central processing unit 205 of the arithmetic device 503 that the first voltage monitoring circuit 207 of the output device 504 is abnormal.
  • The arithmetic device 503 notifies the user interface unit 501 that the first voltage monitoring circuit 207 of the output device 504 is abnormal.
  • The user interface unit 501 notifies the user of the functional safety device 101 that the first voltage monitoring circuit 207 of the output device 504 of the functional safety device 101 has failed.
  • The first central processing unit 205 and the second central processing unit 206 of the output device 504 stop their operation, so that communication between the first output unit 111 of the output device 504 and the first arithmetic processing unit 105 of the arithmetic device 503, and communication between the first output unit 111 of the output device 504 and the drive unit 113, are disconnected.
  • The timing at which the first central processing unit 205 and the second central processing unit 206 of the output device 504 stop themselves is after the first central processing unit 205 of the output device 504 has notified that an abnormality has occurred in the first voltage monitoring circuit 207.
  • The drive unit 113 determines from the loss of communication that an abnormality has occurred in the functional safety device 101, and safely stops itself.
  • The first central processing unit 205 confirms that "the first central processing unit 205 has not output cutoff notification 1 to the second voltage monitoring circuit 208", and the second central processing unit 206 confirms that "the second central processing unit 206 has not received cutoff confirmation 2 from the second cutoff confirmation circuit 212".
  • The first central processing unit 205 outputs cutoff notification 1 to the second voltage monitoring circuit 208.
  • Since the second voltage monitoring circuit 208 is out of order, it does not output cutoff command 2 to the second switch 210 even when cutoff notification 1 is input from the first central processing unit 205.
  • Since the second switch 210 does not receive cutoff command 2 from the second voltage monitoring circuit 208, of the two paths from the monitored voltage 202 to the supply voltage 203 supplied to the first central processing unit 205 and the second central processing unit 206, the path passing through the second switch 210 and the second cutoff confirmation circuit 212 is not cut off.
  • Since the path passing through the second switch 210 and the second cutoff confirmation circuit 212 is not cut off, the second cutoff confirmation circuit 212 does not output cutoff confirmation 2 to the second central processing unit 206.
  • The first central processing unit 205 and the second central processing unit 206 communicate with each other: the first central processing unit 205 informs the second central processing unit 206 that it has sent cutoff notification 1 to the second voltage monitoring circuit 208.
  • The second central processing unit 206 informs the first central processing unit 205 that cutoff confirmation 2 has not been received from the second cutoff confirmation circuit 212.
  • From the content of this mutual communication, the first central processing unit 205 and the second central processing unit 206 judge that the second voltage monitoring circuit 208 is not operating normally.
  • The first central processing unit 205 of the output device 504 notifies the first central processing unit 205 of the arithmetic device 503 that the second voltage monitoring circuit 208 of the output device 504 is abnormal.
  • The arithmetic device 503 notifies the user interface unit 501 that the second voltage monitoring circuit 208 of the output device 504 is abnormal.
  • The user interface unit 501 notifies the user of the functional safety device 101 that the second voltage monitoring circuit 208 of the output device 504 of the functional safety device 101 has failed.
  • The first central processing unit 205 and the second central processing unit 206 of the output device 504 stop their operation, so that communication between the first output unit 111 of the output device 504 and the first arithmetic processing unit 105 of the arithmetic device 503, and communication between the first output unit 111 of the output device 504 and the drive unit 113, are disconnected.
  • The timing at which the first central processing unit 205 and the second central processing unit 206 of the output device 504 stop themselves is after the first central processing unit 205 of the output device 504 has notified that an abnormality has occurred in the second voltage monitoring circuit 208.
  • The drive unit 113 determines from the loss of communication that an abnormality has occurred in the functional safety device 101, and safely stops itself.
  • The devices that include the first voltage supply section, the second voltage supply section, the first voltage monitoring section, and the second voltage monitoring section may be only the input device 502 and the arithmetic device 503, or only the arithmetic device 503 and the output device 504.
  • The input device 502, the arithmetic device 503, and the output device 504 are each provided with a plurality of central processing units, a plurality of voltage monitoring circuits, a plurality of switches, and a plurality of cutoff confirmation circuits. It is sufficient, however, if at least one of the input device 502, the arithmetic device 503, and the output device 504 has a plurality of central processing units, a plurality of voltage monitoring circuits, a plurality of switches, and a plurality of cutoff confirmation circuits.
  • The functional safety device 101 is connected to the drive unit 113, which is controlled according to the commands output from the functional safety device 101, to a detection unit that detects the surrounding environment of the drive unit 113, and to a user interface unit 501 that notifies the user of the operating state of the functional safety device 101.
  • The functional safety device 101 is composed of an input device 502 that receives a signal from the detection unit 102, an arithmetic device 503 that calculates a command for the drive unit 113 using the signal received from the input device 502, and an output device 504 that outputs the command received from the arithmetic device 503 to the drive unit 113.
  • At least one of these devices includes a plurality of central processing units, a plurality of voltage monitoring circuits, a plurality of switches, and a plurality of cutoff confirmation circuits. When the power supply voltage is an overvoltage or undervoltage, or when an abnormality occurs in a voltage monitoring circuit, such a device notifies the user of the location of the abnormality via the user interface unit 501 and cuts off communication with the drive unit 113 and the detection unit 102.
  • Reference numerals: 101 functional safety device, 102 detection unit, 113 drive unit, 204 power generation unit, 205 first central processing unit, 206 second central processing unit, 207 first voltage monitoring circuit, 208 second voltage monitoring circuit, 209 first switch, 210 second switch, 211 first cutoff confirmation circuit, 212 second cutoff confirmation circuit, 307 third central processing unit, 309 third voltage monitoring circuit, 311 third switch, 313 third cutoff confirmation circuit, 501 user interface unit, 502 input device, 503 arithmetic device, 504 output device.


Abstract

The objective of the present invention is to provide a functional safety device that is able to detect an abnormality occurring in a circuit monitoring a power supply voltage before an abnormality in the power supply voltage occurs. This functional safety device (101) comprises a plurality of central processing devices (205, 206), a power supply generation unit (204), a plurality of voltage monitoring circuits (207, 208), a plurality of switches (209, 210), and a plurality of shutoff confirmation circuits (211, 212), wherein, when one central processing device among the plurality of central processing devices (205, 206) begins an operation confirmation for the voltage monitoring circuit corresponding to the other central processing device, said one central processing device outputs, to the voltage monitoring circuit corresponding to the other central processing device, a shutoff notification commanding a shutoff of the supply of the power supply voltage, and the other central processing device confirms whether the shutoff confirmation has been output, on the basis of the shutoff notification from the relevant voltage monitoring circuit.

Description

Functional safety device
This disclosure relates to a functional safety device.
In products that must comply with functional safety, two series of arithmetic processing units are provided to detect abnormalities of the power supply voltage, and it is known that safety is ensured by having one arithmetic processing unit monitor the power supply voltage supplied to the other arithmetic processing unit.
For example, Patent Document 1 discloses a programmable logic controller in which two voltage monitoring circuits, each including an AD converter, monitor the power supply voltages supplied to two MPUs, and which has a function to notify the occurrence of an abnormality when an abnormality of the power supply voltage is detected.
Patent Document 1: Japanese Patent Application Laid-Open No. 2019-71001 (特開2019-71001号公報)
However, the controller described in Patent Document 1 has no function for checking the operation of the voltage monitoring circuits. If an abnormality occurs in a voltage monitoring circuit before an abnormality occurs in the power supply voltage, there is therefore the problem that an abnormal voltage value cannot be detected.
Accordingly, an object of the present disclosure is to provide a functional safety device capable of detecting an abnormality occurring in a circuit that monitors the power supply voltage before an abnormality occurs in the power supply voltage.
A functional safety device according to the present disclosure includes: a plurality of central processing units capable of communicating with each other; a power generation unit that generates a power supply voltage supplied to the plurality of central processing units; a plurality of voltage monitoring circuits, provided in correspondence with the respective central processing units, each monitoring whether the power supply voltage supplied to its central processing unit is an overvoltage or undervoltage; a plurality of switches, provided in correspondence with the respective central processing units, that cut off the supply of the power supply voltage to the plurality of central processing units when the power supply voltage supplied to the plurality of central processing units is an overvoltage or undervoltage; and a plurality of cutoff confirmation circuits, provided in correspondence with the respective central processing units, each outputting to its central processing unit a cutoff confirmation signal indicating that the supply of the power supply voltage to the plurality of central processing units has been cut off. When one of the plurality of central processing units starts an operation check of the voltage monitoring circuit corresponding to another central processing unit, it outputs a cutoff notification signal instructing cutoff of the supply of the power supply voltage to the voltage monitoring circuit corresponding to that other central processing unit, and the other central processing unit confirms whether the cutoff confirmation signal is being output from that voltage monitoring circuit on the basis of the cutoff notification signal.
According to the present disclosure, by checking the operation of the voltage monitoring circuits, for example at startup of the functional safety device and at regular intervals during operation, an abnormality occurring in a voltage monitoring circuit can be detected before an abnormality occurs in the power supply voltage.
The objects, features, aspects, and advantages of this disclosure will become more apparent from the following detailed description and the accompanying drawings.
The drawings are as follows: a block diagram schematically showing a configuration example of a functional safety device and its surroundings according to Embodiment 1; a block diagram showing a configuration example of the functional safety device according to Embodiment 1; a block diagram showing a configuration example of a functional safety device according to Embodiment 2; a block diagram showing a configuration example of a functional safety device and its surroundings according to Embodiment 3; and a block diagram schematically showing a configuration example of a functional safety device and its surroundings according to Embodiment 4.
<Embodiment 1>
<Schematic configuration of the functional safety device and its surroundings>
Embodiment 1 will be described below with reference to the drawings. First, a configuration example of the functional safety device 101 and its surroundings will be described schematically. FIG. 1 is a block diagram schematically showing a configuration example of the functional safety device 101 and its surroundings according to Embodiment 1.
As shown in FIG. 1, the functional safety device 101 is communicably connected to a detection unit 102 and a drive unit 113. The drive unit 113 is controlled according to the commands output from the functional safety device 101. The detection unit 102 detects the surrounding environment of the drive unit 113.
The functional safety device 101 includes a first input unit 103, a second input unit 104, a first arithmetic processing unit 105, a second arithmetic processing unit 106, a first voltage supply unit 107, a second voltage supply unit 108, a first voltage monitoring unit 109, a second voltage monitoring unit 110, a first output unit 111, and a second output unit 112.
The detection unit 102 may be a product that detects that a user has entered a restricted area while a factory production line is in operation; when it detects that a user has entered the restricted area, it transmits a signal notifying this to the functional safety device 101.
The drive unit 113 may be a product that repeatedly moves a driven object on a factory production line, and it is driven according to the control commands output by the functional safety device 101.
The first input unit 103 and the second input unit 104 convert the signal received from the detection unit 102 into a format that can be input to the first arithmetic processing unit 105 and the second arithmetic processing unit 106, respectively, and output it to the first arithmetic processing unit 105 and the second arithmetic processing unit 106, respectively.
A program created by the user is registered in advance in the first arithmetic processing unit 105 and the second arithmetic processing unit 106. Using the user-created program and the signals received from the first input unit 103 and the second input unit 104, the first arithmetic processing unit 105 and the second arithmetic processing unit 106 compute control commands for the drive unit 113 so that the output corresponds to the input, and output the computed control commands to the first output unit 111 and the second output unit 112.
In the functional safety device 101, the two arithmetic processing units 105 and 106 are provided so that no control command is generated that would cause the drive unit 113 to operate incorrectly; safety is ensured by cross-checking the results of their arithmetic processing.
The first voltage supply unit 107 and the second voltage supply unit 108 are provided in correspondence with the first arithmetic processing unit 105 and the second arithmetic processing unit 106, respectively, and generate the power supply voltages required by the first arithmetic processing unit 105 and the second arithmetic processing unit 106.
The first voltage monitoring unit 109 and the second voltage monitoring unit 110 monitor whether the power supply voltages of the first voltage supply unit 107 and the second voltage supply unit 108, respectively, are an overvoltage or undervoltage. When the first voltage monitoring unit 109 or the second voltage monitoring unit 110 detects that the power supply voltage supplied from the first voltage supply unit 107 or the second voltage supply unit 108, respectively, is an overvoltage or undervoltage, it ensures safety by taking measures so that the power supply voltage is not supplied to the first arithmetic processing unit 105 or the second arithmetic processing unit 106, respectively.
The first output unit 111 and the second output unit 112 convert the signals received from the first arithmetic processing unit 105 and the second arithmetic processing unit 106, respectively, into a format that can be input to the drive unit 113, and output them to the drive unit 113.
For communication between the components, since the transmitting-side and receiving-side components conform to the functional safety standard IEC 61508, the communication path between them may adopt the black channel approach, in which the path itself need not conform to IEC 61508.
When the functional safety device 101 is in operation, if a user enters the restricted area while a driven object is being moved repeatedly on the factory production line, the detection unit 102 notifies the functional safety device 101 that the user has entered the restricted area. The functional safety device 101 then takes measures to safely stop the drive unit 113, thereby ensuring the safety of the user.
If an abnormality occurs in the first voltage supply unit 107 or the second voltage supply unit 108, which supply the power supply voltage to the first arithmetic processing unit 105 and the second arithmetic processing unit 106 of the functional safety device 101, and its output becomes an overvoltage or undervoltage, the arithmetic processing unit supplied with that power supply voltage cannot perform its computations correctly. Consequently, there was a risk that the drive unit 113 could not be safely stopped even though the detection unit 102 had notified the functional safety device 101 that a user had entered the restricted area. The functional safety device 101 was devised to solve this problem and is described in detail below.
<Configuration of the functional safety device>
FIG. 2 is a block diagram showing a configuration example of the functional safety device 101 according to Embodiment 1, and is a detailed view of the main part of the functional safety device 101 shown in FIG. 1.
As shown in FIG. 2, the functional safety device 101 includes a power generation unit 204, a first central processing unit 205, a second central processing unit 206, a first voltage monitoring circuit 207, a second voltage monitoring circuit 208, a first switch 209, a second switch 210, a first cutoff confirmation circuit 211, and a second cutoff confirmation circuit 212.
The relationship between the components of FIG. 2 and FIG. 1 is as follows. The power generation unit 204 corresponds to the first voltage supply unit 107 and the second voltage supply unit 108. The first central processing unit 205 corresponds to the first arithmetic processing unit 105, and the second central processing unit 206 corresponds to the second arithmetic processing unit 106. The first voltage monitoring circuit 207, the first switch 209, and the first cutoff confirmation circuit 211 correspond to the first voltage monitoring unit 109, and the second voltage monitoring circuit 208, the second switch 210, and the second cutoff confirmation circuit 212 correspond to the second voltage monitoring unit 110.
The power generation unit 204 converts the voltage value of the reference voltage 201 supplied to the functional safety device 101 to generate the supply voltage 203, which is the power supply voltage supplied to the first central processing unit 205 and the second central processing unit 206. The generated supply voltage 203 is supplied directly to the first voltage monitoring circuit 207 and the second voltage monitoring circuit 208 as the monitored voltage 202. In addition, the supply voltage 203 is supplied to the first central processing unit 205 via the first switch 209 and the first cutoff confirmation circuit 211, and to the second central processing unit 206 via the second switch 210 and the second cutoff confirmation circuit 212.
When the first central processing unit 205 starts an operation check of the second voltage monitoring circuit 208, a circuit that monitors a voltage value, it outputs cutoff notification 1 to the second voltage monitoring circuit 208; cutoff notification 1 is a signal that causes the second voltage monitoring circuit 208 to pseudo-detect an overvoltage or undervoltage.
When the second central processing unit 206 starts an operation check of the first voltage monitoring circuit 207, a circuit that monitors a voltage value, it outputs cutoff notification 2 to the first voltage monitoring circuit 207; cutoff notification 2 is a signal that causes the first voltage monitoring circuit 207 to pseudo-detect an overvoltage or undervoltage.
The first voltage monitoring circuit 207 outputs cutoff command 1 to the first switch 209 in two cases: when it judges, from the difference between the reference voltage 201 supplied to the functional safety device 101 and the monitored voltage 202 (the supply voltage 203 supplied to the first central processing unit 205), that an overvoltage or undervoltage has occurred in the monitored voltage 202; and when cutoff notification 2 is input from the second central processing unit 206. Cutoff command 1 is a signal for the first switch 209 to cut off the supply voltage 203 supplied to the first central processing unit 205.
The second voltage monitoring circuit 208 outputs cutoff command 2 to the second switch 210 in two cases: when it judges, from the difference between the reference voltage 201 supplied to the functional safety device 101 and the monitored voltage 202 (the supply voltage 203 supplied to the second central processing unit 206), that an overvoltage or undervoltage has occurred in the monitored voltage 202; and when cutoff notification 1 is input from the first central processing unit 205. Cutoff command 2 is a signal for the second switch 210 to cut off the supply voltage 203 supplied to the second central processing unit 206.
The first switch 209 cuts off the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206 when cutoff command 1 is input from the first voltage monitoring circuit 207.
The second switch 210 cuts off the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206 when cutoff command 2 is input from the second voltage monitoring circuit 208.
The first cutoff confirmation circuit 211 monitors the voltage supplied to the first central processing unit 205 and the second central processing unit 206 via the first switch 209. When the first cutoff confirmation circuit 211 detects that the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206 has been cut off by the first switch 209, it outputs cutoff confirmation 1 to the first central processing unit 205; cutoff confirmation 1 is a signal indicating that the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206 has been cut off.
The second cutoff confirmation circuit 212 monitors the voltage supplied to the first central processing unit 205 and the second central processing unit 206 via the second switch 210. When the second cutoff confirmation circuit 212 detects that the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206 has been cut off by the second switch 210, it outputs cutoff confirmation 2 to the second central processing unit 206; cutoff confirmation 2 is a signal indicating that the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206 has been cut off.
 第1中央処理装置205と第2中央処理装置206とは相互通信を行っており、一方の中央処理装置は遮断通知を出力する。他方の中央処理装置は、遮断確認が出力されていることを確認することで、他方の中央処理装置に対応する電圧監視回路の動作が正常であると判断する。 The first central processing unit 205 and the second central processing unit 206 are communicating with each other, and one central processing unit outputs a cutoff notification. The other central processing unit determines that the operation of the voltage monitoring circuit corresponding to the other central processing unit is normal by confirming that the interruption confirmation has been output.
<Operation of the functional safety device>
Next, the flow of operation of the functional safety device 101 is described. The following description shows the flow in which, with the first voltage monitoring circuit 207 and the second voltage monitoring circuit 208 in any one of the following three states, the functional safety device 101 detects that an overvoltage or undervoltage has occurred in the monitoring voltage 202 and operates so that the abnormal voltage does not continue to be supplied to the first central processing unit 205 and the second central processing unit 206.
The first state is one in which the first voltage monitoring circuit 207 and the second voltage monitoring circuit 208 both operate normally. The second is one in which the first voltage monitoring circuit 207 has failed and only the second voltage monitoring circuit 208 operates normally. The third is one in which the second voltage monitoring circuit 208 has failed and only the first voltage monitoring circuit 207 operates normally.
First, the case in which the first voltage monitoring circuit 207 and the second voltage monitoring circuit 208 operate normally is described.
The supply voltage 203, whose voltage value has been converted by the power generation unit 204 and which is supplied to the first central processing unit 205 and the second central processing unit 206, is also supplied as the monitoring voltage 202 to the first voltage monitoring circuit 207 and the second voltage monitoring circuit 208. The first voltage monitoring circuit 207 and the second voltage monitoring circuit 208 judge, from the difference between the reference voltage 201 supplied to the functional safety device 101 and the monitoring voltage 202, whether an overvoltage or undervoltage has occurred in the monitoring voltage 202.
When the first voltage monitoring circuit 207 judges that an overvoltage or undervoltage has occurred in the monitoring voltage 202, it outputs cutoff command 1 to the first switch 209. Likewise, when the second voltage monitoring circuit 208 judges that an overvoltage or undervoltage has occurred in the monitoring voltage 202, it outputs cutoff command 2 to the second switch 210.
When cutoff command 1 is input from the first voltage monitoring circuit 207, the first switch 209 cuts off the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206. Likewise, when cutoff command 2 is input from the second voltage monitoring circuit 208, the second switch 210 cuts off the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206.
By the first switch 209 and the second switch 210 cutting off the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206, the abnormal voltage is prevented from continuing to be supplied to the first central processing unit 205 and the second central processing unit 206.
Next, the case in which the first voltage monitoring circuit 207 has failed and only the second voltage monitoring circuit 208 operates normally is described.
The supply voltage 203, whose voltage value has been converted by the power generation unit 204 and which is supplied to the first central processing unit 205 and the second central processing unit 206, is also supplied as the monitoring voltage 202 to the first voltage monitoring circuit 207 and the second voltage monitoring circuit 208. The first voltage monitoring circuit 207 and the second voltage monitoring circuit 208 judge, from the difference between the reference voltage 201 supplied to the functional safety device 101 and the monitoring voltage 202, whether an overvoltage or undervoltage has occurred in the monitoring voltage 202.
When the second voltage monitoring circuit 208 judges that an overvoltage or undervoltage has occurred in the monitoring voltage 202, it outputs cutoff command 2 to the second switch 210. The first voltage monitoring circuit 207, having lost its ability to judge an overvoltage or undervoltage because of the failure, does not output cutoff command 1 to the first switch 209.
When cutoff command 2 is input from the second voltage monitoring circuit 208, the second switch 210 cuts off the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206. The first switch 209, on the other hand, does not cut off the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206, because cutoff command 1 is not input from the first voltage monitoring circuit 207.
Because the second switch 210 has cut off the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206, the second cutoff confirmation circuit 212 outputs cutoff confirmation 2 to the second central processing unit 206. The first cutoff confirmation circuit 211, on the other hand, does not output cutoff confirmation 1 to the first central processing unit 205, because the first switch 209 has not cut off the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206.
The first central processing unit 205 and the second central processing unit 206 communicate with each other: the second central processing unit 206 informs the first central processing unit 205 that cutoff confirmation 2 is being input from the second cutoff confirmation circuit 212, and the first central processing unit 205 informs the second central processing unit 206 that cutoff confirmation 1 is not being input from the first cutoff confirmation circuit 211.
Through this mutual communication, the first central processing unit 205 and the second central processing unit 206 judge that an overvoltage or undervoltage has occurred in the monitoring voltage 202 and that, while the second voltage monitoring circuit 208 is operating normally, the first voltage monitoring circuit 207 is not operating normally.
The first central processing unit 205 and the second central processing unit 206 stop their own operation, thereby preventing the abnormal voltage from continuing to be supplied to the first central processing unit 205 and the second central processing unit 206.
Next, the case in which the second voltage monitoring circuit 208 has failed and only the first voltage monitoring circuit 207 operates normally is described.
The supply voltage 203, whose voltage value has been converted by the power generation unit 204 and which is supplied to the first central processing unit 205 and the second central processing unit 206, is also supplied as the monitoring voltage 202 to the first voltage monitoring circuit 207 and the second voltage monitoring circuit 208. The first voltage monitoring circuit 207 and the second voltage monitoring circuit 208 judge, from the difference between the reference voltage 201 supplied to the functional safety device 101 and the monitoring voltage 202, whether an overvoltage or undervoltage has occurred in the monitoring voltage 202.
When the first voltage monitoring circuit 207 judges that an overvoltage or undervoltage has occurred in the monitoring voltage 202, it outputs cutoff command 1 to the first switch 209. The second voltage monitoring circuit 208, having lost its ability to judge an overvoltage or undervoltage because of the failure, does not output cutoff command 2 to the second switch 210.
When cutoff command 1 is input from the first voltage monitoring circuit 207, the first switch 209 cuts off the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206. The second switch 210, on the other hand, does not cut off the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206, because cutoff command 2 is not input from the second voltage monitoring circuit 208.
Because the first switch 209 has cut off the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206, the first cutoff confirmation circuit 211 outputs cutoff confirmation 1 to the first central processing unit 205. The second cutoff confirmation circuit 212, on the other hand, does not output cutoff confirmation 2 to the second central processing unit 206, because the second switch 210 has not cut off the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206.
The first central processing unit 205 and the second central processing unit 206 communicate with each other: the first central processing unit 205 informs the second central processing unit 206 that cutoff confirmation 1 is being input from the first cutoff confirmation circuit 211, and the second central processing unit 206 informs the first central processing unit 205 that cutoff confirmation 2 is not being input from the second cutoff confirmation circuit 212. Through this mutual communication, the first central processing unit 205 and the second central processing unit 206 judge that an overvoltage or undervoltage has occurred in the monitoring voltage 202 and that, while the first voltage monitoring circuit 207 is operating normally, the second voltage monitoring circuit 208 is not operating normally.
The first central processing unit 205 and the second central processing unit 206 stop their own operation, thereby preventing the abnormal voltage from continuing to be supplied to the first central processing unit 205 and the second central processing unit 206.
<Operation check of the voltage monitoring circuits>
Next, the operation check of the voltage monitoring circuits is described. The functional safety device 101 checks the operation of the first voltage monitoring circuit 207 and the second voltage monitoring circuit 208. The following description shows the flow of the operation check of the first voltage monitoring circuit 207 and the second voltage monitoring circuit 208. The operation check of the first voltage monitoring circuit 207 and the second voltage monitoring circuit 208 is performed at start-up of the functional safety device 101 and at regular intervals during operation.
First, the case of checking the operation of the first voltage monitoring circuit 207 is described. Before the operation check starts, the second central processing unit 206 confirms that "the second central processing unit 206 is not outputting cutoff notification 2 to the first voltage monitoring circuit 207", and the first central processing unit 205 confirms that "cutoff confirmation 1 is not being input to the first central processing unit 205 from the first cutoff confirmation circuit 211".
To confirm that the first voltage monitoring circuit 207 can output to the first switch 209 the cutoff command 1 that it outputs when it detects that an overvoltage or undervoltage has occurred in the monitoring voltage 202, the second central processing unit 206 outputs cutoff notification 2 to the first voltage monitoring circuit 207.
When cutoff notification 2 is input from the second central processing unit 206, the first voltage monitoring circuit 207 outputs cutoff command 1 to the first switch 209.
When cutoff command 1 is input from the first voltage monitoring circuit 207, the first switch 209 cuts off the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206. At this time, the supply voltage 203 is still supplied to the first central processing unit 205 and the second central processing unit 206 via the second switch 210 and the second cutoff confirmation circuit 212.
When the first switch 209 has cut off the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206, the first cutoff confirmation circuit 211 outputs cutoff confirmation 1 to the first central processing unit 205.
The first central processing unit 205 and the second central processing unit 206 communicate with each other: the second central processing unit 206 informs the first central processing unit 205 that it has output cutoff notification 2 to the first voltage monitoring circuit 207, and the first central processing unit 205 informs the second central processing unit 206 that cutoff confirmation 1 is being input from the first cutoff confirmation circuit 211.
From the content exchanged in this mutual communication, the first central processing unit 205 and the second central processing unit 206 judge that the operation check of the first voltage monitoring circuit 207 has completed normally.
Next, the case of checking the operation of the second voltage monitoring circuit 208 is described. Before the operation check starts, the first central processing unit 205 confirms that "the first central processing unit 205 is not outputting cutoff notification 1 to the second voltage monitoring circuit 208", and the second central processing unit 206 confirms that "cutoff confirmation 2 is not being input to the second central processing unit 206 from the second cutoff confirmation circuit 212".
To confirm that the second voltage monitoring circuit 208 can output to the second switch 210 the cutoff command 2 that it outputs when it detects that an overvoltage or undervoltage has occurred in the monitoring voltage 202, the first central processing unit 205 outputs cutoff notification 1 to the second voltage monitoring circuit 208.
When cutoff notification 1 is input from the first central processing unit 205, the second voltage monitoring circuit 208 outputs cutoff command 2 to the second switch 210.
When cutoff command 2 is input from the second voltage monitoring circuit 208, the second switch 210 cuts off the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206. At this time, the supply voltage 203 is still supplied to the first central processing unit 205 and the second central processing unit 206 via the first switch 209 and the first cutoff confirmation circuit 211.
When the second switch 210 has cut off the supply of the supply voltage 203 to the first central processing unit 205 and the second central processing unit 206, the second cutoff confirmation circuit 212 outputs cutoff confirmation 2 to the second central processing unit 206.
The first central processing unit 205 and the second central processing unit 206 communicate with each other: the first central processing unit 205 informs the second central processing unit 206 that it has output cutoff notification 1 to the second voltage monitoring circuit 208, and the second central processing unit 206 informs the first central processing unit 205 that cutoff confirmation 2 is being input from the second cutoff confirmation circuit 212.
From the content exchanged in this mutual communication, the first central processing unit 205 and the second central processing unit 206 judge that the operation check of the second voltage monitoring circuit 208 has completed normally.
<Effects>
As described above, the functional safety device 101 according to Embodiment 1 includes: a plurality of central processing units capable of communicating with each other; a power generation unit 204 that generates the power supply voltage supplied to the plurality of central processing units; a plurality of voltage monitoring circuits, provided in correspondence with the respective central processing units, each of which monitors whether the power supply voltage supplied to its central processing unit is an overvoltage or undervoltage; a plurality of switches, provided in correspondence with the respective central processing units, which cut off the supply of the power supply voltage to the plurality of central processing units when the power supply voltage supplied to the plurality of central processing units is an overvoltage or undervoltage; and a plurality of cutoff confirmation circuits, provided in correspondence with the respective central processing units, each of which outputs to its central processing unit a cutoff confirmation signal indicating that the supply of the power supply voltage to the plurality of central processing units has been cut off. Among the plurality of central processing units, when one central processing unit starts the operation check of the voltage monitoring circuit corresponding to another central processing unit, it outputs a cutoff notification signal instructing the cutoff of the power supply voltage to the voltage monitoring circuit corresponding to that other central processing unit, and the other central processing unit confirms whether a cutoff confirmation signal is being output in response to the cutoff notification signal given to that voltage monitoring circuit.
Specifically, the plurality of central processing units includes the first central processing unit 205 and the second central processing unit 206; the plurality of voltage monitoring circuits includes the first voltage monitoring circuit 207 corresponding to the first central processing unit 205 and the second voltage monitoring circuit 208 corresponding to the second central processing unit 206; the plurality of switches includes the first switch 209 corresponding to the first central processing unit 205 and the second switch 210 corresponding to the second central processing unit 206; and the plurality of cutoff confirmation circuits includes the first cutoff confirmation circuit 211 corresponding to the first central processing unit 205 and the second cutoff confirmation circuit 212 corresponding to the second central processing unit 206.
Therefore, by checking the operation of the first voltage monitoring circuit 207 and the second voltage monitoring circuit 208, for example at start-up of the functional safety device 101 and at regular intervals during operation, an abnormality arising in the first voltage monitoring circuit 207 or the second voltage monitoring circuit 208 can be detected before an abnormality occurs in the power supply voltage.
<Embodiment 2>
Next, the functional safety device 101 according to Embodiment 2 is described. FIG. 3 is a block diagram showing a configuration example of the functional safety device 101 according to Embodiment 2, detailing the main part of the functional safety device 101 shown in FIG. 1. In Embodiment 2, components identical to those described in Embodiment 1 are given the same reference numerals and their description is omitted.
<Configuration of the functional safety device>
Embodiment 1 showed a configuration with two central processing units. Products that require an even higher level of safety, for example those used in power plants, have three or more central processing units and, when two or more of the three computation results agree, adopt the agreeing result. Embodiment 2 describes a configuration with three central processing units and the flow of the operation check of the voltage monitoring circuits.
As shown in FIG. 3, the functional safety device 101 according to Embodiment 2 adds a third central processing unit 307, a third voltage monitoring circuit 309, a third switch 311 and a third cutoff confirmation circuit 313 to the configuration of FIG. 2.
<Operation check of the voltage monitoring circuits>
Next, the differences between the operation check of the first voltage monitoring circuit 207 in Embodiment 2 and the same check in Embodiment 1 are described.
Before the operation check starts, the second central processing unit 206 confirms that "the second central processing unit 206 is not outputting cutoff notification 2 to the first voltage monitoring circuit 207", the third central processing unit 307 confirms that "the third central processing unit 307 is not outputting cutoff notification 3 to the first voltage monitoring circuit 207", and the first central processing unit 205 confirms that "cutoff confirmation 1 is not being input to the first central processing unit 205 from the first cutoff confirmation circuit 211".
To confirm that the first voltage monitoring circuit 207 can output to the first switch 209 the cutoff command 1 that it outputs when it detects that an overvoltage or undervoltage has occurred in the monitoring voltage 202, the second central processing unit 206 outputs cutoff notification 2 to the first voltage monitoring circuit 207 and the third central processing unit 307 outputs cutoff notification 3 to the first voltage monitoring circuit 207.
When cutoff notification 2 is input from the second central processing unit 206 and cutoff notification 3 is input from the third central processing unit 307, the first voltage monitoring circuit 207 outputs cutoff command 1 to the first switch 209.
The first central processing unit 205, the second central processing unit 206 and the third central processing unit 307 communicate with each other: the second central processing unit 206 informs the first central processing unit 205 that it has output cutoff notification 2 to the first voltage monitoring circuit 207, the third central processing unit 307 informs the first central processing unit 205 that it has output cutoff notification 3 to the first voltage monitoring circuit 207, and the first central processing unit 205 informs the second central processing unit 206 and the third central processing unit 307 that cutoff confirmation 1 is being input from the first cutoff confirmation circuit 211.
From the content exchanged in this mutual communication, the first central processing unit 205, the second central processing unit 206 and the third central processing unit 307 judge that the operation check of the first voltage monitoring circuit 207 has completed normally.
 次に、実施の形態2における第2電圧監視回路の動作確認をする場合の動作と実施の形態1の場合の動作との違いについて説明する。 Next, the difference between the operation for checking the operation of the second voltage monitoring circuit in the second embodiment and the operation in the first embodiment will be described.
 動作確認を開始する前に、第1中央処理装置205は「第1中央処理装置205が第2電圧監視回路208へ遮断通知1を出力していないこと」を確認し、第3中央処理装置307は「第3中央処理装置307が第2電圧監視回路208へ遮断通知3を出力していないこと」を確認し、第2中央処理装置206は「第2中央処理装置206が第2遮断確認回路212から遮断確認2が入力されていないこと」を確認する。 Before starting the operation check, the first central processing unit 205 confirms that “the first central processing unit 205 has not output the shutdown notification 1 to the second voltage monitoring circuit 208”, and the third central processing unit 307 confirms that "the third central processing unit 307 has not output the shutdown notification 3 to the second voltage monitoring circuit 208", and the second central processing unit 206 confirms that "the second central processing unit 206 has 212 has not been entered.
 第2電圧監視回路208が監視電圧202に過電圧または低電圧が発生していることを検知した際に出力する遮断指令2を、第2電圧監視回路208が第2スイッチ210へ出力できることを確認するために、第1中央処理装置205は第2電圧監視回路208へ遮断通知1を出力し、第3中央処理装置307は第2電圧監視回路208へ遮断通知3を出力する。 Confirm that the second voltage monitoring circuit 208 can output to the second switch 210 the shutdown command 2 that is output when the second voltage monitoring circuit 208 detects that the monitored voltage 202 is overvoltage or undervoltage. Therefore, the first central processing unit 205 outputs a shutdown notification 1 to the second voltage monitoring circuit 208 , and the third central processing unit 307 outputs a shutdown notification 3 to the second voltage monitoring circuit 208 .
 第2電圧監視回路208は、第1中央処理装置205から遮断通知1が入力され、第3中央処理装置307から遮断通知3が入力されたとき、第2スイッチ210へ遮断指令2を出力する。 The second voltage monitoring circuit 208 outputs a shutdown command 2 to the second switch 210 when a shutdown notification 1 is input from the first central processing unit 205 and a shutdown notification 3 is input from the third central processing unit 307 .
 第1中央処理装置205と第2中央処理装置206と第3中央処理装置307とは相互通信を行っており、第1中央処理装置205から第2中央処理装置206に対しては第2電圧監視回路208へ遮断通知1を出力したことを伝達し、第3中央処理装置307から第2中央処理装置206に対しては第2電圧監視回路208へ遮断通知3を出力したことを伝達し、第2中央処理装置206から第1中央処理装置205と第3中央処理装置307とに対しては第2遮断確認回路212から遮断確認2が入力されていることを伝達する。 The first central processing unit 205, the second central processing unit 206, and the third central processing unit 307 are in mutual communication, and the first central processing unit 205 to the second central processing unit 206 receives a second voltage monitoring signal. The third central processing unit 307 transmits to the second central processing unit 206 that the cutoff notification 1 has been output to the circuit 208, the output of the cutoff notification 3 to the second voltage monitoring circuit 208 is transmitted, Second central processing unit 206 notifies first central processing unit 205 and third central processing unit 307 that shutdown confirmation 2 has been input from second shutdown confirmation circuit 212 .
 第1中央処理装置205と第2中央処理装置206と第3中央処理装置307との相互通信における伝達内容から、第1中央処理装置205と第2中央処理装置206と第3中央処理装置307は第2電圧監視回路208の動作確認が正常に行われたと判断する。 From the content of mutual communication between the first central processing unit 205, the second central processing unit 206 and the third central processing unit 307, the first central processing unit 205, the second central processing unit 206 and the third central processing unit 307 It is determined that the operation confirmation of the second voltage monitoring circuit 208 has been performed normally.
 次に、第3電圧監視回路309の動作確認をする場合について説明する。第3電圧監視回路309は実施の形態1の構成には含まれていないため、第3電圧監視回路309の動作確認の流れを全て説明する。 Next, the case of checking the operation of the third voltage monitoring circuit 309 will be described. Since the third voltage monitoring circuit 309 is not included in the configuration of the first embodiment, the entire flow of checking the operation of the third voltage monitoring circuit 309 will be described.
 動作確認を開始する前に、第1中央処理装置205は「第1中央処理装置205が第3電圧監視回路309へ遮断通知1を出力していないこと」を確認し、第2中央処理装置206は「第2中央処理装置206が第3電圧監視回路309へ遮断通知2を出力していないこと」を確認し、第3中央処理装置307は「第3中央処理装置307が第3遮断確認回路313から遮断確認3が入力されていないこと」を確認する。 Before starting the operation check, the first central processing unit 205 confirms that "the first central processing unit 205 has not output the shutdown notification 1 to the third voltage monitoring circuit 309", and the second central processing unit 206 confirms that "the second central processing unit 206 has not output the shutdown notification 2 to the third voltage monitoring circuit 309", and the third central processing unit 307 confirms that "the third central processing unit 307 has 313 has not been entered as shutdown confirmation 3”.
 第3電圧監視回路309が監視電圧202に過電圧または低電圧が発生していることを検知した際に出力する遮断指令3を、第3電圧監視回路309が第3スイッチ311へ出力できることを確認するために、第1中央処理装置205は第3電圧監視回路309へ遮断通知1を出力し、第2中央処理装置206は第3電圧監視回路309へ遮断通知2を出力する。 It is confirmed that the third voltage monitoring circuit 309 can output to the third switch 311 the shutdown command 3 that is output when the third voltage monitoring circuit 309 detects that the monitored voltage 202 is overvoltage or undervoltage. Therefore, the first central processing unit 205 outputs a shutdown notification 1 to the third voltage monitoring circuit 309 , and the second central processing unit 206 outputs a shutdown notification 2 to the third voltage monitoring circuit 309 .
 第3電圧監視回路309は、第1中央処理装置205から遮断通知1が入力され、第2中央処理装置206から遮断通知2が入力されたとき、第3スイッチ311へ遮断指令3を出力する。 The third voltage monitoring circuit 309 outputs a shutdown command 3 to the third switch 311 when a shutdown notification 1 is input from the first central processing unit 205 and a shutdown notification 2 is input from the second central processing unit 206 .
 第3スイッチ311は、第3電圧監視回路309から遮断指令3が入力されたとき、第1中央処理装置205と第2中央処理装置206と第3中央処理装置307に供給される供給電圧203を遮断する。このとき、第1中央処理装置205と第2中央処理装置206と第3中央処理装置307には、第1遮断確認回路211と第2遮断確認回路212経由で供給電圧203が供給される。 The third switch 311 cuts the supply voltage 203 supplied to the first central processing unit 205, the second central processing unit 206, and the third central processing unit 307 when the shutdown command 3 is input from the third voltage monitoring circuit 309. Cut off. At this time, the supply voltage 203 is supplied to the first central processing unit 205 , the second central processing unit 206 and the third central processing unit 307 via the first interruption confirmation circuit 211 and the second interruption confirmation circuit 212 .
 第3スイッチ311によって第1中央処理装置205と第2中央処理装置206と第3中央処理装置307に供給される供給電圧203が遮断されたとき、第3遮断確認回路313は第3中央処理装置307へ遮断確認3を出力する。 When the supply voltage 203 supplied to the first central processing unit 205, the second central processing unit 206 and the third central processing unit 307 is cut off by the third switch 311, the third cut-off confirmation circuit 313 A shutdown confirmation 3 is output to 307 .
 第1中央処理装置205と第2中央処理装置206と第3中央処理装置307とは相互通信を行っており、第1中央処理装置205から第3中央処理装置307に対しては第3電圧監視回路309へ遮断通知1を出力したことを伝達し、第2中央処理装置206から第3中央処理装置307に対しては第3電圧監視回路309へ遮断通知2を出力したことを伝達し、第3中央処理装置307から第1中央処理装置205と第2中央処理装置206とに対しては第3遮断確認回路313から遮断確認3が入力されていることを伝達する。 The first central processing unit 205, the second central processing unit 206, and the third central processing unit 307 are in mutual communication, and the third voltage monitoring unit 307 is sent from the first central processing unit 205 to the third central processing unit 307. The second central processing unit 206 transmits to the third central processing unit 307 that the cutoff notification 1 has been output to the circuit 309, the output of the cutoff notification 2 to the third voltage monitoring circuit 309 is transmitted, 3. The central processing unit 307 transmits to the first central processing unit 205 and the second central processing unit 206 that the interruption confirmation 3 has been input from the third interruption confirmation circuit 313 .
 第1中央処理装置205と第2中央処理装置206と第3中央処理装置307との相互通信における伝達内容から、第1中央処理装置205と第2中央処理装置206と第3中央処理装置307は第3電圧監視回路309の動作確認が正常に行われたと判断する。 From the content of mutual communication between the first central processing unit 205, the second central processing unit 206 and the third central processing unit 307, the first central processing unit 205, the second central processing unit 206 and the third central processing unit 307 It is determined that the operation confirmation of the third voltage monitoring circuit 309 has been performed normally.
<Effects>
As described above, in the functional safety device 101 according to Embodiment 2, the plurality of central processing units includes the first central processing unit 205, the second central processing unit 206, and the third central processing unit 307; the plurality of voltage monitoring circuits includes the first voltage monitoring circuit 207 corresponding to the first central processing unit 205, the second voltage monitoring circuit 208 corresponding to the second central processing unit 206, and the third voltage monitoring circuit 309 corresponding to the third central processing unit 307; the plurality of switches includes the first switch 209 corresponding to the first central processing unit 205, the second switch 210 corresponding to the second central processing unit 206, and the third switch 311 corresponding to the third central processing unit 307; the plurality of cutoff confirmation circuits includes the first cutoff confirmation circuit 211 corresponding to the first central processing unit 205, the second cutoff confirmation circuit 212 corresponding to the second central processing unit 206, and the third cutoff confirmation circuit 313 corresponding to the third central processing unit 307; and any one of the first voltage monitoring circuit 207, the second voltage monitoring circuit 208, and the third voltage monitoring circuit 309 starts its own operation check upon receiving the cutoff notifications output from the two central processing units that do not correspond to it.
Therefore, in addition to the effects of Embodiment 1, because the operation check starts only after two cutoff notifications have been input to the voltage monitoring circuit, an unintended operation check of the voltage monitoring circuit is suppressed when a single central processing unit erroneously outputs a cutoff notification.
<Embodiment 3>
Next, the functional safety device 101 according to Embodiment 3 will be described. FIG. 4 is a block diagram showing a configuration example of the functional safety device according to Embodiment 3 and its periphery, and is a detailed view of the configuration shown in FIG. 1. In Embodiment 3, components identical to those described in Embodiments 1 and 2 are given the same reference numerals and their description is omitted.
<Configuration of the functional safety device>
Embodiment 1 described that, when an overvoltage or undervoltage is detected in the supply voltage supplied to a central processing unit, the supply voltage to that central processing unit is cut off so that the abnormal voltage is not continuously supplied to it. Embodiments 1 and 2 also described the flow of the operation check of each voltage monitoring circuit.
Embodiment 3 describes, for a configuration in which a black channel is adopted for communication with the input units or output units connected to the central processing units, the flow of operations by which, when an overvoltage or undervoltage is detected in the voltage supplied to the central processing units or when the operation check of a voltage monitoring circuit finds an abnormality, the central processing units disconnect communication with their communication partners, so that the partners recognize the abnormality of the central processing units and the drive unit is safely stopped. The operation when an overvoltage or undervoltage is detected in the supply voltage is described only for the case in which the first voltage monitoring circuit 207 and the second voltage monitoring circuit 208 operate normally.
As shown in FIG. 4, the functional safety device 101 according to Embodiment 3 adds a detection unit 102, a first input unit 103, a second input unit 104, a first output unit 111, a second output unit 112, and a drive unit 113 to the configuration of FIG. 2.
<Operation check of the voltage monitoring circuits>
Next, the difference between Embodiment 3 and Embodiment 1 in the operation when an overvoltage or undervoltage is detected in the supply voltage 203 supplied to the central processing units will be described.
When the first switch 209 and the second switch 210 cut off the supply voltage 203 supplied to the first central processing unit 205 and the second central processing unit 206, the supply voltage 203 is no longer supplied to these units, and communication between the first central processing unit 205 and the first input unit 103, between the second central processing unit 206 and the second input unit 104, between the first central processing unit 205 and the first output unit 111, and between the second central processing unit 206 and the second output unit 112 is disconnected.
The drive unit 113 determines from the disconnection of communication that an abnormality has occurred in the first central processing unit 205 and the second central processing unit 206, and safely stops itself.
Next, the case in which the operation check of the first voltage monitoring circuit 207 finds an abnormality will be described. Since Embodiment 1 did not describe this case, the whole flow of the operation check of the first voltage monitoring circuit 207 is described.
Before starting the operation check, the second central processing unit 206 confirms that "the second central processing unit 206 has not output cutoff notification 2 to the first voltage monitoring circuit 207", and the first central processing unit 205 confirms that "cutoff confirmation 1 is not being input to the first central processing unit 205 from the first cutoff confirmation circuit 211".
To confirm that the first voltage monitoring circuit 207 can output to the first switch 209 the cutoff command 1 that it outputs when it detects an overvoltage or undervoltage on the monitored voltage 202, the second central processing unit 206 outputs cutoff notification 2 to the first voltage monitoring circuit 207.
Because the first voltage monitoring circuit 207 has failed, it does not output cutoff command 1 to the first switch 209 even when cutoff notification 2 is input from the second central processing unit 206.
Since cutoff command 1 is not input from the first voltage monitoring circuit 207, the first switch 209 does not cut off the supply voltage 203 supplied to the first central processing unit 205 and the second central processing unit 206.
Since the supply voltage 203 supplied to the first central processing unit 205 and the second central processing unit 206 is not cut off by the first switch 209, the first cutoff confirmation circuit 211 does not output cutoff confirmation 1 to the first central processing unit 205.
The first central processing unit 205 and the second central processing unit 206 communicate with each other: the second central processing unit 206 informs the first central processing unit 205 that it has output cutoff notification 2 to the first voltage monitoring circuit 207, and the first central processing unit 205 informs the second central processing unit 206 that cutoff confirmation 1 has not been input from the first cutoff confirmation circuit 211.
From the content exchanged in this mutual communication, the first central processing unit 205 and the second central processing unit 206 determine that the first voltage monitoring circuit 207 is not operating normally.
The first central processing unit 205 and the second central processing unit 206 stop their own operation, whereby communication between the first central processing unit 205 and the first input unit 103, between the second central processing unit 206 and the second input unit 104, between the first central processing unit 205 and the first output unit 111, and between the second central processing unit 206 and the second output unit 112 is disconnected.
The drive unit 113 determines from the disconnection of communication that an abnormality has occurred in the first central processing unit 205 and the second central processing unit 206, and safely stops itself.
Next, the case in which the operation check of the second voltage monitoring circuit 208 finds an abnormality will be described. Since Embodiment 1 did not describe this case, the whole flow of the operation check of the second voltage monitoring circuit 208 is described.
Before starting the operation check, the first central processing unit 205 confirms that "the first central processing unit 205 has not output cutoff notification 1 to the second voltage monitoring circuit 208", and the second central processing unit 206 confirms that "cutoff confirmation 2 is not being input to the second central processing unit 206 from the second cutoff confirmation circuit 212".
To confirm that the second voltage monitoring circuit 208 can output to the second switch 210 the cutoff command 2 that it outputs when it detects an overvoltage or undervoltage on the monitored voltage 202, the first central processing unit 205 outputs cutoff notification 1 to the second voltage monitoring circuit 208.
Because the second voltage monitoring circuit 208 has failed, it does not output cutoff command 2 to the second switch 210 even when cutoff notification 1 is input from the first central processing unit 205.
Since cutoff command 2 is not input from the second voltage monitoring circuit 208, the second switch 210 does not cut off the supply voltage 203 supplied to the first central processing unit 205 and the second central processing unit 206.
Since the supply voltage 203 supplied to the first central processing unit 205 and the second central processing unit 206 is not cut off by the second switch 210, the second cutoff confirmation circuit 212 does not output cutoff confirmation 2 to the second central processing unit 206.
The first central processing unit 205 and the second central processing unit 206 communicate with each other: the first central processing unit 205 informs the second central processing unit 206 that it has output cutoff notification 1 to the second voltage monitoring circuit 208, and the second central processing unit 206 informs the first central processing unit 205 that cutoff confirmation 2 has not been input from the second cutoff confirmation circuit 212.
From the content exchanged in this mutual communication, the first central processing unit 205 and the second central processing unit 206 determine that the second voltage monitoring circuit 208 is not operating normally.
The first central processing unit 205 and the second central processing unit 206 stop their own operation, whereby communication between the first central processing unit 205 and the first input unit 103, between the second central processing unit 206 and the second input unit 104, between the first central processing unit 205 and the first output unit 111, and between the second central processing unit 206 and the second output unit 112 is disconnected.
The drive unit 113 determines from the disconnection of communication that an abnormality has occurred in the first central processing unit 205 and the second central processing unit 206, and safely stops itself.
The configuration of Embodiment 3 can also be adopted in a functional safety device 101 having three central processing units, as in Embodiment 2.
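The operation-check protocol of Embodiment 2 (a voltage monitoring circuit issues its cutoff command only after both non-corresponding central processing units have notified it, and the units cross-check over their mutual communication) and the abnormal-case handling of Embodiment 3 (a failed monitoring circuit yields no cutoff confirmation, the central processing units stop themselves, the black-channel links drop, and the drive unit stops) can be exercised in a small simulation. The code below is an added example written for this page, not the patent's or Mitsubishi Electric's; `VoltageMonitor`, `DriveUnit`, `run_check`, `handle_result`, and the `cpuNNN`/`monitorNNN` labels are illustrative assumptions, and the switch and cutoff confirmation circuit are modelled as booleans.

```python
"""Constructed simulation of the voltage-monitoring-circuit operation check
(Embodiment 2) and of the response to a failed check (Embodiment 3).
All names are illustrative; this is not the patent's code."""
from dataclasses import dataclass, field


@dataclass
class VoltageMonitor:
    """Voltage monitoring circuit for one CPU. It issues its cutoff command
    only once every non-corresponding CPU has sent a cutoff notification,
    so a single spurious notification starts no check. `faulty=True`
    models the failed circuit of Embodiment 3 that never commands."""
    name: str
    notifiers: frozenset                 # CPUs that do not correspond to it
    faulty: bool = False
    received: set = field(default_factory=set)

    def notify(self, cpu: str) -> None:
        if cpu not in self.notifiers:
            raise ValueError(f"{cpu} corresponds to {self.name}; it must not notify it")
        self.received.add(cpu)

    def cutoff_command(self) -> bool:
        return not self.faulty and self.received == self.notifiers


@dataclass
class DriveUnit:
    """Drive unit on the black channel: a dropped CPU link is read as a CPU
    abnormality and the drive stops itself (Embodiment 3)."""
    links: dict                          # cpu name -> link alive?
    running: bool = True

    def observe(self) -> None:
        if not all(self.links.values()):
            self.running = False


def precheck(monitor: VoltageMonitor, confirmation_seen: bool) -> bool:
    """Pre-conditions of the check: no notification already sent to the
    monitor and no cutoff confirmation already present at its CPU."""
    return not monitor.received and not confirmation_seen


def run_check(monitor: VoltageMonitor, owner: str,
              confirmation_seen: bool = False) -> dict:
    """One operation check. Returns the messages exchanged over the CPUs'
    mutual communication and the verdict each CPU derives from them."""
    if not precheck(monitor, confirmation_seen):
        raise RuntimeError("pre-conditions for the operation check not met")
    for cpu in sorted(monitor.notifiers):
        monitor.notify(cpu)
    switch_open = monitor.cutoff_command()   # the switch follows the command
    confirmation = switch_open               # cutoff confirmation circuit output
    messages = {cpu: f"{cpu} notified {monitor.name}" for cpu in monitor.notifiers}
    messages[owner] = f"{owner} confirmation={confirmation}"
    all_notified = monitor.received == monitor.notifiers
    return {"messages": messages, "normal": all_notified and confirmation}


def handle_result(result: dict, cpus: list, drive: DriveUnit) -> DriveUnit:
    """On an abnormal verdict the CPUs stop themselves, their black-channel
    links drop, and the drive unit observes the loss and stops."""
    if not result["normal"]:
        for cpu in cpus:
            drive.links[cpu] = False
    drive.observe()
    return drive


if __name__ == "__main__":
    ok = run_check(VoltageMonitor("monitor207", frozenset({"cpu206", "cpu307"})), "cpu205")
    print("embodiment 2, healthy monitor:", ok)
    bad = run_check(VoltageMonitor("monitor208", frozenset({"cpu205"}), faulty=True), "cpu206")
    drive = handle_result(bad, ["cpu205", "cpu206"], DriveUnit({"cpu205": True, "cpu206": True}))
    print("embodiment 3, failed monitor:", bad, "drive running:", drive.running)
```

The `notifiers` set is what enforces the Embodiment 2 property: with two required notifiers, one erroneous notification leaves `cutoff_command()` false, and an attempt by the monitor's own CPU to notify it is rejected.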
<Effects>
As described above, in the functional safety device 101 according to Embodiment 3, the plurality of central processing units can communicate with the drive unit 113, which is controlled according to commands output from the functional safety device 101, and with the detection unit 102, which detects the surrounding environment of the drive unit 113; and the plurality of central processing units disconnect communication with the drive unit 113 and the detection unit 102 when the power supply voltage is an overvoltage or undervoltage, or when an abnormality has occurred in a voltage monitoring circuit.
Therefore, in addition to the effects of Embodiment 1, the drive unit 113 that communicates with the central processing units can be safely stopped.
<Embodiment 4>
Embodiment 4 is described below with reference to the drawings. FIG. 5 is a block diagram schematically showing a configuration example of the functional safety device 101 according to Embodiment 4 and its periphery. In Embodiment 4, components identical to those described in Embodiments 1 to 3 are given the same reference numerals and their description is omitted.
<Schematic configuration of the functional safety device and its periphery>
As shown in FIG. 5, the functional safety device 101 is communicably connected to a detection unit 102, a drive unit 113, and a user interface unit 501. The drive unit 113 is controlled according to commands output from the functional safety device 101. The detection unit 102 detects the surrounding environment of the drive unit 113. The user interface unit 501 allows a program created by the user of the functional safety device 101 to be registered in the functional safety device 101 and notifies the user of the operating state of the functional safety device 101.
 機能安全装置101は、入力装置502と、演算装置503と、出力装置504との3つの装置を組み合わせて構成されている。 The functional safety device 101 is configured by combining three devices: an input device 502, an arithmetic device 503, and an output device 504.
 入力装置502は、第1入力部103と、第2入力部104と、第1電圧供給部505と、第2電圧供給部506と、第1電圧監視部507と、第2電圧監視部508とを備えている。 The input device 502 includes a first input section 103, a second input section 104, a first voltage supply section 505, a second voltage supply section 506, a first voltage monitoring section 507, and a second voltage monitoring section 508. It has
 演算装置503は、第1演算処理部105と、第2演算処理部106と、第1電圧供給部107と、第2電圧供給部108と、第1電圧監視部109と、第2電圧監視部110とを備えている。 Arithmetic device 503 includes first arithmetic processing unit 105, second arithmetic processing unit 106, first voltage supply unit 107, second voltage supply unit 108, first voltage monitoring unit 109, and second voltage monitoring unit. 110.
 出力装置504は、第1出力部111と、第2出力部112と、第1電圧供給部509と、第2電圧供給部510と、第1電圧監視部511と、第2電圧監視部512とを備えている。 The output device 504 includes a first output section 111, a second output section 112, a first voltage supply section 509, a second voltage supply section 510, a first voltage monitoring section 511, and a second voltage monitoring section 512. It has
 検知部102は、工場の生産ラインにおいて稼働中に使用者が立ち入り禁止区域内に侵入したことを検知する製品であってもよく、使用者が立ち入り禁止区域内に侵入したことを検知したとき、その旨を通知するための信号を機能安全装置101へ送信する。 The detection unit 102 may be a product that detects that a user has entered a restricted area during operation on a production line in a factory. A signal for notifying that effect is transmitted to the functional safety device 101 .
 駆動部113は、工場の生産ライン上で繰り返し駆動物を動かす製品であってもよく、機能安全装置101が出力する制御指令に従って駆動する。 The drive unit 113 may be a product that repeatedly moves a driven object on a factory production line, and drives according to the control command output by the functional safety device 101 .
 入力装置502と演算装置503とは1つの通信経路を備えており、入力装置502の第1入力部103と演算装置503の第1演算処理部105とが通信する。 The input device 502 and the arithmetic device 503 have one communication path, and the first input unit 103 of the input device 502 and the first arithmetic processing unit 105 of the arithmetic device 503 communicate.
 第1入力部103は、検知部102から受け取った信号を第1演算処理部105に入力できる形式に変換して、第1演算処理部105へ出力する。 The first input unit 103 converts the signal received from the detection unit 102 into a format that can be input to the first arithmetic processing unit 105 and outputs the signal to the first arithmetic processing unit 105 .
 入力装置502では、第1入力部103が誤った入力処理をしていないことを診断するために、2つの入力部103,104が設けられ、これらの入力処理結果を照合することで、安全を担保している。 In the input device 502, two input units 103 and 104 are provided in order to diagnose that the first input unit 103 is not performing incorrect input processing. Guaranteed.
 The first voltage supply unit 505 and the second voltage supply unit 506 are provided corresponding to the first input unit 103 and the second input unit 104, respectively, and generate the power supply voltage required by the first voltage supply unit 505 and the second voltage supply unit 506.
 The first voltage monitoring unit 507 and the second voltage monitoring unit 508 monitor whether the power supply voltage supplied to the first voltage supply unit 505 and the second voltage supply unit 506, respectively, is an overvoltage or an undervoltage. When the first voltage monitoring unit 507 or the second voltage monitoring unit 508 detects that the power supply voltage supplied from the first voltage supply unit 505 or the second voltage supply unit 506, respectively, is an overvoltage or an undervoltage, it ensures safety by taking measures so that the power supply voltage is no longer supplied to the first input unit 103 or the second input unit 104, respectively.
 The arithmetic device 503 and the output device 504 have one communication path between them, over which the first arithmetic processing unit 105 of the arithmetic device 503 and the first output unit 111 of the output device 504 communicate.
 A program created by the user is registered in advance in the first arithmetic processing unit 105. Using the user-created program and the signal received from the first input unit 103, the first arithmetic processing unit 105 computes a control command for the drive unit 113 such that the output corresponds to the input, and outputs the computed control command to the first output unit 111.
 In the arithmetic device 503, two arithmetic processing units 105 and 106 are provided so that no control command is generated that would cause the drive unit 113 to operate incorrectly; safety is ensured by cross-checking the processing results of the two arithmetic processing units.
 The first voltage supply unit 107 and the second voltage supply unit 108 are provided corresponding to the first arithmetic processing unit 105 and the second arithmetic processing unit 106, respectively, and generate the power supply voltage required by the first arithmetic processing unit 105 and the second arithmetic processing unit 106.
 The first voltage monitoring unit 109 and the second voltage monitoring unit 110 monitor whether the power supply voltage supplied to the first voltage supply unit 107 and the second voltage supply unit 108, respectively, is an overvoltage or an undervoltage. When the first voltage monitoring unit 109 or the second voltage monitoring unit 110 detects that the power supply voltage supplied from the first voltage supply unit 107 or the second voltage supply unit 108, respectively, is an overvoltage or an undervoltage, it ensures safety by taking measures so that the power supply voltage is no longer supplied to the first arithmetic processing unit 105 or the second arithmetic processing unit 106, respectively.
 The first output unit 111 converts the signal received from the first arithmetic processing unit 105 into a form that can be input to the drive unit 113 and outputs it to the drive unit 113.
 In the output device 504, two output units 111 and 112 are provided in order to diagnose that the first output unit 111 is not performing erroneous output processing; safety is ensured by cross-checking the output processing results of the two output units.
 The first voltage supply unit 509 and the second voltage supply unit 510 are provided corresponding to the first output unit 111 and the second output unit 112, respectively, and generate the power supply voltage required by the first voltage supply unit 509 and the second voltage supply unit 510.
 The first voltage monitoring unit 511 and the second voltage monitoring unit 512 monitor whether the power supply voltage supplied to the first voltage supply unit 509 and the second voltage supply unit 510, respectively, is an overvoltage or an undervoltage. When the first voltage monitoring unit 511 or the second voltage monitoring unit 512 detects that the power supply voltage supplied from the first voltage supply unit 509 or the second voltage supply unit 510, respectively, is an overvoltage or an undervoltage, it ensures safety by taking measures so that the power supply voltage is no longer supplied to the first output unit 111 or the second output unit 112, respectively.
 For communication between the components, because the transmitting and receiving components conform to the functional safety standard IEC61508, the communication path between the transmitting side and the receiving side may use a black channel, that is, a method whose own conformance to IEC61508 is not required.
 When the functional safety device 101 is in operation, if a user enters a restricted area while driven objects are being moved repeatedly on a factory production line, the detection unit 102 notifies the functional safety device 101 that the user has entered the restricted area. The functional safety device 101 then takes measures to stop the drive unit 113 safely, thereby ensuring the user's safety.
 If an abnormality occurs in the first voltage monitoring unit 507 or the second voltage monitoring unit 508, which monitor whether the power supply voltage supplied to the first voltage supply unit 505 or the second voltage supply unit 506 (the units that supply the power supply voltage to the first input unit 103 and the second input unit 104 of the functional safety device 101) is an overvoltage or an undervoltage, there is a mechanism for safely stopping the control of the drive unit 113 by the functional safety device 101. However, the user cannot identify which function of the functional safety device 101 became abnormal and caused the functional safety device 101 to stop controlling the drive unit 113.
 Similarly, if an abnormality occurs in the first voltage monitoring unit 511 or the second voltage monitoring unit 512, which monitor whether the power supply voltage supplied to the first voltage supply unit 509 or the second voltage supply unit 510 (the units that supply the power supply voltage to the first output unit 111 and the second output unit 112 of the functional safety device 101) is an overvoltage or an undervoltage, there is a mechanism for safely stopping the control of the drive unit 113 by the functional safety device 101. However, the user cannot identify which function of the functional safety device 101 became abnormal and caused the functional safety device 101 to stop controlling the drive unit 113. The functional safety device 101 was devised to solve this problem and is described in detail below.
<Configuration of functional safety device>
The configuration of the input device 502, the arithmetic device 503, and the output device 504, which constitute the functional safety device 101, is described with reference to FIG. 2.
 As shown in FIG. 2, each of the input device 502, the arithmetic device 503, and the output device 504 includes a power supply generation unit 204, a first central processing unit 205, a second central processing unit 206, a first voltage monitoring circuit 207, a second voltage monitoring circuit 208, a first switch 209, a second switch 210, a first cutoff confirmation circuit 211, and a second cutoff confirmation circuit 212.
 The relationship between the components of FIG. 2 and FIG. 5 is now described. First, the relationship for the components of the input device 502 in FIG. 2 and FIG. 5: the power supply generation unit 204 corresponds to the first voltage supply unit 505 and the second voltage supply unit 506. The first central processing unit 205 corresponds to the first input unit 103, and the second central processing unit 206 corresponds to the second input unit 104. The first voltage monitoring circuit 207, the first switch 209, and the first cutoff confirmation circuit 211 correspond to the first voltage monitoring unit 507, and the second voltage monitoring circuit 208, the second switch 210, and the second cutoff confirmation circuit 212 correspond to the second voltage monitoring unit 508.
 Next, the relationship for the components of the arithmetic device 503 in FIG. 2 and FIG. 5: the power supply generation unit 204 corresponds to the first voltage supply unit 107 and the second voltage supply unit 108. The first central processing unit 205 corresponds to the first arithmetic processing unit 105, and the second central processing unit 206 corresponds to the second arithmetic processing unit 106. The first voltage monitoring circuit 207, the first switch 209, and the first cutoff confirmation circuit 211 correspond to the first voltage monitoring unit 109, and the second voltage monitoring circuit 208, the second switch 210, and the second cutoff confirmation circuit 212 correspond to the second voltage monitoring unit 110.
 Finally, the relationship for the components of the output device 504 in FIG. 2 and FIG. 5: the power supply generation unit 204 corresponds to the first voltage supply unit 509 and the second voltage supply unit 510. The first central processing unit 205 corresponds to the first output unit 111, and the second central processing unit 206 corresponds to the second output unit 112. The first voltage monitoring circuit 207, the first switch 209, and the first cutoff confirmation circuit 211 correspond to the first voltage monitoring unit 511, and the second voltage monitoring circuit 208, the second switch 210, and the second cutoff confirmation circuit 212 correspond to the second voltage monitoring unit 512.
 Each component of FIG. 2 operates as described in paragraphs 0028 to 0037, so the description is omitted here.
<Checking the operation of the voltage monitoring circuits>
Next, the operation check of the voltage monitoring circuits is described. The input device 502 and the output device 504 of the functional safety device 101 check the operation of the first voltage monitoring circuit 207 and the second voltage monitoring circuit 208. The following description shows the flow of the operation check for the case in which an abnormality has occurred in the first voltage monitoring circuit 207 or the second voltage monitoring circuit 208. The operation check of the first voltage monitoring circuit 207 and the second voltage monitoring circuit 208 is performed when the functional safety device 101 starts up and at regular intervals during operation.
 First, the flow of the operation check in the input device 502 of the functional safety device 101 is described.
 First, the case in which the operation check of the first voltage monitoring circuit 207 finds an abnormality is described. Before the operation check starts, the second central processing unit 206 confirms that it has not output cutoff notification 2 to the first voltage monitoring circuit 207, and the first central processing unit 205 confirms that cutoff confirmation 1 has not been input to it from the first cutoff confirmation circuit 211.
 To confirm that the first voltage monitoring circuit 207 can output to the first switch 209 the cutoff command 1 that it outputs when it detects an overvoltage or undervoltage on the monitored voltage 202, the second central processing unit 206 outputs cutoff notification 2 to the first voltage monitoring circuit 207.
 Because the first voltage monitoring circuit 207 has failed, it does not output cutoff command 1 to the first switch 209 even when cutoff notification 2 is input from the second central processing unit 206.
 Because cutoff command 1 is not input from the first voltage monitoring circuit 207, the first switch 209 does not interrupt the path that passes through the first switch 209 and the first cutoff confirmation circuit 211, one of the two paths from the monitored voltage 202 to the supply voltage 203 supplied to the first central processing unit 205 and the second central processing unit 206.
 Because the path through the first switch 209 and the first cutoff confirmation circuit 211, one of the two paths from the monitored voltage 202 to the supply voltage 203 supplied to the first central processing unit 205 and the second central processing unit 206, is not interrupted by the first switch 209, the first cutoff confirmation circuit 211 does not output cutoff confirmation 1 to the first central processing unit 205.
 The first central processing unit 205 and the second central processing unit 206 communicate with each other: the second central processing unit 206 informs the first central processing unit 205 that it has output cutoff notification 2 to the first voltage monitoring circuit 207, and the first central processing unit 205 informs the second central processing unit 206 that cutoff confirmation 1 has not been input from the first cutoff confirmation circuit 211.
 From the content exchanged in this mutual communication, the first central processing unit 205 and the second central processing unit 206 judge that the first voltage monitoring circuit 207 is not operating normally.
 The first central processing unit 205 of the input device 502 notifies the first central processing unit 205 of the arithmetic device 503 that an abnormality has occurred in the first voltage monitoring circuit 207 of the input device 502. The arithmetic device 503 notifies the user interface unit 501 that an abnormality has occurred in the first voltage monitoring circuit 207 of the input device 502. Based on the notification received from the arithmetic device 503, the user interface unit 501 notifies the user of the functional safety device 101 that an abnormality has occurred in the first voltage monitoring circuit 207 of the input device 502 of the functional safety device 101.
 In parallel, the first central processing unit 205 and the second central processing unit 206 of the input device 502 stop their own operation, so that communication between the first input unit 103 of the input device 502 and the first arithmetic processing unit 105 of the arithmetic device 503 is cut off. Communication between the first arithmetic processing unit 105 of the arithmetic device 503 and the first output unit 111 of the output device 504 is then cut off, and further, communication between the first output unit 111 of the output device 504 and the drive unit 113 is cut off.
 The first central processing unit 205 and the second central processing unit 206 of the input device 502 stop their own operation only after the first central processing unit 205 of the input device 502 has notified the first central processing unit 205 of the arithmetic device 503 that an abnormality has occurred in the first voltage monitoring circuit 207.
 The drive unit 113 judges from the loss of communication that an abnormality has occurred in the functional safety device 101, and stops itself safely.
 Next, the case in which the operation check of the second voltage monitoring circuit 208 finds an abnormality is described. Before the operation check starts, the first central processing unit 205 confirms that it has not output cutoff notification 1 to the second voltage monitoring circuit 208, and the second central processing unit 206 confirms that cutoff confirmation 2 has not been input to it from the second cutoff confirmation circuit 212.
 To confirm that the second voltage monitoring circuit 208 can output to the second switch 210 the cutoff command 2 that it outputs when it detects an overvoltage or undervoltage on the monitored voltage 202, the first central processing unit 205 outputs cutoff notification 1 to the second voltage monitoring circuit 208.
 Because the second voltage monitoring circuit 208 has failed, it does not output cutoff command 2 to the second switch 210 even when cutoff notification 1 is input from the first central processing unit 205.
 Because cutoff command 2 is not input from the second voltage monitoring circuit 208, the second switch 210 does not interrupt the path that passes through the second switch 210 and the second cutoff confirmation circuit 212, one of the two paths from the monitored voltage 202 to the supply voltage 203 supplied to the first central processing unit 205 and the second central processing unit 206.
 Because the path through the second switch 210 and the second cutoff confirmation circuit 212, one of the two paths from the monitored voltage 202 to the supply voltage 203 supplied to the first central processing unit 205 and the second central processing unit 206, is not interrupted by the second switch 210, the second cutoff confirmation circuit 212 does not output cutoff confirmation 2 to the second central processing unit 206.
 The first central processing unit 205 and the second central processing unit 206 communicate with each other: the first central processing unit 205 informs the second central processing unit 206 that it has output cutoff notification 1 to the second voltage monitoring circuit 208, and the second central processing unit 206 informs the first central processing unit 205 that cutoff confirmation 2 has not been input from the second cutoff confirmation circuit 212.
 From the content exchanged in this mutual communication, the first central processing unit 205 and the second central processing unit 206 judge that the second voltage monitoring circuit 208 is not operating normally.
 The first central processing unit 205 of the input device 502 notifies the first central processing unit 205 of the arithmetic device 503 that an abnormality has occurred in the second voltage monitoring circuit 208 of the input device 502. The arithmetic device 503 notifies the user interface unit 501 that an abnormality has occurred in the second voltage monitoring circuit 208 of the input device 502. Based on the notification received from the arithmetic device 503, the user interface unit 501 notifies the user of the functional safety device 101 that an abnormality has occurred in the second voltage monitoring circuit 208 of the input device 502 of the functional safety device 101.
 In parallel, the first central processing unit 205 and the second central processing unit 206 of the input device 502 stop their own operation, so that communication between the first input unit 103 of the input device 502 and the first arithmetic processing unit 105 of the arithmetic device 503 is cut off. Communication between the first arithmetic processing unit 105 of the arithmetic device 503 and the first output unit 111 of the output device 504 is then cut off, and further, communication between the first output unit 111 of the output device 504 and the drive unit 113 is cut off.
 The first central processing unit 205 and the second central processing unit 206 of the input device 502 stop their own operation only after the first central processing unit 205 of the input device 502 has notified the first central processing unit 205 of the arithmetic device 503 that an abnormality has occurred in the second voltage monitoring circuit 208.
 The drive unit 113 judges from the loss of communication that an abnormality has occurred in the functional safety device 101, and stops itself safely.
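The operation check described above for the input device 502, written out as an added example in C. This is not code from the patent or from Mitsubishi Electric; it is a simplified model in which each voltage monitoring circuit drives its switch, the switch drives its cutoff confirmation circuit, and the two central processing units exchange "notification sent" and "confirmation received" before judging the circuit. The `healthy` fault flag, the release of the cutoff notification after a passing check, and the treatment of a failed pre-check state as "not confirmed normal" are assumptions of this model, not behaviour the page states. The page describes the same sequence, with the corresponding units, for the output device 504, so the model applies to either device.

```c
#include <stdbool.h>
#include <stdio.h>

/* Channel 0 is the first chain (monitoring circuit 207, switch 209, cutoff
 * confirmation circuit 211, CPU 205); channel 1 is the second chain (208, 210,
 * 212, CPU 206). Assumed simplified model, not the patent's circuit. */
#define CH1 0
#define CH2 1

typedef struct {
    bool healthy;         /* constructed fault flag; false models the failed circuit */
    bool cutoff_command;  /* cutoff command driven to the switch of this channel */
} VoltageMonitor;

typedef struct {
    bool cutoff_notice;   /* cutoff notification this CPU drives to the OTHER channel's monitor */
    bool confirm_seen;    /* cutoff confirmation received from this channel's confirmation circuit */
} Cpu;

typedef struct {
    VoltageMonitor monitor[2];
    bool path_cut[2];       /* switch state: true when the supply path is interrupted */
    bool cutoff_confirm[2]; /* output of the cutoff confirmation circuit */
    Cpu cpu[2];
    bool voltage_fault;     /* overvoltage or undervoltage present on monitored voltage 202 */
} SafetyUnit;               /* models input device 502 (or output device 504) */

void unit_init(SafetyUnit *u, bool monitor1_healthy, bool monitor2_healthy)
{
    SafetyUnit zero = {0};
    *u = zero;
    u->monitor[CH1].healthy = monitor1_healthy;
    u->monitor[CH2].healthy = monitor2_healthy;
}

/* Propagate one channel's chain: monitor -> switch -> confirmation circuit -> CPU. */
static void settle(SafetyUnit *u, int ch)
{
    int other = 1 - ch;
    VoltageMonitor *m = &u->monitor[ch];
    bool trigger = u->voltage_fault || u->cpu[other].cutoff_notice;
    m->cutoff_command = m->healthy && trigger;   /* a failed monitor never commands a cutoff */
    u->path_cut[ch] = m->cutoff_command;
    u->cutoff_confirm[ch] = u->path_cut[ch];
    u->cpu[ch].confirm_seen = u->cutoff_confirm[ch];
}

/* Operation check of the monitoring circuit on channel `ch`: the partner CPU
 * issues the cutoff notification, the CPU of the channel under test watches for
 * the cutoff confirmation, and the two CPUs compare notes.
 * Returns true when the circuit is judged normal. */
bool check_monitor(SafetyUnit *u, int ch)
{
    int other = 1 - ch;
    settle(u, ch);
    /* Pre-check state required by the text: no notice pending, no confirmation pending.
     * Assumption: if it does not hold, the check cannot start and the circuit
     * is not confirmed normal. */
    if (u->cpu[other].cutoff_notice || u->cpu[ch].confirm_seen)
        return false;

    u->cpu[other].cutoff_notice = true;   /* partner CPU outputs the cutoff notification */
    settle(u, ch);

    /* Mutual communication: the partner reports that the notice was sent, the own
     * CPU reports whether confirmation arrived. Both must hold for a pass. */
    bool normal = u->cpu[other].cutoff_notice && u->cpu[ch].confirm_seen;

    /* Assumption: the notice is released after the check so that a healthy
     * channel's supply path is restored. */
    u->cpu[other].cutoff_notice = false;
    settle(u, ch);
    return normal;
}

/* Periodic check of both channels. Returns 0 when both monitors are normal,
 * otherwise the 1-based channel of the first monitor judged abnormal, which is
 * the information reported upstream so the user can identify the failed function. */
int diagnose_unit(SafetyUnit *u)
{
    for (int ch = CH1; ch <= CH2; ch++)
        if (!check_monitor(u, ch))
            return ch + 1;
    return 0;
}

/* Run the diagnosis on a freshly initialised unit with the given (constructed)
 * health of the two monitoring circuits. */
int scenario(bool monitor1_healthy, bool monitor2_healthy)
{
    SafetyUnit u;
    unit_init(&u, monitor1_healthy, monitor2_healthy);
    return diagnose_unit(&u);
}

/* Whether the supply path of channel `ch` is left interrupted after one check. */
bool path_cut_after_check(int ch, bool healthy)
{
    SafetyUnit u;
    unit_init(&u, healthy, healthy);
    check_monitor(&u, ch);
    return u.path_cut[ch];
}

int main(void)
{
    printf("both healthy          -> fault %d\n", scenario(true, true));   /* 0 */
    printf("first monitor failed  -> fault %d\n", scenario(false, true));  /* 1 */
    printf("second monitor failed -> fault %d\n", scenario(true, false));  /* 2 */
    return 0;
}
```

The point the model makes explicit is that the pass criterion is a conjunction of two independently reported facts: the partner CPU must have driven the notification and the own CPU must have seen the confirmation. A monitoring circuit that silently fails to command its switch is therefore caught because the confirmation never arrives, and the returned channel number is exactly the information the page says the device forwards to the user interface so the failed function can be identified.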
 Next, the flow of the operation check in the output device 504 of the functional safety device 101 is described.
 First, the case in which the operation check of the first voltage monitoring circuit 207 finds an abnormality is described. Before the operation check starts, the second central processing unit 206 confirms that it has not output cutoff notification 2 to the first voltage monitoring circuit 207, and the first central processing unit 205 confirms that cutoff confirmation 1 has not been input to it from the first cutoff confirmation circuit 211.
 To confirm that the first voltage monitoring circuit 207 can output to the first switch 209 the cutoff command 1 that it outputs when it detects an overvoltage or undervoltage on the monitored voltage 202, the second central processing unit 206 outputs cutoff notification 2 to the first voltage monitoring circuit 207.
 Because the first voltage monitoring circuit 207 has failed, it does not output cutoff command 1 to the first switch 209 even when cutoff notification 2 is input from the second central processing unit 206.
 Because cutoff command 1 is not input from the first voltage monitoring circuit 207, the first switch 209 does not interrupt the path that passes through the first switch 209 and the first cutoff confirmation circuit 211, one of the two paths from the monitored voltage 202 to the supply voltage 203 supplied to the first central processing unit 205 and the second central processing unit 206.
 Because the path through the first switch 209 and the first cutoff confirmation circuit 211, one of the two paths from the monitored voltage 202 to the supply voltage 203 supplied to the first central processing unit 205 and the second central processing unit 206, is not interrupted by the first switch 209, the first cutoff confirmation circuit 211 does not output cutoff confirmation 1 to the first central processing unit 205.
 The first central processing unit 205 and the second central processing unit 206 communicate with each other: the second central processing unit 206 informs the first central processing unit 205 that it has output cutoff notification 2 to the first voltage monitoring circuit 207, and the first central processing unit 205 informs the second central processing unit 206 that cutoff confirmation 1 has not been input from the first cutoff confirmation circuit 211.
 From the content exchanged in this mutual communication, the first central processing unit 205 and the second central processing unit 206 judge that the first voltage monitoring circuit 207 is not operating normally.
 The first central processing unit 205 of the output device 504 notifies the first central processing unit 205 of the arithmetic device 503 that an abnormality has occurred in the first voltage monitoring circuit 207 of the output device 504. The arithmetic device 503 notifies the user interface unit 501 that an abnormality has occurred in the first voltage monitoring circuit 207 of the output device 504. Based on the notification received from the arithmetic device 503, the user interface unit 501 notifies the user of the functional safety device 101 that an abnormality has occurred in the first voltage monitoring circuit 207 of the output device 504 of the functional safety device 101.
 In parallel, the first central processing unit 205 and the second central processing unit 206 of the output device 504 stop their own operation, so that communication between the first output unit 111 of the output device 504 and the first arithmetic processing unit 105 of the arithmetic device 503, and communication between the first output unit 111 of the output device 504 and the drive unit 113, are cut off.
 The first central processing unit 205 and the second central processing unit 206 of the output device 504 stop their own operation only after the first central processing unit 205 of the output device 504 has notified the first central processing unit 205 of the arithmetic device 503 that an abnormality has occurred in the first voltage monitoring circuit 207.
 The drive unit 113 judges from the loss of communication that an abnormality has occurred in the functional safety device 101, and stops itself safely.
 Next, the case in which the operation check of the second voltage monitoring circuit 208 finds an abnormality is described. Before the operation check starts, the first central processing unit 205 confirms that it has not output cutoff notification 1 to the second voltage monitoring circuit 208, and the second central processing unit 206 confirms that cutoff confirmation 2 has not been input to it from the second cutoff confirmation circuit 212.
 To confirm that the second voltage monitoring circuit 208 can output to the second switch 210 the cutoff command 2 that it outputs when it detects an overvoltage or undervoltage on the monitored voltage 202, the first central processing unit 205 outputs cutoff notification 1 to the second voltage monitoring circuit 208.
 Because the second voltage monitoring circuit 208 has failed, it does not output cutoff command 2 to the second switch 210 even when cutoff notification 1 is input from the first central processing unit 205.
 Because cutoff command 2 is not input from the second voltage monitoring circuit 208, the second switch 210 does not interrupt the path that passes through the second switch 210 and the second cutoff confirmation circuit 212, one of the two paths from the monitored voltage 202 to the supply voltage 203 supplied to the first central processing unit 205 and the second central processing unit 206.
 Because the path through the second switch 210 and the second cutoff confirmation circuit 212, one of the two paths from the monitored voltage 202 to the supply voltage 203 supplied to the first central processing unit 205 and the second central processing unit 206, is not interrupted by the second switch 210, the second cutoff confirmation circuit 212 does not output cutoff confirmation 2 to the second central processing unit 206.
 The first central processing unit 205 and the second central processing unit 206 communicate with each other: the first central processing unit 205 informs the second central processing unit 206 that it has output cutoff notification 1 to the second voltage monitoring circuit 208, and the second central processing unit 206 informs the first central processing unit 205 that cutoff confirmation 2 has not been input from the second cutoff confirmation circuit 212.
 From the content exchanged in this mutual communication, the first central processing unit 205 and the second central processing unit 206 judge that the second voltage monitoring circuit 208 is not operating normally.
 The first central processing unit 205 of the output device 504 notifies the first central processing unit 205 of the arithmetic device 503 that an abnormality has occurred in the second voltage monitoring circuit 208 of the output device 504. The arithmetic device 503 notifies the user interface unit 501 that an abnormality has occurred in the second voltage monitoring circuit 208 of the output device 504. Based on the notification received from the arithmetic device 503, the user interface unit 501 notifies the user of the functional safety device 101 that an abnormality has occurred in the second voltage monitoring circuit 208 of the output device 504 of the functional safety device 101.
 並行して、出力装置504の第1中央処理装置205と第2中央処理装置206は自身で作動を停止させることによって、出力装置504の第1出力部111と演算装置503の第1演算処理部105との間の通信と、出力装置504の第1出力部111と駆動部113との間の通信とが切断される。 At the same time, the first central processing unit 205 and the second central processing unit 206 of the output device 504 stop their operations, so that the first output unit 111 of the output device 504 and the first arithmetic processing unit of the arithmetic unit 503 105 and communication between the first output unit 111 of the output device 504 and the drive unit 113 are disconnected.
 出力装置504の第1中央処理装置205と第2中央処理装置206が自身で作動を停止させるタイミングは、出力装置504の第1中央処理装置205が、演算装置503の第1中央処理装置205に、第2電圧監視回路208に異常が発生していることを通知した後である。 The timing at which the first central processing unit 205 and the second central processing unit 206 of the output device 504 stop themselves is determined by the first central processing unit 205 of the output device 504 , after notifying the second voltage monitoring circuit 208 that an abnormality has occurred.
 駆動部113は、通信の切断によって機能安全装置101に異常が発生したと判断し、自身を安全に停止させる。 The drive unit 113 determines that an abnormality has occurred in the functional safety device 101 due to the disconnection of communication, and safely stops itself.
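The operation check and failure reaction described above, as an added example that is not code from the patent or from its applicant: a small model in which the second shutdown confirmation circuit derives its confirmation from the real switch state, so a failed monitoring circuit is exposed by the two CPUs comparing what each observed. Class and function names (`CutoffPath`, `VoltageMonitor`, `run_operation_check`, `simulate`) are assumptions made for this model.

```python
# Added example (not code from the patent): model of the check run on the
# second voltage monitoring circuit 208 and of the reaction when it fails.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class CutoffPath:
    """Second switch 210 and second shutdown confirmation circuit 212 on one
    of the two supply paths. Shutdown confirmation 2 is derived from the
    switch state, so it is asserted only when the path was really opened."""
    opened: bool = False

    def shutdown_command_2(self) -> None:
        self.opened = True

    def shutdown_confirmation_2(self) -> bool:
        return self.opened


@dataclass
class VoltageMonitor:
    """Second voltage monitoring circuit 208. healthy=False models the failure
    case of the description: the circuit ignores shutdown notification 1."""
    path: CutoffPath
    healthy: bool = True

    def shutdown_notification_1(self) -> None:
        if self.healthy:
            self.path.shutdown_command_2()


def run_operation_check(monitor: VoltageMonitor, events: List[str]) -> bool:
    """Cross-check by CPU 205 (sender) and CPU 206 (observer). Returns True
    when monitor 208 is judged normal; otherwise the reaction sequence of
    the description is appended to `events`."""
    path = monitor.path
    # Pre-condition: confirmation 2 must not already be asserted.
    if path.shutdown_confirmation_2():
        raise RuntimeError("shutdown confirmation 2 already asserted")
    monitor.shutdown_notification_1()          # CPU 205 triggers the check
    # Mutual communication: each CPU reports only what it observed itself.
    cpu1_report = "notification_1_sent"
    cpu2_report = ("confirmation_2_received" if path.shutdown_confirmation_2()
                   else "confirmation_2_missing")
    events.append(f"205->206: {cpu1_report}; 206->205: {cpu2_report}")
    monitor_ok = (cpu1_report == "notification_1_sent"
                  and cpu2_report == "confirmation_2_received")
    if not monitor_ok:
        # Report upstream first, then halt: halting breaks the link to the
        # arithmetic device 503, so a halted CPU could no longer report.
        events.append("output 504 -> arithmetic 503: monitor 208 abnormal")
        events.append("arithmetic 503 -> UI 501: monitor 208 of output 504 abnormal")
        events.append("output 504: CPUs 205 and 206 halt")
        events.append("drive 113: communication lost, safe stop")
    return monitor_ok


def simulate(monitor_healthy: bool) -> Tuple[bool, List[str]]:
    events: List[str] = []
    monitor = VoltageMonitor(CutoffPath(), healthy=monitor_healthy)
    return run_operation_check(monitor, events), events


if __name__ == "__main__":
    for healthy in (True, False):
        ok, log = simulate(healthy)
        print(f"monitor healthy={healthy}: judged ok={ok}")
        for line in log:
            print("  ", line)
```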
 なお、実施の形態4の構成について、実施の形態2の場合のように3つの中央処理装置を備えた機能安全装置101に採用することも可能である。 It should be noted that it is also possible to adopt the configuration of the fourth embodiment to the functional safety device 101 having three central processing units as in the case of the second embodiment.
 また、入力装置502と演算装置503と出力装置504とのうち、第1電圧供給部と第2電圧供給部と第1電圧監視部と第2電圧監視部とを備えている装置は、入力装置502と演算装置503のみ、あるいは、演算装置503と出力装置504のみでも構わない。 Further, among the input device 502, the arithmetic device 503, and the output device 504, the device including the first voltage supply section, the second voltage supply section, the first voltage monitoring section, and the second voltage monitoring section is the input device Only the arithmetic device 502 and the arithmetic device 503, or only the arithmetic device 503 and the output device 504 may be used.
 また上記では、入力装置502と演算装置503と出力装置504の全ての装置が複数の中央処理装置と複数の電圧監視回路と複数のスイッチと複数の遮断確認回路とを備える場合について説明したが、入力装置502と演算装置503と出力装置504とのうち、少なくとも1つ以上の装置が、複数の中央処理装置と複数の電圧監視回路と複数のスイッチと複数の遮断確認回路とを備えていればよい。 In the above description, the input device 502, the arithmetic device 503, and the output device 504 are all provided with a plurality of central processing units, a plurality of voltage monitoring circuits, a plurality of switches, and a plurality of interruption confirmation circuits. If at least one or more of the input device 502, the arithmetic device 503, and the output device 504 has a plurality of central processing units, a plurality of voltage monitoring circuits, a plurality of switches, and a plurality of interruption confirmation circuits good.
 <Effects>
 As described above, in the functional safety device 101 according to the fourth embodiment, the plurality of central processing units are capable of communicating with the drive unit 113 controlled according to the command output from the functional safety device 101, the detection unit 102 that detects the surrounding environment of the drive unit 113, and the user interface unit 501 that notifies the user of the operating state of the functional safety device 101. The functional safety device 101 is composed of the input device 502 that receives a signal from the detection unit 102, the arithmetic device 503 that computes the command for the drive unit 113 using the signal received from the input device 502, and the output device 504 that outputs the command received from the arithmetic device 503 to the drive unit 113. At least one of the input device 502, the arithmetic device 503 and the output device 504 is provided with a plurality of central processing units, a plurality of voltage monitoring circuits, a plurality of switches and a plurality of shutdown confirmation circuits, and the at least one device so provided, when the power supply voltage is an overvoltage or an undervoltage or when an abnormality has occurred in a voltage monitoring circuit, notifies the user via the user interface unit 501 of the location where the abnormality occurred and disconnects communication with the drive unit 113 and the detection unit 102.
 Therefore, because the location of an abnormality in the functional safety device 101 can easily be identified, the time from the user detecting the abnormality in the functional safety device 101 until operation is restored can be shortened.
 Although this disclosure has been described in detail, the above description is in all aspects illustrative and not restrictive. It is understood that innumerable variations not illustrated can be envisaged.
 The embodiments may be freely combined, and each embodiment may be modified or omitted as appropriate.
 101 functional safety device, 102 detection unit, 113 drive unit, 204 power supply generation unit, 205 first central processing unit, 206 second central processing unit, 207 first voltage monitoring circuit, 208 second voltage monitoring circuit, 209 first switch, 210 second switch, 211 first shutdown confirmation circuit, 212 second shutdown confirmation circuit, 307 third central processing unit, 309 third voltage monitoring circuit, 311 third switch, 313 third shutdown confirmation circuit, 501 user interface unit, 502 input device, 503 arithmetic device, 504 output device.

Claims (5)

  1.  A functional safety device comprising:
     a plurality of central processing units capable of communicating with each other;
     a power supply generation unit that generates a power supply voltage supplied to the plurality of central processing units;
     a plurality of voltage monitoring circuits, provided corresponding to each of the central processing units, each of which monitors whether the power supply voltage supplied to the respective central processing unit is an overvoltage or an undervoltage;
     a plurality of switches, provided corresponding to each of the central processing units, which cut off the supply of the power supply voltage to the plurality of central processing units when the power supply voltage supplied to the plurality of central processing units is an overvoltage or an undervoltage; and
     a plurality of shutdown confirmation circuits, provided corresponding to each of the central processing units, each of which outputs to the respective central processing unit a shutdown confirmation signal indicating that the supply of the power supply voltage to the plurality of central processing units has been cut off,
     wherein, when one of the plurality of central processing units starts the operation check of the voltage monitoring circuit corresponding to another of the central processing units, it outputs a shutdown notification signal instructing cutoff of the supply of the power supply voltage to the voltage monitoring circuit corresponding to the other central processing unit, and
     the other central processing unit confirms whether, in response to the shutdown notification signal, the shutdown confirmation signal is being output from that voltage monitoring circuit.
  2.  The functional safety device according to claim 1, wherein
     the plurality of central processing units includes a first central processing unit and a second central processing unit,
     the plurality of voltage monitoring circuits includes a first voltage monitoring circuit corresponding to the first central processing unit and a second voltage monitoring circuit corresponding to the second central processing unit,
     the plurality of switches includes a first switch corresponding to the first central processing unit and a second switch corresponding to the second central processing unit, and
     the plurality of shutdown confirmation circuits includes a first shutdown confirmation circuit corresponding to the first central processing unit and a second shutdown confirmation circuit corresponding to the second central processing unit.
  3.  The functional safety device according to claim 1, wherein
     the plurality of central processing units includes a first central processing unit, a second central processing unit and a third central processing unit,
     the plurality of voltage monitoring circuits includes a first voltage monitoring circuit corresponding to the first central processing unit, a second voltage monitoring circuit corresponding to the second central processing unit, and a third voltage monitoring circuit corresponding to the third central processing unit,
     the plurality of switches includes a first switch corresponding to the first central processing unit, a second switch corresponding to the second central processing unit, and a third switch corresponding to the third central processing unit,
     the plurality of shutdown confirmation circuits includes a first shutdown confirmation circuit corresponding to the first central processing unit, a second shutdown confirmation circuit corresponding to the second central processing unit, and a third shutdown confirmation circuit corresponding to the third central processing unit, and
     one of the first voltage monitoring circuit, the second voltage monitoring circuit and the third voltage monitoring circuit starts its own operation check upon receiving the shutdown notification signals output from the two central processing units that do not correspond to it.
  4.  The functional safety device according to any one of claims 1 to 3, wherein
     the plurality of central processing units are capable of communicating with a drive unit controlled according to a command output from the functional safety device and with a detection unit that detects the surrounding environment of the drive unit, and
     the plurality of central processing units disconnect communication with the drive unit and the detection unit when the power supply voltage is an overvoltage or an undervoltage, or when an abnormality has occurred in the voltage monitoring circuit.
  5.  The functional safety device according to claim 1, wherein
     the plurality of central processing units are capable of communicating with a drive unit controlled according to a command output from the functional safety device, a detection unit that detects the surrounding environment of the drive unit, and a user interface unit that notifies a user of the operating state of the functional safety device,
     the functional safety device is composed of an input device that receives a signal from the detection unit, an arithmetic device that computes the command for the drive unit using the signal received from the input device, and an output device that outputs the command received from the arithmetic device to the drive unit,
     at least one of the input device, the arithmetic device and the output device is provided with the plurality of central processing units, the plurality of voltage monitoring circuits, the plurality of switches and the plurality of shutdown confirmation circuits, and
     the at least one device provided with the plurality of central processing units, the plurality of voltage monitoring circuits, the plurality of switches and the plurality of shutdown confirmation circuits, when the power supply voltage is an overvoltage or an undervoltage or when an abnormality has occurred in the voltage monitoring circuit, notifies the user via the user interface unit of the location where the abnormality occurred and disconnects communication with the drive unit and the detection unit.
PCT/JP2022/035644 2022-02-17 2022-09-26 Functional safety device WO2023157365A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2022-023100 2022-02-17
JP2022023100 2022-02-17

Publications (1)

Publication Number Publication Date
WO2023157365A1 true WO2023157365A1 (en) 2023-08-24

Family

ID=87578258

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2022/035644 WO2023157365A1 (en) 2022-02-17 2022-09-26 Functional safety device

Country Status (1)

Country Link
WO (1) WO2023157365A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2014204570A (en) * 2013-04-05 2014-10-27 三菱電機株式会社 Power supply monitoring device and power supply monitoring method
JP2019071001A (en) * 2017-10-11 2019-05-09 オムロン株式会社 Safety controller
JP2019101515A (en) * 2017-11-29 2019-06-24 ルネサスエレクトロニクス株式会社 Semiconductor device and power supply monitoring method therefor
JP2020021308A (en) * 2018-08-01 2020-02-06 株式会社ジェイテクト Power source monitoring device and power source monitoring method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22927259

Country of ref document: EP

Kind code of ref document: A1