JPH0799516B2 - Multiple control method for computer controller - Google Patents

Description

Description: BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a multiplex system control method for multiplexing computers in a computer control system in order to improve its reliability.

[Background of the Invention]

Generally, multiplexing is performed to increase the reliability of the control system. For example, in the case of a triple system, even if one computer fails, the remaining two computers are synchronized by synchronizing with a plurality of computers and constantly comparing the address bus and the data bus of the computer and making a majority vote. There is a device that can continue the calculation control as it is if there is no failure and the collation on the bus is the same.

The problem of configuring a multiple system by such a method is, first of all, how to synchronize each computer,
Secondly, how to synchronize (match) the input data with each computer, and thirdly, how to make the comparison and majority circuit fail-safe (to prevent an error from being detected). The problem is solved by providing a special input synchronization and output comparison circuit, but the increase in the circuit for that is inevitable. In particular, while the complexity increases as the number of systems increases, the synchronization of the first computer is performed by synchronizing the clocks of the computers. Therefore, a common clock is used. As a result, the failure of the clock causes a problem in connection with the system failure.

In addition to the above problems, in the collation majority method over such a detailed operation, one computer in charge is out of order,
When it becomes necessary to maintain it, it is difficult to repair it without affecting other operating computers.Also, when the system is restored after repairing, it is a system It is necessary to stop the whole and restart the initialization.

The above-mentioned problems exist in the method of synchronizing and matching to detect a failure, and the method of selecting data that is considered to be correct by majority voting. A method that relies on a failure and error detection circuit built into the computer is used, but in this case, the reliability depends on the failure detection capability, so a high degree of reliability is required. It cannot be used in the system.

As described above, in order to realize a highly reliable computer control system, a method for realizing it without constructing a special mechanism for synchronizing timings, matching data, etc. is desired in configuring a multiplex system. ing.

[Object of the Invention]

In view of the problems of the conventional multiplex system, the object of the present invention is to construct and control a highly reliable multiplex system without providing a special mechanism such as clock synchronization of a multiple system computer or matching of input data matching buses. To provide.

[Outline of Invention]

When multiple systems are operated asynchronously on a multi-system computer, even if they are processed by the same program, the calculation results may differ between the systems due to the shift of input information due to the shift of the operation timing. If the computer is normal, each calculation result is correct, and the system operates correctly regardless of which system is used for control. Therefore, it is possible to determine whether the result is valid or not, and if it is determined to be valid, the result of any system may be used for control. The problem to be solved here is to determine whether or not a different result is correct depending on the difference in timing, or to realize it, and to ensure that only the correct result is added to the controlled object. I will do it.

Therefore, the present invention is to connect a plurality of computers with a data transmission line, and to input data independently in each computer, and
The combination calculated according to the data is transmitted to all other computers, and each computer stores the received data in a memory in a different area for each computer that transmitted the data, and in a time series manner. When storing past data and comparing data from multiple computers, it is correct if either the most recently arrived data or the immediately preceding data matches the other. If not, it is characterized by determining the faulty system by determining that it is wrong and disconnecting the system.

More specifically, in a multi-system computer that cyclically controls an object by a plurality of systems each including a control device having an input unit, a communication unit, a processing unit, an output unit, and an output selection unit independently of each system, It is a multiple system control method of a computer controller having steps.

(1) A first step of connecting a plurality of control devices with a communication line and inputting data from a control target at a predetermined timing in each system, (2) data including at least the input data via a communication means The second step of exchanging data between the two systems, and (3) comparing and collating the input data of the exchanged plural systems at the above timing, and if a discrepancy occurs as a result of the comparison and collation, trace back to the data one cycle before. The third step of comparing and collating and if the data does not match again is regarded as a failure and disconnecting the system, (4) If the system has a failure in the third step, it is considered to be a failure. If the input data of the system that did not exist is not considered to have a failure in the system, a predetermined process is performed based on the input data input in the first step to obtain the output data. (5) Fifth step of exchanging the obtained output data by communication means, (6) Sixth step of comparing and collating the exchanged output data of each system, and controlling output of the coincident output data. (7) A seventh step of selecting the plurality of control outputs by a collation selection logic and outputting the selected control outputs to a control target.

Example of Invention

An embodiment of the present invention will be described below with reference to FIGS.

FIG. 1 shows the configuration of a triple system computer control system for carrying out the present invention. 1A, 1B and 1C are each a single computer control device, and 2A, 2B and 2C are respective computer control devices 1A, 1B,
A multiple output control device added to 1C, 3 is a control target controlled by 1A, 1B, 1C, 4 is a state input line for detecting the state of the control target, and 6A, 6B, 6C are respectively Transmission lines for exchanging data by connecting the computer control devices 1A, 1B, 1C to each other, 7 is a control output line for controlling the controlled object 3,
8 is a command device for giving instructions to the computer control device, and 9 is 8
It is a command line for transmitting the command from 1A, 1B, 1C.

FIG. 2 shows a detailed configuration of the single computer control device 1A in FIG. 1, 101 is a processing device CPU, 102 is its input / output bus, 103 is a timer, and 104 to 106 are process input control devices. PIU, 107 is a process output unit POU, 108 is a communication control unit CCU, and the other computer control units 1B, 1C have the same configuration as 1A.

In the single computer control device 1A of FIG. 2, the CPU 101 is
The U104 and 105 are used to input a command and a process state, and necessary processing is performed based on the command and the process state, and the POU 107 outputs a control command for the process.

At this time, the timer 103 gives a reference time for performing sampling control in the CPU.
The timing pulse from the CPU enters as an interrupt of the CPU 101, and the CPU enables periodic sampling control by the interrupt. Further, the communication control unit CCU 108 exchanges data with the computer control units 1B and 1C of the other system, synchronizes the control output, and discriminates the abnormal system.

FIG. 3 is a computer control device 1 (1
A, 1B, 1C) shows an outline of the flow of control performed in the process input device PIU104 ~ 106, the data input from the input / output data area of the specified memory, after the CCU108. Sent to other systems via. This transmission data includes not only the input data but also the result processed by the system. On the other hand, the data transmitted from another system is received by the CCU 108 and stored in the memory area corresponding to that system. From the input / output data and the received data sent from other systems, the processing results of the respective computer control devices are read out, and if they match each other, then the value is determined. According to, the result to be output is selected, and the output for the process is output through the output control unit POU107. On the other hand, the process input data is read out from the input / output data and the received data sent from the other system, each is compared, and if they match, the value is determined, and if they do not match, the predetermined value is determined. After selecting according to the rule, processing is performed according to the data and the result is calculated, the processing result of the input / output data is updated.

FIG. 4 shows the details of the above processing. FIG. 4 shows the relationship between input / output data, processed data, input / output data, processed data, and input / output data.

First, newly input process data (including commands)
Are stored and updated in the Din (t) and Dof (t) areas of the input / output table together with the output feedback data.
Send the updated I / O table to another system. The new processing result D'out (t-Δt) issued in the previous processing is compared with the processing result (same format) of the other system sent from the other system, and if they match, the value is output. At the same time, the output result of the input / output data is updated to the output result of Dout (t). If they do not match, a majority vote is selected from them, the same is output, and Dout (t) is updated. The input data Din (t) and the input data transmitted from another system are collated, and if they match, the value is processed according to the value, and the processing result is the new processing result D'out of the input / output data. In addition to updating and storing in (t), the processing result of one cycle before is transferred to the old processing result D'out (t-Δt), and if the input data and the data of the other system do not match, a majority decision is made from them. Similar processing is performed according to the selected result. By repeating the above processing in synchronization with the timer 103, the multiple system control is performed.

For simplification of the above processing, FIG. 5 shows a sequence chart in the double system, and shows a case where the double systems 1A and 1B are normal and completely synchronized. Here, the processing of input transmission of each system is started by a timer interrupt, and the process state entered above the input transmission is taken in. The two numerical values in (,) are (Din (t ),
Din (t-Δt) is represented and the processing result ""
Indicates the value of the result. For simplicity, it is assumed that the input is represented by 1,0 and the output is represented by 1,0, and the output is "1" when the input is 1 and "0" when the input is 0.
In this case, input ivy input t ₁ 1 is output at t _2, 1A, 1B
Since both are "1", the output of the internal system becomes "1".

On the other hand, if 1A and 1B are not synchronized with each other, the input data and the output data are inconsistent with each other, and the timing is also different.

FIG. 6 shows a case where 1A and 1B are not synchronized and the timings are different. In FIG. 6, first, considering the case where the input of the process changes from 0 to 1 at the timing of t _1A , it is not observed on the 1B side at that timing,
The input is recognized as 0 state. However, the input data is transmitted to the 1B side, is recognized by the 1B side at the timing of t _1B , and at that time, the 1B side has already recognized that the process input has changed from 0 to 1. ing. However, at the timing of t _1A , in processing, the input recognition on the 1A side is 1, and the input sent from the 1B side remains 0, so a discrepancy occurs between them and the processing is In the case of a triple system, the majority decision from that will be 2
In the case of a heavy system, the process is performed based on the matching past input data, or the safe side is selected and the process is performed. FIG. 6 shows a case where the same data as the past input data is used.

On the other hand, regarding output, in addition to the output processing that operates after data transmission in each system, by executing the output processing even when data is transmitted from another system,
Synchronized with the output timing of each system,
By performing collation, judgment, and output with the same data, it is possible to match the recognition of the output control of each system. The output process indicated by the broken line in FIG. 6 is an output process activated by the reception of data from another system, and the output data of the own system is collated with the latest data transmitted previously. In other words, each system makes a decision based on the most recent common data that it recognizes, so if each system does not fail, output processing can be performed under the same recognition, and the rules for that process are If they are the same, you should get the same output.

At the timing of t in FIG. 6, if the processing result of each system is disagreement between "0" and "1", it shows disagreement with the system of 1A and 2A, and in this case, do not output. Therefore, when the next synchronization has a coincidence and is normally operating, the next synchronization always coincides and is output.

As a result, compared with the case of operating in synchronization in FIG. 5, there is a one-cycle delay from the change of the input to the change of the output, but the correct result is output even if the respective systems are not synchronized.

On the other hand, when a failure occurs in one of the multiplex systems, in regard to how to distinguish it from the mismatch of processing results that occurs when the timing is normal and the timing is different, Since there is a difference for one cycle, if a mismatch occurs, the failure and the timing mismatch can be discriminated by assuming that the result of the previous cycle is normal, and the result is a failure. The system can be detected. For the sake of simplicity, the control processing sequence has been described for the case of the double system, but it is obvious that the same structure can be applied to the case of the triple system.

The above is a case where the input signal is a digital signal which is simply represented by "1" and "0". However, many general control systems handle continuous quantities (analog quantities), and analog quantities are used as input signals. In this case (via the analog digital converter), not only the signal timing deviation but also the input timing deviation and the measurement error cause a difference in the input value.
It is extremely difficult to match the value in each system of the multiplex system.

Such a phenomenon also occurs in a clock synchronization type multiplex system.

Even in this case, if there is no failure in each system constituting the multiplex system, it is not an error to use the result of any system.

However, due to the above reason, a discrepancy in input data occurs, and it is not possible to match them even if they are compared retrospectively in the past.

For example, consider the case where an analog signal is displayed in binary.

FIG. 7 shows the input timing, the output timing, and the output result in the case of the dual system, where the input sample values of the A system and the B system are ◯ and
Shown with Δ. Since the input values differ depending on the timing in this way, it is not possible to collate the A and B systems as they are, but the results obtained for each system are shown. Select and output.

The selection rule at this time is that if the result sent from the other system has a value between the current result of the own system and the result one sample before, it is determined that the result of the other system is correct. Then, the value is selected, the value and the result of the own system are sent to the other system, and the selection result is output.

On the other hand, the system to which the result is sent outputs the value selected and output if the value to be output matches the final result of its own system (it should be the same if there is no failure). FIG. 7 shows the operation in time series.

FIG. 8 shows the case of the triple system, and the procedure is the same as the double system, but for example, the A system obtains the result for the input value,
When matching with other systems, it becomes a problem which of the other B system and C system should be selected. In this case, if the value of the result of the B system and the C system is included between the present time and the result of the previous sample, the A system judges that there is no failure, and shows the value close to the present time (latest result). Select.

On the other hand, the B system and the C system judge the result of the B system sent from the A system and the selection result of the B system, and the other system (in the case of the B system, the C system,
(Or vice versa), select the matching one from the results already sent (because there is the same information in A, B, C systems, there is always a matching one) and output it.

In the case of FIG. 8, what is selected at the sample time of A is the result of the C system.

The above is the case where the input value changes linearly, but when the input value does not monotonically increase, as shown in FIG. 9, when viewed at the sample time of A, the value of the B system is one sample before. There are cases where it does not fall within the value of. In this case, the point of the value _A't estimated from the value before the change is used as the predicted value, and A _t , A
range of the value of the B system are surrounded Te _t-1, A _'t Niyotsu is regarded as normal if are entering a port, if not entering a port (B ") can be by connexion resolve the logical regarded as abnormal .

Next, a means for giving the result output from each system to the controlled object will be described.

In Fig. 1, control commands output from each system 1A, 1B, 1C
5A, 5B, 5C must be selected by some means and given to the controlled object as a unified control command. 2A, 2B, 2C in FIG. 1 are multiple output control devices,
The output from each system 1A, 1B, 1C is selected by majority, and the faulty system is detected and isolated.

The output command 7 here has the same value as the outputs 5A, 5B, 5C of the respective systems unless there is a failure in the respective systems, as is clear from the above-mentioned output synchronization. ,
If a failure occurs and each output has a difference,
Selected by majority vote. However, in the case of many output lines, it is 2A, 2B, and
2C becomes complicated and reliability is reduced. Therefore, in 2A, 2B, 2C, each computer control device
Since 1A, 1B, 1C can detect faults in its own system and other systems, it outputs the normal and abnormal status of each system detected there.
By including in A, 5B, and 5C, the normal / abnormal state is determined by a majority vote, and the selective output and the abnormal system are disconnected.

In addition, the output 7 selected as described above is given as an input to each system, and when an erroneous result is output due to a failure of 2A, 2B, 2C, the purpose is to promptly detect it. It was done.

In the above method, since the coupling of each system is sparse,
Even if a failure occurs in one system, it can be arbitrarily separated and maintained.Since there is no common element such as the clock like the synchronization method, the failure of the common element does not directly lead to the system failure. Unlike the method, it greatly improves reliability and maintainability.

〔The invention's effect〕

According to the present invention, the common clock required for the synchronization system can be achieved by accurately synchronizing the multiple systems and enabling input and output data collation without adding a special device. It is possible to configure multiple systems with a simple device, to loosely couple each system, and to have majority logic independently in each system, thereby separating and maintaining in process control state. The result is that reliability and maintainability are improved by what is possible, and that it can be realized at low cost.

[Brief description of drawings]

FIG. 1 is an overall configuration diagram of an embodiment of the system of the present invention,
FIG. 2 is a block diagram of an embodiment of the computer controller of part of FIG. 1, FIG. 3 is a diagram showing an outline of processing contents in the computer controller, and FIG. 4 is a format of processing data. FIG. 5 shows a processing procedure, FIG. 5 shows a processing sequence at the time of synchronization, FIG. 6 shows a processing sequence when timings are deviated, and FIGS. 7 to 9 show input timing and output timing. It is a figure which shows the relationship of. 1A, 1B, 1C ... Computer control device, 2A, 2B, 2C ... Multiple system output control device, 3 ... Control object, 8 ... Command device, 101 ...
Processing devices, 104 to 106 ... Process input device, 107 ... Process output device, 108 ... Communication control device.

Continuation of front page (56) Reference JP-A-55-108057 (JP, A) JP-A-55-143657 (JP, A) JP-A-55-18729 (JP, A)

Claims (8)

[Claims] 1. A multiple system calculation control device for periodically controlling an object by a plurality of systems each comprising a control device having an input means, a communication means, a processing means, an output means, and an output selection means, independently of each system. A first step of connecting the plurality of control devices with a communication line and inputting data from a controlled object at a predetermined timing in each system, and including data including at least the input data between the systems via a communication means. The second step of exchanging with each other, the input data of the exchanged systems are compared and collated at the above timing, and if a mismatch occurs as a result of the comparison and collation, the data of one cycle before is compared and collated, and the data does not coincide again. In that case, the third step of separating the system that generated the data by considering it as a failure, and if the system has a failure in the third step, is it not considered as a failure? If the input data of the input system is not regarded as having a failure, the predetermined processing is performed based on the input data input in the first step,
A fourth step of obtaining output data, a fifth step of exchanging the obtained output data by a communication means, a sixth step of comparing and collating the output data of the exchanged systems, and a control output of the coincident output data, A multiple system control method for a computer controller, comprising: a seventh step of selecting the plurality of control outputs by collation logic and outputting the selected control outputs to a control target. 2. In the sixth step, when a mismatch occurs in the comparison and comparison of data, the comparison and verification is performed by going back to the data one cycle before, and when the data does not match again, the system issuing the data is regarded as a failure. The multiple system control method for a computer control device according to claim 1, which includes a process of considering and separating. 3. In the third step, when comparing and collating the input data, a predetermined error is allowed in the input data and the error between the data to be compared and collated is within the allowable error. The multiple system control method for a computer control device according to claim 1, which includes processing deemed to be performed. 4. The method according to claim 1, wherein the second step comprises a process of integrating input data and output data into one data and exchanging the data into one data. 5. The method according to claim 1, wherein the fifth step comprises a process of integrating input data and output data into one data and exchanging the data into one data. 6. The multiple system control of a computer controller according to claim 1, wherein said sixth step comprises a process of outputting the selected data together with a system selection output indicating one of the systems which generated the selected data. Method. 7. The method according to claim 1, wherein the seventh step includes a process of selecting a control output by a majority logic of the system selection output outputted from a control device in each system of triple system or more. System control method for computer control device of the present invention. 8. The seventh step comprises a process of feeding back the control output selected by the majority logic to each control device again, and the control output is collated with the control output output from each control device to perform control. The method for controlling a multiple system of a computer controller according to claim 1, further comprising a process for detecting an output error.