CN1877471B - Task management device and method for control device - Google Patents

Abstract

A task management device, an input/output control device, an information control device, a task management method, an input/output control method, and an information control method for a control device, wherein a processing result of an interchangeable operation is inputted to a common data processing object for a plurality of processors, and an operation instruction signal for outputting an operation instruction signal to one processor is outputted such that operation timings of the one processor and the other processor are different after a start signal is received from the one processor. The computational effect of one processor is then compared to the other. With this configuration, both miniaturization and high performance and safety can be achieved for a plurality of processors, and high reliability can be achieved.

Description

Task management device and method for control device

technical field

The present invention relates to a task management device of a control device, an input and output control device, an information control device, a task management method of the control device, an input and output control method, and an information control method.

Background technique

Driven by technological progress in the electronics and information fields, and the complexity and compounding of functions in a single device, the application range of programmable electronic devices has widened, and at the same time, the required reliability has also increased.

In order to achieve generally known high reliability, it includes multiplexing of programmable electronic devices and multiplexing of multiple processors.

As a multiplexing of programmable electronic devices, a configuration of a normal system and a backup system is known. Availability can be increased by switching to a backup system when the primary system detects a failure.

On the other hand, Japanese Unexamined Patent Publication No. 2004-234144 discloses a technique for improving security as a programmable electronic device using a plurality of processors.

In addition, in processing facilities with high potential risks, such as nuclear energy facilities and chemical facilities, in order to reduce the impact on operators and the surrounding environment in case of emergency, passive measures using protective equipment such as partitions and emergency stop devices are adopted. Active countermeasures such as safety devices. Among them, control means such as safety devices are realized by conventional electromagnetic and mechanical means such as relays. However, in recent years, with the technical development of programmable control devices typified by programmable logic controllers (PLCs), there has been an increased need to use them as control units of safety control systems.

IEC61508-1～7, "Functional Safety of electrical/electronic/programmable electronic safety-related systems" part1-part7 (referred to as IEC 61508) is an international standard released in response to the above trends, which stipulates that in a part of the safety control system Necessary in the case of using electrical/electronic/programmable electronic devices. In IEC61508, Safety Integrity Level (SIL: Safety Integrity Level) is defined as a capability scale of a safety control system, and requirements corresponding to levels from 1 to 4 are specified. It indicates that the higher the SIL, the greater the degree to which potential hazards posed by the handling equipment can be reduced. That is, it means how reliably predetermined safety control can be performed when an abnormality of the processing facility is detected.

The safety control device is required to be inactive under normal operating conditions, but to be activated immediately when the processing equipment is abnormal. For this reason, it is very important to perform self-diagnosis frequently, to continuously check its own sanity. In a safety control system requiring a high SIL, in order to minimize the probability of the system not operating due to an undetected fault, it is necessary to implement a wide range and high-precision self-diagnosis.

In IEC61508, the self-diagnosis technology applied to each type of the element components constituting the safety control device is introduced, and the effectiveness of each technology is expressed in the form of diagnosis rate. The diagnosis rate indicates the ratio of the failures that can be detected by using the diagnosis technology among all the failures of each component. For example, using the RAM diagnosis technique "abraham" described in US Patent No. 6779128, a diagnosis rate of up to 99% can be claimed.

In addition, as a method of detecting a failure of a processor, which is one of the constituent elements, it is effective to use a plurality of processors to monitor the consistency of mutual output results.

As a method of mutually diagnosing a plurality of processors, it is effective to simultaneously execute the same control process on each processor and confirm that the outputs match.

As a representative example, as described in JP-A-6-290066, the following method is exemplified: using two processors to execute synchronously, and to make the input value the same information as the output Consistent method to confirm processor sanity.

Contents of the invention

Reliability elements required for programmable electronic devices include usability and safety, but usability is important in device control, and safety is important in device protection. Since the implementation methods of these two elements are contradictory (antinomies), it is difficult to satisfy usability and security at the same time. It is possible to separate the device part responsible for availability from the device part responsible for safety, but this not only increases the size of the device, but also reduces the reliability of the human element due to duplication and complexity of operation and maintenance work.

Usability and security are among the elements of reliability required of programmable electronic devices. In the control of equipment, availability is important, and in the protection of equipment, security is important. There are many parts in which the realization methods of these two elements are contradictory.

For this reason, it is currently common sense to separate the part of the device responsible for usability from the part of the device responsible for security. Therefore, not only the size of the device is increased, but also the operation and maintenance operations are repeated and complicated, and the reliability of the human element is reduced.

In a control system requiring high safety, as described in JP-A-6-290066 (Patent Document 1), the following method is adopted: the soundness of the processors is confirmed by comparing the outputs of a plurality of processors, In the case of , it is output to the back-stage memory and IO.

Using this method, while making the operation timing of each processor consistent, the control input information is also checked to deliver the same value to each processor, thereby making the output consistent.

However, as the control object becomes more complicated, the processor becomes more high-performance. In a control system composed of multiple processors, even if one clock is input to multiple processors, it cannot be guaranteed that the respective output clocks will be at the same frequency. , The phase is the same.

In this way, in future control devices composed of a plurality of processors, it will be difficult to synchronize the outputs of the processors. Therefore, in the process of diagnosing the soundness of the processors by comparing the outputs of the plurality of processors, There is a need for a method of collating the output regardless of whether the output of the processor is synchronous or asynchronous. In addition, in order to compare the outputs of the processors, one process must be executed in a plurality of processors, so that the processing performance of each processor is reduced by half compared with normal processing.

On the other hand, in programmable electronic devices, in addition to reliability such as security, it is also required to execute network processing at high speed, or normal control processing that does not require reliability such as comparison between outputs of processors, and Improve convenience. In particular, when it is desired to execute control processing at high speed or to execute network processing that handles a large amount of data, it is necessary to divide the programmable electronic device that executes these processing and the programmable electronic device that executes processing that requires reliability. device.

It is an object of the present invention to provide an apparatus and a method which can solve any of the above-mentioned problems. Specifically, an object of the present invention is to achieve high reliability while taking into account both miniaturization and high performance of the device and safety by using a plurality of processors.

The object of the present invention is to provide a highly reliable programmable electronic device, in which a plurality of processors are used, and both the miniaturization and high performance of the device and safety are taken into account.

In order to achieve the above object, the present invention is constituted as follows: for a common data processing object, the processing results of at least two systems that are calculated in a mutually interchangeable manner are input, and after receiving a start signal from one of the at least two systems , outputting an operation instruction signal to the at least two systems.

Alternatively, for a common data processing object, the processing results of at least two systems that are calculated in a mutually interchangeable manner are input, and for different data processing objects, input is the result of performing different calculation processes by at least two systems. As a result of the processing, a switching signal indicating whether the at least two systems have performed different calculation processing or multiple calculation processing in an interchangeable manner is output, and the signal indicates that the at least two systems have performed different calculation processing In the case of , it is determined that the output of at least one of the different processing results of the at least two systems is permitted.

Alternatively, for a common data processing object, the processing results of at least two systems that can be calculated in an interchangeable manner are input, and the identification data for identifying the data processing object of a specified system in the at least two systems is stored. to the first identification data area; storing identification data for identifying the data processing object of any other system of the at least two systems in the second identification data area; processing as a specified system of the at least two systems The first processing data of the result is stored in the first processing data area; and the second processing data which is the processing result of any other system in the at least two systems is stored in the second processing data area, wherein, in the comparison place While comparing the first identification data and the second identification data, the first processing data is compared with the second processing data.

Alternatively, it may be configured as follows: for a common data processing object, the input is the processing result after performing multiple calculations in an interchangeable manner by at least two systems, and for different data processing objects, the input is different processing results executed by at least two systems. The processing result after the processing is calculated, and a switching signal indicating whether the at least two systems have performed different calculation processing or performed the calculation processing in an interchangeable manner is output.

More specifically, in a programmable electronic device having an input/output device, a plurality of processors, and a memory, an operation mode switching unit of a plurality of processors, an output comparison unit of a plurality of processors, and a table The memory write protection unit in the predetermined area operates and stops the output collating unit in response to the output of the operation mode switching unit, and activates the memory write protection unit when the output collating unit is stopped.

According to this configuration, by independently operating a plurality of processors when the output collating means is stopped, it is possible to improve the control calculation performance and prevent erroneous writing of outputs that affect safety. And it can prevent the dangerous side signal output caused by the erroneous operation of the processor when the output comparison unit is in operation, so that the reliability can be improved.

In addition, a timer is provided in the operation mode switching unit, and the first timer is started according to a collation operation start command, and is reset by a collation operation start signal from a plurality of processors. The second timer is reset and activated by the collation operation start signal from the plurality of processors, and when the output of the two timers exceeds the set range, an abnormal output is performed.

With this configuration, it is possible to detect the stop of the output collating means, thereby improving reliability.

In addition, a bus diagnosis unit for diagnosing bonded disconnection of the bus is provided, the bus diagnosis is started on the condition that all independent operations of the plurality of processors are completed, and the operation start condition of the comparison process is based on the normal completion of the diagnosis. In this way, it is possible to prevent not only the calculation malfunction of the processor but also the output of dangerous-side signals due to a bus failure, thereby improving reliability.

This output collating unit has: an independent operation end detection unit from a plurality of processors; a unit that sets a predetermined time difference and sends an operation start command of the collating operation program to the multiple processors; and waits for the execution of the next step of the collating program. an instruction output unit; a holding unit for holding signals for comparison processing from a plurality of processors; and a comparison and comparison processing unit for signals for comparison processing held in the holding unit, and the output comparison unit operates independently of a plurality of processors All completion is the condition, and the program operation starts. The standby command given to the preceding action processor is released when the output to the holding unit is completed. In addition, the standby command given to the subsequent action processor is released when the comparison process is completed.

With this configuration, the capacity for holding the signal for comparison signal processing from the preceding action processor can be reduced. In addition, by performing pipeline processing for each operation of calculation, storage, and comparison processing, speed-up can be realized.

Or it may be configured as follows: when a request for a relatively high-reliability operation occurs, at least one of the plurality of processors is instructed to switch from a relatively low-reliability operation to a relatively high-reliability operation operation, causing a plurality of processors to perform the same operation, and comparing the operation results of the plurality of processors, and permitting output of data related to the operation of the processors based on the comparison result.

In this way, high reliability can be realized at the same time as compactness, high performance and safety can be achieved.

In addition to security-type reliability, it is possible to execute network processing at high speed and normal control processing that does not require verification between outputs of processors, thereby improving convenience.

Description of drawings

Figure 1 is the overall structure diagram.

Fig. 2 is a detailed diagram of an action switching unit.

Fig. 3 is an explanatory diagram of the operation of each part.

Fig. 4 is the structure of the computer system of the present invention.

Fig. 5 is a state transition diagram showing the operation of the system bus interface unit of the present invention.

Fig. 6 is a state transition diagram showing the operation of the error detection unit of the present invention.

FIG. 7 is a time chart showing processing operations of two processors of the present invention.

Detailed ways

Next, embodiments of the present invention will be described with reference to the drawings.

Fig. 1 shows the structure of an embodiment of the present invention.

First, an overview of the overall configuration and the operation of each part will be described.

In this figure, the programmable electronic device has 2 processors. System A processor 1 and system B processor 2 are connected to external access unit 5 via buffer 3 and buffer 4 respectively, and external access unit 5 is connected to input and output devices and memory.

The A-system processor 1 and the B-system processor 2 alternately operate in two modes, a comparison mode and an independent mode, via the operation mode switching unit 6 .

In the collation mode, the same program is executed on the A system processor 1 and the B system processor 2 . When outputting to the external access unit 5 , the consistency of the data from the A system processor 1 and the B system processor 2 is confirmed by the data holding unit 7 and the output collating unit 8 . When input from the external access unit 5 , the same data is input to the A system processor 1 and the B system processor 2 by the data synchronization unit 9 . Both the output data and the input data are input and output to the external access unit 5 via the collation buffer unit 10 .

The data holding unit 7 , the output collating unit 8 , the synchronizing unit 9 , and the collating buffer unit 10 all operate and output signals on the condition that the collating mode command 601 is at H level.

In the independent mode, different programs are independently executed on the A system processor 1 and the B system processor 2 . The input and output of the system A processor 1 are input and output to the external unit 5 via the buffer 3 . The protection table 12 operates in the independent mode, and prohibits writing when the address data of the buffer 3 is within the protection range of a predefined physical address page. Similarly, the input and output of the B system processor 2 are input and output to the external unit via the buffer 4 , but the protection table 13 prohibits the writing of the protection range.

Output switch units 14 and 15 output the input signals from registers 104 and 204 to output buffers 3 and 4 only when output 605 of NOT circuit 604 is at H level.

Hereinafter, details of the operation of each part will be described using FIG. 1 and FIG. 3 .

Initially, according to an instruction from the operating system 101 of the A-system processor 1, a collation mode start command 102 (at H level) is issued to the operation mode switching unit 6 (t1). The operation mode switching unit 6 that has received the comparison mode start instruction 102 is established (t2) with the completion signal 103 of the comparison mode from the A system processor, and the preparation completion signal 203 from the B system processor is simultaneously established (H level) ( t3) is the condition, output (H level) collation mode command 601 (t4). Thus, the system A processor starts the comparison mode operation (t5). When the control mode operation 105 rises, the ready signal is reset (t6).

Here, the collating mode preparation completion signals 103 and 203 are output on the condition that the individual mode calculations of the A system processor 1 and the B system processor are completed and the cache memory is cleared. Thereby, it is possible to avoid a variation in calculation time due to a difference in program operation before the start of the collation mode.

The collation mode command 601 is directly input to the A system processor 1, and on the other hand, a signal 603 delayed by a set time (Td) by the timing circuit 602 is input to the B system processor 2 (t7). As a result, the B system processor starts the comparison mode operation (t8). When the control mode operation 205 rises, the ready signal is reset (t9).

By setting the delay time to two bus cycles of the operation mode switching unit 6, it is possible to minimize the operation delay due to collation while always making the operation of the processor of the A system take the lead.

Next, the collation operation of the output data will be described.

The output of the register 104 of the A system processor 1 is written in the register 701 of the data holding unit 7 . When writing to the register 701 is completed, the write wait signal 702 is released, so that rewriting to the register 104 of the processor of the A system can be performed.

On the other hand, after the comparison circuit 801 of the output collation unit 8 confirms the consistency between the write control signal W of the register 204 of the B system processor 2 and the write control signal W of the register 701, the output to the collation buffer unit 10 The register 11 outputs a write control signal W. At the same time, the wait signal 802 is released, so that the comparison circuit 803 can output.

After the address signal 701 from the A system processor 1 and the address signal 204 from the B system processor 2 held in the register 701 are confirmed to be consistent by the comparison circuit 803, output to the register 11 of the collation buffer unit 10 address signal. At the same time, the wait signal 804 is released, so that the comparison circuit 804 can output.

After the comparison circuit 805 confirms that the data 701 from the A system processor 1 and the data 204 from the B system processor 2 held in the register 701 are consistent, a data signal is output to the register 11 of the collation buffer unit 10 . At the same time, the wait signal 806 from the output collating unit 8 is released, so that rewriting of the register 204 of the B system processor 2 can be performed.

Next, the distribution operation of input data will be described. The read control signal R of the register 104 of the A system processor 1 is transmitted to the external access unit 5 via the read control signal R of the register 11 of the collation buffer unit 10, and the address signal and data signal are read into the register via the register 11. 104.

Then, the register 11 is transferred to the register 901 of the data synchronization unit 9 . The comparison circuit 902 compares the read control signal R of the register 901 with the read control signal R of the register 204 of the B system processor 2, and when they match, the wait signal 903 is released. The address signal of the register 901 and the address signal of the register 204 are compared by the comparison circuit 904 . When both match, the wait signal 905 is released, the gate circuit 906 operates, and the data signal of the register 901 is transferred to the register 204 . After the data is transferred, the wait signal 907 is released, so that the collation buffer unit 10 can be rewritten.

After detecting that the calculation of the comparison mode of the A system processor ends (t10) and the calculation of the comparison mode of the B system processor ends (t11), the comparison mode command 601 becomes L level (t12), due to the AND circuit 620, The collating mode command 630 also changes to the L level at the same time. Thereby, the independent operation mode starts (t14).

In the embodiment of Fig. 2, the following situation is shown: at the moment (t15) when the A system processor independent mode operation 106 ends (t14) and the comparison mode start command 102 rises again, the B system processor independent operation mode 206 continues . In this case, after detecting the end of the system B processor independent mode operation 206 (t16), the self-diagnosis operation of the collation circuit is started (t17). After the self-diagnosis operation is completed, the system A processor collation mode ready 103 and the system B processor collation mode ready 203 become H level (t18). Therefore, there is an effect that the safety of the collation circuit can be improved by performing the self-diagnosis operation of the collation circuit before the collation mode operation.

The output switching units 14 and 15 are composed of respective gate circuits 141-144, 151-154, and when the inversion signal 605 of the control mode command 601 is H level, the registers 104 and 204 and the buffer 3 and the buffer 4 can be executed. input and output.

The protection tables 12 and 13 are configured to act when the inversion signal 605 of the comparison mode command 601 is H level, refer to the address signals 121 and 131, and output the access protection signals 122 and 132 when they are in the specified physical address range, and use the band negation Circuit gates 123 and 133 to prevent writing to the protected range.

Thereby, in the calculation in the independent mode, the calculation result in the collation mode can be protected without being affected.

Fig. 2 shows another embodiment of the present invention.

The timer 609 is started by the set pulse signal 607 detected by the rising detector 606 which receives the collation mode start command 102 from the operating system 101 of the A system processor 1 . The collation pattern ready signal 103 from the A system processor and 203 from the B system processor are input to the AND circuit 607, and the timer 609 is reset by the output signal 608. The output 610 of the timer 609 is input to the comparator 611, and when the output 610 exceeds the set range, an abnormal output 612 is output. A blockage of the activation of the control action is thus detected.

A timer 615 is provided, which is reset and simultaneously started by a pulse signal output from a rise detector 613 to which an output signal 608 of an AND circuit 607 is input.

The output 616 of the timer 615 is input to the comparator 617, and when the output 616 exceeds the setting range, an abnormality output 618 is output. In this way, an abnormality in the comparison operation cycle is detected.

In the above embodiment, it may be configured as follows: a bus diagnosis unit with a disconnection due to bonding of the diagnosis bus can start the bus diagnosis on the condition that all the independent operations of the plurality of processors are completed, and the normal end of the diagnosis is a comparison process. The action start condition. In this way, not only the calculation malfunction of the processor can be prevented, but also the dangerous side signal output due to the bus failure can be prevented, and the reliability can be improved.

This output collating unit has: an independent operation end detection unit from a plurality of processors; a unit that sets a predetermined time difference and sends an operation start command of the collating operation program to the multiple processors; and waits for the execution of the next step of the collating program. an instruction output unit; a holding unit for holding signals for comparison processing from a plurality of processors; and a comparison and comparison processing unit for signals for comparison processing held in the holding unit, and the output comparison unit operates independently of a plurality of processors All completion is the condition, and the program operation starts. The standby command given to the preceding action processor is released when the output to the holding unit is completed. In addition, the standby command given to the subsequent action processor is released when the comparison process is completed.

With this configuration, the capacity for holding the signal for comparison signal processing from the preceding action processor can be reduced. In addition, by performing pipeline processing for each operation of calculation, storage, and comparison processing, speed-up can be realized.

Next, other embodiments will be described, but when the description is conceptually described, the CPU output comparison with the following function is realized: In a control device that requires high reliability and high performance, when high reliability is required, multiple processors operate , a function of checking the output of the processor to confirm the soundness of the processor by diagnosing the processor; and a function of the processor performing independent processing to realize performance improvement.

More specifically, it is characterized by the following points.

(1) There are a plurality of processors in one control device, and there is: a unit for judging whether the IO to be accessed by each processor expects a highly reliable control result; a unit for comparing outputs of a plurality of processors and judging agreement; and at least Only when the output results of multiple processors are consistent, the processors are allowed to access the IO expecting highly reliable control results, and in the case of individual processors performing access, make them wait until other processors output the same The cell that outputs the result.

(2) The plurality of processors included in one control device includes: means for processing and executing different functions for each processor; and means for interrupting processing by other processors from the processor.

(3) The processor that executes the processing output to the IO requiring reliability has means that interrupts the processing of other processors and executes the processing outputting to the IO requiring reliability, using means for interrupting the processing in other processors.

(Example 1)

Embodiments of the present invention will be described below using the drawings. The configuration of the control system as the first embodiment of the present invention is shown in FIG. 4 . Here, a case where there are two processors is described, but in an actual embodiment, the number of processors is not limited, and the present invention is not limited thereto.

The control system described here assumes that it is connected to a memory circuit, so it is not particularly indicated.

The system A processor 1001 performs control tasks, and the system B processor 1003 performs communication tasks. In addition, the A-system processor 1001 and the B-system processor 1003 do not need to perform synchronous operations at the same frequency and the same phase.

The system A processor 1001 outputs the system A processor bus 1050 composed of address signals and data signals. In addition, the system A processor 1001 issues a bus start signal 1051 at the start of bus access. The system A interface unit 1002 continues to issue the system A wait signal 1052 until the system A bus ready signal 1067 or the system A interrupt control ready signal 1068 is issued. When system A processor 1001 performs a write access, system A processor 1001 continues outputting addresses and data to system A processor bus 1050 while system A wait signal 1052 is issued. In the case that the A system processor executes reading, the A system processor 1001 outputs the address to the A system processor bus 1050 during the period when the A system wait signal 1052 is issued, and continues to wait for the read data. When the A system wait signal 1052 is canceled , the data value on the A system processor bus 1050 is taken in as a read value.

The same applies to the system B. The system B processor 1003 outputs the system B processor bus 1055 including address signals and data signals. Also, the system B processor 1003 issues a bus start signal 1057 when bus access starts. The system B interface unit 1004 continues to issue the system B wait signal 1056 until the system B bus ready signal 1065 or the system B interrupt control ready signal 1069 is issued. When the system B processor 1003 performs write access, the system B processor 1003 continues to output addresses and data to the system B processor bus 1055 while the wait signal 1057 is issued. In the case that the B system processor 1003 executes the reading, the B system processor 1003 outputs the address to the B system processor bus 1055 during the period when the waiting signal 1056 is issued, continues to wait for the read data, and when the waiting signal 1056 is cancelled, the B Data values on the system processor bus 1055 are fetched as read values.

The system A area judging part 1013 has the function of judging whether the currently accessed device is a highly reliable IO 1018 according to the address value of the system A processor bus 1050, and when the system A processor 1001 accesses the highly reliable IO 1018, a System highly reliable access signal 1060.

The system B area judging part 1014 has the function of judging whether the currently accessed device is a highly reliable IO 1018 according to the address value of the system B processor bus 1055. When the system B processor 1003 accesses the highly reliable IO 1018, a B System high reliability access signal 1061.

The comparison unit 1015 has the function of comparing the A system processor bus 1050 and the B system processor bus 1055, and the address, write or read access type, and write data of the A system processor bus 1050 and B system processor bus 1055. A comparison is performed, and if they match, a comparison result match signal 1062 is issued.

The system bus interface unit 1016 accesses the high-reliability system bus 1017 via the system bus 1017 according to the system A processor bus 1050 , the system B processor bus 1055 , the system A high-reliability access signal 1060 , the system B high-reliability access signal 1061 , and the comparison result agreement signal 1062 . IO1018, common IO 1020, network IO 1022.

The high-reliability IO 1018 is connected to an input-output device 1019 requiring reliability.

Ordinary IO 1020 is connected to the input and output device 1021 of ordinary reliability.

The network IO 1022 is an interface with the network 1023, and is a device that issues a network interrupt 1066 and expects processing from the processor when processing executed by the processor, such as reception processing, is required.

The error detection unit 1012 has the following functions: according to the system A highly reliable access signal 1060, the system B highly reliable access signal 1061, and the comparison result coincidence signal 1062, it is judged whether the A system processor 1001 and the B system processor 1003 are operating normally or whether an error has occurred. Fault. When it is judged that a failure has occurred, a failure report signal 1064 is issued.

The interrupt control section 1005 has a function of controlling the A system interrupt signal 1053 given to the A system processor 1001 and the interrupt signal 1054 given to the B system processor 1003, and the A system interrupt request register 1006 for issuing the A system interrupt signal 1053, and A system interrupt factor register 1008 indicating an interrupt factor is constituted. In addition, a B system interrupt request register 1007 for issuing a B system interrupt signal 1054, and a B system interrupt factor register 1009 indicating an interrupt factor are also provided.

It is configured so that interrupts can be independently provided to the A system processor 1001 and the B system processor 1003 . System A interrupt request register 1006 , system A interrupt factor register 1008 , system B interrupt request register 1007 , and system B interrupt factor register 1009 are configured to be accessible from system A processor 1001 and system B processor 1003 .

In addition, a failure report signal 1064 and a network interruption 1066 are input from the outside. The A-system interrupt signal 1053 transmits an interrupt generated from the A-system interrupt request register 1006 or an interrupt generated by the fault report signal 1064 . Here, the interrupt generated by the fault report signal 1064 has priority over the interrupt generated from the A system interrupt request register 1006 .

The system B interrupt signal 1054 transmits an interrupt generated from the system B interrupt request register 1007 or an interrupt generated by a network interrupt 1066 or a fault report signal 1064 . Here, the interrupt generated by the fault report signal 1064 has priority over the interrupt generated from the B system interrupt request register 1007 , and the interrupt generated from the B system interrupt request register 1007 has priority over the network interrupt 1066 . That is, in order of priority, there are interrupts generated by the fault report signal 1064 , interrupts generated from the B system interrupt request register 1007 , and network interrupts 1066 .

FIG. 5 is a state transition diagram illustrating the operating state of the system bus interface unit 1016. As shown in FIG.

The system bus interface unit 1016 has four states shown in FIG. 5 .

The state 1200 represents an idle state, and represents a state in which neither the system A processor 1001 nor the system B processor 1003 accesses the system bus 1017 .

State 1201 represents the access state of the processor of system A, which means that the processor of system A 1001 accesses the common IO 1018.

The state 1202 represents the access state of the processor of the B system, and represents that the processor of the B system 1003 accesses the network IO 1022.

State 1203 represents the state of A system and B system processor accessing highly reliable IO 1018.

The transition condition 1204 from the state 1200 to the state 1201 is established under the condition that the system A processor 1001 starts to perform access and the system A high reliability access signal 1060 is not issued.

The transition condition 1206 from the state 1200 to the state 1202 is established under the condition that the A system processor 1001 does not start to perform access, the B system processor 1003 starts to perform an access, and the B system high reliability access signal 1061 is not issued.

The transition condition 1208 from state 1200 to state 1203 is when system A processor 1001 starts to perform access, system A high-reliability access signal 1060 is issued, and system B processor 1003 starts to perform access, system B high-reliability access signal 1061 is issued, and The condition that the comparison result match signal 1062 is issued is satisfied. This condition represents that the A system processor 1001 and the B system processor 1003 access the same address of the highly reliable IO 1018 together.

Transition condition 1205 is established due to the report indicating the end of the access sent from the common IO 1020 via the system bus 1017; transition condition 1207 is established due to the report indicating the end of the access sent from the network IO 1022 via the system bus 1017; Reliable IO 1018 is established via system bus 1017 reporting that access is complete.

Due to this state transition, the system bus interface unit 1016 permits the connection to the system bus 1017 at the request of the system A processor 1001 and the system B processor 1003 based on the determination results of the system A area determination unit 1013 and the system B area determination unit 1014. Access to any one of the highly reliable IO1018, common IO 1020, and network IO 1022. In particular, for the access of the high-reliability IO 1018, the conversion condition 1208 indicating that the A system processor 1001 and the B system processor 1003 jointly access the same address of the high-reliability IO 1018 must be established.

In addition, system A bus ready signal 1067 is issued when transition condition 1205 and transition condition 1209 are met, and system B bus ready signal 1065 is issued when transition condition 1207 and transition condition 1209 are met.

FIG. 6 is a state transition diagram showing the operation of the error detection unit 1012 .

State 1300 is an idle state, which means that neither the A system processor nor the B system processor accesses the state of the highly reliable IO 1018.

State 1301 is a state in which system A processor 1001 accesses highly reliable IO 1018 and waits until system B processor 1003 outputs the same output as its own processor.

State 1302 is a state in which system A processor 1001 accesses highly reliable IO 1018 and waits until system B processor 1003 outputs the same output as its own processor, but after a certain period of time, it is judged to be a timeout error state.

State 1303 is a state in which the A system processor 1001 and the B system processor 1003 have accessed the highly reliable IO 1018, but the output of each processor is inconsistent, and it is judged to be an error state.

State 1305 is a state in which system B processor 1003 accesses highly reliable IO 1018 and waits until system A processor 1001 outputs the same output as its own processor.

State 1304 is that the B system processor 1003 accesses the highly reliable IO 1018 and waits until the A system processor 1001 outputs the same output as its own processor, but after a certain period of time, it is judged to be a state of timeout error.

The transition condition 1306 is established under the condition that the system A high-reliability access signal 1060 is sent out and the system B high-reliability access signal 1061 is not sent out.

The conversion condition 1307 is established under the condition that the system B high reliability access signal 1061 is issued and the comparison result match signal 1062 is issued.

The transition condition 1309 is established under the condition that the system B high reliability access signal 1061 is issued and the comparison result match signal 1062 is not issued.

The transition condition 1308 is satisfied when the transition conditions 1307 and 1309 are not satisfied and a certain period of time has elapsed.

The transition condition 1316 is established under the condition that the system B high-reliability access signal 1061 is sent out and the system A high-reliability access signal 1060 is not sent out.

The conversion condition 1315 is established under the condition that the system A high reliability access signal 1060 is issued and the comparison result match signal 1062 is issued.

The conversion condition 1312 is satisfied under the condition that the system A high-reliability access signal 1060 is issued, the system B high-reliability access signal 1061 is issued, and the comparison result match signal 1062 is not issued.

The transition condition 1313 is satisfied when the transition conditions 1315 and 1312 are not satisfied and a certain period of time has elapsed.

The conversion condition 1317 is established under the condition that the system A high-reliability access signal 1060 is issued, the system B high-reliability access signal 1061 is issued, and the comparison result match signal 1062 is not issued.

Transition conditions 1310 , 1311 , 1314 are always true, which means that a transition to state 1300 occurs in the next cycle after the transition to states 1302 , 1303 , 1304 .

The error detection unit 1012 manages the access state of the high-reliability IO 1018 by the A system processor 1001 and the B system processor 1003, and the output of the processor that accesses the high-reliability IO 1018 is inconsistent with the output of the processor of other systems Under the situation of, or under the situation that other processors do not access high reliability IO 1018 within a certain period of time, transition to state 1302, 1303, 1304, send fault report signal 1064 when this state 1302, 1303, 1304.

After the fault report signal 1064 is sent out, the highly reliable IO 1018 recognizes that a fault has occurred, and switches the output to a safe state. Here, the so-called safe state includes a state where the current output is maintained, or a state that is the same as when the power supply is turned off, and it differs for each object to be controlled. In addition, after a failure occurs, the error detection unit 1012 reports a failure interruption to the A system processor 1001 and the B system processor 1003 using the interrupt signals 1053 and 1054 . The processor receiving the fault interrupt promptly interrupts processing of the status quo and performs fault processing.

FIG. 7 is a timing chart showing the processing operations of the system A processor 1001 and the system B processor 1003 when they are normal.

Processor 1001 of system A processes tasks sequentially from control task 0, and executes a startup task for starting a high-reliability task of processor B after finishing the processing of the last control task n. This startup task accesses the B system interrupt request register 1997 inside the interrupt control unit 1005, causes the B system processor 1003 to interrupt, and ends. Next, the A-system processor 1001 executes a high-reliability task. The high-reliability task performs control on the input-output device 1019 connected to the high-reliability IO 1018 and requires reliability. The system A processor 1001 periodically executes a series of processes from the control task 0 to the high-reliability task.

On the other hand, the system B processor 1003 sequentially processes the communication tasks according to the network interrupts generated from the network IO 1022, and after receiving the interrupt due to the startup task executed by the system A processor 1001, executes the same high reliable task. Therefore, the A-system processor 1001 and the B-system processor 1003 execute the same process, so that the outputs of the two processors can be guaranteed to be consistent. System B processor 1003 processes communication tasks sequentially according to the network interrupt 1066 that occurs from network IO 1022 after the processing of the high-reliability task ends. After receiving and processing the interrupt, the system B processor 1003 accesses the interrupt control unit 1005 to clear the interrupt factor.

In addition, the interrupt control unit 1005 shields the network interrupt 1066 with low priority when the interrupt that occurs due to accessing the system B interrupt request register 1007 enters the system B processor 1003. Therefore, during the execution of the high-reliability task by the system B processor 1003, Network interrupt 1066 does not enter, thereby not interrupting processing.

As described above, when performing processing for ensuring reliability, multiple processors are used to perform processing, multiple output results are compared, and output is performed only when they match, thereby improving reliability. processing, multiple processors operate independently, thereby improving processing performance.

Claims (6)

1. the task management device of a control device, for common data processing object, with the result by at least 2 systems' execution is input, described result is obtained with mutual interchangeable mode computing by described 2 systems at least, for different data processing objects, with the result carried out by at least 2 systems after nonidentity operation is handled is input, it is characterized in that described task management device has:

Signal output unit, output expression are to be carried out different calculation process, or carried out the switching signal of calculation process in interchangeable mode by described at least 2 systems; And licence units, carried out by at least 2 systems under the situation that nonidentity operation handles at described signal indication, allow at least 1 among the different disposal result of described at least 2 systems of output,

Importing with normal control mode, is to be handled by the nonidentity operation that at least 2 systems carry out as stand-alone mode for different data processing object,

Under the situation of at least 2 systems, if the address of bringing influence for the operation result of normal control mode then utilizes the outputting data signals as the result under the stand-alone mode to suppress described address is write as the stand-alone mode action.

2. the task management device of control device as claimed in claim 1 is characterized in that, described licence units by will with described result send here write target data and specified data compares, judge that output allows.

3. the task management device of control device as claimed in claim 2, it is characterized in that, also has the unit of by the described result of importing of sequential storage, also exporting the result of this storage in proper order, wherein, with described specified data relatively be to carry out at the described result of output in order.

4. the task management device of a control device, for common data processing object, input has been carried out the result after the calculation process by at least 2 systems in interchangeable mode, and for different data processing objects, input has been carried out result after nonidentity operation is handled by at least 2 systems, it is characterized in that described task management device has:

Signal output unit, output expression are to be carried out that nonidentity operation is handled or carried out the switching signal of calculation process in interchangeable mode by described at least 2 systems,

Importing with normal control mode, is to be handled by the nonidentity operation that at least 2 systems carry out as stand-alone mode for different data processing object,

Under the situation of at least 2 systems, if the address of bringing influence for the operation result of normal control mode then utilizes the outputting data signals as the result under the stand-alone mode to suppress described address is write as the stand-alone mode action.

5. the task management method of a control device, for common data processing object, input is with mutual interchangeable mode computing, the result of at least 2 systems, for different data processing objects, input has been carried out the result that nonidentity operation is handled by at least 2 systems, the output expression is to carry out the switching signal that calculation process was handled or carried out in interchangeable mode in nonidentity operation by described at least 2 systems, carry out under the situation of nonidentity operation processing by at least 2 systems at described signal indication, be judged as at least 1 among the different disposal result who allows described at least 2 systems of output

Importing with normal control mode, is to be handled by the nonidentity operation that at least 2 systems carry out as stand-alone mode for different data processing object,

Under the situation of at least 2 systems, if the address of bringing influence for the operation result of normal control mode then utilizes the outputting data signals as the result under the stand-alone mode to suppress described address is write as the stand-alone mode action.

6. the task management method of a control device, for common data processing object, input is with results mutual interchangeable mode computing, at least 2 systems, will be used for discerning the recognition data that described at least 2 systems stipulate the data processing object of system and store the 1st recognition data zone into; To be used for discerning described at least 2 systems arbitrarily the recognition data of the data processing object of another system store the 2nd recognition data zone into; To store the 1st deal with data zone into as the 1st deal with data of stipulating the result of system at least in described 2 systems; And will store the 2nd deal with data zone into as the 2nd deal with data of the result of any another system in described at least 2 systems, wherein, in described the 1st recognition data of contrast and described the 2nd recognition data, also contrast described the 1st deal with data and described the 2nd deal with data, to allow data output

Importing with normal control mode, is to be handled by the nonidentity operation that at least 2 systems carry out as stand-alone mode for different data processing object,

Under the situation of at least 2 systems, if the address of bringing influence for the operation result of normal control mode then utilizes the outputting data signals as the result under the stand-alone mode to suppress described address is write as the stand-alone mode action.

Images