JP2008009795A - Diagnostic device, line diagnosis method, and line diagnosis program - Google Patents

Abstract

In order to improve the safety of bus arbiter operation that arbitrates bus usage right requests output from multiple devices in a control device, the arbiter operation is diagnosed by a monitoring means by an external diagnostic module to improve high-speed response and safety. Provide a control device that achieves compatibility.
A signal related to arbiter arbitration is monitored by a diagnostic module, and when an abnormality due to signal fixation or arbitration control unit abnormality is detected, data transfer is safely stopped to prevent erroneous output of safety data.
[Selection] Figure 1

Description

  The present invention relates to a diagnosis apparatus, a line diagnosis method, and a line diagnosis program, and in particular, in the control field, is equipped with a bus arbiter that arbitrates permission to use a bus on a common bus composed of a plurality of bus masters, and diagnoses the bus arbiter. The present invention relates to a diagnostic apparatus, a line diagnostic method, and a line diagnostic program that are suitable for realizing both safety and high-speed bus access by providing an external diagnostic apparatus.

  In recent years, there has been a remarkable improvement in bus arbiter technology for arbitrating mastership on a common bus. In particular, common buses used in PC systems such as PCI buses and ISA buses are rapidly increasing the data transfer speed. In order to guarantee the operation of these systems, a bus arbiter that arbitrates multiple bus masters. Existence is essential.

  The operation of the bus arbiter is realized by arbitration means that selects one bus master from the bus master requests from a plurality of bus masters and grants the bus master to the bus master. The selected bus master can acquire the bus right and transfer the data onto the bus. In the arbiter system, as typified by a PCI bus, arbitration is generally performed by inputting / outputting a bus request REQ signal and a bus permission GNT signal between the master and the arbiter. At the time of arbitration operation of the arbiter, an operation is performed in which REQ signals from a plurality of masters are arbitrated according to a predetermined unique arbitration algorithm and a GNT signal is output to one master. A technique related to the bus arbiter is known, for example, in Japanese Patent Laid-Open No. 2003-099395.

JP 2003-099395 A

  Even in the control field having control devices, it is not uncommon to adopt a system using these arbiter technologies. For example, in a control plant, there is a plug-in that has an arbiter function on the backplane of the control device rack mounted in the control panel. Data transfer from the bus master is read and written using the bus. Especially in the control field where high-speed data responsiveness is required, when handling large-capacity data transfer including communication data transferred in large quantities from multiple bus masters so as not to affect the on-time performance of online software processing operations, the arbiter It is necessary to switch the arbitration of the bus master at a high speed by the operation, and high speed is required in the data transfer and the arbitration switching operation. In this case, it is possible to adopt either a unique bus or a general system bus represented by a PCI bus which is currently mainstream.

On the other hand, in the control device in the mission critical control field, not only plays a role of controlling and protecting the device by data input / output to the controlled object, but the operation of the controlling device is the device safety of the controlled object (process side) Since the cases related to the protection of human life are sufficiently considered in terms of the nature of the device and the system, there is a great demand for the safety of the system and the control device that controls it. As one trend of these measures, application to the control device of IEC61508, which is an international standard, is being promoted mainly overseas. In this functional safety standard IEC61508, the safety requirement regarding the bus arbiter is defined as a part, and by satisfying this safety requirement, it becomes possible to approach to ensuring a predetermined safety level as a control device.

  In functional safety, diagnostic operations must be performed on key functions to ensure that the control device does not go into hazardous operation. The standard also requires that the arbiter operation that plays the core role of the bus is diagnosed in the same way. The central processing unit that processes the safety data based on the input data from the control target (process side) and outputs it to the process becomes the bus master, and the safety-related data transferred on the bus is caused by erroneous output or malfunction to the control target. It is essential not to affect safe operation. Also, even if an arbiter malfunction occurs, it must be detected that an abnormality is detected, safety data output to the process is stopped within the reaction time, and safety data is not destroyed and safety data is not erroneously output to the control target. I must.

  Various diagnostic methods have been proposed as techniques for enhancing the safety of the control device. The diagnosis rate can be improved by applying microprocessor and bus diagnostics, memory, ASIC, and input / output diagnostics. In some cases, it is insufficient to cover, and in order to further improve the diagnostic rate, it is necessary to diagnose the arbiter function.

  First, as failure modes that can be considered for the arbiter, malfunctions due to the bus request signal REQ and bus permission signal GNT being locked, and malfunctions caused by abnormal operations such as the arbitration function and the state control function inside the arbiter Arbiter malfunction that occurs in When there is a failure mode that may result in a dangerous operation in which an abnormality cannot be detected when these failures occur, the safety of safety data transfer must be considered. Therefore, in order to improve the safety of the control device, it is necessary to diagnose the failure mode that may affect the safety data transfer as described above.

  As one method of diagnosis, a method of diagnosing arbiter operation by software can be considered. In the case of software diagnosis, there is the advantage that arbiter diagnosis can be performed relatively flexibly by the diagnosis operation performed by the diagnosis pattern created by the microprocessor, but the man-hours required for creating the diagnosis processing program and the diagnosis processing time during online operation increase. There is a difficulty to do. Especially in the latter case, it is necessary to temporarily stop data transfer and secure diagnostic processing time in real-time processing that performs high-speed input / output operations that require high-speed response. The on-time property cannot be secured. As a result, the real-time property of online processing that requires high-speed control may cause a fatal result, and there is a problem in securing performance.

  Another problem is that the arbiter is usually implemented by a custom LSI (ASIC), and the circuit itself for diagnosing the arbiter is realized by hardware logic in the same LSI as the arbiter. The range is difficult. If any abnormality occurs in the arbiter, it is necessary to verify whether or not the diagnostic circuit in the same LSI that diagnoses it functions normally.

  An object of the present invention is to provide a diagnosis apparatus, a line diagnosis method, and a line diagnosis program that can solve at least one of the above problems.

  In order to achieve the above object, according to the present invention, the right to use the second communication line is granted via the first communication line in the case where information relating to the controlled object is exchanged via the second communication line. An arbitration control unit that transmits and receives a signal for arbitration, and a diagnosis unit that monitors the signal of the first communication line and determines an abnormality of the arbitration unit, and the diagnosis unit determines an abnormality of the arbitration unit In this case, a signal for suppressing the communication of the second communication line is output.

  In addition, in order to increase the diagnostic rate of the control device itself, an external diagnostic device having a diagnostic means for the arbiter function is provided without depending on bus diagnostic technology or microprocessor diagnosis as a data transfer path. This is realized by safely stopping data output when an abnormality is detected.

  According to the present invention, the “line diagnostic device” is a diagnostic device composed of parts different from the system LSI incorporating the arbiter, and the bus master request REQ signal output from the bus master to the arbiter and the arbiter output to the bus master. The arbiter operation is diagnosed by monitoring the bus right grant GNT signal and other signals related to the arbiter operation.

  The monitoring timing by the diagnostic device is performed during the arbitration period before the bus transfer cycle during the online operation. As described in the above [Problems to be Solved by the Invention], in order to eliminate the performance degradation when the arbiter operation diagnosis by software is performed, the hardware of the diagnostic device is monitored during the arbitration period, and the data Prevent interruption of transfer. By monitoring the output state of the bus right grant GNT signal during the monitoring timing period, it is possible to detect whether the arbiter operation is normal or abnormal. During the arbitration period, it is usually impossible for the bus right permission signal to be output as a valid state to a plurality of bus masters at the same time. If simultaneous output occurs in this way, signal sticking or an abnormality in the bus right grant GNT signal generator in the arbiter is considered, and the arbiter function is monitored by monitoring the bus right grant GNT signal with a diagnostic device. Can be diagnosed. When such simultaneous output occurs, there is a possibility that a data collision may occur due to erroneous recognition that a plurality of bus masters have received the bus right and simultaneously outputting data onto the bus. If such a situation occurs when safety data is being transferred, the safety data will be destroyed, so when the diagnostic device detects this abnormality, it immediately protects the safety data and sends it to the bus controller. On the other hand, there is a means for outputting data to a safe side by outputting a stop instruction.

The monitoring means is an example, but other monitoring methods include arbiter status transition monitoring, bus SW control signal on / off status monitoring linked to a safety data transfer status signal on the line,
The means for improving the diagnostic rate of the arbiter by monitoring the GNT signal and the means for testing the diagnostic device by software from an external microprocessor are described in the embodiments of the present invention.

  According to the present invention, it is possible to improve the safety of the entire control device by making high-speed response and the safety of data transfer and arbitration control operations compatible without degrading the transfer performance. More specifically, the timing of data transfer during a certain online operation is monitored by a diagnostic device composed of parts different from the arbiter, and the diagnosis of an arbiter operation abnormality is not dependent on the software diagnostic process. By using hardware monitoring means, the overall safety of the control device can be secured by combining high-speed response with the safety of data transfer and arbitration control operations without degrading transfer performance by hindering data transfer on the line. It is possible to improve the performance.

  Examples of the present invention will be described below.

  FIG. 1 shows an example of the overall configuration of a control device in which a line diagnostic device according to the present invention is used. The control device includes a communication control device PO 30 that performs communication control with a central processing unit CPU 10 connected by a line 2 serving as a data transfer path, an input device 140 that serves as an interface with a control target, and an output device 150. The

  The basic operation of the control device will be described below. The central processing unit CPU 10 performs a transmission / reception operation by data transfer with the data register 33 in the communication control unit PO 30 via the line 2 61. The transmission / reception data written in the data register 33 is transmitted to the communication control device S1 via a serial line or a line 360 by parallel transmission. At the time of reception, data received via the line 3 is written into the data register 33 and read by the central processing unit CPU 10. Similarly, the central processing unit CPU 10 performs data transfer between the input data register 42 of the input device 140 and the output data register 52 of the output device 150. Process input data 43 from the control object 70 to the input device 140 is written in the input data register 42 and read from the central processing unit CPU 10. Further, the data written from the central processing unit CPU 10 to the output data register 52 in the output device 150 is output to the control object 70 as process output data 53.

  The central processing unit CPU 10 and the communication control unit PO 30 have line control units 13 and 31 for controlling data transfer to the line 2 61. The line control unit includes a line usage right request for the line 260 and a line usage right permission signal, and the arbitration control of these signals is performed by the arbitration control unit 12 in the central processing unit CPU 10. The communication control device PO 30, the input device 140, and the output device 1 50 are provided with lines SW (bus SW) 32, 41, 51. The bus SW has a switching function for electrically connecting or disconnecting the line 2 61 and the device, and the switch control signal is included in a part of the line 1 60. The switching control signal is a signal output by the arbitration control unit 12 of the central processing unit CPU 10 and is connected to the central processing unit CPU 10 on a one-to-one basis with the communication control unit PO 30, the input unit 140, and the output unit 150. To do.

  The central control unit CPU 10 or the communication control unit PO 30 can acquire the bus right in the control unit and use the line 2 61. When each control device acquires the bus right, the line arbitration control is performed by using the bus right use request signal and the bus right use permission signal of the line 1. When the central processing unit CPU 10 requests data transfer, the line control unit 13 outputs a line usage right request signal to the arbitration control unit 12, and the line control right permission signal of the line 160 output from the arbitration control unit 12 is line controlled. The unit 13 transfers the data in the data register 11 to the transfer destination via the line 261 after reception. On the other hand, the same procedure is followed when the communication control device PO 30 requests data transfer, the line control unit 31 outputs a line use right request signal to the arbitration control unit 12, and the line 160 of the line 160 output from the arbitration control unit 12. After the line control unit 31 receives the usage right permission signal, the data in the data register 33 in the communication control device PO 30 is transferred to the transfer destination via the line 2 61.

  Next, the line diagnosis apparatus 20 according to the present invention will be described below. The line diagnosis apparatus 20 monitors signals on the line 2 61 related to the data transfer and the line 1 60 related to the arbitration operation. In this embodiment, when a line use request is alternately made between the central processing unit CPU 10 having the bus use right and the communication control unit 30, the use arbitration operation of the line 2 is sent to the arbitration control unit 12 by the line 1 60 signal. Done. The monitoring unit 22 in the line diagnostic device 20 monitors the signal operation and timing related to the arbitration operation of the line 1 in conjunction with the timing signal of the line 260, and when the abnormal operation of the line 260 is detected, the line diagnostic device 20 An abnormality notification is sent to the internal operation instructing unit, and the operation instructing unit 21 performs an operation of stopping data output in response to a command to the central processing storage device CPU 10 internal line control unit 13.

  Hereinafter, the arbitration control operation timing by the line 160 and the details of the monitoring operation of the line diagnosis apparatus 20 will be described with reference to FIG.

  In FIG. 2, a configuration diagram in the line diagnostic apparatus 20, details of the arbitration control operation timing of the line 160, and a monitoring signal of the monitoring unit 22 in the line diagnostic apparatus 20 will be described. In FIG. 2, in addition to the central processing unit CPU 10 and the line diagnostic device 20 described in FIG. 1, a communication comprising a plurality of communication control devices that output a line usage right request for the line 2 61 and can use the line 2 61. A control device PO 30, a communication control device P 1 80, and a communication control device P 2 90 are configured. The breakdown of the line 160 signal related to the line arbitration control is as follows. Central operation storage device CPU 10 The line usage right request signal 98 output from the internal line control unit 13, the line usage right permission signal 97 output from the arbitration control unit 12 GNT generation unit 15, and the line output from the communication control unit PO 30 The use right request signal 36, the line use right permission signal 35 and the switch control signal 153 output from the GNT generation unit 15, the line use right request signal 86 output from the communication control device P1 80, and the GNT generation unit 15 output. From the line use right permission signal 85 and the switch control signal 155, the line use right request signal 96 output from the communication control devices P2 90... Pn, the line use right permission signal 95 and the switch control signal 154 output from the GNT generation unit 15. Line 160 is configured. In response to a GNT switching instruction (signal) 16 output from the arbitration control unit 12 and the internal arbitration unit 14, the GNT generation unit 15 sends a line use right to a single device by line arbitration control from a plurality of devices that output line use requests. An operation for issuing a permission signal is performed. The GNT switching instruction (signal) 16 is generated by the state transition output of the arbitration unit 14 in the arbitration control unit 12, and the state transition in the arbitration unit 14 is generated by the input / output signal states from the line 1 60 and the line 2 61. . A detailed timing chart will be described with reference to FIG.

The line diagnosis apparatus 20 according to the present invention is connected to a line 261 serving as a data transfer path, and is configured as a separate component from the arbitration control unit 12. The line diagnosis apparatus 20 detects an abnormal operation of the arbitration control unit by monitoring the line 1 60 and the line 2 61 and the STATE signal 23 indicating the arbitration operation state output from the arbitration unit 14 in the arbitration control unit 12. A diagnosis characterized by having means for stopping the output data when the operation instruction unit 21 outputs a command to the line control unit 13 in the central processing unit CPU 10 at the time of detecting an abnormality at the same time as having a means Device.

  In the configuration shown in FIG. 2, by monitoring all of the line 1 60 signals on which arbitration control operations are performed between the central processing unit CPU 10 and the communication control units PO 30, P1 80, P2 90, each device It is possible to detect an abnormal operation of the arbitration operation performed when a line use request is made. The diagnostic range as the diagnostic module is not limited to signal fixation diagnosis of high level or low level that can occur due to disconnection, open, or short of the signal of the line 160, but the state in the arbitration control unit 12 Transition malfunctions and functional block operation abnormalities can also be diagnosed by monitoring these signals. In particular, the arbitration control unit includes complex logic and is usually implemented by an LSI (custom ASIC). When an internal logic error or functional error occurs, a third party component other than the LSI With the configured diagnostic device, it is possible to diagnose not only the external signal sticking abnormality but also the internal operation of the arbitration control unit. Further, according to the present invention, the diagnosis of the arbitration operation is performed by the hardware of the line diagnosis device 20 without relying on the diagnosis process by software, so that the data transfer on the line 261 is not interrupted by the software diagnosis process. Diagnosis by the hardware monitoring means of the device 20 makes it possible to achieve both safety and high-speed response of data transfer and arbitration control operations without impeding the timeliness / timeliness of data in real-time control. .

  FIG. 3 shows a timing chart during normal operation of the arbitration control unit, and FIG. 4 shows data responsiveness and influence on data transfer when the arbitration control unit is diagnosed by software processing.

  An operation timing chart of the arbitration control unit during normal operation will be described with reference to FIG. In the control device composed of the central processing unit CPU 10 and the communication control unit PO 30, arbitration is performed when a line usage right request for the line 2 61 is issued simultaneously from the central processing unit CPU 10 and the communication control unit PO 30. A timing chart is shown for the STATE signal 23 indicating the arbitration state transition output from the arbitration unit 14 in the control unit 12, the state of the line use right grant signal GNT on the line 160, and the bus transfer state on the line 260.

In the STATE signal 23, there are five states T1 to T4 from the arbitration operation of the line 261 to the completion of the bus transfer. STATE = T0 is an “IDLE state”, which indicates an IDLE state before the bus arbitration operation is performed. STATE = T1 is “ARB state”, indicating that an arbitration operation based on a line usage right request signal from a plurality of devices is being performed. STATE = T2 is an “ACKWAIT state”, and is a cycle in which a line usage right grant signal GNT is issued to a device selected by the arbitration operation of the “ARB state” with the output timing of the GNT switching instruction 16 as a trigger. Indicates. FIG. 3 shows an example in which GNT is issued to the central processing unit CPU 10. STATE = T3 is “ACKBUSY state”, indicating that a device that has obtained permission to use the line is using the line 261 to transfer data. The state transition from T2 to T3 transitions on the condition for starting data transfer. FIG. 3 shows that the central processing unit CPU 10 is transferring data. TS (CPU, PO) shown here indicates the transfer source device in the parenthesis and the transfer destination device in the latter term. In FIG. 3, data transfer from the central processing unit CPU 10 to the communication control device PO 30 is performed. Indicates what is being done. STATE = T4 is a “WAIT state”, which indicates a waiting period until the transition to the IDLE state after completion of data transfer.

As shown in FIG. 3, the operation of the arbitration control unit arbitrates line usage right request signals REQ from a plurality of apparatuses at the timing of STATE = T1, and uses the line for one apparatus selected at the timing of STATE = T2. By outputting the right permission signal GNT, the operation that enables the device (the central processing unit CPU 10 in FIG. 3) that obtains the GNT to perform bus transfer is fundamental. In other words, during the STATE = T2 period, GNTs other than the central processing unit CPU 10 (GNT to the communication control unit PO 30 in FIG. 3) cannot be output at the same time. If such a situation occurs, a cause such as malfunction of the arbitration control unit 12, malfunction, or signal sticking of the line 160 may be considered. As the influence, the communication control device PO 30 has the right to use the bus. If the permission signal is erroneously detected, data transfer between the central processing unit CPU 10 and the communication control unit PO 30 is performed at the same time, and data that should be output from the central processing unit CPU 10 may be destroyed.

  As described above, as a timing chart of the line 261 at the time of normal operation composed of a control device composed of a plurality of devices that output the line usage right request REQ, the state transition from T0 to T4 controlled by the arbitration control unit 12 Are repeatedly executed, and data transfer is performed. The line diagnosis apparatus according to the present invention is one means characterized by monitoring the timing, status signal, and line 160 signal by hardware. The operation timing when the diagnosis is performed by software is shown in FIG. Shown in

  The diagnosis flow operation by software of the arbitration control unit will be described with reference to FIG. Advantages of adopting a diagnostic means by software include that it is easy to improve the diagnosis rate of a diagnosis target by generating abundant diagnostic patterns. Also in the international safety standard IEC61508, the diagnosis of signal sticking and the internal diagnosis method of the arbitration operation are defined as safety requirements regarding the arbiter, and it is also possible to perform these diagnoses using software processing. In particular, in order to improve the diagnosis rate of an LSI that implements an arbiter, it is recommended to perform up to arbiter function diagnosis and internal operation diagnosis.

  Based on the above, FIG. 4 shows a timing chart when software diagnosis is applied in combination with the normal operation of the arbitration control unit shown in FIG. On the premise of the configuration of FIG. 1, in the control device that performs data transfer between the central processing unit CPU 10 and the communication control device PO 30, diagnosis processing and data transfer operation are performed in the following procedure.

  First, the central processing unit CPU 10 performs a diagnosis process 130 for the arbitration control unit, and performs an input process A 133 based on input data from a control target. When the input process A 133 is completed, the central processing unit CPU 10 transfers the data stored in the data register 11 to the data register 33 in the communication control unit PO 30 via the line 260. Thereafter, the timing at which the communication control device P0 30 obtains the line usage right permission and performs data transfer to the line 2, and then the central processing unit CPU 10 obtains the line use right permission again and transfers the data to the line 2 A chart is shown. The line use right permission for each data transfer is switched by the arbitration operation of the arbitration control unit 12, and the data transfer is performed based on the normal operation timing chart shown in FIG. The online processing performed by the microprocessor of the normal central processing unit CPU 10 corresponds to the input processing A 133, the input processing B 134, and the arithmetic processing 135, which are in parallel with or separate from the line 261 data transfer operation. Since the processing is performed in the period, the processing by the microprocessor does not affect the data transfer of the line 2 so that the timeliness and the timeliness are not hindered. On the other hand, the diagnosis process of the arbitration control unit 12 by software corresponds to the diagnosis process 130, the diagnosis process 131, and the diagnosis process 132, which are performed by temporarily interrupting the data transfer of the line 2.

Although the fluctuation of data on-time performance is not constant depending on the frequency of software diagnosis processing, it is possible to improve the diagnosis rate, but on the other hand, there are still problems in securing high-speed response, on-time performance, and on-time data. I can say that. Therefore, according to the diagnostic method using the line diagnostic apparatus realized by the hardware monitoring means according to the present invention, it is possible to take measures against the above problem. Hereinafter, an embodiment of the line diagnosis apparatus according to the present invention will be described with reference to FIGS.

[Description of Example 1]
FIG. 5 and FIG. 6 explain one of the failure mode and abnormal operation of the arbitration control unit monitored and detected by the line diagnostic apparatus, and one of countermeasures when an abnormality is detected. In the description of FIG. 3, it has been described that a data collision may occur when the line usage right permission signal GNT output from the arbitration control unit 12 is output to a plurality of devices at the same time. The monitoring unit 22 in the line diagnosis apparatus 20 has a means for monitoring and detecting this failure mode. FIG. 5 shows a diagnosis flow at the time of simultaneous output of the line use permission signal GNT of the line diagnostic apparatus 20, and FIG. 6 shows a time chart and a countermeasure example at the time of simultaneous output of the GNT signal.

FIG. 5 shows an abnormality detection unit and a diagnosis flow of the arbitration control unit 12 of the line diagnosis apparatus 20. The monitoring unit 22 in the line diagnostic apparatus 20 monitors the line 160, and the monitoring unit 22 includes a simultaneous use CHK unit 25 for a line use right permission signal GNT. The simultaneous output CHK unit 25 monitors a plurality of simultaneous outputs of the line usage right permission signal GNT for a plurality of devices. The monitoring unit 22 enters the monitoring timing at STATE = ARB timing of the arbitration control unit 12. The monitoring unit 22 monitors all the line use right permission signals GNT on the line 160 when STATE = ACKWAIT, and monitors whether it is output as a valid state to other than one apparatus. For example, when GNT is directed to the central processing unit CPU 10, whether the GNT is not output to the other communication control device PO 30 or the other means is the same for the detection means. When the monitoring unit 22 detects the event (abnormality) of the simultaneous output, the GNT simultaneous output CHK unit 25 issues an instruction signal to the operation instruction unit 21 in the arbitration control unit 12, and the operation instruction unit 21 that has received the instruction signal An operation instruction signal is output to the control unit 13.

  FIG. 6 shows the operation timing of the first embodiment. As shown in the above description of the operation, this figure shows that the line usage right grant signal GNT to the central processing unit CPU 10 and the communication control unit PO 30 is simultaneously output. (In the time chart, they are written as GNT (CPU) and GNT (PO).) Thereby, data transfer by the central processing unit CPU 10 and the communication control unit PO 30 occurs at the same time, and data collision occurs. In the line diagnostic apparatus of the present invention, it is possible to prevent data collision by detecting the simultaneous output of the GNT signal in the STATE = ACKWAIT cycle and outputting an operation instruction signal to the line control unit 13. After receiving the operation instruction signal, the line control unit 13 can take countermeasures by outputting the switch control signal = “bus SWOFF (PO)” to the communication control device PO line SW 32 as the corresponding device.

  According to the first embodiment, it is possible to detect the simultaneous use of the line usage right permission signal GNT generated due to the occurrence of the sticking of the line 160 signal, which is considered as a failure mode, or the abnormality of the arbitration control unit 12, and to take countermeasures. It is possible to avoid data collisions and improve safety.

[Description of Example 2]
7 and 8, the failure mode and abnormal operation of the arbitration control unit monitored and detected by the line diagnosis apparatus, and another countermeasure method when an abnormality is detected will be described. FIG. 7 shows an abnormality detection means for the switch control signal and a diagnosis flow. FIG. 8 shows an abnormality detection means and a diagnosis flow of the line usage right grant signal GNT.

In FIG. 7, the arbitration control unit 12 monitoring unit 22 includes a bus SW output state CHK unit 26. The bus SW output state CHK unit 26 monitors the line 1 60 and the line 2 61. If the safety data transfer status signal = “safe data is being transferred” output from the central processing unit CPU 10 or the communication controller PO 30 as a part of the signal on the line 2 61, the safety data is being transferred. The transfer destination address slot and the on / off state of the switch control signal are compared and verified. The purpose of the output of the safety data transfer status signal = “safe data transfer” is to notify the entire control device that the safety data transfer is being performed. The types of data transferred to the line 261 are largely classified into “safety data” including input / output data and protection command data for the controlled object 70 and “general data” including communication data mainly used for monitoring and the like. Separated. The line diagnostic apparatus of the present invention is designed to protect the "safe data" transferred on the line 261 when "safe data is being transferred" is detected, when the controller itself is in the event of an abnormality related to any line or arbitration control unit. In order to prevent dangerous operation, measures are taken when diagnosis and abnormality are detected.

In FIG. 8, the monitoring controller 22 in the arbitration controller 12 has a GNT output state CHK unit 27. The GNT output state CHK unit 27 monitors the line 1 60 and the line 2 61. If the safety data transfer status signal = “safe” is indicated on the line 261, it is considered that safe data is being transferred, and the transfer destination address slot and the GNT output destination slot are compared and verified.

When an abnormality is detected in the means shown in FIGS. 7 and 8, the operation instruction unit 21 outputs an operation instruction signal to the line control unit 13. The line control unit 13 that has received the operation instruction signal recognizes that a switch control signal generated due to a certain failure mode of the arbitration control unit 12 or a GNT signal abnormality has occurred, and transitions to a stop processing state relating to the current output data. The stopping means can be considered as a method such as a current output data freeze or a safety stop by a savey shutdown signal output, but these methods are not limited to the present invention.

  According to the second embodiment, safety can be achieved by detecting and taking countermeasures against the occurrence of line 160 signal sticking that can be considered as a failure mode, or the erroneous output of a switch control signal or GNT signal caused by an abnormality in the arbitration control unit 12. Can be improved. Specifically, the means shown in FIG. 7 enables data collision avoidance when a double failure occurs when safe data protection is realized by bus SW on / off control. For example, in the case of adopting a measure for disconnecting the line SW of a device that may affect safety data by bus SW on / off control, the device side that disconnected the line SW malfunctions, and switch control to the device This means that it is possible to avoid an abnormality that may occur when a double failure occurs in which the signal becomes abnormal. In addition, the means shown in FIG. 8 can prevent a time-out due to a GNT signal output to an erroneous slot and a data collision when a double failure occurs. Contributes to safety improvements related to control operations.

[Description of Example 3]
In FIG. 9, the failure mode and abnormal operation of the arbitration control unit monitored and detected by the line diagnosis apparatus, and another countermeasure method when an abnormality is detected will be described. FIG. 9 shows an abnormality detection means and a diagnosis flow of the state change in the arbitration control unit 12 by the line diagnosis device 20.

  In FIG. 9, the monitoring unit 22 in the arbitration control unit 12 includes a state transition CHK unit 28. The state transition CHK unit 28 monitors the arbitration state transition STATE signal 23, the line 1 60, and the line 2 61 output from the arbitration control unit 12. The state transition CHK unit 28 checks the validity of the state transition order of the state transition STATE signal 23.

The state transition during normal operation performed by the arbitration unit 14 of the arbitration control unit 12 shown in FIG. 2 is as shown in FIG. Normally, as shown in FIG. 9, T0 (IDLE) 110 → T1 (ARB) 111 → T2
(ACKWAIT) 112 → T3 (ACKBUSY) 113 → T4 (WAIT) 114 is a state transition during normal operation. In this embodiment, the STATE signal 23 = 001 is output when STATE = T0, the STATE signal 23 = 002 is output when STATE = T1, and the STATE signal 23 = 011 → 100 → 101 is output in the same manner. The state transition CHK unit 28 includes CHK1 100 and CHK2 corresponding to the STATE signal 23 output at the time of the state transition.
101, CHK3 102, CHK4 103, and CHK5 104 are monitored, and when an abnormal state is detected, the same output data stopping measures as in the second embodiment are taken. CHK1 to CHK5 are realized not by software but by hardware, and a check timing is given by a switching trigger signal for switching state transition. The collation unit 29 that compares and collates the STATE signal expected values of CHK1 to CHK4 with the STATE signal 23 output from the arbitration unit 14 in FIG. 2 in the actual state transition CHK unit 28 in the monitoring unit 22, and includes a switching trigger. It has the means to perform collation by a signal.

As an example of abnormal operation, CHK1 100 = STATE = 001 and normal, CHK2
101 = STATE = 010 is normal, CHK3 102 = STATE = 100 (expected value = 011), and when a state transition abnormality is detected in the ACKWAIT state detected by CHK3 102, the GNT switching instruction (signal) 16 shown in FIG. May cause a data collision on the line 261 by simultaneously outputting the line use right grant signal GNT for a plurality of devices. When the abnormality is detected, the state transition CHK unit 28 reports to the operation instruction unit 21 as a function abnormality of the arbitration control unit 12, and takes measures to stop the output data by the method shown in the second embodiment.

According to the third embodiment, it occurs due to a state transition abnormality in the arbitration control unit 12 in the arbitration control unit 12 that can be considered as a failure mode, an internal logic state transition status bit garbled, or an LSI internal signal that realizes the arbitration control unit operation. By detecting and taking countermeasures for the state transition abnormality, it contributes to the safety improvement regarding the data transfer in the control device and the arbitration control operation as in the first embodiment.

[Description of Example 4]
The diagnostic test means of the line diagnostic apparatus will be described with reference to FIGS. FIG. 10 shows an operation flow during the diagnostic device test. FIG. 11 also shows an operation timing chart.

The control device shown in FIG. 10 includes a central processing unit CPU 10 and a line diagnosis device 20. In the central processing unit CPU 10, a microprocessor μP that generates a diagnostic test pattern used for performing a diagnostic test of the line diagnostic device 20 by software processing.
170, a diagnostic test pattern storage unit 15 for storing the generated test pattern, and a line control unit 13 for transferring the diagnostic test pattern via the line 261. Next, the configuration of the line diagnosis apparatus 20 is as follows. The line diagnostic device 20 includes a monitoring unit 22 that monitors signals on the lines 1 60 and 2 61, and a diagnostic test pattern that transfers and stores a diagnostic test pattern generated by the central processing unit CPU 10 via the line 2 61. A diagnostic control unit 125 that performs diagnostic test activation control according to software instructions by the setting unit 124 and the microprocessor 14 of the central processing unit CPU 10, and a diagnostic test activation command 122 that the diagnostic control unit performs according to the diagnostic test instructions 126 and 127. , 123 includes a switching SW-A 120 and a switching SW-B 121 for switching between a normal monitoring operation and a diagnostic test operation.

The operation flow will be described below with reference to FIG. The central processing unit CPU 10 creates a test pattern for the target line diagnostic device 20 by the microprocessor μP 170 and writes it to the diagnostic test pattern storage unit 15. The timing of writing takes a method of storing only the first time at the initial setting or updating and rewriting at every execution. As the diagnostic test pattern to be written, both a pattern in which the line diagnostic device 20 detects normality and a pattern in which the line diagnostic device 20 detects abnormality are prepared. FIG. 11 explains the contents of the test pattern details table. The test pattern information created by the microprocessor μP 170 includes a “GNT signal normal pattern” 160 that is a normal pattern and an abnormal pattern as a pattern that simulates the simultaneous output of the line usage right permission signal GNT described in the first embodiment. A “GNT signal abnormality pattern” 161 is generated and stored. Similarly, a “switch control signal normal pattern” 162 that is a normal pattern and a “switch control signal abnormal pattern” 163 that is an abnormal pattern are generated and stored as patterns that simulate the switch control signal abnormality described in the second embodiment. Similarly, as a pattern for simulating the state abnormality of the STATE signal 23 related to the state control described in the third embodiment, a “state transition STATE signal normal pattern” 164 which is a normal pattern and a “state transition STATE signal abnormality pattern” which is an abnormal pattern are used. 165 is generated and stored. The microprocessor μP 170 of the central processing unit CPU 10 sequentially reads the test patterns and writes the test patterns read out via the line 261 to the diagnostic test pattern setting unit 124 in the line diagnostic apparatus 20. When the writing of the test pattern is completed, the microprocessor μP 170 of the central processing unit CPU 10 issues a diagnostic test instruction 127 via the line 2 61 to the diagnosis control unit 125 in the line diagnostic apparatus 20. In response to this diagnostic test instruction, the diagnosis control unit 125 outputs switching instruction signals 122 and 123 to the switching SW-A 120 and the switching SW-B 121. The changeover SW-A 120 is a changeover switch for the line 2 61, and the changeover SW-B 121 is a changeover switch for the line 1 60. Both switching SWs have a role of outputting to the monitoring unit 22 by switching data and signals from the line 1 and line 2 sides and the data pattern of the diagnostic test pattern setting unit. During normal operation, SW-A 120 and SW-B 121 are connected to the line 1 60 and line 2 61 side. The switching SW-A 120 and the switching SW-B 121 switch the connection to the diagnostic test pattern setting unit 124 side by switching instruction signals 122 and 123 output from the diagnostic control unit 125 in response to the diagnostic test instruction 127. After the switching operation is completed, the test pattern data stored in the diagnostic test pattern setting unit 124 is output to the monitoring unit 22 via the switching SW-A 120 and the switching SW-B 121. After receiving the test pattern, the monitoring unit 22 performs the test operation of the monitoring unit, and writes the result to the diagnosis status unit 125 when the normal pattern is received. If an abnormal pattern is received, the result is similarly written to the diagnosis status unit 125. After completion of the diagnostic test writing, a completion notification 126 is sent to the central processing unit CPU 10 by setting a diagnostic test writing completion flag in the diagnostic status unit 125. The central processing unit CPU 10 that has received the completion notification 126 reads the result information of the diagnosis status unit 125 and performs the result determination. The expected value when writing a normal pattern is “status = normal”, and the expected value when writing an abnormal pattern is “status = abnormal”. If a result contrary to this is obtained, it is determined as a diagnostic test error. When a diagnostic test error is detected, it means that the diagnostic operation related to the arbitration control of the line diagnostic device 20 does not function normally. When the diagnostic test is abandoned, there is no problem in the normal operation, but the arbitration control unit When an abnormality occurs, an abnormality cannot be detected. Therefore, when a double failure occurs, an impact on safety can be considered. Therefore, when the central processing unit CPU 10 detects a diagnostic test error, it takes means for stopping the safety data.

Next, FIG. 12 shows an operation timing chart during the diagnostic test of the line diagnostic apparatus 20. FIG. 12 shows the timing at the time of a diagnostic test operation between the central processing unit CPU 10 and the line diagnostic device 20 according to the present invention, and between the other input device 1 and the line 261. Central processing unit CPU 10 first performs a diagnostic test on line 2 61. By outputting the line 2 diagnostic test command 140 from the central processing storage device CPU 10, the line 2 diagnostic apparatus performs the diagnostic test processing 145 for the line 2 61. When the process is completed, the central processing unit CPU 10 receives an end confirmation ACK 141 and recognizes the completion of the process. After completion of the line 2 diagnostic test process, the central processing unit CPU 10 proceeds to a diagnostic test for the line diagnostic apparatus 20 and a diagnostic test process for other apparatuses. As described with reference to FIGS. 10 and 11 of this embodiment, the central processing unit CPU 10 issues a test pattern setting 142 and issues a diagnostic test trigger command 143. Thereby, the diagnostic test operation 146, by each device,
147 is performed, and finally an end confirmation ACK 144 is received as an end confirmation to recognize the completion of the process.

  According to the fourth embodiment, the diagnostic test of the line diagnostic device 20 according to the present invention is performed by the test pattern generated by the microprocessor μP 170 of the central processing unit CPU 10 to cause a double failure. It is possible to ensure safety in the case of failure. This diagnostic test process is performed by allocating a part of software processing time to the test process in the control cycle during execution of the online process.

  In the above, each device such as the line diagnosis device 20 has been shown using a functional block diagram, but it is needless to say that the device may be constituted by a central processing unit and a program for realizing the above-described functions.

The line diagnostic equipment whole block diagram. Line diagnosis device internal configuration diagram. The state transition at the time of normal operation | movement, and a timing chart figure. Arbitration control unit by software Diagnosis example diagram. Line diagnosis apparatus FIG. Line diagnosis apparatus FIG. Line diagnosis apparatus FIG. Line diagnosis apparatus FIG. Line diagnosis apparatus FIG. Line diagnosis apparatus FIG. Line diagnosis apparatus FIG. Line diagnosis apparatus FIG.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 ... Central processing memory CPU, 11 ... Data register, 12 ... Arbitration control part, 13 ... Line control part (CPU), 14 ... Arbitration part, 15 ... GNT production | generation part, 16 ... GNT switching instruction, 20 ... Line diagnostic apparatus , 21 ... operation instruction section, 22 ... monitoring section, 23 ... STATE signal, 24 ... operation instruction signal, 25 ... GNT simultaneous output CHK section, 26 ... bus SW output state CHK section, 27 ...
GNT output state CHK section, 28 ... state transition CHK section, 29 ... collation section, 30 ... communication control apparatus PO, 31 ... line control section (communication control apparatus PO), 32 ... line SW (communication control apparatus PO), 33 ... Data register (communication control device PO), 35, 85, 95, 97... Line usage right permission signal GNT, 36, 86, 96, 98... Line usage right request signal REQ, 40. Input device 1), 42 ... Input data register (input device 1), 43 ... Process input data, 50 ... Output device 1, 51 ... Line SW (output device 1), 52 ... Output data register (output device 1), 53 ... Process output data, 60 ... Line 1, 61 ... Line 2,
62 ... line 3, 70 ... control target, 80 ... communication control device P1, 90 ... communication control device P2,
100 ... state transition CHK1, 101 ... state transition CHK2, 102 ... state transition CHK3,
103 ... State transition CHK4, 104 ... State transition CHK5, 110 ... State IDLE, 111 ... State ARB, 112 ... State ACKWAIT, 113 ... State ACKBUSY, 114 ... State WAIT, 120 ... Switching SW-A, 121 ... Switching SW-B 122, 123 ... switching instruction signal, 124 ... diagnostic test pattern setting unit, 125 ... diagnostic control unit / diagnostic status unit,
126: diagnostic test status confirmation, 127: diagnostic test instruction, 130, 131, 132: arbitration control unit diagnostic processing, 133: input processing A, 134: input processing B, 135: arithmetic processing, 140: line 2 diagnostic test command, 141: Termination confirmation ACK (line 2 diagnostic test command),
142 ... test pattern setting instruction, 143 ... diagnostic test trigger command, 144 ... end confirmation ACK (line 1 diagnostic test command), 145 ... diagnostic 2 diagnostic test processing, 146 ... diagnostic 1 diagnostic test processing, 147 ... input device 1 diagnostic test Processing, 153, 154, 155... Switch control signal.

Claims (16)

  An apparatus for transferring information about a control target via a second communication line, an arbitration control unit for transferring a signal for arbitrating the right to use the second communication line via the first communication line; A diagnostic unit that monitors the signal of the first communication line to determine abnormality of the arbitration unit, and the diagnostic unit suppresses communication of the second communication line when the abnormality of the arbitration unit is determined; A line diagnostic apparatus that outputs a signal to be transmitted.   2. The line diagnosis apparatus according to claim 1, wherein the first communication line includes at least part of parallel transmission, and the second communication circuit includes at least part of serial transmission.   2. The line diagnosis apparatus according to claim 1, wherein the abnormality determination is performed in conjunction with monitoring of the communication operation of the first communication line and monitoring of the communication operation of the second communication line.   2. The line diagnosis apparatus according to claim 1, wherein when a plurality of communication control apparatuses are simultaneously permitted to communicate on the second communication line, the arbitration unit is determined to be abnormal.   5. The control object information exchange according to claim 4, wherein control object information is exchanged with the central processing unit when the abnormality is determined, and is related to communication from the central processing unit. A line diagnostic apparatus characterized in that an operation stop is instructed.   The control object information is exchanged with the central processing unit via the second communication line according to claim 1, and the diagnosis unit is hardware separated from the central processing unit. A line diagnostic apparatus characterized by comprising.   Data is transmitted / received to / from the communication control device via the second communication line, and a connection device that transmits / receives information to / from the control target via the second communication line from the central processing unit, and at least part of the data is transmitted by serial transmission. An arbitration control unit that arbitrates the right to use a second communication line, a line use request, and a line in a control apparatus that exchanges information with a control target via a third communication line connected to a base or a plurality of communication control apparatuses A first communication line for communicating a use permission signal; and a line diagnosis device connected to the first communication line, monitoring the first communication line and the second communication line, and an arbitration control unit; A line having means for detecting an abnormal operation of a signal related to the first communication line, and means for instructing stop of communication of the second communication line via the second communication line after the abnormality is detected Diagnostic device.   8. The bus switch for connecting or disconnecting the path of the second communication line via the first communication line and a connection or disconnection command to the bus switch by the arbitration control unit according to claim 7. A signal is output, the first communication line is monitored by the line diagnostic device, an arbitration control unit for connecting / disconnecting a second communication line route, and detecting an abnormal operation of the output signal And a means for stopping data output by outputting an operation instruction to the second communication line control section after the abnormality is detected.   9. The plurality of devices in the first communication line use permission signal according to claim 7, wherein the first communication line use permission signal is output to each device that can use the second communication line including the central processing unit and the communication control device. In conjunction with monitoring of the safe operation signal indicating the safety data transfer output from the line control unit, and monitoring the simultaneous output to the A line diagnosis apparatus comprising: means for detecting abnormal operation due to simultaneous output of permission signals; and means for stopping data output by outputting an operation instruction to the second communication line control unit after abnormality detection .   9. The communication control device according to claim 7 or 8, wherein the central processing unit and the second communication line can be used, and an input device and an output device that control an object to be controlled via the second communication line. Monitors the output signal to be output to the bus switch in the first communication line, or the output signal that becomes the non-connection command and the transfer destination address information in the second communication line, and during the safety data transfer output by the line control unit In conjunction with the monitoring of the safe operation signal shown, the data transfer arbitration during the safe operation while suppressing the interruption of the data transfer, the output signal that becomes the connection / disconnection command to the bus switch and the transfer destination address information comparison A line diagnostic apparatus comprising: means for detecting an abnormal operation when a mismatch is detected; and means for stopping data output by outputting an operation instruction to the second communication line control unit after the abnormality is detected.   9. The first in-communication line use permission signal and the second communication line that are output to each of the central processing storage device and each device that can use the second communication line including the central communication storage device according to claim 7. The internal transfer destination address information is monitored, and in conjunction with the monitoring of the safe operation signal indicating that the safe data transfer is output from the line control unit, the use is performed during the data transfer arbitration during the safe operation without interrupting the data transfer. Means for detecting an abnormal operation when a mismatch is detected in the comparison of the permission signal and the transfer destination address information, and means for stopping data output by outputting an operation instruction to the second communication line control unit after the abnormality is detected. A line diagnostic device characterized by the above.   9. The state signal output from the arbitration control unit according to claim 7 or 8 is monitored, and the safety operation is performed without interrupting the data transfer in conjunction with the monitoring of the safety operation signal indicating the safety data transfer output from the line control unit. Means for detecting an abnormal state transition of the state signal during data transfer arbitration, and means for stopping data output by outputting an operation instruction to the second communication line control unit after the abnormality is detected. Line diagnostic equipment.   12. The abnormality in the case of an abnormal pattern according to any one of claims 7 to 11, comprising both a test pattern having a normal status as an expected value and a test pattern having an abnormal status as an expected value, generated by the microprocessor of the central processing unit. A test pattern whose operation can be detected is included, written in the line diagnostic apparatus via the second communication line, switched to a test circuit based on a diagnostic test command from the microprocessor μP, and stored in the line diagnostic apparatus. A means for performing a test of the monitoring unit; and a means for storing the diagnostic test result in the line diagnostic apparatus, reading the result from the CPU via the second communication line, and performing a test operation completion report. Line diagnostic equipment.   Information about the controlled object is exchanged via the second communication line, a signal is exchanged via the first communication line to arbitrate the right to use the second communication line, and the signal of the first communication line And diagnosing an abnormality in the arbitration unit, and when determining an abnormality in the arbitration unit, a line diagnosis method for outputting a signal for suppressing communication on the second communication line.   When the signal transmitted / received via the first communication line to mediate the right to use the second communication line is monitored, the abnormality is determined based on the monitoring, and the arbitration unit determines that the abnormality is present, A line diagnosis method for outputting a signal for suppressing communication of a second communication line. The arithmetic unit is caused to monitor a signal transmitted / received via the first communication line in order to arbitrate the right to use the second communication line, determine an abnormality based on the monitoring, and determine that the arbitration unit is abnormal If so, a line diagnosis program for outputting a signal for suppressing communication of the second communication line.

Images