JP2017021712A - Multiplex control apparatus - Google Patents

Abstract

A multiplexing control apparatus capable of coping with a double failure by a function of an output unit or the like is provided. According to one embodiment, a multiplexing control apparatus converts first to Nth input units (N ≧ 3) for converting an input signal into an input value and outputting the input value, and the input value. To generate an output value, and output the output value, the first to Nth arithmetic units, and convert the output value into an output signal, and output the output signal to the majority unit, the first to Nth outputs A part. Each output unit converts the output value into first and second signals, and supplies the first and second signals to the first and second circuits of each output unit, respectively. Further, the second circuit of the Xth output unit (X = 1 to N) outputs the second signal to the first circuit of the Yth output unit (Y = 1 to N). Further, the first circuit of the X-th output unit receives the second signal from the second circuit of the Z-th output unit (Z = 1 to N) and receives at least one of the first and second signals. Output as the output signal. [Selection] Figure 2

Description

  Embodiments described herein relate generally to a multiplexing control apparatus.

  Generally, a control device that controls a power plant or the like needs to continue control without erroneous output even if a single failure of the control device occurs. For this reason, such a control device often uses a triple or higher multiplexing architecture so that the control can be continued without error even in the event of a single failure. Such a control device is called a multiplexing control device.

  FIG. 15 is a block diagram showing an example of the configuration of the conventional multiplexing control apparatus 2.

  The multiplexing control device 2 in FIG. 15 is a triple control device, and is connected to the input devices 1A to 1C and the output device 3. The multiplexing control device 2 includes input units 10A to 10C, calculation units 20A to 20C, output units 30A to 30C, and a majority decision unit 40. In addition, the calculation units 20A to 20C include calculation processing units 21A to 21C, diagnosis units 22A to 22C, and communication units 23A to 23C, respectively. The multiplexing control device 2 includes an A system including an input unit 10A, an arithmetic unit 20A, and an output unit 30A, a B system including an input unit 10B, an arithmetic unit 20B, and an output unit 30B, an input unit 10C, and an arithmetic unit. There are three C systems including 20C and an output unit 30C.

  The input units 10A to 10C receive input signals from the input devices 1A to 1C, convert the received input signals into input values, and output the input values to the input value lines 51A to 51C. The arithmetic units 20A to 20C receive input values from the input value lines 51A to 51C, calculate the received input values, generate output values, and output the output values to the output value lines 52A to 52C. The output units 30A to 30C receive output values from the output value lines 52A to 52C, convert the received output values into output signals, and output the output signals to the output signal lines 53A to 53C.

  The arithmetic processing unit 21A calculates an input value from the input unit 10A to generate an output value, and outputs the output value to the output value line 52A. The same applies to the arithmetic processing units 21B and 21C.

  The communication units 23A and 23B are connected to each other via a network 55A. The communication units 23B and 23C are connected to each other via a network 55B. The communication units 23C and 23A are connected to each other via a network 55C.

  The communication unit 23A supplies the input value from the input unit 10A and the output value generated by the arithmetic processing unit 21A to the communication units 23B and 23C via the networks 55A and 55C. Further, the communication unit 23A receives an input value from the input unit 10B and an output value generated by the arithmetic processing unit 21B from the communication unit 23B via the network 55A. Further, the communication unit 23A receives the input value from the input unit 10B and the output value generated by the arithmetic processing unit 21C from the communication unit 23C via the network 55C. The same applies to the communication units 23B and 23C.

  The diagnosis unit 22A performs a diagnosis process using the input value received from the input unit 11A, the output value generated by the arithmetic processing unit 21A, and the input value and output value received from the communication units 23B and 23C. The same applies to the diagnosis units 22B and 22C.

  The majority decision unit 40 receives the output signals from the output signal lines 53A to 53C, performs a majority decision to take a majority decision of the received output signals, and outputs the output signal selected by the majority decision as a system output signal. The system output signal is output to the output device 3 via the system output signal line 54. The majority decision unit 40 performs a “2 out of 3” majority operation for selecting a system output signal that matches two or more output signals from the three output signals. The operation of the output device 3 is controlled by this system output signal.

  As a result, the multiplexing control device 2 can continue the control with the correct output even if a failure occurs in one of the input units 10A to 10C, the calculation units 20A to 20C, and the output units 30A to 30C. Can do. The reason is that although one of the output units 30A to 30C cannot perform correct output due to this failure, the other two can perform correct output, so that the multiplexing control device 2 can perform correct output by majority vote.

  As described above, the multiplexing control device 2 needs to continue control even if such a single failure occurs. Even when the first failure occurs, the multiplexing control device 2 is required to continue the control while maintaining the failure state. In this case, if an unexpected second failure occurs, an abnormality may occur in the output of the multiplexing control device 2 by the following mechanism.

  FIG. 16 is a table for explaining the operation of the multiplexing control device 2 of FIG.

  When the first failure occurs in the output unit 30A, the majority output 40 has a large number of normal outputs 2 to 1, and the system output signal has a normal value due to the majority. However, when the second failure occurs in the output unit 30B while the first failure state is maintained, the majority output 40 has a large number of abnormal outputs 2 to 1, and the system output signal becomes an abnormal value due to the majority. .

  FIG. 17 is a block diagram showing another example of the configuration of the conventional multiplexing control device 2.

  In FIG. 17, in order to solve such a problem of double failure, the majority decision result is obtained by the majority decision unit 40 so that the abnormal output is not majority by detecting information about the fault system and inputting it to the majority decision unit 40. To operate. Specifically, the fault system detection unit 61 inputs information on which output unit of the output units 30 </ b> A to 30 </ b> C has failed to the majority decision unit 40 via the signal line 62. As a result, the majority decision unit 40 can operate the output, and can output a safety signal for the controlled device (output device 3) to be in a safe state even in the event of a double failure.

Japanese Patent No. 4701203 JP 2011-216002 A

  However, in the multiplexing control device 2 of FIG. 17, the function of inputting the fault system information from the fault system detection unit 61 and the function of operating the majority result are required for the majority unit 40. Therefore, the majority decision unit 40 in FIG. 17 needs to be configured as a device having a complicated calculation function.

  On the other hand, the output units 30A to 30C of the power plant multiplexing control device 2 need to be designed in accordance with various output signal specifications of the power plant. However, when the majority decision unit 40 is provided with a complicated calculation function as shown in FIG. 17, it is difficult to prepare the majority decision unit 40 suitable for various output signal specifications. Therefore, in this case, it is difficult to provide the multiplexing control device 2 that can be applied at various places in the power plant.

  Therefore, an object of the present invention is to provide a multiplexing control apparatus that can cope with a double failure by a function of an output unit or the like.

  According to one embodiment, the multiplexing control apparatus includes first to Nth input units (N is an integer of 3 or more) that converts an input signal into an input value and outputs the input value. The apparatus further includes first to Nth computing units that compute the input value to generate an output value and output the output value. The apparatus further includes first to Nth output units that convert the output value into an output signal and output the output signal to a majority decision unit that performs a majority decision on the output signal. Furthermore, each output unit includes first and second circuits, converts the output value into first and second signals, and supplies the first and second signals to the first and second circuits, respectively. Further, the second circuit of the X-th output unit (X is an integer from 1 to N) receives the second signal generated by the X-th output unit, and receives the received second signal as a Y-th output unit ( Y is an integer from 1 to N different from X). Further, the first circuit of the X-th output unit receives the first signal generated by the X-th output unit, and the Z-th output unit (Z is an integer from 1 to N different from X and Y). The second signal is received from the second circuit, and at least one of the received first and second signals is output to the majority decision unit as the output signal.

It is a block diagram which shows the structure of the multiplexing control apparatus of 1st Embodiment. It is a block diagram which shows the structure of the output part of the multiplexing control apparatus of 1st Embodiment. It is a sequence diagram which shows operation | movement of the multiplexing control apparatus of 1st Embodiment. It is another sequence diagram which shows the operation | movement of the multiplexing control apparatus of 1st Embodiment. It is a table | surface for demonstrating the operation | movement at the time of the failure of the multiplexing control apparatus of 1st Embodiment. It is a block diagram which shows the structure of the output part of the multiplexing control apparatus of 2nd Embodiment. It is a table | surface for demonstrating the failure of the multiplexing control apparatus of 2nd Embodiment. It is a block diagram which shows the structure of the calculating part of the multiplexing control apparatus of 3rd Embodiment. It is a table | surface for demonstrating the failure of the multiplexing control apparatus of 3rd Embodiment. It is a block diagram which shows the structure of the output part of the multiplexing control apparatus of 4th Embodiment. It is a table | surface for demonstrating operation | movement of the multiplexing control apparatus of 4th Embodiment. It is a table | surface for demonstrating operation | movement of the multiplexing control apparatus of 7th Embodiment. It is a table | surface for demonstrating operation | movement of the multiplexing control apparatus of 7th Embodiment. It is a block diagram which shows the structure of the calculating part of the multiplexing control apparatus of 8th Embodiment. It is a block diagram which shows the example of a structure of the conventional multiplexing control apparatus. 16 is a table for explaining the operation of the multiplexing control apparatus of FIG. It is a block diagram which shows another example of a structure of the conventional multiplexing control apparatus.

  Embodiments of the present invention will be described below with reference to the drawings.

  1 to 14, the same or similar components as those shown in FIGS. 15 and 17 are denoted by the same reference numerals, and the description overlapping with the description of FIGS. 15 and 17 is omitted.

(First embodiment)
FIG. 1 is a block diagram showing the configuration of the multiplexing control device 2 of the first embodiment.

  The multiplexing control device 2 in FIG. 1 includes input units 10A to 10C that are examples of first to Nth input units (N is an integer of 3 or more), and an arithmetic unit 20A that is an example of first to Nth arithmetic units. To 20C, output units 30A to 30C, which are examples of the first to Nth output units, and a majority decision unit 40. The calculation units 20A to 20C include calculation processing units 21A to 21C, diagnosis units 22A to 22C, and communication units 23A to 23C, respectively.

  The input unit 10A converts the input signal received from the input device 1A into an input value, and outputs the input value to the input value line 51A. The computing unit 20A computes the input value received from the input value line 51A to generate an output value, and outputs this output value to the output value line 52A. The calculation unit 20A receives the output value generated by the calculation unit 20C from the network 55C and outputs the output value to the output value line 52A. The output unit 30A converts the output value received from the output value line 52A into an output signal, and outputs this output signal to the output signal line 53A.

  Similarly, the input unit 10B converts the input signal received from the input device 1B into an input value, and outputs the input value to the input value line 51B. The computing unit 20B computes the input value received from the input value line 51B to generate an output value, and outputs this output value to the output value line 52B. In addition, the calculation unit 20B receives the output value generated by the calculation unit 20A from the network 55A, and outputs the output value to the output value line 52B. The output unit 30B converts the output value received from the output value line 52B into an output signal, and outputs this output signal to the output signal line 53B.

  Similarly, the input unit 10C converts the input signal received from the input device 1C into an input value, and outputs the input value to the input value line 51C. The computing unit 20C computes the input value received from the input value line 51C to generate an output value, and outputs this output value to the output value line 52C. The calculation unit 20C receives the output value generated by the calculation unit 20B from the network 55B, and outputs the output value to the output value line 52C. The output unit 30C converts the output value received from the output value line 52C into an output signal, and outputs this output signal to the output signal line 53C.

  The majority decision unit 40 receives the output signals from the output signal lines 53A to 53C, performs a majority decision to take a majority decision of the received output signals, and outputs the output signal selected by the majority decision as a system output signal. The system output signal is output to the output device 3 via the system output signal line 54. The majority decision unit 40 performs a “2 out of 3” majority operation for selecting a system output signal that matches two or more output signals from the three output signals. The operation of the output device 3 is controlled by this system output signal.

  Examples of the input signal are a signal indicating the operation content of the switch and the button, a signal indicating the temperature and pressure measured by the temperature sensor and the pressure sensor, and a signal indicating the speed and rotation speed of the device. The input devices 1A to 1C of the present embodiment supply the same input signal to the input units 10A to 10C. The input signal may be a digital signal, an analog signal, or a pulse signal.

  When the input signal is a digital signal, the input units 10A to 10C convert the input signal into an input value, for example, by digital filtering of the input signal. When the input signal is an analog signal, the input units 10A to 10C convert the input signal into an input value by A / D (analog / digital) conversion of the input signal, for example. When the input signal is a pulse signal, the input units 10A to 10C, for example, convert the input signal into an input value by counting the number of pulses.

  On the other hand, examples of the output device 3 are a motor and a valve in a power plant. An example of the output value is a value indicating a digital output condition for operating the motor or the valve. For example, the output units 30A to 30C convert the output value into an output signal by binarizing the output value.

  The multiplexing control device 2 of FIG. 1 further includes signal lines 56A to 56C. The signal line 56A is connected to the output units 30A and 30B, and is connected in series with the output signal line 53A. The signal line 56B is connected to the output units 30B and 30C, and is connected in series with the output signal line 53B. The signal line 56C is connected to the output units 30C and 30A, and is connected in series with the output signal line 53C. Details of the signal lines 56A to 56C will be described with reference to FIG.

  FIG. 2 is a block diagram illustrating a configuration of the output units 30A to 30C of the multiplexing control device 2 of the first embodiment.

  Each of the output units 30A to 30C includes main output circuits 31A to 31C which are examples of the first circuit, and sub output circuits 32A to 32C which are examples of the second circuit. The main output circuits 31A to 31C are connected to the majority decision unit 40 by output signal lines 53A to 53C, respectively. The main output circuit 31A and the sub output circuit 32B are connected to each other by a signal line 56A. The main output circuit 31B and the sub output circuit 32C are connected to each other by a signal line 56B. The main output circuit 31C and the sub output circuit 32A are connected to each other by a signal line 56C. The sub output circuits 32A to 32C are connected to a fixed potential (for example, ground potential) by signal lines 57A to 57C, respectively.

  Furthermore, the output units 30A to 30C include test units 36A to 36C, respectively. Details of the test units 36A to 36C will be described in the seventh embodiment.

  The output unit 30A receives the output value generated by the calculation unit 20A and the output value generated by the calculation unit 20C from the output value line 52A. The output unit 30A converts the former output value into a main output signal that is an example of the first signal, and supplies the main output signal to the main output circuit 31A. The output unit 30A further converts the latter output value into a sub output signal that is an example of the second signal, and supplies the sub output signal to the sub output circuit 32A.

  Similarly, the output unit 30B receives the output value generated by the calculation unit 20B and the output value generated by the calculation unit 20A from the output value line 52B. The output unit 30B converts the former output value into a main output signal that is an example of the first signal, and supplies the main output signal to the main output circuit 31B. The output unit 30B further converts the latter output value into a sub output signal that is an example of the second signal, and supplies the sub output signal to the sub output circuit 32B.

  Similarly, the output unit 30C receives the output value generated by the calculation unit 20C and the output value generated by the calculation unit 20B from the output value line 52C. The output unit 30C converts the former output value into a main output signal that is an example of the first signal, and supplies the main output signal to the main output circuit 31C. The output unit 30C further converts the latter output value into a sub output signal that is an example of the second signal, and supplies the sub output signal to the sub output circuit 32C.

  The main output signal and the sub output signal of the present embodiment are signals having the same function as the above-described output signal. For example, when the output signal is a binary signal indicating a digital output condition, the main output signal and the sub output signal are also binary signals indicating a digital output condition. Both the main output signal and the sub output signal of this embodiment can function as the above-described output signal.

  The main output circuits 31A to 31C and the sub output circuits 32A to 32C of the present embodiment function as switches for the output signal lines 53A to 53C and the signal lines 56A to 56C, respectively, and enter the safe state according to the main output signal and the sub output signal. Take two switch states in the dangerous state.

  The safe side state of the switch indicates, for example, a state where the signal line is released and a state where the signal line is opened. On the other hand, the dangerous state of the switch indicates, for example, a connection state of signal lines and a state where the signal lines are closed. In this case, the state of each switch when the output units 30A to 30C are turned off corresponds to the safe side state. An example of the system output signal in this case is a control signal for supplying power to the motor that drives the power plant. The reason is that such motors are generally safer when the power is cut off and at a standstill than when the motor is powered and in an operating state.

  In the present embodiment, the signal line release state is the safe side state, but the signal line connection state may be a safe side state. An example of the system output signal in this case is a control signal for supplying electric power to the solenoid valve in the power plant. The reason is that such a solenoid valve is generally safer in a state where it can be operated with power supplied, rather than in a state where it cannot operate because the power is cut off. An example of such a case will be described in the sixth embodiment.

  Hereinafter, an operation in which the output units 30A to 30C output an output signal will be described using the operation of the output unit 30A as an example. In the following description, the output unit 30A is an example of the Xth output unit (X is an integer of 1 to N). The output unit 30C is an example of a Y-th output unit (Y is an integer from 1 to N different from X). The output unit 30B is an example of a Zth output unit (Z is an integer from 1 to N different from X and Y). The calculation unit 20A is an example of an Xth calculation unit corresponding to the Xth output unit. The calculation unit 20C is an example of a Yth calculation unit corresponding to the Yth output unit. The following description applies not only to the output unit 30A but also to the output units 30B and 30C.

  The sub output circuit 32A of the output unit 30A receives the sub output signal generated by the output unit 30A. The secondary output signal has one of a first value indicating a released state and a second value indicating a connected state. An example of the first value is high and an example of the second value is low. When the sub output signal has the first value, the sub output circuit 32A is in a released state. As a result, the sub output signal having the first value is output from the sub output circuit 32A to the main output circuit 31C of the output unit 30C via the signal line 56C. On the other hand, when the sub output signal has the second value, the sub output circuit 32A is in a connected state. As a result, the secondary output signal having the second value is output from the secondary output circuit 32A to the main output circuit 31C of the output unit 30C via the signal line 56C.

  The main output circuit 31A of the output unit 30A receives the main output signal generated by the output unit 30A. The main output signal also has one of a first value indicating a released state and a second value indicating a connected state. As described above, the first value example is high and the second value example is low. When the main output signal has the first value, the main output circuit 31A is released. As a result, the main output signal having the first value is output as an output signal from the main output circuit 31A to the majority decision unit 54 via the output signal line 53A. On the other hand, when the main output signal has the second value, the main output circuit 31A is in a connected state. As a result, the main output signal having the second value is output as an output signal from the main output circuit 31A to the majority decision unit 54 via the output signal line 53A.

  Further, the main output circuit 31A of the output unit 30A receives the sub output signal from the sub output circuit 32B of the output unit 30B via the signal line 56A. As described above, the signal line 56A is connected in series to the output signal line 53A. Therefore, when the sub output signal has the first value, the sub output signal having the first value is output as an output signal from the main output circuit 31A to the majority decision unit 54 via the output signal line 53A. On the other hand, when the secondary output signal has the second value, the secondary output signal having the second value is output as an output signal from the main output circuit 31A to the majority decision unit 54 via the output signal line 53A.

  In the present embodiment, an example of the first value indicating the release state is a positive voltage, and an example of the second value indicating the connection state is a zero voltage. Therefore, when at least one of the main output circuit 31A and the sub output circuit 32B is released, the output signal line 53A is released. On the other hand, when both the main output circuit 31A and the sub output circuit 32B are connected, the output signal line 53A is connected. As described above, the state of the output signal line 53A of the output unit 30A can be operated not only by the output unit 30A itself by the main output circuit 31A but also by the auxiliary output circuit 32B. Similarly, the state of the output signal line 53B can be operated by the output units 30B and 30C, and the state of the output signal line 53C can be operated by the output units 30C and 30A.

  When only the main output circuit 31A is in the released state among the main output circuit 31A and the sub output circuit 32B, the main output signal having the first value becomes the output signal of the output signal line 53A. When only the sub output circuit 32B is in the released state among the main output circuit 31A and the sub output circuit 32B, the sub output signal having the first value becomes the output signal of the output signal line 53A. On the other hand, when both the main output circuit 31A and the sub output circuit 32B are in the released state, the combined signal of the main output signal having the first value and the sub output signal having the first value is the output signal of the output signal line 53A. It becomes.

  FIG. 3 is a sequence diagram showing the operation of the multiplexing control device 2 of the first embodiment. FIG. 3 shows a sequence diagram focusing on the handling of the output signal line 53A.

  First, the input units 10A and 10B convert an input signal into an input value (steps S1A and S1B). Next, the arithmetic units 20A and 20B generate output values from the input values (steps S2A and S2B). Next, arithmetic units 20A and 20B (and 20C) exchange the generated output values with each other (steps S3A and S3B). Next, each of the arithmetic units 20A and 20B transmits the generated output value and the exchanged output value to the output units 30A and 30B (steps S4A and S4B).

  Next, the output unit 30A performs main output processing on the main output circuit 31A, and the output unit 30B performs sub output processing on the sub output circuit 32B (steps S5A and S5B). Specifically, the output unit 30A converts the output value into a main output signal and supplies the main output signal to the main output circuit 31A. On the other hand, the output unit 30B converts the output value into a sub output signal and supplies the sub output signal to the sub output circuit 32B. As a result, the output signal line 53A is released or connected.

  When there is no failure in the output units 30A and 30B, the main output circuit 31A and the sub output circuit 32B operate in synchronization, and the state of the output signal line 53A is determined by the states of the main output circuit 31A and the sub output circuit 32B. The The same applies to the output signal lines 53B and 53C.

  FIG. 4 is another sequence diagram showing the operation of the multiplexing control device 2 of the first embodiment. FIG. 4 shows a sequence diagram focusing on the handling of the output signal lines 53A to 53C.

  The processes in steps S1A to S5C in FIG. 4 are performed in the same manner as the processes in steps S1A to S5B in FIG. As a result, the output signal lines 53A to 53C are brought into a released state or a connected state by output signals from the output units 30A to 30C. Next, the majority decision unit 40 performs a majority decision on these output signals and outputs a system output signal (steps S6 and S7).

  FIG. 5 is a table for explaining the operation at the time of failure of the multiplexing control device 2 of the first embodiment.

  FIG. 5 shows the state of the signal lines 53A, 53B, 53C, 54 when an abnormality occurs in the output unit 30A, and the state of the signal lines 53A, 53B, 53C, 54 when an abnormality occurs in the output units 30A, 30B. It shows. The former corresponds to a single failure (single failure), and the latter corresponds to a double failure.

  First, when the first failure occurs in the output unit 30A, the main output circuit 31A and the sub output circuit 32A are in an incorrect output state. However, since the state of the signal line 53A depends not only on the main output circuit 31A but also on the sub output circuit 32B, it becomes a correct state. Similarly, since the state of the signal line 53C depends not only on the sub output circuit 32A but also on the main output circuit 31C, it becomes a correct state. On the other hand, the state of the signal line 53B is correct because it does not depend on the main output circuit 31A or the sub output circuit 32A.

  Thus, when the first failure occurs in the output unit 30A, the signal lines 53A to 53C are all in the correct state. Therefore, the state of the system output signal line 54 is also correct.

  Next, when the second failure occurs in the output unit 30B without eliminating the first failure, the signal line 53A enters an incorrect state. However, the remaining signal lines 53B and 53C are kept in the correct state. Therefore, in the majority decision unit 40, the normal output becomes a majority of 2 to 1, and the system output signal line 54 is in a correct state.

  As described above, the output units 30A to 30C of the present embodiment include the main output circuits 31A to 31C and the sub output circuits 32A to 32C, respectively, and the output signal lines 53A to 53C are connected to the main outputs in different output units. Controlled by circuit and sub-output circuit. Therefore, according to the present embodiment, even when a double failure occurs in the output units 30A to 30C, an output signal with a large number of normal outputs can be supplied to the majority decision unit 40.

  Therefore, in this embodiment, for example, even if the majority voting unit 40 having a simple configuration is employed without having a complicated configuration in the majority voting unit 40, safe control is continued even when the multiplexing control device 2 has a double failure. can do. As described above, according to the present embodiment, it is possible to provide the multiplexing control device 2 that can cope with a double failure by the functions of the output units 30A to 30C and the like.

  Further, the main output circuits 31A to 31C of this embodiment handle the safe side state (release state) of the main output signal and the sub output signal by OR operation, and the dangerous side state (connection state) of the main output signal and the sub output signal. Is handled with an AND operation. Therefore, in this embodiment, when the system output signal is in an incorrect state, the ratio of the system output signal erroneously entering the dangerous side state is decreased, and the ratio of the system output signal erroneously entering the safe side state is increased. it can. Therefore, according to this embodiment, it becomes possible to improve the safety | security at the time of the failure of the multiplexing control apparatus 2. FIG.

(Second Embodiment)
FIG. 6 is a block diagram illustrating a configuration of the output unit 30A of the multiplexing control device 2 according to the second embodiment. The following description also applies to the output units 30B and 30C.

  The output unit 30A of the present embodiment includes a main output circuit 31A, a sub output circuit 32A, a diagnosis input unit 33A that is an example of a diagnosis unit, and a determination unit 34A that is an example of a first determination unit.

  The diagnosis input unit 33A diagnoses the value of the signal on the signal line 56A. Thereby, it is diagnosed whether the value of this signal is the first value or the second value. As described above, the signal line 56A is connected in series with the output signal line 53A. Therefore, the signal value on the signal line 56A is the same as the signal value on the output signal line 53A. Therefore, the diagnosis input unit 33A can diagnose the value of the output signal supplied from the output unit 30A to the majority decision unit 40 by diagnosing the value of the signal on the signal line 56A. The diagnosis input unit 33A is configured by a circuit element such as a photocoupler.

  The determination unit 34A detects a failure in the output units 30A and 30B based on the value of the main output signal generated by the output unit 30A and the value of the output signal diagnosed by the diagnosis input unit 33A. For example, when the value of the main output signal is different from the value of the output signal, it is determined that a failure has occurred in the output units 30A and 30B. The reason is that the value of this output signal depends on the main output signal from the output unit 30A and the sub output signal from the output unit 30B. The determination unit 34A includes, for example, a logical operation element such as an MPU (Micro Processing Unit) or an FPGA (Field Programmable Gate Array).

  FIG. 7 is a table for explaining a failure of the multiplexing control device 2 of the second embodiment.

  FIG. 7 shows all patterns in which it is determined by the determination unit 34A that a failure has occurred when failure factors are limited to the output circuits 30A to 30C. In this case, when only the main output circuit 31A of the main output circuit 31A and the diagnostic input circuit 33A is abnormal, when only the diagnostic input circuit 33A of the main output circuit 31A and the diagnostic input circuit 33A is abnormal, There may be cases where the line 56A is abnormal. When the signal line 56A is abnormal, since the output signal of the output signal line 53A is abnormal, the main output circuit 31A and / or the sub output circuit 32B are abnormal.

  As described above, in this embodiment, the output unit 30A can detect not only a failure caused by the output unit 30A but also a failure caused by the output unit 30B. Therefore, according to the present embodiment, it is possible for each output unit to detect a failure of another output unit, thereby improving the failure detection performance. Note that an example of a method of using the failure detection result of this embodiment will be described in an embodiment described later.

(Third embodiment)
FIG. 8 is a block diagram illustrating a configuration of the arithmetic unit 20A of the multiplexing control device 2 according to the third embodiment. The following description also applies to the arithmetic units 20B and 20C.

  As described above, the calculation unit 20A of the present embodiment includes the calculation processing unit 21A, the diagnosis unit 22A, and the communication unit 23A (not shown). The calculation unit 20A of the present embodiment further includes an inter-system determination unit 24A that is an example of a second determination unit.

  The output units 30A to 30C of the present embodiment have the same configuration as the output unit 30A of the second embodiment. The output unit 30A supplies the failure detection result of the determination unit 34A to the arithmetic unit 20A via the output value line 52A. Thereby, the arithmetic unit 20A can acquire the failure detection result from the output unit 30A. Similarly, the arithmetic units 20B and 20C can acquire the failure detection results from the output units 30B and 30C, respectively. Furthermore, the arithmetic units 20A to 20C exchange these failure detection results via the networks 55A to 55C. Thereby, the inter-system determination unit 24A of the calculation unit 20A can acquire the failure detection results by the output units 30A to 30C. The same applies to the arithmetic units 20B and 20C.

  The failure detection result by the output unit 30A (determination unit 34A) indicates the detection result of the failure in the output units 30A and 30B. Similarly, the failure detection result by the output unit 30B indicates the failure detection result by the output units 30B and 30C, and the failure detection result by the output unit 30C indicates the failure detection result by the output units 30C and 30A. Therefore, the inter-system determination unit 24A of the present embodiment can identify the failure location of the output units 30A to 30C based on these failure detection results. For example, when the failure detection results by the output units 30A and 30C indicate the occurrence of a failure, it can be determined that there is a possibility that a failure exists in the output unit 30A.

  FIG. 9 is a table for explaining a failure of the multiplexing control device 2 of the third embodiment.

  FIG. 9 shows failure detection results of the determination units 34A to 34C when an abnormality occurs in the output unit 30A. Similar to the determination unit 34A of the output unit 30A, the determination units 34B and 34C are provided in the output units 30B and 30C, respectively. Similarly to the diagnostic input unit 33A of the output unit 30A, the diagnostic input units 33B and 33C are provided in the output units 30B and 30C, respectively.

  Regarding the output unit 30A, the two determination units 34A and 34C determine that there is a possibility of failure. On the other hand, for the output unit 30B, one determination unit determines that there is a possibility of failure, and one determination unit determines that there is no possibility of failure. Similarly, for the output unit 30C, one determination unit determines that there is a possibility of failure, and one determination unit determines that there is no possibility of failure.

  The inter-system determination unit 24A according to the present embodiment can specify a failure location by applying majority logic to these determination results. Specifically, the output unit 30A is determined to have a failure possibility by two determination units, the output unit 30B is determined to have a failure possibility by one determination unit, and the output unit 30C can be failed by one determination unit. Since it is determined that there is a possibility, it can be determined by the majority decision that the output unit 30A has a failure.

  As described above, in the present embodiment, the failure portion of the output units 30A to 30C can be specified by the inter-system determination unit 24A. Therefore, according to the present embodiment, it is possible to perform failure determination with higher accuracy than in the second embodiment.

(Fourth embodiment)
FIG. 10 is a block diagram illustrating a configuration of the output unit 30A of the multiplexing control device 2 according to the fourth embodiment. The following description also applies to the output units 30B and 30C.

  The output unit 30A of the present embodiment includes a main output circuit 31A, a sub output circuit 32A, a diagnosis input unit 33A, a determination unit 34A, and a safety stop instruction unit 35A that is an example of an instruction unit. In FIG. 10, for convenience of drawing, illustration of wiring between the output value line 52A and the main output circuit 31A and the sub output circuit 32A is omitted.

  The calculation units 20A to 20C of the present embodiment have the same configuration as the calculation unit 20A of the third embodiment. The calculation unit 20A supplies the failure location identification result of the inter-system determination unit 24A to the output unit 30A via the output value line 52A. Accordingly, the safety stop instruction unit 35A of the output unit 30A can acquire the failure detection result from the calculation unit 20A. The same applies to the output units 30B and 30C.

  The safety stop instruction unit 35A receives the failure detection result from the determination unit 34A, and receives the failure location specifying result from the inter-system determination unit 24A. The failure detection result indicates a failure detection result in the output units 30A and 30B. The fault location specifying result indicates the fault location specifying result of the output units 30A to 30C. For example, the failure location specifying result indicates the determination result that the output unit 30A has a failure in the form of instructing to stop the output unit 30A. Hereinafter, the failure detection result is denoted as “first determination result”, and the failure location specifying result is denoted as “second determination result”.

  The safety stop instruction unit 35A handles the first determination result and the second determination result by OR operation. Specifically, the safety stop instruction unit 35A indicates that the first determination result indicates that the output units 30A and 30B have a failure, or the second determination result indicates that the output unit 30A has a failure. If it is, a safety stop instruction is issued to the main output circuit 31A and the sub output circuit 32A. The safety stop instruction is an instruction to transition the state of the main output circuit 31A and the state of the sub output circuit 32A to the safe side state (release state). When these circuits transition to the safe side state, the output signal line 53A of the output unit 30A transitions to the safe side state (released state).

  The output unit 30A preferentially handles the safety stop instruction from the safety stop instruction unit 35A over the output value from the calculation unit 20A. Therefore, even if the arithmetic unit 20A outputs an output value to the output unit 30A, when the safety stop instruction unit 35A issues a safety stop instruction, the main output circuit 31A and the sub output circuit 32A transition to the safe side state. .

  When the first determination result indicates that the output units 30A and 30B have a failure, only the output unit 30A has failed, only the output unit 30B has failed, and the output unit 30A and the output There may be a case where both of the parts 30B are out of order. In any of these cases, the safety stop instruction unit 35A of the present embodiment causes the main output circuit 31A and the sub output circuit 32A to transition to the safe side state (release state). When the main output circuit 31A is released, the output signal line 53A of the output unit 30A is released. Further, when the sub output circuit 32A is released, the output signal line 53C of the output unit 30C is also released. Thus, in this embodiment, when one output unit issues a safety stop instruction, the two output signal lines transition to the safe side state.

  FIG. 11 is a table for explaining the operation of the multiplexing control device 2 of the fourth embodiment.

  The multiplexing control device 2 includes a setting unit for setting whether the safety stop instruction unit 35A handles the first determination result and the second determination result by an AND operation or an OR operation. When the set value “AND operation” is set in the setting unit, the safety stop instruction unit 35A handles these by AND operation. On the other hand, when the set value “OR operation” is set in the setting unit, the safety stop instruction unit 35A handles these by the OR operation.

  In the present embodiment, a setting value “OR operation” is set in the setting unit. On the other hand, in a fifth embodiment described later, a setting value “AND operation” is set in the setting unit.

  As described above, in the present embodiment, when any of the output units 30A to 30C fails, the two output signal lines transition to the safe side state according to the safety stop instruction. As a result, the system output signal line 54 transits to the safe side state by the majority operation of the majority unit 40. Therefore, according to the present embodiment, it is possible to realize a highly safe multiplexing control device 2 in which the system output signal line 54 transitions to the safe state even if one output unit fails.

(Fifth embodiment)
As in the fourth embodiment, the fifth embodiment will be described with reference to FIGS. 10 and 11.

  As shown in FIG. 10, the output unit 30A of the present embodiment includes a main output circuit 31A, a sub output circuit 32A, a diagnosis input unit 33A, a determination unit 34A, and a safety stop instruction unit 35A that is an example of an instruction unit. And. In the present embodiment, the setting value “AND operation” is set in the setting unit (see FIG. 11).

  Therefore, the safety stop instruction unit 35A of the present embodiment indicates that the first determination result indicates that the output units 30A and 30B have a failure, and the second determination result indicates that the output unit 30A has a failure. Issue safety stop instructions when indicated. However, this safety stop instruction is issued only to the main output circuit 31A and is not issued to the sub output circuit 32A. As a result, the main output circuit 31A changes to the safe side state (released state), and as a result, the output signal line 53A of the output unit 30A changes to the safe side state (released state).

  When the first determination result indicates that there is a failure in the output units 30A and 30B, there may be a case where the output unit 30A has failed and a case where the output unit 30A has not failed. Therefore, the safety stop instruction unit 35A according to the present embodiment issues the safety stop instruction based on the first and second determination results without issuing the safety stop instruction based only on the first determination result. Thereby, only when the output unit 30A is out of order, the output signal line 53 of the output unit 30A can be shifted to the safe state.

  In this case, when the safety stop instruction is issued to the sub output circuit 32A, the output signal line 53 of the output unit 30A transitions to the safe side state even though the output unit 30C has not failed. Therefore, the safety stop instruction unit 35A of the present embodiment issues a safety stop instruction only to the main output circuit 31A and does not issue a safety stop instruction to the sub output circuit 32A. Thus, in this embodiment, when one output unit issues a safety stop instruction, one output signal line transitions to the safe side state.

  As described above, in the present embodiment, when any of the output units 30A to 30C fails, one output signal line transitions to the safe side state according to the safety stop instruction. In this case, the system output signal line 54 is not changed to the safe state but maintained in the original state by the majority operation of the majority unit 40. Therefore, according to this embodiment, when a certain output unit fails, only the output unit can be stopped, and the stop of the output unit without failure can be prevented. Therefore, according to the present embodiment, it is possible to achieve both the safety against the failure of the output units 30A to 30C and the operation continuity at the time of a single failure of the output units 30A to 30C.

  Note that the safety stop instruction unit 35A of the fourth and fifth embodiments can acquire both the first and second determination results, and issues a safety stop instruction based on the first determination result or / and the second determination result. Although it is issued, only one of the first and second determination results may be acquired. In this case, the safe stop instruction unit 35A of the fourth and fifth embodiments may issue a safe stop instruction based only on the first determination result that can be acquired, or only based on the second determination result that can be acquired. May issue a safety stop instruction.

(Sixth embodiment)
Similar to the first embodiment, the sixth embodiment will be described with reference to FIG. In the following description, the first to fifth embodiments will be described first with reference to FIG. 2, and then the sixth embodiment will be described with reference to FIG.

  The safe side state in the first to fifth embodiments refers to a released state of the signal line, and a state in which the signal line is opened. On the other hand, the dangerous side state refers to a connection state of signal lines and a state in which the signal lines are closed. An example of the system output signal in this case is a control signal for supplying power to the motor that drives the power plant. The reason is that such motors are generally safer when the power is cut off and at a standstill than when the motor is powered and in an operating state.

  In FIG. 2, the state of the output signal line 53A of the output unit 30A is controlled by a main output circuit 31A that outputs a main output signal to the output signal line 53A and a sub output circuit 32B that outputs a sub output signal to the output signal line 53A. Is done. The main output signal and the sub output signal have either a first value indicating a release state or a second value indicating a connection state. In the first to fifth embodiments, the example of the first value indicating the release state is a positive voltage, and the example of the second value indicating the connection state is a zero voltage. Therefore, when at least one of the main output circuit 31A and the sub output circuit 32B is released, the output signal line 53A is released. On the other hand, when both the main output circuit 31A and the sub output circuit 32B are connected, the output signal line 53A is connected.

  As described above, in the first to fifth embodiments, the safe side state (release state) of the main output signal and the sub output signal is handled by the OR operation, and the dangerous side state (connection state) of the main output signal and the sub output signal. Are handled by AND operation. Therefore, when the system output signal is in an incorrect state, the rate at which the system output signal is erroneously in a dangerous state can be reduced, and the rate at which the system output signal is erroneously in a safe state can be increased.

  On the other hand, the safe side state in the present embodiment refers to the connection state of the signal lines and the state where the signal lines are closed. On the other hand, the dangerous side state refers to a state in which the signal line is released and a state in which the signal line is open. An example of the system output signal in this case is a control signal for supplying electric power to the solenoid valve in the power plant. The reason is that such a solenoid valve is generally safer in a state where it can be operated with power supplied, rather than in a state where it cannot operate because the power is cut off.

  In the present embodiment, an example of the first value indicating the release state is a zero voltage, and an example of the second value indicating the connection state is a positive voltage. Therefore, when at least one of the main output circuit 31A and the sub output circuit 32B is connected, the output signal line 53A is connected. On the other hand, when both the main output circuit 31A and the sub output circuit 32B are released, the output signal line 53A is released.

  In this way, in this embodiment, the safe side state (connection state) of the main output signal and the sub output signal is handled by OR operation, and the dangerous side state (release state) of the main output signal and the sub output signal is AND operation. Be treated. Therefore, when the system output signal is in an incorrect state, the rate at which the system output signal is erroneously in a dangerous state can be reduced, and the rate at which the system output signal is erroneously in a safe state can be increased. That is, according to the present embodiment, as in the first to fifth embodiments, it is possible to increase the rate at which the system output signal erroneously enters the safe state.

  Note that the output unit 30A of the present embodiment may include a diagnosis input unit 33A, a determination unit 34A, and a safe stop instruction unit 35A, as in the second to fifth embodiments. Further, the calculation 20A of the present embodiment may include an inter-system determination unit 24A as in the second to fifth embodiments. The same applies to the output units 30B and 30C and the calculation units 20B and 30C.

  Further, the multiplexing control device 2 of the present embodiment may include a setting unit for setting one of the released state and the connected state to the safe side state. When the setting value “released state” is set in the setting unit, the released state is treated as a safe state. On the other hand, when the setting value “connection state” is set in the setting unit, the connection state is treated as a safe side state.

  In this embodiment, the safe side state (connection state) is handled by an OR operation, and the dangerous side state (released state) is handled by an AND operation. Conversely, the safe side state is handled by an AND operation, and the dangerous side. The state may be handled by an OR operation. This will be referred to as a modified example of the sixth embodiment in the following description. Similarly, in the first to fifth embodiments, the safe side state (released state) is handled by an OR operation, and the dangerous side state (connected state) is handled by an AND operation. Conversely, the safe side state is treated by an AND operation. And the dangerous state may be handled by OR operation. This will be referred to as a modified example of the first to fifth embodiments in the following description.

(Seventh embodiment)
As in the first embodiment, the seventh embodiment will be described with reference to FIG.

  The output units 30A to 30C of the present embodiment include test units 36A to 36C that test operations of the output units 30A to 30C (see FIG. 2). The test units 36A to 36C can execute tests for confirming the soundness of the main output circuits 31A to 31C, the sub output circuits 32A to 32C, the output signal lines 53A to 53C, the signal lines 56A to 56C, and the like.

  The test units 36A to 36C of the present embodiment temporarily operate the outputs of the main output circuits 31A to 31C and the sub output circuits 32A to 32C, and the diagnostic results as the result of this operation are diagnostic input units 33A to 33C (FIG. 6). If there is a discrepancy between the value of the output signal set by the operation of the test units 36A to 36C and the value of the output signal diagnosed by the diagnosis input units 33A to 33C, the determination units 34A to 34C ( 6) performs a failure detection process in the output units 30A to 30C in response to an operation from the test units 36A to 36C. The test units 36A to 36C can check whether the output units 30A to 30C are healthy by acquiring the failure detection results by the determination units 34A to 34C.

  FIG. 12 is a table for explaining the operation of the multiplexing control apparatus 2 of the seventh embodiment.

  The table of FIG. 12 is applicable to the test of the multiplexing control device 2 of the first to fifth embodiments. The table in FIG. 12 can also be applied to the test of the multiplexing control device 2 of the sixth embodiment by switching the release state and the connection state.

  FIG. 12 shows an example of a test pattern when the set value of the safe side state is “released state”. For example, in the test pattern 1, among the main output circuits 31A to 31C and the sub output circuits 32A to 32C, the main output circuit 31A is set to the released state, and the other circuits are set to the connected state. In this case, if there is no failure in the output units 30A to 30C, the diagnosis input unit 33A determines that the value of the output signal is the first value (released state), and the diagnosis input units 33B and 33C determine the value of the output signal as the first value. It is expected to be determined as binary (connection state). Furthermore, if there is no failure in the output units 30A to 30C, the value of the system output signal of the majority decision unit 40 is expected to be the second value (connected state).

  Also in the test patterns 2 to 6, like the test pattern 1, one of the main output circuits 31A to 31C and the sub output circuits 32A to 32C is set to the released state, and the other circuits are set to the connected state. . Thus, the test units 36A to 36C can check the release operation capability of each circuit.

  In the test pattern 1, when the diagnosis input unit 33A determines that the value of the output signal is the second value (connection state), there is a possibility that the output units 30A and 30B have a failure. The reason is that the test units 36A to 36C in the test pattern 1 set the value of the output signal of the output unit 30A to the first value (by setting the main output circuit 31A to the released state and the sub output circuit 32B to the connected state. This is because the release state is set. Therefore, if there is no failure in the output units 30A and 30B, the diagnosis result by the diagnosis input unit 33A should be the first value (released state).

  In this case, the determination units 34A to 34C perform failure detection processing in the output units 30A to 30C in accordance with operations from the test units 36A to 36C. For example, when there is a failure in the output unit 30A, it is expected that the determination units 34A and 34C determine that there is a failure, and the determination unit 34B determines that there is no failure. The test units 36A to 36C can confirm that the output unit 30A has a failure by acquiring these determination results.

  FIG. 13 is a table for explaining the operation of the multiplexing control device 2 of the seventh embodiment.

  The table of FIG. 13 is applicable to the test of the multiplexing control device 2 of the modification of the sixth embodiment. Moreover, the table of FIG. 13 is applicable also to the test of the multiplexing control apparatus 2 of the modification of 1st-5th embodiment by switching a release state and a connection state.

  FIG. 13 shows an example of a test pattern when the set value of the safe side state is “connected state”. For example, in the test pattern 1, among the main output circuits 31A to 31C and the sub output circuits 32A to 32C, the main output circuit 31A and the sub output circuit 32B are set to the connected state, and the other circuits are set to the released state. In this case, if there is no failure in the output units 30A to 30C, the diagnosis input unit 33A determines that the value of the output signal is the second value (connection state), and the diagnosis input units 33B and 33C determine the value of the output signal as the first value. It is expected to be determined as 1 value (released state). Furthermore, if there is no failure in the output units 30A to 30C, the value of the system output signal of the majority decision unit 40 is expected to be the first value (released state).

  Also in the test patterns 2 and 3, as in the test pattern 1, two of the main output circuits 31A to 31C and the sub output circuits 32A to 32C are set to a connected state, and the other circuits are set to a released state. . Accordingly, the test units 36A to 36C can check the connection operation capability of each circuit.

  Note that the operation of the test units 36A to 36C when an abnormality is detected in the test of FIG. 13 is the same as that of the test of FIG.

  As described above, according to the present embodiment, the operation of the output units 30A to 30C can be tested by the diagnosis input units 33A to 33C, the determination units 34A to 34C, and the test units 36A to 36C. For example, according to the present embodiment, it is possible to determine which of the three output units has a failure without using the inter-system determination units 24A to 24C, and which main output circuit or sub-output circuit It is possible to determine whether or not there is a failure.

(Eighth embodiment)
FIG. 14 is a block diagram illustrating the configuration of the arithmetic units 20A to 20C of the multiplexing control device 2 according to the eighth embodiment.

  As described above, the calculation units 20A to 20C of the present embodiment include calculation processing units 21A to 21C, diagnosis units 22A to 22C, and communication units 23A to 23C (not shown). Furthermore, the calculation units 20A to 20C of the present embodiment include inter-system determination units 24A to 24C and setting units 25A to 25C, respectively. The setting units 25A to 25C are set values for the above-mentioned “AND operation” and “OR operation” for the output units 30A to 30C and set values for the above-mentioned “release state” and “connection state” for the output units 30A to 30C, respectively. Used to set The arithmetic units 20A to 20C can output the setting values in the setting units 25A to 25C to the output units 30A to 30C via the output value lines 52A to 52C, respectively. The output units 30A to 30C can realize the above-described setting by using the received setting value. The output units 30A to 30C may register the received setting values in the output units 30A to 30C.

  FIG. 14 further shows an engineering tool 4 accessible to the multiplexing control device 2. The engineering tool 4 is a generic term for software that can access the multiplexing control device 2 and perform various settings of the multiplexing control device 2 and computers that can execute the software. An example of the engineering tool 4 is a PC (Personal Computer) in which such software is installed. For example, this PC can access the multiplexing control device 2 by being connected to the multiplexing control device 2 by a signal line 58 such as a cable.

  The arithmetic units 20A to 20C can communicate with the engineering tool 4. The engineering tool 4 can register various setting values in the setting units 25A to 25C through this communication. The engineering tool 4 provides a user interface for the user to select a setting value.

  The above set values differ depending on the specifications of the input devices 1A to 1C and the output device 3 of the power plant to which the multiplexing control device 2 is applied and the specifications of the majority decision unit 40 of the multiplexing control device 2. . According to this embodiment, the user of the multiplexing control device 2 can set setting values suitable for these specifications.

  The multiplexing control device 2 of the first to eighth embodiments includes three systems of input units, arithmetic units, and output units, but includes four or more systems of input units, arithmetic units, and output units. Also good. For example, when the multiplexing control device 2 includes N systems (N is an integer of 3 or more) of input units, arithmetic units, and output units, the multiplexing unit 40 outputs the output signals from the N systems of output units. The majority operation is performed.

  Although several embodiments have been described above, these embodiments are presented as examples only and are not intended to limit the scope of the invention. The novel apparatus described herein can be implemented in various other forms. Various omissions, substitutions, and changes can be made to the form of the apparatus described in the present specification without departing from the gist of the invention. The appended claims and their equivalents are intended to include such forms and modifications as fall within the scope and spirit of the invention.

1A, 1B, 1C: input device 2: multiplexing control device 3: output device 4: engineering tool 10A, 10B, 10C: input unit 20A, 20B, 20C: calculation unit 21A, 21B, 21C: calculation processing unit 22A, 22B 22C: Diagnosis unit 23A, 23B, 23C: Communication unit 24A, 24B, 24C: Inter-system determination unit 25A, 25B, 25C: Setting unit 30A, 30B, 30C: Output unit 31A, 31B, 31C: Main output circuit 32A, 32B, 32C: Sub-output circuits 33A, 33B, 33C: Diagnostic input units 34A, 34B, 34C: Determination units 35A, 35B, 35C: Safety stop instruction units 36A, 36B, 36C: Test units 40: Majority units 51A, 51B, 51C: Input value line 52A, 52B, 52C: Output value line 53A, 53B, 53C: Output signal line 54: System output signal line 55A, 55B, 55C: Network 56A, 56B, 56C: Signal line 57A, 57B, 57C: Signal line 58: Signal line 61: Fault system detector 62: Signal line

Claims (7)

First to Nth input units (N is an integer of 3 or more) for converting an input signal into an input value and outputting the input value;
A first to Nth arithmetic units for calculating the input value to generate an output value and outputting the output value;
The first to Nth output units that convert the output value into an output signal and output the output signal to a majority unit that performs a majority operation on the output signal,
Each output unit includes first and second circuits, converts the output values into first and second signals, and supplies the first and second signals to the first and second circuits, respectively.
The second circuit of the X-th output unit (X is an integer from 1 to N) receives the second signal generated by the X-th output unit, and receives the received second signal as a Y-th output unit (Y is Output to the first circuit of 1 to N different from X),
The first circuit of the Xth output unit receives the first signal generated by the Xth output unit, and the second circuit of the Zth output unit (Z is an integer of 1 to N different from X and Y). Receiving the second signal from a circuit, and outputting at least one of the received first and second signals to the majority unit as the output signal;
Multiplexing control device.   The Xth output unit converts the output value generated by the Xth operation unit corresponding to the Xth output unit into the first signal, and is generated by the Yth operation unit corresponding to the Yth output unit. The multiplexing control apparatus according to claim 1, wherein the output value is converted into the second signal.   The Xth operation unit according to claim 2, wherein the Xth operation unit outputs the output value generated by the Xth operation unit and the output value received from the Yth operation unit to the Xth output unit. Multiplexing control device. The X-th output unit is
A diagnostic unit for diagnosing the value of the output signal supplied from the X-th output unit to the majority decision unit;
First determination for detecting a failure in the Xth and Zth output units based on the value of the first signal generated by the Xth output unit and the value of the output signal diagnosed by the diagnostic unit And
The multiplexing control apparatus according to any one of claims 1 to 3, further comprising:   The X-th operation unit corresponding to the Y-th output unit obtains a failure detection result by the first determination unit of the first to N-th output units, and based on the detection result, the first to N-th The multiplexing control device according to claim 4, further comprising a second determination unit that identifies a failure location of the output unit. And a test unit for testing the operation of the first to Nth output units,
The first determination unit performs the failure detection process when there is a mismatch between the value of the output signal set by the test unit and the value of the output signal diagnosed by the diagnosis unit. The multiplexing control apparatus according to claim 4 or 5. Furthermore, a setting unit for setting the setting value of the output unit from a tool accessible to the multiplexing control device,
The said setting part can set the said setting value for setting any one of the release state of the output signal line of the said output part, and a connection state to a safe side state, The any one of Claim 1 to 6 A multiplexing control apparatus according to 1.

Images