CN113541672B - Risk degradation device and risk degradation method - Google Patents

Info

Publication number
CN113541672B
Authority
CN
China
Legal status
Active
Application number
CN202110753214.6A
Other languages
Chinese (zh)
Other versions
CN113541672A (en)
Inventor
张则立
朱杰
江竹轩
刘黎
Current Assignee
Zhejiang Supcon Technology Co Ltd
Original Assignee
Zhejiang Supcon Technology Co Ltd
Application filed by Zhejiang Supcon Technology Co Ltd
Priority to CN202110753214.6A
Publication of CN113541672A
Application granted
Publication of CN113541672B

Classifications

    • H ELECTRICITY
    • H03 ELECTRONIC CIRCUITRY
    • H03K PULSE TECHNIQUE
    • H03K19/00 Logic circuits, i.e. having at least two inputs acting on one output; Inverting circuits
    • H03K19/003 Modifications for increasing the reliability for protection
    • H03K19/007 Fail-safe circuits
    • H03K19/0175 Coupling arrangements; Interface arrangements
    • H03K19/017509 Interface arrangements


Abstract

The application relates to a risk degradation device and a risk degradation method. The risk degradation device comprises a control module and a first output module and a second output module that are redundant with each other; the first output module comprises a first processing unit and a first main switch, and the second output module comprises a second processing unit and a second main switch. The control module is connected to the first processing unit and to the second processing unit; the first processing unit is connected to the controlled end of the second main switch, and the second processing unit is connected to the controlled end of the first main switch. The control module detects, from the readback signals returned by the output modules, whether a faulty output module exists and, if one is detected, sends a first degradation control instruction to the corresponding redundant output module instructing it to open the main switch of the faulty output module. The application solves the problem that the system risk cannot be degraded when a fault in an output channel goes undetected or the risk degradation logic executes abnormally, and thereby achieves risk degradation.

Description

Risk degradation device and risk degradation method
Technical Field
The present application relates to the field of risk control, and in particular to a risk degradation apparatus and a risk degradation method.
Background
A safety instrumented system responds in time to potentially dangerous or improper behaviour of production plant and equipment and protects them by bringing them into a predefined safe shutdown state (for example by opening a cut-off switch), so that the risk is reduced to an acceptable level and the safety of the plant, the equipment and the surrounding environment is ensured. Some critical components or functions are deliberately configured redundantly for the sake of system safety and reliability. When a component fails, the redundant component serves as a standby that intervenes in time and takes over the work of the failed component, which lowers the probability of a system shutdown, shortens the system's downtime and improves its availability.
In existing multi-channel redundant output architectures, each channel degrades itself on the basis of its own self-test, for example by opening an output switch to disconnect itself from the load. Complete self-checking capability of the channel is the precondition for executing the degradation strategy correctly: when an undetectable fault occurs in the channel, or the degradation logic executes abnormally, the system may output an erroneous value and leave the field in a dangerous state.
No effective solution has yet been proposed for the problem, in the related art, that the system risk cannot be degraded because of undetectable faults in an output channel or abnormal execution of the risk degradation logic.
Disclosure of Invention
The embodiment provides a risk degradation device and a risk degradation method in order to solve the problem, in the related art, that the system risk cannot be degraded because of undetectable faults in an output channel or abnormal execution of the risk degradation logic.
In a first aspect, this embodiment provides a risk degradation apparatus comprising a control module and a first output module and a second output module that are redundant with each other, where the first output module comprises a first processing unit and a first main switch and the second output module comprises a second processing unit and a second main switch; wherein,
The control module is respectively connected with the first processing unit and the second processing unit;
The connection ends of the first main switch and the second main switch are connected with an excitation source, and the other connection ends of the first main switch and the second main switch are connected with a load;
The first processing unit is connected with the controlled end of the second main switch, and the second processing unit is connected with the controlled end of the first main switch;
The control module is used to detect, from the readback signals uploaded by the output modules, whether a faulty output module exists and, if one is detected, to send a first degradation control instruction to the processing unit of the corresponding redundant output module instructing it to open the main switch of the faulty output module.
In some embodiments, the first output module includes a first output switch whose controlled end is connected to the first processing unit, one connection end of which is connected to the first main switch and the other to the load; the second output module includes a second output switch whose controlled end is connected to the second processing unit, one connection end of which is connected to the second main switch and the other to the load; wherein,
the first processing unit is used to detect from the readback signal whether the first processing unit has a fault, and if so, it opens the first output switch to cut the electrical path between the first main switch and the load;
and the second processing unit is used to detect from the readback signal whether the second processing unit has a fault, and if so, it opens the second output switch to cut the electrical path between the second main switch and the load.
In some embodiments, the readback signal of the first output module includes the electrical signal flowing through the loop of the first output switch and the electrical signal driving the load, and the readback signal of the second output module includes the electrical signal flowing through the loop of the second output switch and the electrical signal driving the load.
In some of these embodiments, the first processing unit includes a first processor and a second processor, the first processor being communicatively coupled to the second processor, the first processor being coupled to the controlled end of the second master switch, the second processor being coupled to the controlled end of the first output switch; the second processing unit comprises a third processor and a fourth processor, the third processor is in communication connection with the fourth processor, the third processor is connected with the controlled end of the first main switch, and the fourth processor is connected with the controlled end of the second output switch; the first processor is in communication connection with the third processor; wherein,
the second processor is used to collect the readback signal and send it to the first processor; the first processor is used to generate a second degradation control instruction from the readback signal and send it to the second processor, instructing the second processor to control the state of the first output switch accordingly, and the first processor is further used to control the state of the second main switch under the control of the control module;
the fourth processor is used to collect the readback signal and send it to the third processor; the third processor is used to generate a second degradation control instruction from the readback signal and send it to the fourth processor, instructing the fourth processor to control the state of the second output switch accordingly, and the third processor is further used to control the state of the first main switch under the control of the control module.
In some of these embodiments, the first processor and the second processor are electrically isolated from each other; the third processor and the fourth processor are electrically isolated from each other.
In a second aspect, in this embodiment, there is provided a risk degrading method applied to the risk degrading apparatus described in the first aspect, where the method includes:
acquiring the readback signals uploaded by the first output module and the second output module;
detecting from the readback signals whether a faulty output module exists;
and, if a faulty output module is detected, sending a first degradation control instruction to the non-faulty redundant output module instructing it to open the main switch of the faulty output module.
In some of these embodiments, detecting whether a faulty output module is present includes:
comparing the readback signal of each output module with the output instruction, determining an output module whose comparison is inconsistent to be the faulty output module and an output module whose comparison is consistent to be the redundant output module.
In some of these embodiments, the method further comprises:
acquiring a redundant pairing state flag generated by the first output module after it detects the in-place state of the second output module, and a redundant pairing state flag generated by the second output module after it detects the in-place state of the first output module;
judging from the redundant pairing state flags generated by the output modules whether each paired output module is in place, and raising an alarm if an output module is found not to be in place.
In some of these embodiments, after a first redundant pairing state flag indicating that the paired output module is not in place has been received, the method further comprises:
starting a timeout timer for the target output module that reported the redundant pairing fault;
and, when the timeout duration reaches a preset condition, determining that the target output module has not been maintained and sending a second degradation control instruction to the target output module instructing it to open its output switch.
In some of these embodiments, if the target output module detects that the paired output module is in place, the method further comprises:
acquiring a second redundant pairing state flag generated by the target output module, which indicates that the paired output module is in place;
and stopping the timeout timer of the target output module according to the second redundant pairing state flag and decrementing a timeout counter.
Compared with the related art, the risk degradation device and the risk degradation method provided in the embodiment solve the problem that the system risk cannot be degraded due to undetectable faults or abnormal execution of the risk degradation logic of the output channel, and realize effective degradation of the system risk.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the other features, objects, and advantages of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
Fig. 1 is a schematic diagram of a risk degrading apparatus of the present embodiment;
FIG. 2 is a waveform diagram of the inching test signal according to the present embodiment;
FIG. 3 is a flow chart of the control module detection fault output module of the present embodiment;
Fig. 4 is a second schematic structural diagram of the risk degrading apparatus of the present embodiment;
FIG. 5 is a schematic structural view of the risk degradation device of the present preferred embodiment;
FIG. 6 is a flow chart of the control of the output switch by the processing unit of the preferred embodiment;
fig. 7 is a flowchart of the risk degrading method of the present embodiment.
Reference numerals: 100. a control module;
10. a first output module; 11. a first processing unit; 12. a first main switch; 13. a first output switch; 14. a first diode; 15. a first processor; 16. a second processor;
20. a second output module; 21. a second processing unit; 22. a second main switch; 23. a second output switch; 24. a second diode; 25. a third processor; 26. a fourth processor;
31. an excitation source; 32. a load.
Detailed Description
The present application will be described and illustrated with reference to the accompanying drawings and examples for a clearer understanding of the objects, technical solutions and advantages of the present application.
Unless defined otherwise, technical or scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terms "a," "an," "the," "these" and similar terms in this application are not intended to be limiting in number, but may be singular or plural. The terms "comprising," "including," "having," and any variations thereof, as used herein, are intended to encompass non-exclusive inclusion; for example, a process, method, and system, article, or apparatus that comprises a list of steps or modules (units) is not limited to the list of steps or modules (units), but may include other steps or modules (units) not listed or inherent to such process, method, article, or apparatus. The terms "connected," "coupled," and the like in this disclosure are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The term "plurality" as used herein means two or more. "and/or" describes an association relationship of an association object, meaning that there may be three relationships, e.g., "a and/or B" may mean: a exists alone, A and B exist together, and B exists alone. Typically, the character "/" indicates that the associated object is an "or" relationship. The terms "first," "second," "third," and the like, as referred to in this disclosure, merely distinguish similar objects and do not represent a particular ordering for objects.
In this embodiment, there is provided a risk degrading apparatus, fig. 1 is a schematic structural diagram of the risk degrading apparatus of this embodiment, and as shown in fig. 1, the risk degrading apparatus includes:
the control module 100, a first output module 10 and a second output module 20 which are redundant to each other, wherein the first output module 10 comprises a first processing unit 11 and a first main switch 12, and the second output module 20 comprises a second processing unit 21 and a second main switch 22; wherein the control module 100 is connected with the first processing unit 11 and the second processing unit 21 respectively; one connecting end of the first main switch 12 and the second main switch 22 is used for being connected with an excitation source 31, and the other connecting end is used for being connected with a load 32; the first processing unit 11 is connected to the controlled end of the second main switch 22, and the second processing unit 21 is connected to the controlled end of the first main switch 12.
In this embodiment, the first output module 10 and the second output module 20 are configured to receive an output command from the control module 100, and output a driving signal according to the output command to conduct an electrical path between the excitation source 31 and the load 32.
The control module 100 is configured to detect whether a faulty output module exists according to the readback signal uploaded by each output module and to make a risk degradation decision, which covers the following three cases:
(1) If neither the first output module 10 nor the second output module 20 has failed, no risk degradation is performed on either module.
(2) If the first output module 10 has failed and the second output module 20 has not, the second output module 20 is controlled to open the first main switch 12 of the first output module 10.
(3) If the second output module 20 has failed and the first output module 10 has not, the first output module 10 is controlled to open the second main switch 22 of the second output module 20.
In this embodiment, the main switch of each output module is controlled by the redundant output module. In the normal working state the main switch of each output module is closed; when a fault occurs, the main switch of the faulty output module is opened by the redundant output module. In some cases an undetectable fault occurs in the output module, or the risk degradation logic executes abnormally, so that the output module cannot degrade the risk itself (cut its own connection to the load 32). The control module 100 then generates a first degradation control instruction, sends it to the redundant output module, and has the redundant output module open the main switch of the faulty output module, which ensures that the risk of the faulty output module is still effectively degraded.
In addition, because the main switch is closed in normal operation and the main switch of each output module is controlled independently by the redundant output module (that is, the control module 100 has the redundant output module perform the opening (degradation) operation), the system remains in a safe open state even if a fault in the main switch control circuit opens the main switch by mistake, the open state being the preset safe state.
By the embodiment, the problem that the system risk cannot be degraded due to undetectable faults or abnormal execution of the risk degradation logic of the output channel is solved, and effective degradation of the system risk is realized.
In some embodiments, to detect whether a faulty output module exists, the control module 100 may periodically run a functional test on the main switch of a single output module: the control module 100 performs a jog test (pulse test) on the main switch of the target output module through the redundant output module. Fig. 2 is a schematic waveform diagram of the jog test signal of this embodiment; as shown in fig. 2, the jog test signal has a pulse width of 2 ms and the main switch is jog-tested every 15 minutes. Fig. 3 is a flowchart of the control module detecting the faulty output module in this embodiment; as shown in fig. 3, the flow comprises the following steps:
Step S31, judging whether the system outputs an ON signal; if yes, go to step S32; if not, the process returns to step S31.
Step S32, entering the test mode of the main switch of the target output module, and masking the fault-detection function of the readback signal returned by the output module.
Step S33, receiving the readback signal sent by the target output module.
Step S34, judging whether the readback signal is consistent with the expected test logic; if so, executing step S35; if not, executing step S36.
Step S35, determining that the main switch of the target output module is normal; step S37 is performed.
Step S36, determining that the main switch function of the target output module has a fault; step S38 is performed.
Step S37, exiting the test mode of the main switch of the current output module and preparing to test the main switch of the redundant output module.
Step S38, raising an alarm, starting the fault timeout count, and outputting a second degradation control instruction to all output modules once the counter times out.
In this embodiment, the main switch diagnostics of the two output modules are independent of each other and are not performed at the same time.
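The pulse test of steps S31 to S38 can be simulated to see why it catches a latent main-switch fault. The following C program is an added example, not code from the patent: the switch model, the readback point (the module's own path, in the style of LB1/RB1), the FAULT_TIMEOUT_LIMIT preset and the alternating test schedule are assumptions made for the illustration. The redundant module drives the controlled end open for the 2 ms pulse while the other module keeps the load energised, so the expected test logic is "this path drops out during the pulse and recovers afterwards"; a switch whose contacts can no longer open never drops out and fails the test.

```c
/* Added example (not the patent's code): a simulation of the main-switch
 * jog/pulse test of steps S31-S38 and the alternating test schedule.
 * Assumptions: the switch model, the readback point (module path, LB1/RB1
 * style) and FAULT_TIMEOUT_LIMIT are constructed for the illustration. */
#include <stdbool.h>
#include <stdint.h>

#define PULSE_WIDTH_MS       2u                    /* Fig. 2: 2 ms pulse */
#define TEST_PERIOD_MS       (15u * 60u * 1000u)   /* Fig. 2: every 15 minutes */
#define FAULT_TIMEOUT_LIMIT  3u                    /* assumed preset for the S38 counter */

typedef struct {
    bool demanded_closed;   /* level on the controlled end, driven by the redundant module */
    bool stuck_closed;      /* injected latent fault: contacts welded, switch cannot open */
} main_switch_t;

typedef struct {
    main_switch_t main_sw;
    bool output_sw_closed;          /* own output switch (second-stage degradation) */
    bool self_check_masked;         /* S32: readback fault detection masked in test mode */
    bool alarm;                     /* S38 */
    unsigned fault_timeout_counter; /* S38 */
} output_module_t;

/* Readback at the diode input of this module's path: current flows only when
 * both switches in series conduct; a welded main switch conducts regardless
 * of its demanded state. */
static bool path_readback(const output_module_t *m)
{
    bool main_conducts = m->main_sw.demanded_closed || m->main_sw.stuck_closed;
    return main_conducts && m->output_sw_closed;
}

typedef enum { TEST_SKIPPED, TEST_PASS, TEST_FAIL } test_result_t;

/* One pulse test of the target's main switch, driven through the redundant
 * module that owns its controlled end.  The other module keeps the load
 * energised, so the PULSE_WIDTH_MS dropout is visible only on this path. */
test_result_t pulse_test_main_switch(output_module_t *target, bool system_output_on)
{
    if (!system_output_on)                          /* S31: test only while the output is ON */
        return TEST_SKIPPED;
    target->self_check_masked = true;               /* S32: enter test mode */
    target->main_sw.demanded_closed = false;        /* open the switch for PULSE_WIDTH_MS ... */
    bool during_pulse = path_readback(target);      /* S33: sample the readback meanwhile */
    target->main_sw.demanded_closed = true;         /* ... then close it again */
    bool after_pulse = path_readback(target);
    target->self_check_masked = false;              /* S37: leave test mode */
    /* S34: expected test logic is "path drops out during the pulse and
     * recovers afterwards"; a stuck-closed switch never drops out. */
    return (!during_pulse && after_pulse) ? TEST_PASS : TEST_FAIL;
}

/* S35-S38 consequences.  Returns true when the fault timeout counter has
 * exceeded the preset, i.e. the second degradation instruction is due. */
bool handle_test_result(output_module_t *target, test_result_t r)
{
    if (r == TEST_FAIL) {                           /* S36, S38: alarm and count */
        target->alarm = true;
        target->fault_timeout_counter++;
        return target->fault_timeout_counter > FAULT_TIMEOUT_LIMIT;
    }
    if (r == TEST_PASS)                             /* S35: switch healthy */
        target->fault_timeout_counter = 0;
    return false;
}

typedef struct { uint32_t last_test_ms; int next_target; } test_scheduler_t;

/* Returns the index (0 or 1) of the module whose main switch is due for
 * testing, or -1.  The two diagnostics alternate and never run together. */
int pulse_test_due(test_scheduler_t *s, uint32_t now_ms)
{
    if (now_ms - s->last_test_ms < TEST_PERIOD_MS)
        return -1;
    s->last_test_ms = now_ms;
    int target = s->next_target;
    s->next_target ^= 1;
    return target;
}
```

A healthy switch passes and its counter is cleared; a welded switch fails every 15-minute test, raises the alarm at once, and after the assumed number of consecutive failures `handle_test_result` reports that the second degradation instruction is due.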
The risk degradation device of the present application comprises a two-stage risk degradation decision:
First stage: each output module uploads its readback signal to the control module 100, which detects faults centrally and makes the risk degradation decision.
Second stage: each output module self-tests and generates its own risk degradation decision.
The first-stage risk degradation decision has been described in the above embodiments; embodiments of the risk degradation device based on the second-stage decision are presented below.
Fig. 4 is a second schematic structural diagram of the risk degradation device of this embodiment. As shown in fig. 4, the first output module 10 includes a first output switch 13 whose controlled end is connected to the first processing unit 11, one connection end of which is connected to the first main switch 12 and the other to the load 32; the second output module 20 includes a second output switch 23 whose controlled end is connected to the second processing unit 21, one connection end of which is connected to the second main switch 22 and the other to the load 32.
In this embodiment, each output module detects from the readback signal it reads itself whether it has a fault; if it does, it opens its output switch to cut the electrical path between itself and the load 32, and thus the path by which the excitation source 31 drives the load 32 through this module.
For example, each output module compares the readback signal with the output instruction received from the control module 100, and if they are inconsistent it determines that it has a fault.
The readback signal of an output module includes the electrical signal flowing through the loop of the output switch and the electrical signal driving the load 32. For example, diodes (the first diode 14 and the second diode 24) are arranged between the output switches and the load 32 and the output signals of the two output modules are paralleled through these diodes; the load-driving signals (LB1 and RB1) are sampled at the diode inputs and the output state signals (LB2 and RB2) at the diode outputs, and these two self-check readback values form the readback signal.
In this embodiment, the first-stage risk decision and the second-stage risk decision are independent of each other and do not interfere with each other, and the fault output module can always achieve the purpose of risk degradation by actively switching off the output switch or passively switching off the main switch. And, through the unified diagnosis strategy of 'output module self-checking + control module 100 diagnosis', the accuracy of output end diagnosis is improved.
In some embodiments, the control module 100 stores the output instruction; the first output module 10 and the second output module 20 each generate a readback signal after receiving the output instruction from the control module 100 and upload it to the control module 100, which compares the readback signal of each output module with the output instruction, determines an output module whose comparison is inconsistent to be a faulty output module and an output module whose comparison is consistent to be a redundant output module.
Referring to fig. 5, LB1 and LB2 are self-checking readback signals of the first output module 10, RB1 and RB2 are self-checking readback signals of the second output module 20, and each output module uploads the self-checking readback signals to the control module 100 in real time for unified processing, and the control module 100 makes a risk degradation decision, as shown in table 1 specifically:
TABLE 1 two-stage risk degradation decision table
Fig. 5 is a schematic structural diagram of the risk degradation device of the preferred embodiment, as shown in fig. 5, in some embodiments, the first processing unit 11 includes a first processor 15 and a second processor 16, the first processor 15 is communicatively connected to the second processor 16, the first processor 15 is connected to the controlled end of the second main switch 22, and the second processor 16 is connected to the controlled end of the first output switch 13; the second processing unit 21 comprises a third processor 25 and a fourth processor 26, the third processor 25 is communicatively connected to the fourth processor 26, the third processor 25 is connected to the controlled end of the first main switch 12, and the fourth processor 26 is connected to the controlled end of the second output switch 23.
In this embodiment, the first processor 15 receives the output instruction from the control module 100 and passes it to the second processor 16 to control the first output switch 13. The second processor 16 collects the readback signal and passes it to the first processor 15; the first processor 15 compares the readback signal with the output instruction of the control module 100 and, if they are inconsistent, sends a second degradation control instruction to the second processor 16 to open the first output switch 13.
The third processor 25 receives the output instruction from the control module 100 and passes it to the fourth processor 26 to control the second output switch 23. The fourth processor 26 collects the readback signal and passes it to the third processor 25; the third processor 25 compares the readback signal with the output instruction of the control module 100 and, if they are inconsistent, sends a second degradation control instruction to the fourth processor 26 to open the second output switch 23.
In addition, the first processor 15 and the third processor 25 upload their readback signals to the control module 100, which compares the readback signal of each output module with the output instruction. If the readback signal of the first output module 10 is inconsistent with the output instruction, the control module 100 sends a first degradation control instruction to the second output module 20 instructing the third processor 25 to open the first main switch 12; if the readback signal of the second output module 20 is inconsistent with the output instruction, the control module 100 sends a first degradation control instruction to the first output module 10 instructing the first processor 15 to open the second main switch 22.
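The two-stage decision just described (the three cases of the control module's decision, each module's own readback comparison, and the split between the processor that compares and the processor that drives the switch) can be put into a small model that shows both stages acting independently. The C program below is an added example and not the patent's code; the two fault injections (a command inverted on its way to the second processor, and a second-stage check that simply does not execute) and the treatment of the "both inconsistent" case, which the text does not cover, are assumptions made for the illustration. The readback of each module is taken at the diode input of its own path (LB1/RB1) and at the load side (LB2/RB2), and the control module compares the former with the output instruction.

```c
/* Added example (not the patent's code): a model of the two-stage risk
 * degradation decision.  Stage two is the module's own readback check that
 * opens its output switch; stage one is the control module's comparison of the
 * uploaded readback with the output instruction, answered by telling the
 * redundant module to open the faulty module's main switch.  The fault
 * injections (a corrupted command path, a self-check that does not execute)
 * are constructed for the illustration. */
#include <stdbool.h>

typedef struct {
    bool main_sw_closed;      /* controlled end owned by the PEER module's first/third processor */
    bool output_sw_closed;    /* controlled end owned by the own second/fourth processor */
    bool cmd_path_fault;      /* injected: command is inverted on its way to the second processor */
    bool self_check_abnormal; /* injected: second-stage degradation logic does not execute */
    bool self_degraded;       /* second degradation instruction has been applied */
} output_module_t;

typedef struct { bool lb1; bool lb2; } readback_t;   /* LB1/RB1: own path; LB2/RB2: load side */

static bool path_conducts(const output_module_t *m)
{
    return m->main_sw_closed && m->output_sw_closed;
}

/* Outputs are paralleled through diodes: the load is driven by either path. */
bool load_driven(const output_module_t *a, const output_module_t *b)
{
    return path_conducts(a) || path_conducts(b);
}

/* The second (or fourth) processor drives the output switch from the command it received. */
void module_apply_command(output_module_t *m, bool cmd)
{
    m->output_sw_closed = cmd ^ m->cmd_path_fault;
}

readback_t collect_readback(const output_module_t *self, const output_module_t *peer)
{
    readback_t r = { path_conducts(self), load_driven(self, peer) };
    return r;
}

/* Stage two: the first (or third) processor compares the readback with the
 * command and, on mismatch, sends the second degradation instruction that
 * opens the own output switch.  Returns true when the module degraded itself. */
bool module_self_check(output_module_t *m, bool cmd, readback_t rb)
{
    if (m->self_check_abnormal)         /* the undetectable-fault case: nothing happens */
        return false;
    if (rb.lb1 != cmd) {
        m->output_sw_closed = false;
        m->self_degraded = true;
        return true;
    }
    return false;
}

typedef enum { ACT_NONE, ACT_OPEN_MAIN_1, ACT_OPEN_MAIN_2, ACT_BOTH_FAULT } action_t;

/* Stage one: the control module compares each uploaded readback with the
 * output instruction; the consistent module is the redundant one and receives
 * the first degradation instruction.  Both inconsistent is outside the three
 * cases in the text and is only flagged here (assumption). */
action_t control_module_decide(bool cmd, readback_t rb1, readback_t rb2)
{
    bool fault1 = rb1.lb1 != cmd, fault2 = rb2.lb1 != cmd;
    if (!fault1 && !fault2) return ACT_NONE;          /* case (1) */
    if (fault1 && !fault2)  return ACT_OPEN_MAIN_1;   /* case (2): module 2 opens main switch 12 */
    if (fault2 && !fault1)  return ACT_OPEN_MAIN_2;   /* case (3): module 1 opens main switch 22 */
    return ACT_BOTH_FAULT;
}

void apply_first_degradation(action_t a, output_module_t *m1, output_module_t *m2)
{
    if (a == ACT_OPEN_MAIN_1) m1->main_sw_closed = false;  /* third processor acts on switch 12 */
    if (a == ACT_OPEN_MAIN_2) m2->main_sw_closed = false;  /* first processor acts on switch 22 */
}

/* One control cycle: command out, self-checks, readback upload, control decision. */
action_t run_cycle(bool cmd, output_module_t *m1, output_module_t *m2)
{
    module_apply_command(m1, cmd);
    module_apply_command(m2, cmd);
    module_self_check(m1, cmd, collect_readback(m1, m2));
    module_self_check(m2, cmd, collect_readback(m2, m1));
    action_t a = control_module_decide(cmd, collect_readback(m1, m2), collect_readback(m2, m1));
    apply_first_degradation(a, m1, m2);
    return a;
}
```

With the command OFF and module 1's command path inverted, a working second stage opens module 1's output switch and the control module sees consistent readbacks, so the main switches stay closed. If module 1's second stage does not execute, its path keeps driving the load until the control module, comparing the uploaded readback with the OFF instruction, has module 2 open main switch 12; the load is then de-energised by the switch the faulty module does not control.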
In practice, the circuits on the load 32 side are prone to malfunction, particularly the second processor 16 and the fourth processor 26. In this embodiment, if the second processor 16 fails, the first processor 15 may normally execute the service logic, and if the fourth processor 26 fails, the third processor 25 may normally execute the service logic. By providing a plurality of processors at the processing unit, the reliability of the risk degrading apparatus can be enhanced.
In some embodiments, the first processor 15 and the second processor 16 are electrically isolated from each other; the third processor 25 and the fourth processor 26 are electrically isolated from each other. So configured, electrical isolation between the risk-degrading device and the load 32 is achieved, thereby enhancing the safety of the risk-degrading device.
In some preferred embodiments, on-board communication takes place between the first processor 15 and the second processor 16 of the first processing unit 11, and data frame verification is used to ensure the correctness, integrity and timeliness of the transferred data. When a fault of the first output module 10 causes the communication between the first processor 15 and the second processor 16 to fail, the first processing unit 11 starts maintaining a communication timeout counter once it detects the communication failure, and when the timeout counter exceeds a preset value the first processing unit 11 drives the first output switch 13 to the open state. The flow by which the processing unit controls the output switch is shown in fig. 6, a flowchart of the processing unit controlling the output switch in the preferred embodiment, and comprises the following steps:
In step S51, the first processing unit establishes a communication connection with the control module, and receives an output instruction of the control module.
Step S52, judging whether the communication is overtime; if yes, go to step S60; if not, step S52 is performed.
In step S53, the first processor receives the data frame and checks it.
Step S54, judging whether the communication is wrong; if yes, go to step S64; if not, step S55 is performed.
In step S55, the first processor and the second processor establish a communication connection, and forward an output instruction to the second processor.
Step S56, judging whether the communication is overtime; if yes, go to step S69; if not, step S57 is performed.
In step S57, the second processor receives the data frame and checks it.
Step S58, judging whether the communication is wrong; if yes, go to step S73; if not, step S59 is executed.
In step S59, the second processor controls the state of the first output switch according to the output instruction.
In step S60, the communication timeout counter counts.
Step S61, judging whether the counter is 0; if yes, return to step S51; if not, step S62 is performed.
Step S62, judging whether the counter exceeds a preset value; if yes, go to step S68; if not, step S63 is performed.
Step S63, a counter is maintained, and step S61 is returned.
In step S64, the communication error counter counts.
Step S65, judging whether the error counter is 0; if yes, return to step S53; if not, step S66 is performed.
Step S66, judging whether the counter exceeds a preset value; if yes, go to step S68; if not, step S67 is performed.
Step S67, a counter is maintained, and step S65 is returned.
In step S68, the first processor controls the first output switch to be turned off.
Step S69, the communication timeout counter counts.
Step S70, judging whether the counter is 0; if yes, return to step S55; if not, step S71 is performed.
Step S71, judging whether the counter exceeds a preset value; if yes, go to step S77; if not, step S72 is performed.
Step S72, a counter is maintained, and step S70 is returned.
Step S73, the communication error counter counts.
Step S74, judging whether the counter is 0; if yes, return to step S57; if not, step S75 is performed.
Step S75, judging whether the counter exceeds a preset value; if yes, go to step S77; if not, step S76 is performed.
Step S76, the counter is maintained, and step S74 is returned.
In step S77, the second processor controls the first output switch to be turned off.
Similarly, the second processing unit 21 and the first processing unit 11 have similar arrangements, and will not be described herein.
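The supervision loop of steps S51 to S77, written out as an added example (not code from the patent or its applicant): a processing unit keeps a communication timeout counter and a communication error counter, each compared against a preset value, and drives its output switch off when either is exceeded. The data frame format (sequence byte, command byte, CRC-32), the preset values, the counter "maintenance" rule (decay towards 0 while the link is healthy) and all names are assumptions.

```python
"""Simulation of a processing unit supervising its on-board link (steps S51-S77).
Added example, not the patent's code; frame format, preset values and the
counter maintenance rule are assumptions."""

import zlib
from dataclasses import dataclass

TIMEOUT_PRESET = 3   # assumed preset value for the communication timeout counter
ERROR_PRESET = 3     # assumed preset value for the communication error counter
FRAME_LEN = 6        # sequence byte + command byte + 4-byte CRC-32 (assumed)


def build_frame(seq: int, command: int) -> bytes:
    """Encode one data frame: sequence number, command (1 = close switch), CRC-32."""
    body = bytes([seq & 0xFF, command & 0xFF])
    return body + zlib.crc32(body).to_bytes(4, "big")


def check_frame(frame: bytes, expected_seq: int):
    """Data frame verification (S53/S57): length and CRC give integrity,
    the sequence number gives timeliness (stale or replayed frames are
    rejected). Returns the command, or None for a communication error."""
    if len(frame) != FRAME_LEN:
        return None
    body, crc = frame[:2], int.from_bytes(frame[2:], "big")
    if zlib.crc32(body) != crc:
        return None
    if body[0] != expected_seq & 0xFF:
        return None
    return body[1]


@dataclass
class ProcessingUnit:
    switch_closed: bool = False   # state of the output switch this unit drives
    timeout_counter: int = 0
    error_counter: int = 0
    expected_seq: int = 0
    tripped: bool = False         # once turned off by S68/S77 the unit stays off

    def cycle(self, frame):
        """One communication cycle. frame=None models a timeout (S52, S60-S63);
        anything else is verified (S53/S54, S64-S67). Returns the switch state."""
        if self.tripped:
            return self.switch_closed
        if frame is None:
            self.timeout_counter += 1                  # S60: counter counts
            if self.timeout_counter > TIMEOUT_PRESET:  # S62: exceeds preset
                self._trip()                           # S68: switch off
            return self.switch_closed
        # A frame arrived: the timeout counter is maintained (S63); here it
        # decays towards 0, which is an assumed rule.
        if self.timeout_counter > 0:
            self.timeout_counter -= 1
        command = check_frame(frame, self.expected_seq)
        if command is None:
            self.error_counter += 1                    # S64: error counter counts
            if self.error_counter > ERROR_PRESET:      # S66: exceeds preset
                self._trip()
            return self.switch_closed
        if self.error_counter > 0:
            self.error_counter -= 1                    # S67: maintain (assumed decay)
        self.expected_seq = (self.expected_seq + 1) & 0xFF
        self.switch_closed = bool(command)             # S59: switch follows command
        return self.switch_closed

    def _trip(self):
        self.switch_closed = False
        self.tripped = True


def run(frames):
    """Feed a sequence of frames (None = nothing received) to a fresh unit."""
    unit = ProcessingUnit()
    for frame in frames:
        unit.cycle(frame)
    return unit


if __name__ == "__main__":
    good = [build_frame(i, 1) for i in range(5)]   # constructed sample traffic
    print("healthy link, switch closed:", run(good).switch_closed)
    print("link lost for 4 cycles, tripped:", run(good + [None] * 4).tripped)
```

The two counters are kept separate on purpose: a silent link and a link that delivers corrupt or replayed frames are different failure modes, and the flow in fig. 6 tolerates a bounded burst of either before forcing the output switch to the safe (open) state.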
In some embodiments, the first output module 10 and the second output module 20 exchange their in-place status over a communication link; the first output module 10 is configured to detect the in-place state of the second output module 20, maintain a redundant pairing state flag according to that in-place state, and upload the redundant pairing state flag to the control module 100; the second output module 20 is configured to detect the in-place state of the first output module 10, maintain a redundant pairing state flag according to that in-place state, and upload the redundant pairing state flag to the control module 100. For example, a redundant pairing state flag of 0 indicates that the paired output module is in the non-in-place state, and a redundant pairing state flag of 1 indicates that the paired output module is in the in-place state. The control module 100 may determine whether a faulty output module exists according to the redundant pairing state flags, and if a faulty output module exists, the control module 100 sends an alarm prompt to prompt a worker to repair the faulty output module.
In some embodiments, the control module 100 is configured to start time-out timing for the target output module reporting the redundant pairing failure after receiving the redundant pairing status flag indicating that the paired output module is in the non-in-place status, determine that the target output module is not maintained when the timing length reaches a preset condition, and send a second degradation control instruction to the target output module to instruct the target output module to turn off the output switch thereof.
For example, the control module 100 is provided with a timeout counter (TimeoutCounter) corresponding to each output module, and the control module 100 maintains the timeout counter of each output module according to the redundant pairing status flag reported by each output module, where the initial value of the timeout counter of each output module is 0.
The control module 100 maintains a timeout time for the timeout counter, which may be configured as a predetermined maintenance time MTTR.
If the first output module 10 detects that the other party is not in place (redundant communication fault or disconnection), the first output module 10 sets its own redundant pairing state flag PairLst_flag=1 and the control module 100 starts the timeout counter; if the timeout counter is >0 and exceeds the predetermined maintenance time MTTR, the control module 100 issues a second degradation control instruction to the first output module 10 to instruct the first output module 10 to turn off its own output switch.
In this way, if one of the two mutually redundant output modules is in the non-in-place state (redundant communication failure or disconnection), then even though the other output module is currently operating normally, there is no guarantee that it remains normal in subsequent operation, and if that output module becomes abnormal its output switch may not be turned off automatically. To avoid this problem, the embodiment starts timeout timing for the target output module that reports the redundant pairing fault; if the target output module has not been maintained when the timeout expires, a second degradation control instruction is issued to the target output module and its output switch is turned off in time, so that the system is guided to the preset safe state.
In some embodiments, the first output module 10 is configured to update the redundant pairing status flag and upload the updated redundant pairing status flag to the control module 100 when the second output module 20 is detected to be in the in-place status; the second output module 20 is configured to update the redundant pairing state flag and upload the updated redundant pairing state flag to the control module 100 when detecting that the first output module 10 is in the in-place state; the control module 100 is configured to stop timing the corresponding output module in the non-in-place state and perform decrementing processing on the timeout counter according to the updated redundant pairing status flag.
For example, if the second output module 20 returns to the in-place state during the timeout counting period, the first output module 10 releases the pairing loss fault and sets PairLst_flag=0, and the control module 100 processes the timeout counter according to the "+2, -1" fault recovery acknowledgement principle: the counter is incremented by 2 for every communication cycle in which the fault is present and decremented by 1 for every cycle in which it is absent. That is, if the fault persisted for 100 communication cycles and the timeout counter has therefore accumulated to 200, the first output module 10 must continuously upload PairLst_flag=0 for 200 communication cycles before the timeout counter is decremented to 0.
According to the embodiment, the problem that a plurality of faults affect the correct output of the system can be solved, namely when a single fault occurs, the user is prompted to repair through pairing loss alarm, if the user does not process the alarm fault within the set repair time, the system considers that the subsequent fault can cause the dangerous condition of system error output, and therefore the output switch of the target output module for reporting the redundant pairing fault is actively turned off when the count is overtime.
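The control-module side of the pairing-loss supervision, as an added example (not code from the patent or its applicant): one TimeoutCounter per output module, driven by the PairLst_flag uploaded each communication cycle, with the "+2, -1" fault recovery acknowledgement and the MTTR threshold. The predetermined maintenance time MTTR is expressed here in communication cycles, and that unit, the thresholds and all names are assumptions.

```python
"""Control module TimeoutCounter with "+2, -1" recovery acknowledgement.
Added example, not the patent's code; MTTR in cycles and names are assumptions."""

MTTR_CYCLES = 500   # assumed predetermined maintenance time, in communication cycles


class PairingSupervisor:
    """Keeps one TimeoutCounter per output module, initial value 0."""

    def __init__(self, mttr: int = MTTR_CYCLES):
        self.mttr = mttr
        self.counters: dict = {}

    def report(self, module: str, pair_lost: bool) -> str:
        """Consume one uploaded PairLst_flag (True means 1: paired module not in
        place). Returns the decision for this cycle: 'OK', 'ALARM' (pairing-loss
        alarm, repair prompted) or 'SECOND_DEGRADATION' (counter exceeded MTTR:
        the module must turn its own output switch off)."""
        counter = self.counters.get(module, 0)
        if pair_lost:
            counter += 2                 # fault present: +2 per cycle
        elif counter > 0:
            counter -= 1                 # fault released: -1 per cycle
        self.counters[module] = counter
        if counter == 0:
            return "OK"
        if counter > self.mttr:
            return "SECOND_DEGRADATION"
        return "ALARM"


def simulate(flags, mttr: int = MTTR_CYCLES):
    """Run a sequence of PairLst_flag values for one module. Returns the final
    counter value and the index of the first cycle that issued the second
    degradation control instruction (None if it was never issued)."""
    sup = PairingSupervisor(mttr)
    first_degradation = None
    for i, flag in enumerate(flags):
        decision = sup.report("first_output_module", flag)
        if decision == "SECOND_DEGRADATION" and first_degradation is None:
            first_degradation = i
    return sup.counters.get("first_output_module", 0), first_degradation


if __name__ == "__main__":
    # The worked case from the description: 100 faulted cycles accumulate 200,
    # and 200 clean cycles are then needed to clear the counter.
    print(simulate([True] * 100 + [False] * 200))   # (0, None)
    print(simulate([True] * 251))                   # degradation once counter > MTTR
```

The asymmetric "+2, -1" rule means a fault that flickers on and off still drifts the counter upward (net +1 per on/off pair), so an intermittent redundant-link failure cannot indefinitely dodge the MTTR deadline by briefly recovering.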
In some embodiments, multiple risk degradation devices may be connected in series to build a 2oo4d safety system voting degradation architecture, where the numeral 2 represents the number of channels needed to perform the safety function and the numeral 4 represents the total number of channels available.
Based on the risk degradation apparatus of the foregoing embodiments, the present embodiment further provides a risk degradation method, which is applied to the risk degradation apparatus of any one of the foregoing embodiments. Fig. 7 is a flowchart of the risk degradation method of the embodiment of the present application; as shown in fig. 7, the flow includes the following steps:
Step S701, obtaining the review signals uploaded by the first output module and the second output module.
Referring to fig. 1-6, the control module 100 obtains the review signals uploaded by the first output module 10 and the second output module 20.
Step S702, detecting whether a faulty output module exists according to the review signals.
The control module 100 detects whether the first output module 10 has a fault according to the review signal of the first output module 10, and detects whether the second output module 20 has a fault according to the review signal of the second output module 20.
In some embodiments, the control module 100 stores an output instruction. Before detecting whether a faulty output module exists, the control module 100 issues the output instruction to each output module; after receiving the review signal fed back by each output module, it compares that review signal with the output instruction, determines an output module whose comparison result is inconsistent as a faulty output module, and determines an output module whose comparison result is consistent as a redundant output module.
In step S703, if a faulty output module is detected, a first degradation control instruction is sent to the redundant output module that has no fault, so as to instruct the redundant output module to disconnect the main switch of the faulty output module.
For example, when a failure of the first output module 10 is detected and the second output module 20 has not failed, a first degradation control instruction is sent to the second output module 20 to instruct the second output module 20 to open the first main switch 12 of the first output module 10. When the second output module 20 fails and the first output module 10 has not failed, a first degradation control instruction is sent to the first output module 10 to instruct the first output module 10 to open the second main switch 22 of the second output module 20.
By the embodiment, the problem that the system risk cannot be degraded due to undetectable faults or abnormal execution of the risk degradation logic of the output channel is solved, and effective degradation of the system risk is realized.
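Steps S701 to S703 as an added example (not code from the patent or its applicant): each output module drives its own output switch on the output instruction, while its main switch is wired to the redundant module's processor. The control module compares each channel's review signal with the instruction and, for a module whose review signal is inconsistent, sends the first degradation control instruction to the healthy module, which opens the faulty module's main switch. The parallel channel wiring, the stuck-switch fault injection and all names are assumptions.

```python
"""Cross-tripping of a faulty output module's main switch (steps S701-S703).
Added example, not the patent's code; wiring model and names are assumptions."""

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class OutputModule:
    name: str
    main_closed: bool = True               # main switch, opened only by the peer
    output_closed: bool = False            # output switch, driven by own processor
    stuck_output: Optional[bool] = None    # injected fault: output switch stuck
    degraded: bool = False                 # main switch has been cross-tripped
    peer: Optional["OutputModule"] = field(default=None, repr=False)

    def apply(self, on: bool) -> None:
        """Own processor drives the output switch; a stuck switch ignores it."""
        self.output_closed = on if self.stuck_output is None else self.stuck_output

    def review_signal(self) -> bool:
        """Review signal: current flows through this channel's output switch loop
        only when both the main switch and the output switch are closed."""
        return self.main_closed and self.output_closed

    def open_peer_main_switch(self) -> None:
        """Executes the first degradation control instruction on the peer."""
        self.peer.main_closed = False


class ControlModule:
    def __init__(self, first: OutputModule, second: OutputModule):
        first.peer, second.peer = second, first
        self.modules = (first, second)

    def issue(self, on: bool):
        """S701-S703: send the output instruction, collect review signals,
        compare them with the instruction, and cross-trip the main switch of
        every inconsistent module via a consistent one. Returns the
        degradation instructions issued as (kind, executor, target) tuples."""
        active = [m for m in self.modules if not m.degraded]
        for m in active:
            m.apply(on)
        faulty = [m for m in active if m.review_signal() != on]
        healthy = [m for m in active if m.review_signal() == on]
        actions = []
        # If both channels disagree with the instruction there is no healthy
        # executor left; that case is outside this cross-trip path.
        for f in faulty:
            for h in healthy:
                h.open_peer_main_switch()
                f.degraded = True
                actions.append(("FIRST_DEGRADATION", h.name, f.name))
        return actions

    def load_energized(self) -> bool:
        """Channels are modelled in parallel: the load is driven if either conducts."""
        return any(m.review_signal() for m in self.modules)


def demo():
    """Constructed scenario: channel 1's output switch sticks closed, so an
    OFF instruction cannot be carried out by channel 1 itself."""
    m1, m2 = OutputModule("first"), OutputModule("second")
    cm = ControlModule(m1, m2)
    m1.stuck_output = True                 # injected fault (assumption)
    cm.issue(True)                         # both review signals consistent: no action
    actions = cm.issue(False)              # channel 1 disagrees: peer opens its main switch
    off_after_trip = not cm.load_energized()
    cm.issue(True)                         # channel 2 alone still drives the load
    return actions, off_after_trip, cm.load_energized()


if __name__ == "__main__":
    print(demo())   # ([('FIRST_DEGRADATION', 'second', 'first')], True, True)
```

The point the model makes visible is that a module whose own output switch no longer obeys it cannot de-energize its channel, and neither can the control module directly; the only path to a safe state is through the other module's processor holding the faulty channel's main switch, which is exactly the wiring claim 1 requires.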
In some embodiments, the control module 100 obtains the redundant pairing status flag of the first output module 10 and obtains the redundant pairing status flag of the second output module 20, and the control module 100 determines whether the paired output modules (the first output module 10 and the second output module 20 are paired output modules) are in an in-place state according to the redundant pairing status flag generated by each output module, and if there is an output module in an out-of-place state, an alarm prompt is sent.
In some of these embodiments, after receiving the first redundant pairing state flag indicating that the paired output module is in a non-in-place state, the control module 100 starts a timeout timer for the target output module that reported the redundant pairing failure; when the timeout period reaches the preset condition, the control module 100 determines that the target output module is not maintained, and sends a second degradation control instruction to the target output module to instruct the target output module to turn off the output switch thereof.
In some embodiments, when the target output module detects that the paired output module is in the in-place state, the control module 100 acquires a second redundant paired state flag generated by the target output module, where the second redundant paired state flag is used to indicate that the paired output module is in the in-place state; the control module 100 stops the timeout timing of the target output module according to the second redundant pairing status flag, and decrements the timeout counter.
It should be understood that the specific embodiments described herein are merely illustrative of this application and are not intended to be limiting. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure in accordance with the embodiments provided herein.
It is to be understood that the drawings are merely illustrative of some embodiments of the present application and that it is possible for those skilled in the art to adapt the present application to other similar situations without the need for inventive work. In addition, it should be appreciated that while the development effort might be complex and lengthy, it would nevertheless be a routine undertaking of design, fabrication, or manufacture for those of ordinary skill having the benefit of this disclosure, and thus should not be construed as a departure from the disclosure.
The term "embodiment" in this disclosure means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive. It will be clear or implicitly understood by those of ordinary skill in the art that the embodiments described in the present application can be combined with other embodiments without conflict.
The above examples merely represent a few embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the patent claims. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of the application should be assessed as that of the appended claims.

Claims (10)

1. A risk degradation apparatus, comprising: a control module, and a first output module and a second output module that are redundant to each other, wherein the first output module includes a first processing unit and a first main switch, and the second output module includes a second processing unit and a second main switch; wherein,
The control module is connected with the first processing unit and with the second processing unit, respectively;
One connection end of each of the first main switch and the second main switch is connected with an excitation source, and the other connection end of each of the first main switch and the second main switch is connected with a load;
The first processing unit is connected with the controlled end of the second main switch, and the second processing unit is connected with the controlled end of the first main switch;
The control module is used for detecting whether a faulty output module exists according to the review signals uploaded by the output modules, and, when a faulty output module is detected, sending a first degradation control instruction to the processing unit of the corresponding redundant output module, so as to instruct the processing unit of the redundant output module to disconnect the main switch of the faulty output module.
2. The risk degradation device of claim 1, wherein the first output module comprises a first output switch, a controlled end of the first output switch being connected to the first processing unit, one connection end of the first output switch being connected to the first main switch, and the other connection end of the first output switch being configured to be connected to the load; the second output module comprises a second output switch, a controlled end of the second output switch being connected to the second processing unit, one connection end of the second output switch being connected to the second main switch, and the other connection end of the second output switch being configured to be connected to the load; wherein,
The first processing unit is used for detecting, according to the review signal, whether the first processing unit has a fault, and if so, controlling the first output switch to be disconnected so as to cut off the electrical path between the first main switch and the load;
And the second processing unit is used for detecting, according to the review signal, whether the second processing unit has a fault, and if so, controlling the second output switch to be disconnected so as to cut off the electrical path between the second main switch and the load.
3. The risk degradation device of claim 2, wherein the review signal of the first output module comprises an electrical signal flowing through the loop of the first output switch and an electrical signal driving the load, and the review signal of the second output module comprises an electrical signal flowing through the loop of the second output switch and an electrical signal driving the load.
4. The risk degradation device of claim 2, wherein the first processing unit comprises a first processor and a second processor, the first processor being communicatively connected to the second processor, the first processor being connected to the controlled end of the second main switch, and the second processor being connected to the controlled end of the first output switch; the second processing unit comprises a third processor and a fourth processor, the third processor being communicatively connected to the fourth processor, the third processor being connected to the controlled end of the first main switch, and the fourth processor being connected to the controlled end of the second output switch; the first processor is communicatively connected to the third processor; wherein,
The second processor is used for collecting a review signal and sending the review signal to the first processor; the first processor is used for generating a second degradation control instruction according to the review signal and sending the second degradation control instruction to the second processor, so as to instruct the second processor to control the state of the first output switch according to the second degradation control instruction; and the first processor is also used for controlling the state of the second main switch under the control of the control module;
The fourth processor is used for collecting a review signal and sending the review signal to the third processor; the third processor is used for generating a second degradation control instruction according to the review signal and sending the second degradation control instruction to the fourth processor, so as to instruct the fourth processor to control the state of the second output switch according to the second degradation control instruction; and the third processor is also used for controlling the state of the first main switch under the control of the control module.
5. The risk degradation apparatus of claim 4, wherein the first processor and the second processor are electrically isolated from each other, and the third processor and the fourth processor are electrically isolated from each other.
6. A risk degradation method applied to the risk degradation device of any one of claims 1 to 5, characterized in that the method comprises:
acquiring the review signals uploaded by the first output module and the second output module;
detecting whether a faulty output module exists according to the review signals;
And, when a faulty output module is detected, sending a first degradation control instruction to the redundant output module that has no fault, so as to instruct the redundant output module to disconnect the main switch of the faulty output module.
7. The risk degradation method of claim 6, wherein detecting whether a faulty output module exists comprises:
Comparing the review signal of each output module with the output instruction, determining an output module whose comparison result is inconsistent as the faulty output module, and determining an output module whose comparison result is consistent as the redundant output module.
8. The risk degradation method of claim 6, further comprising:
Obtaining a redundant pairing state flag generated by the first output module after it detects the in-place state of the second output module, and obtaining a redundant pairing state flag generated by the second output module after it detects the in-place state of the first output module;
Judging, according to the redundant pairing state flags generated by the output modules, whether the paired output modules are in the in-place state, and if an output module in the out-of-place state exists, sending out an alarm prompt.
9. The risk degradation method of claim 8, wherein, after receiving a first redundant pairing state flag indicating that the paired output module is in the non-in-place state, the method further comprises:
Starting timeout timing for the target output module reporting the redundant pairing fault;
And when the timeout timing length reaches a preset condition, determining that the target output module has not been maintained, and sending a second degradation control instruction to the target output module to instruct the target output module to disconnect its output switch.
10. The risk degradation method of claim 9, wherein, in the event that the target output module detects that the paired output module is in the in-place state, the method further comprises:
acquiring a second redundant pairing state flag generated by the target output module, wherein the second redundant pairing state flag is used for indicating that the paired output module is in the in-place state;
And stopping the timeout timing of the target output module according to the second redundant pairing state flag, and decrementing the timeout counter.
CN202110753214.6A 2021-07-02 2021-07-02 Risk degradation device and risk degradation method Active CN113541672B (en)

Publications (2)

Publication Number Publication Date
CN113541672A CN113541672A (en) 2021-10-22
CN113541672B true CN113541672B (en) 2024-04-23


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant