CN116774666B - A method and device for IO diagnosis of measurement and control equipment - Google Patents
A method and device for IO diagnosis of measurement and control equipmentInfo
- Publication number
- CN116774666B CN116774666B CN202210230483.9A CN202210230483A CN116774666B CN 116774666 B CN116774666 B CN 116774666B CN 202210230483 A CN202210230483 A CN 202210230483A CN 116774666 B CN116774666 B CN 116774666B
- Authority
- CN
- China
- Prior art keywords
- processor
- switch
- output
- diagnosis
- measurement
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Landscapes
- Safety Devices In Control Systems (AREA)
Abstract
本发明涉及一种高安全完整性测控设备IO诊断方法及装置。测控装置由两路冗余的测控单元组成,测控单元的逻辑控制部分进行逻辑处理和输出控制,诊断过程中输出部分会输出控制信号,当两个控制器都接收到输出反馈信号,诊断IO输出正常,否则诊断为IO输出输出错误。本发明解决了控制器IO输出的安全动作问题,通过两路侧空单元的冗余输出,提高了测控装置输出的可靠性,通过脉冲诊断的方式,提高了测控装置输出的安全性。本发明可满足测控设备IO输出高安全完整性要求,具有很大的应用推广空间。
The present invention relates to a method and device for IO diagnosis of high-safety integrity measurement and control equipment. The measurement and control device is composed of two redundant measurement and control units. The logic control part of the measurement and control unit performs logic processing and output control. During the diagnosis process, the output part outputs a control signal. When both controllers receive the output feedback signal, the IO output is diagnosed as normal. Otherwise, it is diagnosed as an IO output error. The present invention solves the problem of safe action of the controller IO output. The reliability of the measurement and control device output is improved through the redundant output of the two-way side air unit. The safety of the measurement and control device output is improved through pulse diagnosis. The present invention can meet the high safety integrity requirements of the measurement and control equipment IO output and has a large application and promotion space.
Description
Technical Field
The invention belongs to the field of industrial control instruments, and particularly provides an IO diagnosis method and device for high-safety-integrity measurement and control equipment.
Background
Functional safety systems, also known as Safety Instrumented Systems (SIS) or emergency shutdown systems (ESD), are functionally safe systems. The safety instrument system consists of high safety integrity measurement and control equipment, comprises a sensor, a controller and an executing mechanism, is mainly used in industrial production, protects operators and production equipment, avoids accidents seriously endangering the life safety of the operators, and has higher Safety Integrity Level (SIL) requirements on the safety instrument system because the functional safety is the embodiment of whether the safety instrument system can effectively execute the safety function of the safety instrument system and is the last guarantee before dangerous accidents happen.
A hardware random failure is a time-random, fixed-outcome failure, regardless of the source of the failure, the end result is always an output error or a behavioral error. If a redundant structure is adopted, whether an error or failure occurs can be judged by comparing the calculation results of the parallel operation of the multiple components. Conventional systems often employ a single channel structure, i.e., a linear 1oo1 (1 out of 1) structure without redundancy, but the structure cannot guarantee reliability nor safety.
From the development technology of functional safety products, redundancy and fault tolerance are popular methods of international safety design, and the usability of the system under the condition of faults is ensured through the multiplexing design of the system, such as multiple controllers, multiple IO, multiple power supplies and the like. By adding technical measures such as voting, diagnosis and the like in the system, the safe operation of the system under the fault condition is checked. Common redundancy structures include dual channel redundancy 1oo2, three channel redundancy 2oo3, and redundancy greater than four times more is rare, mainly because of cost and efficiency issues. The redundant architecture application includes two kinds, one is a reliability application and one is a security application. The reliability application is mainly to ensure the reliability of the system, such as dual hot standby or cold standby, but the voting structure is not needed, and the accuracy of the calculation result is not needed to be considered. Reliability application emphasis is placed on the ability to provide continuous service, while the accuracy requirements of the results are less stringent. The emphasis of security applications is on the correctness of the result, if the security function of an application is to output a high level, the output high level must output a high level, and the output low level cannot be output. The security application is similar to 'algorithm', a plurality of channels work simultaneously, the results are compared, if the results are the same or acceptable (for example, two results in 2oo3 are consistent), the results are considered to be correct, otherwise, the security output is needed. It can be seen that the two most differ in that reliability applications typically do not have a voting mechanism, whereas security applications typically contain a voting mechanism.
Another effective means of improving the safety integrity of measurement and control devices during diagnostics, for safety-related applications of electronic/electrical/programmable components, is to discover and process early in random failures, avoiding dangerous failures. Particularly, the control part of the actuator is an inductive element, such as a relay, and the high-frequency pulse is smoothed by the inductor, so that the high-frequency pulse does not affect normal operation, and after the output pulse, the output state can be judged by feeding back the high-frequency pulse, thereby completing diagnosis of the output.
In the current system design process, the safety integrity of the system is improved through higher-order redundancy, and the cost is high. Therefore, in view of cost, the invention combines redundancy and diagnosis technologies, adds diagnosis measures on the basis of redundancy to improve the diagnosis capability of the system so as to make up the defect caused by insufficient redundancy quantity, and adds the diagnosis measures through the 1oo2 system to achieve the same safety and integrity capability as that of the 2oo3 system.
Disclosure of Invention
Aiming at the defects in the prior art, the technical problem to be solved by the invention is to provide the IO diagnosis method and the device for the high-safety-integrity measurement and control equipment, which are mainly used for the IO output diagnosis function of the measurement and control equipment. According to the design, the reliability of the output of the measurement and control device is improved through the design of the two paths of redundant units according to the high safety integrity technology of the measurement and control device, and the safety of the output of the measurement and control device is improved through a pulse diagnosis mode. The invention can effectively diagnose the IO output function of the measurement and control equipment by adding the IO output diagnosis pulse into the 1oo2 system, has the characteristics of simple structure and high safety performance, and has wide application and popularization values.
The technical scheme adopted by the invention for realizing the purposes is that the IO diagnosis device of the high-safety-integrity measurement and control equipment comprises two measurement and control units;
The measurement and control unit comprises:
the processor is used for generating an output pulse control command to the output module, receiving a feedback pulse signal acquired by the output module and performing pulse diagnosis;
and the output module is used for receiving the feedback pulse signal of the switch, feeding back the feedback pulse signal to the processor and sending a pulse control command of the processor to the switch.
The two processors are redundant, and data exchange and clock synchronization are performed regularly.
The utility model provides a high safety integrality measurement and control equipment IO diagnostic device for diagnose switch circuit, switch circuit includes first switch, the second switch of series connection, and switch circuit one end is connected with the power, and the other end is used for connecting the executor.
The first switch and the second switch are MOS transistors;
The grid electrode of the first MOS tube is connected with the output module of the first measurement and control unit to receive pulses, the drain electrode of the first MOS tube is connected with an input power supply, and the source electrode of the first MOS tube is connected with the drain electrode of the second MOS tube;
the grid electrode of the second MOS tube is connected with the output module of the second measurement and control unit to receive the pulse, the source electrode is connected with the actuator, and the switch state is fed back to the output module of the first measurement and control unit and the output module of the second measurement and control unit.
In the diagnostic state, the periodically transmitted pulses have a period of not less than 500ms and a pulse width of not more than 250ns.
When the processor performs pulse diagnosis, judging a feedback pulse signal of the current corresponding switch, outputting a high level to indicate that the switch is turned off, and outputting a low level to indicate that the switch is turned on;
When the feedback pulse signal indicates that the switch operation output state is on, diagnosing that the output pulse is high level;
When the feedback pulse signal indicates that the operation output state of the switch is off, diagnosing that the output pulse is low level;
The pulse diagnosis is specifically as follows:
The first processor and the second processor respectively and periodically send pulse signals to respective output modules so as to control the conduction of corresponding switches, simultaneously send feedback pulse signals of the first switch and the second switch to the first processor and the second processor respectively, and respectively judge whether the sent pulse signals and the feedback pulse signals are consistent or not, if not, the first switch and the second switch are disconnected, and an alarm signal is sent.
The pulse diagnosis comprises the following steps:
the first processor and the second processor perform time synchronization;
After the diagnosis period starts, starting a timer, and simultaneously sending out pulse control commands by the first processor and the second processor to enable the first switch and the second switch to act simultaneously;
the first processor and the second processor receive the feedback pulse signals at the same time;
the first processor and the second processor judge whether feedback pulse signals are received or not through data interaction;
when the first processor and the second processor both receive the feedback pulse signals, the diagnosis result is that the output work is normal;
When the first processor and the second processor do not receive the feedback pulse signals, the diagnosis result is output working faults;
when only the first processor or the second processor receives the feedback pulse signal, the diagnosis result is that the circuit diagnosis circuit works as a fault;
and judging that the time of the timer is up, and performing the next diagnosis.
The invention discloses a method and a device for realizing IO diagnosis of high-safety-integrity measurement and control equipment. It has the following advantages:
1. the implementation method is simple and easy to operate, the method is based on the design framework of redundant measurement and control equipment,
The function diagnosis is carried out by adding pulse output, the method is simple, the functions can be realized only by simple circuit matching, and the method is simple to realize and has strong operability.
2. The hardware circuit is convenient to design. The invention uses hardware circuit and software to realize output diagnosis, only
The feedback circuit is added on the basis of the original hardware, the hardware circuit is convenient to design, and the problem of high diagnosis coverage rate by applying a complex circuit is solved.
3. The universality is strong. Along with the increasing of the safety performance of the measurement and control equipment in the industry, the safety performance of the measurement and control equipment is set in the prior art
On the basis of the method, the high safety integrity of output diagnosis is realized to a large extent, a hardware system platform is not required to be changed greatly, the method is particularly suitable for realizing diagnosis of relay output elements through high-frequency pulses, the universality is strong, and the implementation is easy.
Drawings
FIG. 1 is a block diagram of the present invention;
fig. 2 is a flow chart of the algorithm of the controller side of the present invention.
Detailed Description
The invention will be described in further detail with reference to the accompanying drawings and examples of implementation.
The invention relates to an IO diagnosis method and device for high-safety-integrity measurement and control equipment. The measurement and control device consists of two paths of redundant measurement and control units, a logic control part of the measurement and control units carries out logic processing and output control, an output part outputs a control signal in the diagnosis process, when the two controllers receive output feedback signals, the IO output is diagnosed as normal, and otherwise, the IO output is diagnosed as IO output error. The invention solves the problem of safe action of the IO output of the controller, improves the reliability of the output of the measurement and control device through the redundant output of the two paths of side air units, and improves the safety of the output of the measurement and control device through a pulse diagnosis mode. The invention can meet the requirement of high safety and integrity of IO output of the measurement and control equipment and has a large application and popularization space.
Fig. 1 is a structural diagram of the present invention. The measurement and control unit consists of an input part, a processor and an output part, wherein the input part collects data of a sensor, converts analog values into digital signals through A/D, and transmits the output to the processor, the processor realizes control of the output through logical operation, and the output unit mainly realizes output according to the command of the logical control part and realizes opening and closing of a switch by sending control signals
The input module is used for receiving the sensor signal and converting the sensor signal into a digital signal to be sent to a processor, such as a temperature sensor (a thermal resistor, a thermocouple and the like) or a pressure sensor and the like, the processor is used for receiving the input signal of the sensor, performing logic processing, sending a pulse to a switch, performing pulse diagnosis and generating an output pulse control command to the output module, which can be a general ARM structure processor, and the output module is used for receiving a feedback pulse signal of the switch, wherein the redundant switch can select a MOS tube or other electronic devices with switching properties.
As shown in FIG. 1, the redundant switch part is connected as follows, taking MOS as a switch for example, the grid electrode of the first MOS tube is connected with the output module of the first measurement and control unit to receive pulses, the drain electrode is connected with the input power supply, the source electrode is connected with the drain electrode of the second MOS tube, the grid electrode of the second MOS tube is connected with the output module of the second measurement and control unit to receive pulses, the source electrode is connected with the actuator, and the switch state is fed back.
In order to ensure the safety of the output, the switch is defined to be in a safe state when being opened. The logic control unit executes an output function by controlling the two switches, when the two switches are conducted, the power supply to the actuator is realized, when any one of the two switches fails and cannot be conducted, the power supply cannot be executed, when the two switches fail and cannot be conducted, the power supply cannot be executed, but dangerous failure cannot occur, when the two switches are controlled to be turned off, the logic control unit realizes the power failure to the actuator, when any one of the two switches fails and cannot be turned on, the actuator still cannot supply power, and when the two switches fail and cannot be turned off, dangerous failure can occur. The redundancy method can improve the output safety, but cannot solve the dangerous failure that two paths of switches fail and cannot be disconnected.
Aiming at the problems, considering the avoidance requirement of dangerous failure, the redundant logic unit can periodically send pulse signals to the output part in a pulse diagnosis mode, the output part controls the conduction of the switch, meanwhile, the output state monitoring signals are fed back to the processor, the processor judges whether the sent control signals are consistent with the fed back signals, if not, the switch is fully opened, and an alarm signal is sent. When the processor performs pulse diagnosis, the current operation state can be judged, when the current operation output state is opened, the pulse of diagnosis output is high level, the current operation output state is closed, and the pulse of diagnosis output is low level.
FIG. 2 is a flow chart of the diagnosis of the invention, wherein after the measurement and control equipment operates normally, the redundant processor performs time synchronization through data exchange, the redundant processor respectively starts a timer when the diagnosis period starts to judge the respective current switch output states, the controller simultaneously sends out pulse control command, when the current operation output state is on, the pulse of the diagnosis output is high level, the current operation output state is off, and the pulse of the diagnosis output is low level. The measurement and control equipment logic unit controls the two switches to act simultaneously, the two processors receive the fed-back pulse signals simultaneously, the two processors are compared through data exchange to judge whether the pulse feedback signals are received, when the two processors receive the fed-back pulse signals, the diagnosis result is that the output work is normal, when the two processors fail to receive the fed-back pulse signals, the diagnosis result is that the output work is faulty, and when the two processors receive only one path of fed-back pulse signals, the diagnosis result is that the circuit is faulty. And judging that the time of the timer is up, and performing the next diagnosis.
Claims (7)
1. The IO diagnosis device of the measurement and control equipment is characterized by comprising two measurement and control units;
The measurement and control unit comprises:
the processor is used for generating an output pulse control command to the output module, receiving a feedback pulse signal acquired by the output module and performing pulse diagnosis;
the pulse diagnostics is configured to perform:
the first processor and the second processor perform time synchronization;
After the diagnosis period starts, starting a timer, and simultaneously sending out pulse control commands by the first processor and the second processor to enable the first switch and the second switch to act simultaneously;
the first processor and the second processor receive the feedback pulse signals at the same time;
the first processor and the second processor judge whether feedback pulse signals are received or not through data interaction;
when the first processor and the second processor both receive the feedback pulse signals, the diagnosis result is that the output work is normal;
When the first processor and the second processor do not receive the feedback pulse signals, the diagnosis result is output working faults;
when only the first processor or the second processor receives the feedback pulse signal, the diagnosis result is that the circuit diagnosis circuit works as a fault;
judging the time of the timer to be up, and performing the next diagnosis;
and the output module is used for receiving the feedback pulse signal of the switch, feeding back the feedback pulse signal to the processor and sending a pulse control command of the processor to the switch.
2. The IO diagnostic device of claim 1, wherein the two processors are redundant with each other and periodically perform data exchange and clock synchronization.
3. The IO diagnostic apparatus of a measurement and control device according to claim 1, wherein the IO diagnostic apparatus is used for diagnosing a switch circuit, the switch circuit comprises a first switch and a second switch which are connected in series, one end of the switch circuit is connected with a power supply, and the other end of the switch circuit is used for being connected with an actuator.
4. The IO diagnostic device of claim 3, wherein the first switch and the second switch are MOS transistors;
The grid electrode of the first MOS tube is connected with the output module of the first measurement and control unit to receive pulses, the drain electrode of the first MOS tube is connected with an input power supply, and the source electrode of the first MOS tube is connected with the drain electrode of the second MOS tube;
the grid electrode of the second MOS tube is connected with the output module of the second measurement and control unit to receive the pulse, the source electrode is connected with the actuator, and the switch state is fed back to the output module of the first measurement and control unit and the output module of the second measurement and control unit.
5. The IO diagnostic device of claim 1, wherein in the diagnostic state, the periodically transmitted pulses have a period of not less than 500ms and a pulse width of not more than 250ns.
6. The method for diagnosing an IO diagnostic device of a measurement and control apparatus according to claim 1, wherein when the processor performs pulse diagnosis, it judges the feedback pulse signal of the current corresponding switch, outputs a high level to indicate switch off, and outputs a low level to indicate switch on;
When the feedback pulse signal indicates that the switch operation output state is on, diagnosing that the output pulse is high level;
When the feedback pulse signal indicates that the operation output state of the switch is off, diagnosing that the output pulse is low level;
the pulse diagnosis comprises the following steps:
the first processor and the second processor perform time synchronization;
After the diagnosis period starts, starting a timer, and simultaneously sending out pulse control commands by the first processor and the second processor to enable the first switch and the second switch to act simultaneously;
the first processor and the second processor receive the feedback pulse signals at the same time;
the first processor and the second processor judge whether feedback pulse signals are received or not through data interaction;
when the first processor and the second processor both receive the feedback pulse signals, the diagnosis result is that the output work is normal;
When the first processor and the second processor do not receive the feedback pulse signals, the diagnosis result is output working faults;
when only the first processor or the second processor receives the feedback pulse signal, the diagnosis result is that the circuit diagnosis circuit works as a fault;
and judging that the time of the timer is up, and performing the next diagnosis.
7. The method for diagnosing an IO diagnostic device of a measurement and control apparatus according to claim 6, wherein the pulse diagnosis is specifically as follows:
The first processor and the second processor respectively and periodically send pulse signals to respective output modules so as to control the conduction of corresponding switches, simultaneously send feedback pulse signals of the first switch and the second switch to the first processor and the second processor respectively, and respectively judge whether the sent pulse signals and the feedback pulse signals are consistent or not, if not, the first switch and the second switch are disconnected, and an alarm signal is sent.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210230483.9A CN116774666B (en) | 2022-03-10 | 2022-03-10 | A method and device for IO diagnosis of measurement and control equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210230483.9A CN116774666B (en) | 2022-03-10 | 2022-03-10 | A method and device for IO diagnosis of measurement and control equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN116774666A CN116774666A (en) | 2023-09-19 |
| CN116774666B true CN116774666B (en) | 2025-10-24 |
Family
ID=87990176
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210230483.9A Active CN116774666B (en) | 2022-03-10 | 2022-03-10 | A method and device for IO diagnosis of measurement and control equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116774666B (en) |
Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102799169A (en) * | 2011-05-23 | 2012-11-28 | 株式会社东芝 | Control system for providing diagnostic pulse signal, and control device therefor |
Family Cites Families (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP5787127B2 (en) * | 2010-09-03 | 2015-09-30 | 富士電機株式会社 | Power converter protection circuit |
| EP3112966B1 (en) * | 2015-07-03 | 2020-02-19 | Inventio AG | Safety switch for an electrical installation, in particular for a safety chain of a lift assembly |
| CN206374742U (en) * | 2016-12-23 | 2017-08-04 | 比亚迪股份有限公司 | Redundancy control circuit and rail vehicle |
| US20180364673A1 (en) * | 2017-06-16 | 2018-12-20 | Honeywell International Inc. | Process data synchronization between redundant process controllers |
| JP6601587B1 (en) * | 2019-07-26 | 2019-11-06 | フジテック株式会社 | Elevator encoder diagnostic system and diagnostic method |
| CN110647102B (en) * | 2019-10-21 | 2021-11-02 | 河南思维轨道交通技术研究院有限公司 | Intelligent safe output module |
-
2022
- 2022-03-10 CN CN202210230483.9A patent/CN116774666B/en active Active
Patent Citations (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102799169A (en) * | 2011-05-23 | 2012-11-28 | 株式会社东芝 | Control system for providing diagnostic pulse signal, and control device therefor |
Also Published As
| Publication number | Publication date |
|---|---|
| CN116774666A (en) | 2023-09-19 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP7509345B2 (en) | Functionally safe switching quantity output module and diagnostic processing method | |
| CN102096401B (en) | Redundant and fault-tolerant safety instrument control system based on fieldbus and ARM (advanced RISC machines) | |
| CN100422889C (en) | emergency stop device | |
| CN105278516B (en) | A kind of implementation method of the reliable fault-tolerant controller of dual redundant switching value PLC control system | |
| CN215416351U (en) | Fault-tolerant redundancy control device | |
| RU2662571C2 (en) | System and method for shutting down field device | |
| CN103955188A (en) | Control system and method supporting redundancy switching function | |
| JP6222362B2 (en) | Power converter | |
| CN115913906A (en) | A kind of ship redundant control system and method | |
| EP2595018A2 (en) | Method and apparatus for analogue output current control | |
| CN116774666B (en) | A method and device for IO diagnosis of measurement and control equipment | |
| CN206133294U (en) | Controller fault protection system | |
| CN110376931B (en) | Functional safety current output module with high diagnosis coverage rate | |
| CN114347025B (en) | Collaborative robot functional safety control circuit, control method and collaborative robot | |
| CN101782617B (en) | Method and device for detecting circuit faults | |
| WO2020110652A1 (en) | Electromagnetic brake control device and control device | |
| US7890817B2 (en) | Protective system for an installation and a method for checking a protective system | |
| CN111681792B (en) | ATWT control device and nuclear power equipment | |
| CN112034774A (en) | Hot redundancy control method | |
| CN114995354B (en) | Four-party voting circuit, fault diagnosis method and storage medium for SIS safety system | |
| RU2536990C1 (en) | Two-channel system for controlling train movement | |
| KR19990082957A (en) | Fault tolerant control system | |
| CN114488991A (en) | Robot safety monitoring system and method for diagnosing abnormity thereof | |
| CN222952841U (en) | Reactor power control device for nuclear power station | |
| CN118689088B (en) | High-availability IO module redundancy control method and system for secure and reliable system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |