JP2016095770A - Controller and redundancy control system using the same - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a redundancy control system in which after a power interruption of the active system occurs, a standby system is quickly switched to the active system.SOLUTION: A system management unit 54 of a controller 10A of an active system transmits, when detecting by a power supply voltage monitoring unit 56 an interruption of the supply of a power supply voltage from a power supply 20, a power interruption state notification to a controller 10B of a standby system by a network management unit 51 of its own system. A system management unit 54 of the controller 10B of the standby system performs, when receiving the power interruption state notification by the network management unit 51 of its own system, switching from the standby system to the active system.SELECTED DRAWING: Figure 2

Description

  The present invention relates to a controller that controls equipment and a redundant control system using the controller.

  In industrial facilities such as factories and various plants, a control system is often constructed to control various operations. The control system includes a controller that collects monitoring data from sensors installed in an industrial facility and performs drive control of an electric motor or the like according to the collection result. As such a controller, a DCS (Distributed Control System) or a programmable logic controller (hereinafter, PLC) is used. In a general FA (Factory Automation) system, PLC is often used as a control device, and in plant facilities that require high reliability, DCS is often used as a control device.

  In this type of control system, in order to avoid an operation stoppage of a factory or the like due to a failure of the control system, it is common that a monitoring control system such as a controller is duplicated. Here, duplication of the supervisory control system means that two supervisory control systems such as a controller are provided and one of them is operated as an active system and the other as a standby system. The active controller collects monitoring data from the monitoring target device, executes an application using the collected monitoring data, and supplies control data obtained thereby to the control target device. Then, the standby system waits in preparation for a failure of the active system. Hereinafter, this redundant control system is referred to as a redundant control system.

  FIG. 5 is a block diagram showing the configuration of the redundancy control system 9. FIG. 5 shows a redundant control system 9 including two controllers, a controller 90A and a controller 90B. As shown in FIG. 5, the controllers 90 </ b> A and 90 </ b> B are connected to each other via a network line 91. The network line 91 is an inter-controller communication unit that mediates communication between the controllers 90A and 90B. Although not shown, a monitoring target device and a control target device are connected to the controller 90A and the controller 90B via an I / O device or the like. In the illustrated example, one of the controllers 90A and 90B is an active system and the other is a standby system to prepare for the stop of the active system.

  FIG. 6 is a sequence diagram showing an operation example of the redundancy control system 9 shown in FIG. In the example shown in FIG. 6, the controller 90A is an active system and the controller 90B is a standby system. As shown in FIG. 6, the active controller 90A repeats the application execution 102 and the equalization transfer 103 alternately.

  In the application execution 102, monitoring data is collected from the monitoring target device via an I / O device or the like, and control data obtained by calculating the monitoring data is supplied to the control target device via the I / O device or the like.

  In the equalization transfer 103, the monitoring data collected from the monitoring target device, the control data obtained by calculating the monitoring data, and the data indicating the intermediate result of the calculation (hereinafter these data are referred to as input / output data). ) To the standby controller 90B via the network line 91.

  In addition, the active controller 90A repeatedly executes the state notification and the state determination 104 at a constant cycle by interrupting the application execution 102 or the equalization transfer 103. In this status notification and status determination 104, status data indicating the status of the active system including the presence / absence of a failure is transmitted to the standby controller 90B via the network line 91, and at that time, standby is performed via the network line 91. The state data (described later) received last from the system controller 90B is determined. The execution cycle of this state notification and state determination 104 is a transmission cycle of state data from the active controller 90A to the standby controller 90B. Note that the controller 90A performs idle processing 101 when none of the application execution 102, equalization transfer 103, status notification, and status determination 104 is executed.

  On the other hand, the standby controller 90B performs idle processing 111 when no data is received from the active controller 90A.

  The standby controller 90 </ b> B executes the equalization reception expansion 113 when the input / output data transmitted by the equalization transfer 103 is received via the network line 91 by the active controller 90 </ b> A. In the equalization reception expansion 113, the input / output data received from the active controller 90A is overwritten with the input / output data in the memory of the standby controller 90B, and the input / output data held by the controller 90B is replaced with the active input / output data. The same as the input / output data held by the controller 90A.

  In addition, the standby controller 90B interrupts the idle process 111 or the equalization reception expansion 113, so that the state notification and the state determination are performed in the same execution cycle as the state notification and the state determination 104 in the active controller 90A. 114 is repeatedly executed. In this status notification and status determination 114, status data indicating the status of the standby system including the presence or absence of a failure (status data determined in the status notification and status determination 104 described above) is transmitted to the active system controller via the network line 91. At the same time, the status data received at the time from the active controller 90A via the network line 91 (status data transmitted by the status notification and status determination 104 described above) is determined.

  Although not shown in the operation example shown in FIG. 6, if status data indicating a failure of the active system is received by the standby controller 90B in the status notification and status determination 114, the controller 90B Switch 115 is executed. As a result, the controller 90B is switched from the standby system to the active system.

  In the operation example illustrated in FIG. 6, the power interruption 121 occurs in the active controller 90 </ b> A. Moreover, this power-off 121 is not a temporary instantaneous interruption, but the power-off controller 121 puts the active controller 90 </ b> A into the stop state 122. Accordingly, after the occurrence of the power interruption 121, transmission of the status data to the standby controller 90B is interrupted. In this situation, the standby controller 90B cannot determine the state of the active system.

  Therefore, the standby controller 90B does not receive status data from the active controller 90A twice consecutively during execution of periodic status notification and status determination 114 (transmission of status data since the previous reception). When it is detected that state data has not been received for two or more cycles, the redundancy switching 115 is executed to switch the controller 90B from the standby system to the active system. Thus, the controller 90B starts the application execution 112 using the input / output data obtained by the equalization reception expansion 113, and operates as an active system.

  Here, when the periodic status notification and the status determination 114 are executed, detecting that status data is not received twice in succession is a condition for switching between the active system and the standby system. Because of the reason.

  First, there are several possible causes for the status data not reaching the standby controller 90B. As one of the causes, as illustrated in FIG. 6, there may be a case where a power interruption occurs in the operating system and the operating system controller is stopped. As another cause, there may be a case where communication is temporarily discarded due to the influence of noise or the like generated in a network line or the like.

  In the former case, since the active controller is in a stopped state, the standby controller needs to execute the redundancy switching 115 and take over the operation of the active system. However, in the latter case, it is a temporary phenomenon that the state data is not transmitted, and the state data can be transmitted if the state of communication via the network line 91 returns to a stable state.

  In the latter case, if the standby controller performs the redundancy switching 115 even though the active controller A has not stopped, both controllers become active (hereinafter referred to as both-system operation). . In this case, there is a possibility that the control by both monitoring control systems may collide.

  Therefore, when the status data does not reach the standby controller 90B, it is not a good idea for the standby controller 90B to immediately switch to the active system, and the standby controller 90B is temporarily affected by noise or the like. Switching to the active system should be performed when it is confirmed that there is a low possibility that a general communication disruption has occurred.

  As described above, the transmission cycle of the state data from the active controller 90A to the standby controller 90B is the same as the execution cycle of the state notification and state determination 114 in the standby controller 90B. Therefore, normally, reception of new status data should be detected at the time of execution of status notification and status determination 114 in the standby controller 90B.

  Here, it is possible that reception of new status data is not detected when the status notification and status determination 114 are executed in the standby controller 90B due to temporary communication cancellation. However, in the state notification and state determination 114 that are repeatedly executed at a constant execution cycle, it is usually impossible to detect reception of new state data twice in succession. Therefore, in the status notification and status determination 114, when the reception of new status data is not detected twice in succession, it is considered that some abnormality has occurred in the operating system rather than temporary communication cancellation. It's okay.

  Therefore, in the operation example of FIG. 6, when the standby controller 90B detects that state data has not been received twice consecutively when the periodic state notification and state determination 114 are executed, / Switch the working system.

  A technique for notifying the state of the own system between the active system and the standby system is disclosed in Patent Document 1.

JP 2012-230446 A

  However, since the standby controller 90B detects that no status data is received from the active controller 90A for two or more of the status data transmission cycles, the standby controller 90B executes the redundancy switching 115. It takes a long time to switch the active / standby system after the controller 90B is powered off. Therefore, when the active controller 90A is stopped due to power interruption, the time required until the active control is started becomes long, and there is a problem that the availability of the control system is lowered.

  The present invention has been made in view of the circumstances as described above, and provides a controller capable of quickly switching between an active system and a standby system after occurrence of an abnormality in the power supply voltage of the active system. For the purpose.

  The present invention includes two controllers connected to each other via an inter-controller communication means, with one controller serving as an active system and the other controller serving as a standby system, and the active system controller controlling external devices. A controller in a control system, wherein a power supply voltage monitoring unit that monitors a power supply voltage supplied to the controller, and the power supply voltage monitoring unit detects an abnormality in the power supply voltage within a period in which the controller is operating In addition, an abnormality notification unit that transmits an abnormality notification to the standby controller via the inter-controller communication unit, and the abnormality notification is received via the inter-controller communication unit during a period in which the controller is a standby system. A redundant switching means for switching the controller from the standby system to the active system. Providing a controller, wherein the door.

  According to this invention, when an abnormality in the power supply voltage is detected by the power supply voltage monitoring unit, the abnormality notification means transmits an abnormality notification to the standby controller via the inter-controller communication means. In the standby system controller, when the abnormality notification is received via the inter-controller communication unit, the redundancy switching unit switches the controller from the standby system to the active system. Therefore, according to the present invention, it is possible to reduce the time required for the standby system to switch to the active system after the occurrence of an abnormality in the power supply voltage of the active system.

It is a block diagram which shows the structure of the redundancy control system 1 which is one Embodiment of this invention. It is a figure which shows the structural example of the controller 10 in the embodiment. It is a figure which illustrates the process continuation management part 55 at the time of power-off in the same embodiment, and its peripheral circuit. It is a sequence diagram which shows the operation example of the redundancy control system 1 in the same embodiment. It is a block diagram which shows the structure of the redundancy control system 9 in a prior art. It is a sequence diagram which shows the operation example of the redundancy control system 9 in a prior art.

Embodiments of the present invention will be described below with reference to the drawings.
FIG. 1 is a block diagram showing a configuration of a redundant control system 1 to which controllers 10A and 10B according to an embodiment of the present invention are applied. The redundant control system 1 includes controllers 10A and 10B, power supplies 20A and 20B, I / O device groups 30A and 30B, and a network line 40. In this embodiment, for the sake of convenience, the monitoring control system including the controller 10A, the power supply 20A, and the I / O device group 30A is referred to as A system, and the monitoring control system including the controller 10B, the power supply 20B, and the I / O device group 30B is referred to as B system. . In the present embodiment, one of the A system and the B system is an active system, and one is a standby system. When the active system stops, the controller that has been the standby system operates as the active system thereafter. Although FIG. 1 shows an example of a redundant control system in which two control systems of the A system and the B system are duplicated, a control system in which three or more control systems are connected by a network line 40 and multiplexed is shown. It may be configured.

  In the following description, since the controllers 10A and 10B have the same configuration, they are referred to as “controller 10” when it is not necessary to distinguish them. In addition, since the power supplies 20A and 20B have the same configuration, the power supplies 20A and 20B are referred to as “power supply 20” when it is not necessary to distinguish them. In addition, since the I / O device groups 30A and 30B have the same configuration, the I / O device groups 30A and 30B are referred to as “I / O device group 30” when it is not necessary to distinguish between them.

  The controller 10 has a function of collecting monitoring data from the monitoring target device and performing drive control of the control target device according to the collection result. The power source 20A supplies power to the controller 10A and the I / O device group 30A, and the power source 20B supplies power to the controller 10B and the I / O device group 30B. The I / O device group 30A includes I / O devices 30A_1 to 30A_n, and the I / O device group 30B includes I / O devices 30B_1 to 30B_n. When the A system is an active system, the monitoring data output from each monitoring target device is output to the controller 10A via the I / O device group 30A. The control data output from the controller 10A is output to each control target device via the I / O device group 30A. When the B system is an active system, the monitoring data output from each monitoring target device is output to the controller 10B via the I / O device group 30B. The control data output from the controller 10B is output to each control target device via the I / O device group 30B. The network line 40 is a communication unit that mediates communication between the controllers 10A and 10B.

  FIG. 2 is a diagram illustrating a configuration example of the controller 10. As shown in FIG. 2, the controller 10 includes a network management unit 51, an application execution management unit 52, an equalization management unit 53, a system management unit 54, a power-off process continuation management unit 55, and a power supply voltage monitoring unit 56. . The power supply voltage monitoring unit 56 is means for monitoring the power supply voltage supplied from the power supply 20 to the controller 10. The processing continuation management unit 55 at the time of power-off is an auxiliary power source that supplies the power voltage to the inside of the controller 10 for a predetermined time after the supply of the power voltage from the power source 20 to the controller 10 is cut off. The network management unit 51, the application execution management unit 52, the equalization management unit 53, and the system management unit 54 are functions realized by the CPU in the controller 10 executing a control program.

  The network management unit 51 is connected to another system controller via the network line 40. All data transmitted to and received from other controllers passes through the network management unit 51. More specifically, the network management unit 51 performs transmission / reception of state data during execution of state notification and state determination, transmission / reception of input / output data during execution of equalization transfer, and transmission / reception of a power-off state notification described later. Further, the network management unit 51 performs management of the network state in addition to the above processing. The network management unit 51 is a function executed by the CPU in the controller 10, but may be configured by, for example, an ASIC (Application Specific Integrated Circuit).

  When the own system is an active system, the application execution management unit 52 collects monitoring data from the monitoring target device via the I / O device group 30, calculates control data from the monitoring data, and calculates the I / O device group. The application supplied to the control target device via 30 is executed.

  The equalization management unit 53 performs equalization transfer and equalization reception expansion. More specifically, the equalization management unit 53, when its own system is an active system, input data (monitoring data) of an application executed by the application execution management unit 52 and output data (control data and (Data of the intermediate result of the calculation) is received, and input / output data composed of the input data and output data is transmitted to the network management unit 51 of the own system. Then, the network management unit 51 transmits the input / output data to the standby network management unit 51, whereby equalization transfer is executed. On the other hand, when the own system is a standby system, the equalization management unit 53 receives the input / output data from the network management unit 51 of the own system, executes equalization reception expansion, and transfers the input / output data to the controller 10. Are overwritten on input / output data in a memory (not shown). Further, when the own system is the standby system, the equalization management unit 53 transmits the input / output data in the memory to the own application execution management unit 52 after executing the switching of the standby system / active system. Thereby, the application execution management part 52 can start application execution using the input / output data acquired by equalization transfer.

  The system management unit 54 is a unit that performs overall control in the controller 10. The processing contents of the system management unit 54 include status notification and status determination 64, power-off notification and power-off processing 65, and redundancy switching 75. The active system management unit 54 repeats the state notification and the state determination 64 at a predetermined execution cycle. In this status notification and status determination 64 of the active system, the status of the local system including the presence or absence of a failure is monitored, status data indicating the monitoring result is generated, and the status data is transmitted via the network management unit 51 of the local system. Status notification by transmitting to the standby controller 10. On the other hand, the standby system management unit 54 also repeats the state notification and state determination 64 at the same execution cycle as that of the active system. In the standby state notification and state determination 64, the state data transmitted from the active system is received via the local network management unit 51, and the state of the active system is determined with reference to the state data. The standby system management unit 54 activates the redundancy switching 75 when a failure of the active system is detected from the state data in the state notification and state determination 64. In the redundancy switching 75, standby / active switching is executed.

  Similarly, in the status notification and status determination 64, the standby system management unit 54 monitors the status of the local system including the presence / absence of a failure, and the status data indicating the monitoring result is transmitted to the local network management unit 51. The status notification is executed by transmitting to the active network management unit 51 via the network. When the active system management unit 54 receives the status data transmitted from the standby controller from the local network management unit 51, the active system management unit 54 refers to the status data in the status notification and status determination 64, and determines the status of the standby system. Determine.

  The active system management unit 54 detects that the power supply voltage monitoring unit 56 detects an abnormality in the power supply voltage supplied from the power supply 20 to the controller 10, specifically, the interruption of the supply of power supply voltage to the controller 10. Then, the power-off notification and the power-off process 65 are executed. In the power-off notification and power-off processing 65, an abnormality notification, specifically, a power-off state notification indicating the occurrence of power-off is transmitted to the standby controller 10 one or more times via the local network management unit 51. To do. The power-off notification and power-off processing 65 is performed by the standby controller 10 via the inter-controller communication means when an abnormality in the power supply voltage is detected by the power supply voltage monitoring unit 56 during the period in which the controller 10 is in the active system. It serves as an abnormality notification means for transmitting an abnormality notification. The standby system management unit 54 activates the redundancy switching 75 when the status notification and status determination 64 confirm that the network management unit 51 of the own system has received the power-off status notification from the active system. Switching between standby and active systems. The redundancy switching 75 serves as a redundancy switching unit that switches the controller from the standby system to the active system when an abnormality notification is received via the inter-controller communication unit within a period in which the controller is a standby system. .

  Similarly to the above-described conventional technology, the standby system management unit 54 determines that the status data has not been received twice consecutively in the periodic status notification and status determination 64. 75 is activated to switch between active / standby systems. In the present embodiment, this control is left because the state data is not stored in the standby system due to a cause other than the power interruption (for example, when a serious failure occurs in the active system and communication with the standby system is hindered). This is because it may be impossible to reach.

  In addition to the above processing, the system management unit 54 gives an instruction to the application execution management unit 52 to control the timing for starting application execution, the timing for transmitting input / output data during equalization transfer, and the like. The system management unit 54 performs idle processing when each unit in the controller 10 is not executing processing. When the idle process is executed, the system management unit 54 may perform a process such as stopping the power supply to each part in the controller 10.

  FIG. 3 is a circuit diagram illustrating the configuration of the power-off process continuation management unit 55 that is an auxiliary power source in the controller 10 and its peripheral circuits. As shown in FIG. 3, the controller 10 has a diode D1. The diode D <b> 1 has an anode connected to the power supply 20 and a cathode serving as an internal power supply terminal that supplies a power supply voltage to each unit in the controller 10. A large-capacitance capacitor C1, which is a processing continuation management unit 55 at the time of power interruption, is interposed between the cathode of the diode D1 and the ground line. The power supply voltage monitoring unit 56 is a voltage detection IC that operates using the charging voltage across the capacitor C1 as the power supply voltage and monitors the power supply voltage supplied from the power supply 20 to the anode of the diode D1.

  When the power supply voltage is normally supplied from the power supply 20, this power supply voltage is supplied to each part in the controller 10 via the diode D1. The capacitor C1 is charged by the power supply voltage that has passed through the diode D1. However, when the supply of the power supply voltage from the power supply 20 is cut off, the voltage on the anode side of the diode D1 decreases and the diode D1 is turned OFF. However, even if the supply of the power supply voltage from the power supply 20 is interrupted, the power supply voltage monitoring unit 56 operates using the charging voltage across the capacitor C1 as the power supply voltage. When the power supply voltage monitoring unit 56 detects that the voltage on the anode side of the diode D1 has fallen below a predetermined threshold value, the power supply voltage monitoring unit 56 transmits an interrupt signal to that effect to the system management unit 54. As a result, the system management unit 54 executes processing for transmitting the power-off notification described above. In the controller 10, even after the supply of the power supply voltage from the power supply 20 is cut off, each unit in the controller 10 can continue processing for a predetermined time by the power stored in the capacitor C <b> 1. Hereinafter, processing performed by the controller 10 after the power is turned off is referred to as power-off processing. Further, a period from when the supply of the power supply voltage from the power supply 20 is interrupted until the charging voltage of the capacitor C1 reaches the lower limit power supply voltage at which the controller 10 can operate is referred to as a process continuation possible period.

  FIG. 4 is a sequence diagram showing an operation example of the redundancy control system 1 in the present embodiment. In the following description, the A system is the active system and the B system is the standby system.

  In the A system, the system management unit 54 activates the application execution management unit 52 and the equivalence management unit 53 alternately. The A-system application execution management unit 52 activated by the system management unit 54 performs application execution 62. That is, the application execution management unit 52 collects input data (monitoring data) from the monitoring target device via the I / O device group 30A, and calculates the output data (control data) obtained by calculating this input data. It supplies to control object apparatus via O apparatus group 30A.

  The A-equalization management unit 53 activated by the system management unit 54 executes an equalization transfer 63. That is, the A-system equalization management unit 53 acquires input / output data from the local application execution management unit 52 and transmits the data to the local network management unit 51. The A-system network management unit 51 transmits the data to the B-system network management unit 51 via the network line 40.

  The A-system system management unit 54 interrupts the currently executing process in response to a timer interrupt that occurs at a fixed period, and executes state notification and state determination 64. More specifically, the A system management unit 54 generates status data indicating the status of the local system, and transmits the status data to the B system controller 10B via the local network management unit 51 and the network line 40. Further, the A-system management unit 54 determines the state of the B-system based on the status data last received from the B-system controller 10B through the network line 40 and the own network management unit 51 at that time. To do. The execution cycle of this state notification and state determination 64 is a transmission cycle of state data transmitted from the A system to the B system. Note that when each part of the A system is not executing a process, the A system management unit 54 performs an idle process 61.

  On the other hand, when the B-system network management unit 51 receives the input / output data from the equalization transfer 63 from the A-system network management unit 51, the B-system network management unit 51 sends it to the own-system equalization management unit 53. Send. When receiving the input / output data, the B system equalization management unit 53 executes the equalization reception expansion 73.

  In addition, the system management unit 54 of the B system interrupts the process (in this case, the idle process 71 or the equalization reception deployment 73) being executed at the same execution cycle as the execution cycle of the state notification and state determination 64 in the A system. The state notification and state determination 74 are repeatedly executed. In this status notification and status determination 74, the B system management unit 54 generates status data indicating the status of the own system, and the A system controller 10A via the own network management unit 51 and the network line 40. Send to. In addition, the B-system management unit 54 determines the state of the A-system based on the status data last received from the A-system controller 10A via the network line 40 and the local network management unit 51 at that time. To do.

  Although not shown, if the B system management unit 54 detects the occurrence of a failure from the status data transmitted by the A system management unit 54, the redundancy switching 75 is executed. Thereby, the controller 10B operates as an active system thereafter.

  In the operation example shown in FIG. 4, a power interruption 81 occurs in the A system. As a result, in the controller 10A, the voltage on the anode side of the diode D1 decreases. When the voltage on the anode side of the diode D1 falls below a predetermined threshold, the power supply voltage monitoring unit 56 provides an interrupt signal indicating power supply interruption to the system management unit 54. Thereby, the system management unit 54 interrupts the process being executed (application execution 62 in the example shown in FIG. 4), and starts the power-off notification and the power-off process 65. In the power-off notification and power-off processing 65, the power-off state notification 84 is transmitted one or more times to the B-system controller 10 </ b> B via the network management unit 51. Thereafter, in the A-system controller 10 </ b> A, the power-off process 65 is continued by supplying power from the power-off process continuation management unit 55. Here, the power-off state notification 84 may be transmitted once. However, in the aspect in which the power-off state notification 84 is transmitted a plurality of times, the power-off state notification 84 can be received by the B-system controller 10B in a situation where temporary communication can be lost in communication via the network line 40. There is an advantage that the sex can be enhanced.

  When the B-system management unit 54 confirms that the network management unit 51 of the own system has received the power-off state notification 84 transmitted from the A-system controller 10A in the periodic status notification and status determination 74, The redundancy switching 75 is executed. As a result, the B system becomes the active system and the A system becomes the standby system.

  In the B system that has become the active system, the equalization management unit 53 transmits the input / output data in the memory to the application execution management unit 52 of the own system. The application execution management unit 52 starts application execution 72 using the input / output data.

  On the other hand, in the A system, when the charging voltage of the capacitor C1 falls below the lower limit voltage at which the controller 10A can operate, the process continuation possible period 82 ends, and the entire controller 10A enters the stop state 83.

  According to this embodiment, when the power-off occurs, the active controller operates using the charging voltage of the capacitor C1 as the power supply voltage, and detects one or more power-off status notifications to the standby controller while detecting the power-off. Send once. When the standby controller receives the power-off state notification, the standby controller promptly performs redundancy switching. Therefore, according to the present embodiment, it is possible to shorten the time from when the power failure occurs in the active system to when the standby system starts the operation as the active system, compared to the conventional system.

<Other embodiments>
Although one embodiment of the present invention has been described above, other embodiments are conceivable for the present invention. For example, it is as follows.

(1) In the above embodiment, the power supply voltage monitoring unit 56 is a voltage detection IC, and measures the voltage on the anode side of the diode D1. However, in addition to the power supply voltage monitoring unit 56, for example, an overcurrent monitoring IC or a temperature sensor is provided in the controller 10, and when an abnormality is detected in these monitoring devices, the system management unit 54 is notified of that fact. Based on this notification, the system management unit 54 may determine a failure in the active system.

(2) In the above embodiment, when the standby system management unit 54 receives the power-off state notification 84, the standby-system management unit 54 refers to the power-off state notification 84 when executing the state notification and the state determination 74. However, in this case, the standby system management unit 54 refers to the power-off state notification 84 until the execution period of the periodic state notification and state determination 74 after entering the power-off state notification 84. I can't. Therefore, when the power-off state notification 84 is received, the standby controller 10B may generate an interrupt and execute the state notification and the state determination 74. Accordingly, the standby system management unit 54 can quickly switch between the active system and the standby system after receiving the power-off state notification 84.

(3) When the standby controller 10B receives the power-off state notification 84, it activates the redundancy switching 75. In this redundancy switching 75, an inquiry as to whether or not the active controller 10A cannot operate as an active system is sent to the active controller 10A via the network line 40, and it cannot be operated as an active system. May be switched from the standby system to the active system when the answer is received from the active system controller 10A. According to this aspect, both system operations can be avoided more reliably.

(4) In the above embodiment, the operating system power supply voltage monitoring unit 56 notifies the system management unit 54 by an interrupt only when the power supply voltage of the power supply 20 decreases. However, the operating power supply voltage monitoring unit 56 may periodically notify the system management unit 54 of the power supply voltage of the power supply 20. In this case, the system management unit 54 predicts in advance that the power supply voltage from the power supply 20 is below the threshold based on the notification from the power supply voltage monitoring unit 56, and performs control for reducing the processing amount of the power-off processing. May be performed. Further, in the above-described embodiment, when the power supply voltage falls below a predetermined threshold value, a power-off state notification is sent to the standby system controller to switch from the standby system to the active system. However, not only when the power supply voltage drops but also when the power supply voltage becomes unstable, such as when the power supply voltage becomes unstable, an abnormality notification is sent to the standby system controller from the standby system to the active system. May be switched.

(5) In the above-described embodiment, the active system management unit 54 starts the time measurement by the timer after detecting the power interruption, and shifts the controller 10A to the stop state 83 before the processing continuable period 82 expires. Also good. Specifically, the system management unit 54, for example, discharges the capacitor C1 and forcibly stops the power supply to the controller 10A when the timer ends. Thereby, it is possible to avoid the controller 10A from performing an unstable operation in a state where the power supply voltage is low.

(6) In the above embodiment, the capacitor C <b> 1 is used as an auxiliary power source for the controller 10. However, an auxiliary power source other than a capacitor such as a battery may be used.

DESCRIPTION OF SYMBOLS 1,9 ... Redundancy control system, 10,90 ... Controller, 20 ... Power supply, 30 ... I / O apparatus group, 40, 91 ... Network line, 51 ... Network management part, 52 ... Application execution management part, 53 ... etc. Value management unit, 54... System management unit, 55... Power continuation process continuation management unit, 56... Power supply voltage monitoring unit, 61, 71, 101, 111. 63, 103 ... Equalization transfer, 73, 113 ... Equalization reception deployment, 64, 74, 104, 114 ... Status notification and status determination, 65 ... Power-off notification and power-off processing, 75, 115 ... Redundancy switching , 81, 121 ... Power off, 82 ... Process continuation possible period, 83, 122 ... Stopped state, 84 ... Power off state notification, C1 ... Capacitor, D1 ... Diode.

Claims (6)

A controller in a redundant control system that includes two controllers connected to each other via inter-controller communication means, where one controller is an active system and the other controller is a standby system, and the active controller controls external devices. Because
A power supply voltage monitoring unit for monitoring the power supply voltage supplied to the controller;
An abnormality notification means for transmitting an abnormality notification to the standby controller via the inter-controller communication means when the abnormality of the power supply voltage is detected by the power supply voltage monitoring unit within a period in which the controller is active;
Redundant switching means for switching the controller from a standby system to an active system when the abnormality notification is received via the inter-controller communication means within a period in which the controller is a standby system. Controller.   The controller according to claim 1, wherein the abnormality notification unit transmits the abnormality notification when the power supply voltage monitoring unit detects that the power supply voltage has fallen below a predetermined threshold.   The redundancy switching means of the controller is such that the information periodically transmitted from the active controller via the inter-controller communication means during a period when the controller is a standby system over a predetermined time or more. The controller according to claim 1, wherein the controller is switched to an active system when it is not received.   The controller according to any one of claims 1 to 3, wherein the controller includes an auxiliary power supply that supplies power to the controller when the supply of the power supply voltage is interrupted.   The redundant switching means of the controller indicates that the active controller cannot operate as an active system when the abnormality notification is received within a period in which the controller is a standby system. The controller according to any one of claims 1 to 4, wherein the controller is switched to an active system. This is a redundant control system that includes two controllers connected to each other via inter-controller communication means, where one controller is the active system and the other controller is the standby system, and the active controller controls external devices. And
Each of the two controllers is
A power supply voltage monitoring unit for monitoring the power supply voltage supplied to the controller;
An abnormality notification means for transmitting an abnormality notification to the standby controller via the inter-controller communication means when the abnormality of the power supply voltage is detected by the power supply voltage monitoring unit within a period in which the controller is active;
Redundancy switching means for switching the controller from the standby system to the active system when the abnormality notification is received from the active system controller via the inter-controller communication means within a period in which the controller is a standby system. A redundant control system characterized by:

Images