The present invention relates to a synchronization system and a synchronization method for synchronizing a synchronous-multisystem control apparatus comprising a plurality of systems operating synchronously with each other for each fixed control period. More particularly, the present invention relates to a synchronization system and a synchronization method for synchronizing a synchronous-multisystem control apparatus which comprises a plurality of systems operating synchronously with each other and is capable of at least operating with only one system.
In addition, the present invention relates to a communication control apparatus, or more particularly, relates to a communication control apparatus having an error-recovery function using a repeated-transmission technique.
Furthermore, the present invention relates to a synchronous-multisystem control apparatus comprising a plurality of control circuits and a degradation-control method or, in particular, relates to a synchronous-multisystem control apparatus and a degradation-control method capable of raising the availability factor of a system controlled by the synchronous-multisystem control apparatus and the degradation-control method.
A power converting apparatus comprises a power converter for converting power and a controller for controlling the power converter. The power converter comprises a plurality of switching devices. The power converter turns the switching devices on and off in accordance with gate pulse signals generated by the controller in order to convert power from direct-current power into alternating-current power or vice versa, or to shape the waveform of power. Thus, when an error is generated in the controller, power output by the power converter becomes abnormal.
Causes of errors in the controller include the harsh environment of the site of the power converting apparatus, in which noise is most likely generated by an external source and introduced into the controller; radiation such as alpha rays introduced into the controller; and deteriorating components of the controller.
Such a power converting apparatus is typically applied to systems such as a power generating system, an industrial production system, a railroad system and a public utility system. As generally known, such systems play roles of importance to society. It is thus necessary to prevent an abnormality from being generated in the power converting apparatus because an abnormality generated in the power converting apparatus will have a big impact on society. For this reason, there is demanded a controller which is capable of normally continuing control of the power converter even if an error is generated in the controller. In order to implement such a controller, a method to operate the controller as a multisystem controller is generally adopted.
In a multisystem control apparatus comprising a plurality of controllers provided for the same plurality of systems, it is necessary to synchronize the systems with each other. Methods for synchronizing a plurality of systems with each other include a technique to synchronize clock signals of the systems and a technique to synchronize beginnings of pieces of processing for the systems.
The technique to synchronize clock signals of systems comprises the step of generating the clock signals having phases shifted from each other by a predetermined number of angular degrees by relatively delaying a source oscillation signal from another, and for any specific system, the steps of:
forming a judgment as to whether the rising or falling edge of a clock signal of each other system leads ahead of or lags behind the rising or falling edge of the clock signal of the specific system;
selecting and outputting a clock signal lagging behind the clock signal of the specific system by a predetermined phase if a result of the judgment indicates that the clock signal of the specific system is leading ahead of a majority of clock signals of the other systems; and
selecting and outputting a clock signal leading ahead of the clock signal of the specific system by a predetermined phase if a result of the judgment indicates that the clock signal of the specific system is lagging behind a majority of clock signals of the other systems.
Technologies for implementing the technique to synchronize clock signals of systems are disclosed in Japanese Patent Laid-open No. Sho 56-47120.
In the case of the technique to synchronize beginnings of pieces of processing for systems, on the other hand, a central processing apparatus of each of the systems is connected to a majority-decision making circuit and a timer. The technique comprises the steps of:
setting a value in the timer with predetermined timing;
outputting time-up information upon the lapse of a predetermined period of time;
supplying pieces of time-up information generated by all the systems to the majority-decision making circuit; and
supplying an output determined by a decision based on a majority and made by the majority-decision making circuit, if any, to the central processing apparatus connected to the majority-decision making circuit as an interrupt.
Technologies for implementing the technique to synchronize beginnings of pieces of processing for systems are disclosed in Japanese Patent Laid-open No. Sho 62-57051.
Control executed by the power converting apparatus, which adopts the technique to synchronize beginnings of pieces of processing for systems and is employed in a power generating system, comprises an iterative sequence of steps of:
sampling the voltage and/or current generated by the power generating system;
determining on/off timings of switching devices employed in the power converting apparatus; and
outputting gate pulse signals.
The sequence is repeated at a period of typically several tens of microseconds to several milliseconds. Thus, the beginnings of pieces of processing, that is, the start points of control periods, can be recognized. As a result, the systems can be loosely coupled.
In a synchronous-multisystem controller employed in a power converting apparatus adopting the technique to synchronize clock signals of the systems, on the other hand, there is a requirement to prevent a control period from being shifted even if the length of time it takes to transmit a clock signal differs from system to system. It is thus necessary to tightly couple the systems.
In a synchronous-multisystem controller employed in a power converting apparatus, by the way, there is also a requirement to normally continue control of a power converter to sustain the operation of the synchronous-multisystem controller even if an error is generated in a controller of a system. It is thus necessary to prevent a failure occurring in a system from affecting the other systems, that is, to loosely couple the systems.
For the above reason, the technique to synchronize clock signals of systems is not appropriate for a synchronous-multisystem controller employed in a power converting apparatus. It is rather the technique to synchronize beginnings of pieces of processing for systems that can be said to be appropriate for a synchronous-multisystem controller employed in a power converting apparatus.
In the technique to synchronize beginnings of pieces of processing for systems, however, processing is started by an interrupt generated by a decision based on a majority of pieces of time-up information. In consequence, if a decision based on such a majority cannot be made for some reason, such as the fact that only a controller of one system is operating, an interrupt cannot be generated. In such a case, control to turn on and off switching devices employed in the power converter is inevitably suspended. As a result, there is raised a problem of a flowing overcurrent damaging the switching devices.
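The following C model is an added illustration, not part of the cited disclosure or of the invention: it simulates the timers and the majority-decision circuit of the conventional technique and shows that interrupts stop once only one system is running. The three-system configuration, the struct and function names, the 10-tick preset and the initial timer skew are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>

#define NSYS 3 /* assumed three-system configuration */

struct sys_timer {          /* hypothetical model of one system's timer */
    bool running;           /* false once that system's controller is halted */
    unsigned preset, count; /* value set in the timer; ticks since it was set */
};

/* Time-up information: asserted once the preset period has elapsed. */
static bool time_up(const struct sys_timer *t)
{
    return t->running && t->count >= t->preset;
}

/* Majority-decision circuit: true only when more than half of all NSYS
 * systems report time-up. A halted system never reports. */
static bool majority_interrupt(const struct sys_timer *t)
{
    int votes = 0;
    for (int i = 0; i < NSYS; i++)
        votes += time_up(&t[i]) ? 1 : 0;
    return 2 * votes > NSYS;
}

/* Constructed scenario: the first `alive` systems run, timer i starts with
 * a skew of i ticks, the preset is 10 ticks. Returns how many interrupts
 * (control-period starts) are delivered in 100 ticks. */
static int run_scenario(int alive)
{
    struct sys_timer t[NSYS];
    int irqs = 0;
    for (int i = 0; i < NSYS; i++)
        t[i] = (struct sys_timer){ .running = i < alive, .preset = 10, .count = (unsigned)i };
    for (int tick = 0; tick < 100; tick++) {
        for (int i = 0; i < NSYS; i++)
            if (t[i].running) t[i].count++;
        if (majority_interrupt(t)) { /* interrupt: every system reloads its timer */
            irqs++;
            for (int i = 0; i < NSYS; i++) t[i].count = 0;
        }
    }
    return irqs;
}

int main(void)
{
    for (int alive = NSYS; alive >= 1; alive--)
        printf("%d running: %d interrupts\n", alive, run_scenario(alive));
    return 0;
}
```

With three or two systems running the control period keeps starting every 10 ticks; with one system running no interrupt is ever delivered, which is the suspension of gate control described above.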
A controller which is capable of normally continuing control of the power converter even if an error is generated in the controller is also required for controlling equipment other than a power converting apparatus. Other controllers required for such control include a controller employed in an emergency power breaking system and a controller for industrial applications. To put it concretely, examples of such controllers are a control apparatus employed in an emergency power breaking system used for urgently breaking the supplying of energy such as fuel (including oil and gas) and electric power, a controller for controlling manufacturing equipment provided with sensors and actuators and a controller for controlling a production line of typically a metal refinery. We can assume cases in which a production machine is out of order or a product resulting from manufacturing work using the machine is damaged due to suspension of processing carried out by a controller in the course of control of the machine. In the case of a production line of a metal refinery, a lot of work and a lot of time are required to resume production in the event of a failure. For the reasons described above, a synchronous-multisystem control apparatus is adopted in such a controller and it is necessary for such a controller to be capable of sustaining the continuity of the control with a high degree of reliability.
It is thus a first object of the present invention to provide a capability of operating a synchronous-multisystem control apparatus based on at least one system even if a plurality of systems of the apparatus are halted.
A conventional communication control apparatus having an error-recovery function for recovering an error by repeated transmissions of the same data is disclosed in Japanese Patent Laid-open No. Hei 5-160815. In this communication control apparatus, a sequence of pieces of information is divided into information blocks. Each information block is put in a packet or a frame which also includes the number of transmissions to be carried out consecutively, that is, the number of times the packet is to be transmitted repeatedly, the sequence number of transmission and a block number representing the sequence number of the information block among information blocks composing the sequence of pieces of information. By transmitting a packet a number of times indicated by the number of transmissions, the receiver is capable of recovering a transmission error. Since the same information block is transmitted repeatedly a number of times by using frames, it is necessary for the receiver to form a judgment as to whether or not to discard a normally received current frame by comparing the block number and the contents of information block of the current frame with those of a frame normally received in a previous transmission. If they match each other, the normally received current frame is discarded.
In the conventional communication apparatus described above, however, a memory with a large storage capacity is required for storing the block number and the contents of information block of a frame normally received in a previous transmission. As a result, there is raised a problem of an increased amount of memory hardware.
In addition, since a lot of information is stored in a memory, an incident alpha ray may cause a problem of an increased probability that the stored data is lost.
There is also raised a problem of a likely increase in the overhead of the processing to compare the block number and the contents of information block of a current frame with those of a frame normally received in a previous transmission.
Furthermore, in order to compare a packet just received with a packet stored in the memory, it is necessary to provide a memory-read circuit to read out data from the memory. As a result, there is raised another problem of an increased amount of circuitry.
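An added C sketch of the conventional receiver described above (not code from the cited publication): it discards repeated frames by comparing the block number and contents with the previously stored frame, which is why the receiver must hold and re-read a full copy of each block. The field names, the 8-byte block size and the ok flag standing in for the link's error check are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_LEN 8 /* assumed information-block size in bytes */

struct frame {                          /* field names are assumptions */
    unsigned char repeat_total;         /* number of consecutive transmissions */
    unsigned char repeat_seq;           /* sequence number of this transmission */
    unsigned short block_no;            /* position of the block in the sequence */
    unsigned char data[BLOCK_LEN];      /* information block */
    bool ok;                            /* stand-in for the link's error check */
};

struct receiver {
    bool have_prev;
    unsigned short prev_block_no;       /* kept only for the duplicate check */
    unsigned char prev_data[BLOCK_LEN]; /* full copy of the previous block */
    int delivered, discarded, errors;
};

/* Returns true when the frame carries a new block that is delivered. */
static bool rx_frame(struct receiver *r, const struct frame *f)
{
    if (!f->ok) { r->errors++; return false; } /* bad copy: wait for a repeat */
    bool dup = r->have_prev && f->block_no == r->prev_block_no &&
               memcmp(f->data, r->prev_data, BLOCK_LEN) == 0;
    if (dup) { r->discarded++; return false; } /* repeat of a block already held */
    r->have_prev = true;
    r->prev_block_no = f->block_no;
    memcpy(r->prev_data, f->data, BLOCK_LEN);
    r->delivered++;
    return true;
}

/* Constructed trace: 3 blocks, each sent 3 times, some copies corrupted. */
static struct receiver run_trace(void)
{
    static const bool ok[3][3] = { {true, true, true}, {false, true, true}, {false, false, true} };
    struct receiver r = {0};
    for (int b = 0; b < 3; b++)
        for (int s = 0; s < 3; s++) {
            struct frame f = { .repeat_total = 3, .repeat_seq = (unsigned char)s,
                               .block_no = (unsigned short)b, .ok = ok[b][s] };
            memset(f.data, 'A' + b, BLOCK_LEN);
            rx_frame(&r, &f);
        }
    return r;
}

int main(void)
{
    struct receiver r = run_trace();
    printf("delivered=%d discarded=%d errors=%d\n", r.delivered, r.discarded, r.errors);
    return 0;
}
```

Every block is recovered despite the corrupted copies, but each good frame costs a stored block plus a byte-by-byte comparison, and both grow with the block size.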
It is therefore a second object of the present invention to reduce the amount of hardware and to decrease the overhead of reception processing while also providing a capability of receiving information with a high degree of reliability.
As described above, the power converting apparatus for converting and controlling power is typically applied to systems such as a power generating system, an industrial production system, a railroad system and a public utility system which are important to society. In the application of the power converting apparatus to such a system, the power converting apparatus is installed in a harsh environment in which noise is most likely generated by an external source and introduced into the controller employed in the power converting apparatus from the external source. It is thus necessary to detect an error caused by noise generated in the controller and to halt execution of the control. If the control is interrupted frequently, however, society will be much affected. It is therefore necessary to avoid interruptions of the system as much as possible.
In general, as a method of increasing the reliability of a controller, the controller is designed into a multisystem configuration comprising a plurality of systems. By selecting outputs of only normally operating systems, the reliability of the controller can be increased. As a technique of identifying a system getting out of order in a multisystem controller due to an abnormality, any particular system is driven to exchange data with other systems of the controller. The particular system then compares pieces of data received from others with its own piece of data by using logic according to a decision based on a majority of the pieces of data in order to produce a piece of diagnosis data. If its own piece of data does not match the piece of diagnosis data produced by decision based on a majority, the particular system judges its own piece of data to be incorrect. This technique is disclosed in documents such as Japanese Patent Laid-open No. Hei 4-307633. A system judged to be out of order is detached from the diagnosing system according to a decision based on a majority before a two-system failure occurs to provide a multisystem controller assuring safety by adopting a technique disclosed in Japanese Patent Laid-open No. Hei 6-348524.
With the techniques described above, however, a problem is raised when matching of outputs is assured by establishing synchronization among systems. That is to say, with the techniques described above, a state of synchronization among controllers for different systems is not known with a high degree of reliability. Thus, when a system of a three-system control apparatus is halted and detached from the apparatus due to a failure, for example, a two-system control apparatus comprising the remaining systems can be sustained. If an abnormality of synchronization between the remaining two systems further occurs, however, the outputs of the two systems do not match each other any more due to a synchronization shift. In this case, the failing system cannot be identified, making it necessary to halt both the systems. Such a problem is encountered for example in a self-excited power converting apparatus employing a controller with an extremely short control cycle. In such a controller, since a synchronization shift most likely occurs, there is raised a problem of a decreased availability factor of the systems caused by a multisystem failure.
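The situation described above, as an added C example that is not taken from the cited publications: each system's output is compared with the majority (diagnosis) data, and once only two systems remain, a mismatch cannot be attributed to either of them. The three-system size, the names and the sample output values are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

#define NSYS 3            /* assumed three-system controller */
#define DIAG_OK      (-1) /* every attached system matches the diagnosis data */
#define DIAG_UNKNOWN (-2) /* mismatch, but no majority names the faulty system */

/* Diagnosis data: the value held by more than half of the attached systems.
 * Returns false when no such value exists. */
static bool majority_value(const int out[NSYS], const bool att[NSYS], int *val)
{
    int n = 0;
    for (int i = 0; i < NSYS; i++) n += att[i] ? 1 : 0;
    for (int i = 0; i < NSYS; i++) {
        int same = 0;
        for (int j = 0; att[i] && j < NSYS; j++)
            same += (att[j] && out[j] == out[i]) ? 1 : 0;
        if (2 * same > n) { *val = out[i]; return true; }
    }
    return false;
}

/* Index of the attached system whose data differs from the diagnosis data,
 * or DIAG_OK / DIAG_UNKNOWN. */
static int diagnose(const int out[NSYS], const bool att[NSYS])
{
    int diag;
    if (!majority_value(out, att, &diag)) return DIAG_UNKNOWN;
    for (int i = 0; i < NSYS; i++)
        if (att[i] && out[i] != diag) return i;
    return DIAG_OK;
}

/* Constructed step 1: all three attached, system 2 outputs a wrong value. */
static int first_failure(void)
{
    const int out[NSYS] = {100, 100, 97};
    const bool att[NSYS] = {true, true, true};
    return diagnose(out, att);
}

/* Constructed step 2: system 2 detached, a synchronization shift makes the
 * two remaining outputs differ. */
static int second_failure(void)
{
    const int out[NSYS] = {100, 101, 0};
    const bool att[NSYS] = {true, true, false};
    return diagnose(out, att);
}

int main(void) { printf("%d %d\n", first_failure(), second_failure()); return 0; }
```

The first failure is attributed to system 2; the second returns DIAG_UNKNOWN, the case in which both remaining systems have to be halted.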
A controller that is capable of normally continuing the control of a power converting apparatus even in the event of an error generated in the controller may be needed in control of equipment other than the power converting apparatus in some cases. Examples of controllers required for such control include a controller employed in an emergency power breaking system and a controller for industrial applications.
To put it concretely, examples of such controllers are a control apparatus employed in an emergency power breaking system used for urgently breaking the supplying of energy such as fuel (including oil and gas) and electric power, a controller for controlling manufacturing equipment provided with sensors and actuators and a controller for controlling a production line of typically a metal refinery. We can assume cases in which a production machine is out of order or a product resulting from manufacturing work using the machine is damaged due to suspension of processing carried out by a controller in the course of control of the machine. In the case of a production line of a metal refinery, a lot of work and a lot of time are required to resume production in the event of a failure. For the reasons described above, a synchronous-multisystem control apparatus is adopted in such a controller and it is necessary for such a controller to be capable of sustaining the continuity of the control with a high degree of reliability.
It is thus a third object of the present invention to provide a degradation control method capable of increasing the availability factor in the event of a multisystem failure occurring in a multisystem control apparatus.