1. Field of the Invention
The present invention relates to a duplex system which is applied to a safety system, and more particularly to a duplex system in which the validity of a security system is improved.
2. Description of the Related Art
In the field of processor devices applied to distributed control systems that perform process control and the like, a duplex system is widely in practical use in which the processor devices performing the process control calculation are duplicated in order to enhance availability, with one processor device standing by for a failure of the other processor device.
FIG. 3 is an operation diagram of a related-art duplex system at the start of duplication.
Duplication is initiated by activation of a standby side processor device 20 during operation of a control side processor device 10.
A memory 11 of the control side processor device 10 stores a logic engine 12 and an OS 13. The logic engine 12 repeatedly executes, at constant intervals, a process in which data of an input module 30 are read and control calculation is performed via the OS 13, after which output data are written into an output module 40 via the OS 13.
When the standby side processor device 20 is activated, the control side processor device 10 detects the activation of the standby side processor device 20 and enables a first copying section 14 of the control side processor device 10.
When the first copying section 14 is enabled, data which is written into the memory 11 by a processor (not shown) of the control side processor device 10 is written to the same address of a memory 21 of the standby side processor device 20.
The OS 13 of the control side processor device 10 executes a process in which all data in the memory 11 of the control side processor device 10 are gradually and sequentially copied, at constant intervals, to the memory 21 of the standby side processor device 20 by a second copying section 15.
In this way, once the first and second copying sections 14, 15, which copy the memory 11 of the control side processor device 10 to the standby side processor device 20, have completed the copy process over the whole area of the memory, the contents of the memory 21 of the standby side processor device 20 coincide with those of the memory 11 of the control side processor device 10.
FIG. 4 is an operation diagram of synchronization of the related-art duplex system.
As a result of the process of FIG. 3, the contents of the memory of the control side processor device 10 are identical with those of the memory of the standby side processor device 20.
The OS 13 of the control side processor device 10 reads data from the input module 30. An OS 23 of the standby side processor device 20 copies the data read by the OS 13 of the control side processor device 10 to the memory 21 of the standby side processor device 20. The OSs 13, 23 on both sides transmit the same data to the logic engines 12, 22.
Since the memory data of the control side processor device 10 and the standby side processor device 20 are identical with each other, the logic engines 12, 22 on both sides perform the same calculation process. At this time, in order to cause the calculation processes on both sides to operate in the same sequence at the same timing, the OSs 13, 23 on both sides execute a synchronizing process of queuing with each other each time the logic engines 12, 22 call the respective OSs. As a result of the synchronizing process, the calculation process performed by the logic engine 12 of the control side processor device 10 is identical in sequence and timing with that performed by the logic engine 22 of the standby side processor device 20.
As a result of the above, the logic engines 12, 22 on both sides output the same calculation result. Therefore, the OS 23 of the standby side processor device 20 is not required to write output data into the output module 40, and only the OS 13 of the control side processor device 10 executes an output to the output module 40.
When the control side processor device 10 is stopped for any reason, such as a hardware failure, the control right is switched to the standby side processor device 20, and the calculation result which ought to have been output by the stopped control side processor device 10 continues to be output to the output module 40.
Even when one of the processor devices is stopped, therefore, the input/output modules 30, 40 and the control calculation are not stopped as a whole, and high availability as a controller is ensured.
For example, JP-A-7-36720 discloses the configuration of a conventional duplex system.
JP-A-7-36720 is referred to as a related art.
In the case where the related-art example shown in FIGS. 3 and 4 is applied to a safety system, there arise the following problems.
When the contents of the memory 11 of the control side processor device 10 are copied to the memory 21 of the standby side processor device 20, the possibility that erroneous data are copied to the standby side because of a failure of the hardware portion which executes the copying operation must be reduced as compared with a conventional control system.
When the OS 23 of the standby side processor device 20 copies data of the input module 30 from the control side and transfers the data to the logic engine 22, the possibility that erroneous data which differ from those of the control side are passed to the standby side because of a failure of the hardware involved in this process must be reduced as compared with a related-art control system.
Furthermore, the possibility that the synchronizing process between the control side processor device 10 and the standby side processor device 20 malfunctions because of a failure of the hardware involved in the synchronizing process, so that the sequence and timing of the calculations of the logic engines 12, 22 on the control and standby sides deviate from each other, must be reduced as compared with a related-art control system.
In these cases, during the period in which the control side processor device 10 operates, only the control side performs the output to the output module 40, so no problem arises in that period. The possibility that, as soon as the control side is stopped, erroneous or out-of-sequence data are output to the output module 40 by the standby side must be reduced as compared with a related-art control system.
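The duplication sequence of FIG. 3 and the copy-path failure just described can be modelled as a small simulation. The following is an added illustration, not code from the patent or from any real duplex system: the memory sizes, the chunk size of the second copying section 15, the injected copy fault, and the read-back comparison used to expose it are all constructed assumptions.

```python
MEM_WORDS = 8     # constructed size of memories 11 and 21
SWEEP_CHUNK = 2   # constructed: words the second copying section copies per interval


class DuplexSystem:
    """Data flow of FIG. 3: write-through mirror (section 14) plus a background
    sweep (section 15), with an optional constructed fault in the copy path."""

    def __init__(self, fault_at=None):
        self.control = [0] * MEM_WORDS   # memory 11 of control side device 10
        self.standby = [0] * MEM_WORDS   # memory 21 of standby side device 20
        self.first_copy_enabled = False
        self.sweep_pos = 0
        self.fault_at = fault_at         # constructed: address whose copy flips a bit
    def _copy_word(self, addr):
        value = self.control[addr]
        if addr == self.fault_at:
            value ^= 0x01                # constructed hardware fault while copying
        self.standby[addr] = value
    def control_write(self, addr, value):
        """Processor of device 10 writes memory 11; section 14 mirrors the write."""
        self.control[addr] = value
        if self.first_copy_enabled:
            self._copy_word(addr)
    def activate_standby(self):
        """Device 20 starts: device 10 enables section 14 and the sweep begins."""
        self.first_copy_enabled = True
        self.sweep_pos = 0
    def sweep_interval(self):
        """Section 15: copy the next chunk; True once the whole area is copied."""
        end = min(self.sweep_pos + SWEEP_CHUNK, MEM_WORDS)
        for addr in range(self.sweep_pos, end):
            self._copy_word(addr)
        self.sweep_pos = end
        return end >= MEM_WORDS
    def divergent_addresses(self):
        """Read-back comparison (an assumed check, not part of the related art)."""
        return [a for a in range(MEM_WORDS) if self.control[a] != self.standby[a]]


def run_duplication(fault_at=None):
    """Run the FIG. 3 sequence; return addresses where memory 21 differs from 11."""
    dup = DuplexSystem(fault_at)
    for addr in range(MEM_WORDS):
        dup.control_write(addr, 0x10 + addr)   # control side running alone
    dup.activate_standby()
    dup.control_write(3, 0xAA)                 # write during the sweep, mirrored
    while not dup.sweep_interval():
        pass
    return dup.divergent_addresses()
```

Without the read-back comparison the standby memory would be trusted as identical even though the faulty copy path silently altered a word, which is exactly why the standby contents must be verified rather than assumed.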