Prompted by the serious safety accidents that have occurred on escalators in recent years, and following the functional safety standard IEC6150 for electrical/electronic/programmable electronic safety-related systems, this paper studies the hardware redundancy technology and methods of dual-computer redundant systems and proposes a dual-CPU scheme for a high-reliability escalator safety controller based on dual-computer hot backup. It concentrates on the overall hardware design and also presents a typical design of the arbitration circuit and the watchdog circuit.

In recent years, escalator systems have suffered a series of safety accidents caused by the malfunction and misoperation of electronic components, resulting in heavy casualties and property losses. To prevent such accidents from recurring, the State Administration of Quality Supervision and Inspection (AQSIQ), in GB 16899-2011 "Safety Code for the Manufacture and Installation of Escalators and Automatic Sidewalks", explicitly requires that escalator and automatic sidewalk systems be fitted with safety controllers that directly monitor their operation. A safety-related system built around a safety controller is independent of the process control system.
It performs its safety function correctly before a dangerous event occurs, avoiding heavy casualties and property losses, and is therefore an important measure for ensuring production safety. High reliability is the main characteristic of a safety controller and is usually achieved through redundancy. Redundancy in a safety controller mainly comprises software redundancy and hardware redundancy. At present there are four kinds of hardware redundancy: power redundancy, controller redundancy, communication network redundancy and I/O module redundancy. Hardware redundancy switches over relatively quickly; although it increases cost, this is acceptable for a safety controller.
This paper presents a hardware design for a dual-CPU safety controller based on the STM32F106 using fault-tolerant technology. The overall scheme of the proposed controller is shown in Figure 1. Its main hardware redundancy technologies are: (1) controller redundancy; (2) minimum-system redundancy and alarm-device redundancy; (3) interface-module redundancy. Each controller is connected to an interface module, which in turn connects to the bus. Heartbeat signals are exchanged between the controllers so that each can confirm the other is in a normal working state, and data is transmitted in every working cycle; a CRC check is appended to the end of the data to ensure the correctness and integrity of the transmission. The controller switches over or raises an alarm when any of the following faults occurs: (1) power failure; (2) hardware failure of the controller itself; (3) failure of the interface module. When communication between the standby controller and the main controller fails, the standby controller makes a final confirmation over all of its connections to the main controller. If every communication path is invalid, it is determined that the main controller has probably lost power, and the standby controller raises an alarm and lights the corresponding fault indicator.
If detection shows that the interface module is working normally but the controller is not, fault (2) is indicated; the standby controller then raises an alarm and lights the corresponding fault indicator. When the two interface modules communicate with each other or monitor bus data, and the standby interface module finds that the main interface module has a problem, it notifies the standby controller, which then asks the main controller for a judgment. The arbitration circuit is one of the keys of a redundant controller: it mainly ensures correct switching between the main and standby controllers. The arbitration circuit used in this controller is shown in Figure 2. F_CPU_A and F_CPU_B are the state signals of the main and standby CPUs, respectively; EN_CPU_A and EN_CPU_B are their enable signals; S is a manual switch. Since the main CPU and the standby CPU are completely symmetrical in structure and function, the working CPU is selected by switch S. If S is connected to the high level VCC, the main CPU works first by default. When the main CPU fails, F_CPU_A goes high, the EN_CPU_A signal becomes invalid, the EN_CPU_B enable signal becomes valid, and the standby CPU takes over. When both CPUs fail, the circuit does not work at all.
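As an added illustration, not code from the paper, the following C model shows the per-cycle heartbeat frame with its CRC trailer, the standby controller's confirmation over all connections, and the arbitration logic of Figure 2. The CRC-16/MODBUS variant, the payload size and the number of links are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define PAYLOAD_LEN 6               /* status bytes exchanged per cycle (assumed size) */
#define FRAME_LEN (PAYLOAD_LEN + 2) /* payload followed by a 16-bit CRC trailer */
#define LINKS 2                     /* connections between the CPUs (assumed count) */
/* CRC-16/MODBUS (poly 0x8005 reflected as 0xA001, init 0xFFFF). The paper only
   says "CRC checkers", so this particular variant is an assumption. */
uint16_t crc16(const uint8_t *data, size_t len) {
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 1u) ? (crc >> 1) ^ 0xA001u : (crc >> 1);
    }
    return crc;
}
/* Sender: copy the payload and append the CRC little-endian at the end. */
void build_frame(const uint8_t payload[PAYLOAD_LEN], uint8_t frame[FRAME_LEN]) {
    uint16_t crc = crc16(payload, PAYLOAD_LEN);
    memcpy(frame, payload, PAYLOAD_LEN);
    frame[PAYLOAD_LEN] = (uint8_t)(crc & 0xFF);
    frame[PAYLOAD_LEN + 1] = (uint8_t)(crc >> 8);
}
/* Receiver: a frame whose trailer does not match is treated as no heartbeat. */
bool frame_ok(const uint8_t frame[FRAME_LEN]) {
    uint16_t got = (uint16_t)(frame[PAYLOAD_LEN] | (frame[PAYLOAD_LEN + 1] << 8));
    return got == crc16(frame, PAYLOAD_LEN);
}
/* Standby's final confirmation: the main CPU counts as faulty (F_CPU_A high) only
   when the heartbeat is invalid on every connection, not on a single bad link. */
bool main_cpu_faulty(const bool heartbeat_ok[LINKS]) {
    for (int i = 0; i < LINKS; i++)
        if (heartbeat_ok[i]) return false;
    return true;
}
/* Arbitration of Figure 2: F_* fault flags, S default select, EN_* resulting enables. */
typedef struct { bool en_cpu_a, en_cpu_b; } enables_t;
enables_t arbitrate(bool f_cpu_a, bool f_cpu_b, bool s_high) {
    enables_t en = { false, false };
    if (f_cpu_a && f_cpu_b) return en;              /* both failed: nothing enabled */
    if (f_cpu_a) { en.en_cpu_b = true; return en; } /* main failed: standby works */
    if (f_cpu_b) { en.en_cpu_a = true; return en; } /* standby failed: main works */
    if (s_high) en.en_cpu_a = true; else en.en_cpu_b = true; /* healthy: S decides */
    return en;
}
```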
The CPU is the core component of the safety controller. To monitor its working state effectively, the controller also includes a hardware watchdog, whose structure is shown in Figure 3. This controller uses the SP706 as the main chip of the watchdog circuit; it provides reset output, low-voltage monitoring and manual reset. During power-on, once Vcc reaches 1 V, RESET is a stable logic low, typically 0.4 V or lower, and it stays low as Vcc rises. When Vcc exceeds the reset threshold, an internal timer generates a 200 ms RESET signal. RESET remains low whenever Vcc falls below the reset threshold. If a power failure occurs during the initial reset, the reset pulse lasts at least 140 ms.
When Vcc drops below the reset threshold, RESET remains low, stable at 0.4 V or lower, until Vcc falls below 1 V. By choosing the voltage-divider ratio, the voltage on PFI can be brought below 1.25 V before the 5 V regulator loses regulation, and PFO is used to interrupt the CPU so that its supply voltage can be monitored. Redundancy is one of the technologies that ensure reliable operation of a safety controller. This paper has mainly discussed the hardware design of the safety controller; hardware watchdog technology further improves its reliability.