Circuit anti-misoperation method and system based on manual and automatic mode isolation
By preprocessing input signals and detecting sticking and locking state machines in industrial control systems, inserting hardware dead zones, and using dynamic isolation masks and mutual exclusion logic to process signals, the safety hazards caused by signal interference and button sticking are solved. This achieves absolute isolation between manual and automatic modes and prevents misoperation, ensuring system stability and safety.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- 四川钭进科技有限公司
- Filing Date
- 2026-03-20
- Publication Date
- 2026-06-19
AI Technical Summary
Existing industrial control systems suffer from safety hazards caused by signal interference, button sticking, mode switching timing conflicts, and software logic errors, making it difficult to achieve absolute isolation between manual and automatic modes and prevent misoperation.
By receiving and preprocessing the input signal, a purified signal vector is generated and a stuck-lock state machine model is detected. A hardware dead zone is inserted, and the signal is processed using a dynamic isolation mask and mutual exclusion logic. A hardware dead zone and asynchronous rejection logic are constructed to ensure safe switching.
It achieves accurate identification of button sticking and mode switching, prevents accidental device startup, ensures system stability and safety in high interference environments, extends the life of power devices, and improves operational safety.
Figure CN121900279B_ABST (abstract drawing)
Description
Technical Field
[0001] This invention relates to the field of logic circuit technology, and in particular to a method and system for preventing circuit misoperation based on manual and automatic mode isolation.
Background Technology
[0002] In industrial control systems, actuators such as motors and valves typically have both manual and automatic control modes. Traditional control cabinets often use relay logic or programmable logic controllers (PLCs) to achieve mode switching and control. However, with increasingly complex industrial environments and higher safety requirements, existing technologies are gradually revealing a series of safety hazards and technical bottlenecks.

Signal interference and metastability: industrial environments are characterized by severe electromagnetic noise and mechanical switch jitter, while traditional PLCs have long scan cycles, making it difficult to capture transient interference and easily causing malfunctions. Furthermore, when high-speed digital circuits are used directly to process asynchronous signals, the lack of effective cross-clock domain synchronization can easily lead to flip-flop metastability, causing system logic collapse.

Physical adhesion and false reset hazards: when manual button contacts become welded or mechanically jammed, or when an operator forcibly switches to automatic mode while holding down the manual button, traditional logic often fails to recognize this dangerous state. If the system misinterprets this as a reset and starts the automatic program, the equipment may start unexpectedly before personnel have evacuated, leading to serious safety accidents.

Short-circuit risk during mode switching: electronic logic switches on the nanosecond scale, while the disconnection of external power devices such as contactors requires tens of milliseconds of physical time. Without reliable dead-zone control during mode switching, a phase-to-phase short-circuit fault may occur in which the contactor of the previous mode has not yet disconnected while the contactor of the next mode has already engaged, leading to a machine explosion.

Unreliable software logic: interlocking logic based on pure software (such as PLC ladder diagrams or host computer code) is prone to failure due to program bugs, crashes, or communication delays.
[0003] Therefore, there is an urgent need for a circuit control scheme that can achieve absolute isolation between manual and automatic modes from the underlying physical logic, and has a complete anti-interference and anti-misoperation mechanism.
Summary of the Invention
[0004] One of the objectives of this invention is to provide a circuit anti-misoperation method based on manual and automatic mode isolation, so as to solve the safety hazards caused by signal interference, button sticking, mode switching timing conflicts and software logic errors in the existing industrial control system.
[0005] This invention is achieved through the following technical solution: a circuit anti-misoperation method based on manual and automatic mode isolation, comprising the following steps:
[0006] S100: receive the input signal and preprocess it to obtain the purified manual signal vector, automatic signal vector, and mode status bit;
S200: based on the adhesion-locked state machine model, perform forced reset detection on the manual signal vector to generate a manual occupancy lock flag with memory characteristics; the manual occupancy lock flag characterizes whether there is an unresolved human intervention or physical adhesion risk in the manual control channel;
S300: generate a mutually exclusive manual enable mask and automatic enable mask according to the mode status bit and the manual occupancy lock flag, and insert a fully silent hardware dead zone during the mode switching transition period;
S400: based on the manual enable mask and automatic enable mask, perform gated transmission on the manual signal vector and automatic signal vector respectively, and perform logical aggregation and interlock verification on the gated signals to generate the final control output signal.
[0007] Furthermore, the preprocessing includes digital filtering and synchronization processing. The digital filtering includes: constructing a state-holding counter with hysteresis characteristics for each input signal channel; monitoring the continuity and consistency of the input signal level in real time, and only considering the signal as a valid state switch when the input signal level remains constant for N consecutive clock cycles; otherwise, treating any signal fluctuation with a width smaller than the sampling window width as noise and filtering it out; wherein the sampling window width corresponding to N clock cycles is configured to be greater than the preset physical jitter period of the mechanical switch. The synchronization processing specifically includes: before digital filtering, using a multi-stage cascaded flip-flop chain to sample the input signal continuously on the clock edge, so that the signal level converges during cross-clock domain transmission and metastability is eliminated.
[0008] Furthermore, in S200, the generation of the manual occupancy lock flag follows the asymmetric principle of logical self-locking and conditional unlocking, including: setting condition: when the manual signal vector is detected to be at a valid level, the manual occupancy lock flag is immediately set to a valid state regardless of the current working mode; reset condition: during system operation, the manual occupancy lock flag is only allowed to be cleared when all of the following constraints are met simultaneously: (1) mode constraint: the system receives a request signal to enter the automatic mode; (2) state constraint: the real-time sampled value of the manual signal vector returns to an invalid level; (3) time-domain constraint: the manual signal vector remains at an invalid level for a period of time exceeding the preset safety confirmation period.
[0009] Furthermore, the preset safety confirmation period is configured to be significantly longer than the mechanical rebound time of the manual control element, so as to construct a logical hysteresis interval in the time dimension and eliminate the situation where poor contact or intermittent contact is mistakenly judged as a successful reset.
[0010] Furthermore, in S300, the hardware dead-time insertion process includes: real-time monitoring of the edge transition of the mode status bit; once a mode switching action is detected, the dead-time counter is immediately started, and before the dead-time counter reaches zero, the manual enable mask and the automatic enable mask are forcibly set to an invalid state, so that the output port is in a passive safe state during the dead-time counter counting.
[0011] Furthermore, in S300, the logic for generating the automatic enable mask is as follows: the automatic enable mask is set to an effective state only when the current mode is automatic, the dead zone counter has finished counting, and the manual occupancy lock flag is false; if the manual occupancy lock flag is true, the automatic enable mask is forcibly blocked to an invalid state regardless of the mode status bit.
[0012] Furthermore, in S400, the gated transmission of the manual signal vector and the automatic signal vector specifically includes: using parallel processing logic, performing a bitwise AND operation between the purified manual signal vector and the manual enable mask to generate a manual instruction stream; simultaneously, performing a bitwise AND operation between the purified automatic signal vector and the automatic enable mask to generate an automatic instruction stream; and performing a bitwise logical OR operation between the manual instruction stream and the automatic instruction stream to generate a unified driving instruction.
[0013] Furthermore, the S400 also includes an emergency stop circuit breaker mechanism: outside the logic path of logic convergence and interlock verification, asynchronous rejection logic is configured; when an emergency stop input signal is detected to be valid, all mask arbitration and timing control logic are bypassed, and all control output ports are forcibly set to a safe disconnect state.
[0014] Furthermore, in S400, the interlock check includes end-to-end conflict blocking logic: real-time monitoring of the state of each mutually exclusive output signal pair; if both signals of a mutually exclusive pair are detected at the active level, conflict blocking is triggered, forcing both signals of the pair to the invalid state simultaneously.
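The S300/S400 arbitration described in paragraphs [0010] to [0014], as an added cycle-level model that is not the patent's own code. It evaluates the logic once per clock: a mode edge restarts a dead-zone counter that silences both masks, the automatic mask is additionally blocked by the manual occupancy lock flag, the two signal vectors are gated and OR-aggregated, a mutually exclusive output pair is cleared when both bits are active, and an emergency stop overrides everything. The three output bits, the conflict pair, the dead-zone length and the scenario sequence are constructed assumptions; a "safe" mode (the illegal selector state from paragraph [0034]) simply yields two invalid masks.

```python
# Added example (not the patent's own code): cycle-level model of S300/S400.
# The output bits, the conflict pair, the dead-zone length and the scenario
# below are constructed assumptions used to illustrate the text.

FWD, REV, AUX = 1 << 0, 1 << 1, 1 << 2      # output port bits (constructed)
ALL_OUTPUTS = FWD | REV | AUX
CONFLICT_PAIRS = ((FWD, REV),)              # mutually exclusive output pair


class ModeArbiter:
    def __init__(self, dead_cycles):
        self.dead_cycles = dead_cycles
        self.dead_count = 0
        self.prev_mode = None

    def masks(self, mode, manual_lock):
        # S300: a mode edge restarts the dead-zone counter; while it runs,
        # both masks are forced invalid so the outputs sit in a passive state.
        if self.prev_mode is not None and mode != self.prev_mode:
            self.dead_count = self.dead_cycles
        self.prev_mode = mode
        in_dead_zone = self.dead_count > 0
        if in_dead_zone:
            self.dead_count -= 1
        manual_en = mode == "manual" and not in_dead_zone
        auto_en = mode == "auto" and not in_dead_zone and not manual_lock
        manual_mask = ALL_OUTPUTS if manual_en else 0
        auto_mask = ALL_OUTPUTS if auto_en else 0
        assert manual_mask & auto_mask == 0   # mutually exclusive by construction
        return manual_mask, auto_mask

    def clock(self, mode, manual_vec, auto_vec, manual_lock, estop):
        manual_mask, auto_mask = self.masks(mode, manual_lock)
        # S400: gated transmission of both vectors, then logical aggregation
        drive = (manual_vec & manual_mask) | (auto_vec & auto_mask)
        # interlock check: end-to-end conflict blocking of exclusive pairs
        for a, b in CONFLICT_PAIRS:
            if drive & a and drive & b:
                drive &= ~(a | b)
        # asynchronous rejection: e-stop bypasses all mask and timing logic
        if estop:
            drive = 0
        return drive


def run_switch_demo(dead_cycles=3):
    """Constructed scenario: manual FWD for 4 cycles, switch to automatic
    while the operator still holds FWD, then a conflicting auto command,
    then the lock flag, then the emergency stop. Returns drive per cycle."""
    arb = ModeArbiter(dead_cycles)
    #         (mode,      manual_vec, auto_vec,        lock, estop)
    steps = ([("manual", FWD, 0, 0, 0)] * 4
             + [("auto", FWD, FWD | AUX, 0, 0)] * 5
             + [("auto", 0, FWD | REV | AUX, 0, 0),
                ("auto", 0, FWD | AUX, 1, 0),
                ("auto", 0, FWD | AUX, 0, 1)])
    return [arb.clock(*s) for s in steps]


if __name__ == "__main__":
    print(run_switch_demo())   # dead zone shows as three silent cycles
```

In the demo trace the first four cycles drive FWD from the manual vector, the three cycles after the switch are fully silent regardless of either vector, the automatic command then passes, the FWD+REV conflict leaves only AUX, the lock flag blanks the automatic path, and the e-stop blanks everything.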
[0015] Another aspect of the present invention provides a circuit anti-misoperation system based on manual and automatic mode isolation, including a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the program, it implements the circuit anti-misoperation method based on manual and automatic mode isolation as described above.
[0016] Compared with the prior art, the present invention has the following advantages and beneficial effects:
[0017] 1. This invention, through an asymmetric logic design that is easy to enter but difficult to exit, and especially by introducing the time-domain constraint of a safety confirmation period, enables the system to accurately identify mechanical welding, poor contact due to carbon buildup, or a manual button held down for a long time. As long as the manual circuit has not undergone a complete 'closing-releasing-stabilizing' physical cycle, the automatic mode remains permanently locked, fundamentally eliminating accidental self-starting of equipment due to equipment failure or personnel violating regulations, and realizing the fail-safe principle.
[0018] 2. This invention addresses the problem of mismatch between the speed of electronic logic and mechanical action by forcibly inserting a hardware dead zone at the moment of mode switching to construct a millisecond-level physical short-circuit protection barrier. This mechanism establishes an absolute barrier in the time dimension, ensuring that all external inductive loads (such as contactors) have sufficient time to release energy and disconnect physical contacts before the transfer of control, thus significantly extending the service life of power devices.
[0019] 3. This invention constructs a logical digital gate within the FPGA through dynamic isolation masking technology. By designing manual and automatic masks as mathematically mutually exclusive, it ensures that the system can only be in a definite control state (or a completely silent state) at any given time. This design simplifies complex mode competition problems to low-level Boolean algebra operations. Even if the host computer software malfunctions or issues incorrect instructions, it cannot penetrate the underlying hardware masking blockade, thus guaranteeing the determinism and robustness of the control logic.
[0020] 4. By combining electrical isolation, cross-clock domain (CDC) synchronization chain and time-integrated digital filtering, this invention can effectively suppress surge impacts of up to several kilovolts in industrial environments, eliminate contact jitter of mechanical switches, and reduce the probability of metastability to a negligible level in engineering applications. It has extremely high anti-interference capability and system stability, ensuring that the signals input to the FPGA logic core are pure, synchronous, and stable, and avoiding misjudgments caused by signal glitches in the logic circuit.
[0021] 5. This invention adopts a low-voltage indirect drive architecture. The operation panel and core logic chip operate only at a safe voltage of 3.3V / 5V, completely physically isolated from the 380V / 220V high-voltage circuit. This not only protects the expensive control chip, but more importantly, ensures the personal safety of the operator. It eliminates the risk of electric shock from high-voltage buttons due to insulation aging in traditional electrical boxes, achieving an inherently safe design of weak current controlling strong current. Furthermore, utilizing the parallel processing characteristics of the FPGA, the interlock verification and emergency stop circuit-breaker mechanism are implemented directly in hardware combinational logic, without relying on the CPU instruction cycle or system scheduling. When an emergency stop signal or output conflict is detected, the output can be forcibly cut off within nanoseconds. Its response speed and reliability are far superior to traditional PLC software interlocks.
Description of the Attached Figures
[0022] The accompanying drawings, which are included to provide a further understanding of embodiments of the invention and form part of this application, do not constitute a limitation thereof. In the drawings:
[0023] Figure 1 is a flowchart of the overall method provided in Embodiment 1 of the present invention.
Detailed Implementation
[0024] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. The components of the embodiments of the present invention described and shown in the accompanying drawings can generally be arranged and designed in various different configurations.
[0025] Embodiment 1
[0026] This embodiment discloses a circuit anti-misoperation method based on manual and automatic mode isolation. Figure 1 shows the overall flowchart of the method of this embodiment; as can be seen from Figure 1, it includes the following steps:
[0027] Step 1: Perform electrical isolation, cross-clock domain synchronization, and digital filtering on the multi-source heterogeneous input signals to obtain the purified manual signal vector, automatic signal vector, and mode status bit.
[0028] The input signals refer to the raw electrical signals acquired by the system from the physical world. These signals are typically unprocessed before entering the FPGA logic core. Specifically, input signals include, but are not limited to, manual control signals generated by operators pressing physical buttons (such as start, stop, jog, etc.), automatic control signals issued by the host computer or PLC, and mode selection signals determined by selector switches. Understandably, in industrial high-voltage environments, these raw signals often carry high voltages (such as 24V or even 220V / 380V) and are accompanied by significant electromagnetic noise and mechanical vibration. Therefore, this step is not merely a simple signal reading, but a crucial preprocessing step that transforms the randomness of the analog world into the determinism of digital logic.
[0029] In this embodiment, to ensure the electrical safety of the FPGA chip and achieve physical separation of high and low voltage, this step first involves electrical isolation and level conversion mechanisms. Specifically, the system uses optocouplers or high-impedance voltage divider circuits to convert external high-voltage input signals into low-voltage logic levels (such as 3.3V or 5V) acceptable to the FPGA chip's I / O ports. This process not only achieves voltage matching, but more importantly, utilizes the electrical insulation characteristics of optocouplers to cut off the surge impact path that external high-voltage circuits may cause to the internal precision logic circuits, establishing the system's first line of defense.
[0030] In this embodiment, considering the asynchronous nature of the original signal relative to the FPGA system clock, a cross-clock domain (CDC) synchronous processing model is constructed. Since the timing of the external button press or the arrival time of the PLC signal is completely random relative to the FPGA's high-speed clock, direct sampling could easily lead to the flip-flops entering a metastable state, meaning the output level would oscillate between logic 0 and 1 due to insufficient setup / hold time. Therefore, to address this physical uncertainty, the system configures a multi-stage cascaded D flip-flop chain at the logic entry point. Utilizing probabilistic principles, continuous clock edge sampling allows the signal to quickly converge to a stable logic level during cascaded transmission. This mathematically reduces the probability of metastability propagating to subsequent logic circuits to a negligible level, ensuring the baseline stability of subsequent logic operations.
[0031] Furthermore, in this embodiment, in order to eliminate the inherent contact jitter of mechanical switches and the high-frequency pulse interference in industrial environments, a digital de-jittering filter model based on the time integration principle is introduced in this step.
[0032] Contact bounce refers to the multiple unexpected and drastic voltage fluctuations that occur within a short period of time during the closing or opening of a mechanical switch due to the elastic collision of the reed contacts. If left unchecked, a single button press might be misinterpreted by a high-speed FPGA as dozens of consecutive trigger commands, leading to serious logic errors.
[0033] This digital dejitter filtering model is not a simple low-pass filter, but rather constructs a state-holding counter with hysteresis characteristics. Specifically, the model monitors the continuity and consistency of the input signal level in real time by establishing a time accumulator for each input channel within the FPGA. Only when the input signal level remains constant for the required number of consecutive clock cycles does the system recognize it as a valid state transition rather than transient noise; the sampling window corresponding to this dejitter threshold constant in physical time (e.g., 10ms~20ms) is designed to be strictly larger than the physical jitter period of a common mechanical switch. In this way, a time threshold is mathematically constructed. Any signal fluctuation with a width smaller than this threshold (including high-frequency electromagnetic interference pulses, electrostatic discharge interference, or mechanical micro-motion) is regarded as invalid noise and filtered out, thereby ensuring that the generated manual and automatic signal vectors are pure, deterministic, and faithfully reflect the operator's true intentions.
[0034] In this embodiment, a mutual exclusion check logic is specifically introduced for processing the mode status bit. Considering that an external mode selection switch might malfunction, resulting in both manual and automatic signals being simultaneously high (logic short circuit) or simultaneously low (open circuit), the system performs XOR and NAND logic analysis on these two signals during the sampling phase. It is understood that a valid mode state must be one and only one of the two. Once an illegal intermediate state is detected, the system will forcibly lock the cleaned mode status bit to the safe shutdown mode to prevent the system from operating in an undefined state due to switch failure. Specifically, in this embodiment, the digital dejitter filtering model based on the time integration principle can be constructed through the following steps:
[0035] 1) First, in order to transform parallel inputs from the physical world into mathematically computable objects, a standardized input vector space needs to be defined. In each FPGA system clock cycle, the captured raw physical level is mapped to a multidimensional Boolean vector, thus freezing continuous analog voltage transients into discrete digital snapshots.
[0036] Specifically, all key control signals (such as manual buttons, automatic mode switches, emergency stop buttons, etc.) can be considered as independent dimensions in a vector space, and at any given time... The system's input state is not just a scalar, but a state vector that contains the instantaneous values of all channels. This vectorized representation provides the mathematical basis for subsequent parallel filtering.
[0037] For example, in this embodiment, the first Input signal vectors with discrete-time indices It can be defined by the following formula:
[0038]
[0039] in, For discrete-time indexing; The input signal vector; The original sampled value representing the manual start button; The original sampled value representing the automatic operation signal; Representative mode selection switch ( automatic, The original sampled values (manually); This represents the original sampled value of the emergency stop button. All components. These all correspond to the TTL level states on the FPGA pins (0 for low level, 1 for high level). This step successfully transforms the physical input, which is full of noise, voltage risks, and timing uncertainties, into a synchronous, stable, and secure standardized data vector in the FPGA's internal logic space, laying a solid data foundation for subsequent isolation arbitration and logic operations.
[0040] 2) After establishing the input vector space, the original sampled values must be eliminated. To eliminate transient noise, considering that mechanical contacts typically experience physical jitter lasting 5ms-20ms during the closing instant, manifested as high-frequency 0 / 1 transitions, a time-integral de-jitter operator was constructed. .
[0041] Specifically, the operator in this embodiment does not rely on simple delay, but is based on the principle of energy integration, by applying energy integration to each input channel. Introduce a separate debounce state hold counter This counter is used to measure the continuity energy of the signal state; it only applies when the original sampled value of the input... The counter only increments when it remains constant throughout consecutive clock cycles; once any tiny jump (such as a noise pulse) is detected, the counter is immediately reset to zero. This is equivalent to building a highly sensitive reset mechanism in the time domain, where any signal fluctuations that are insufficient to sustain the signal for a sufficient duration will be treated as invalid energy and discarded by the mathematical model.
[0042] For example, in this embodiment, the first The dejitter state hold counter equation for each input channel can be calculated using the following formula:
[0043]
[0044] in, For the first Each input channel has a dejitter state hold counter, used to represent the current continuity count value; For the first The original sampled values of each input channel; This is the count value of the debounce state hold counter at the previous moment. This formula indicates that the debounce state hold counter... The growth of is a strictly monotonically increasing process and has zero tolerance for signal discontinuities.
[0045] 3) Finally, in order to obtain a stable logic output, a hysteresis characteristic needs to be introduced. This is a nonlinear transformation with memory damping to ensure that the system output does not frequently flip with small fluctuations of the input signal near the threshold.
[0046] Specifically, by setting a dejitter threshold constant This threshold represents the minimum time integral (i.e., minimum pulse width) required for a signal to be considered valid; only when the value accumulated by the counter exceeds this dejitter threshold constant... Only when the current input value is reached is the output's valid logic state allowed to be updated; otherwise, the system will maintain the previous output state. This mechanism effectively constructs a low-pass filter, whose cutoff frequency is determined by the dejitter threshold constant. and FPGA system clock cycle A joint decision.
[0047] For example, in this embodiment, the effective logical state after cleaning It can be calculated using the following formula:
[0048]
[0049] in, For the first The effective logic state after cleaning each input channel. It is the dejitter threshold constant, which is the FPGA system clock cycle. ( ), and the typical bounce time of the physical contact is 10ms, then set This means that any width smaller than The level changes (whether from external arcing interference or internal electrostatic spikes) cause variations in voltage levels due to their duration. It will never reach 500,000, therefore... The output will be completely filtered out, and the output will remain in the previous stable state. .
[0050] It should be noted that the above formulas together constitute the core of the anti-interference processing in this embodiment, through... With strict constraints, this model purifies the input signal, ensuring that subsequent state machine models (such as adhesion detection) process absolutely clean and definite Boolean values, avoiding logical misjudgments or illegal state machine transitions caused by signal jitter.
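The Step 1 front end described in paragraphs [0007], [0030] to [0034] and [0040] to [0049], as an added cycle-level model that is not the patent's own code. It chains a two-stage flip-flop synchronizer into the state-holding debounce counter (the run of identical samples must reach the threshold before the output updates, and any discontinuity restarts the run), then applies the selector mutual exclusion check of paragraph [0034]. The channel names, the two-stage depth, the small threshold used in the demo and the 50 MHz clock used to turn the 10 ms bounce figure into the 500,000-cycle threshold quoted in the text are assumptions; the demo waveform is constructed.

```python
# Added example (not the patent's own code): cycle-level model of the Step 1
# input front end. Channel names, the 2-stage synchroniser depth, the demo
# threshold and the 50 MHz clock are assumptions; the waveform is constructed.

CHANNELS = ("manual_start", "auto_run", "auto_sel", "manual_sel", "estop")


class Synchronizer:
    """Cascaded D flip-flop chain. In hardware this lets a metastable stage
    settle before downstream logic samples it; in this model it is a plain
    delay of `stages` clock edges (the settling itself is not simulated)."""

    def __init__(self, stages=2):
        self.regs = [0] * stages

    def clock(self, raw_bit):
        out = self.regs[-1]                      # value at the last stage
        self.regs = [raw_bit] + self.regs[:-1]   # shift on the clock edge
        return out


class Debouncer:
    """State-holding counter with hysteresis. `count` is the length of the
    current run of identical samples (saturating at `threshold`); any change
    restarts it, so a pulse shorter than `threshold` cycles can never reach
    the threshold and the output keeps its previous stable state."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.prev = 0
        self.count = 0
        self.out = 0

    def clock(self, sample):
        if sample == self.prev:
            if self.count < self.threshold:
                self.count += 1
        else:                        # discontinuity: zero tolerance, new run
            self.prev = sample
            self.count = 1
        if self.count >= self.threshold:
            self.out = sample        # run long enough: accept the new level
        return self.out


def mode_status(auto_sel, manual_sel):
    """Mutual exclusion check on the selector contacts: exactly one must be
    closed. Both closed (short) or both open (open circuit) is an illegal
    intermediate state and is forced to the safe shutdown mode."""
    if auto_sel ^ manual_sel:
        return "auto" if auto_sel else "manual"
    return "safe"


class InputFrontEnd:
    """Synchroniser followed by debouncer on every channel, then the mode check."""

    def __init__(self, threshold):
        self.sync = {c: Synchronizer() for c in CHANNELS}
        self.deb = {c: Debouncer(threshold) for c in CHANNELS}

    def clock(self, raw):
        clean = {c: self.deb[c].clock(self.sync[c].clock(raw[c])) for c in CHANNELS}
        clean["mode"] = mode_status(clean["auto_sel"], clean["manual_sel"])
        return clean


def cycles_for(seconds, clock_hz=50_000_000):
    """Threshold in clock cycles for a physical window; 10 ms at the assumed
    50 MHz clock gives the 500,000 figure quoted in the text."""
    return round(seconds * clock_hz)


def run_button_press_demo(threshold=5):
    """Constructed manual_start waveform: idle, a bouncing press, a held
    press, a 3-cycle glitch, held again. Returns the cleaned bit per cycle."""
    bounce = [1, 0, 1, 1, 0, 1, 0]
    raw_button = [0] * 20 + bounce + [1] * 30 + [0] * 3 + [1] * 10
    fe = InputFrontEnd(threshold)
    trace = []
    for bit in raw_button:
        raw = {c: 0 for c in CHANNELS}
        raw["manual_start"] = bit
        raw["manual_sel"] = 1          # selector stays in manual for the run
        trace.append(fe.clock(raw)["manual_start"])
    return trace


if __name__ == "__main__":
    t = run_button_press_demo()
    flips = sum(1 for i in range(1, len(t)) if t[i] != t[i - 1])
    print("accepted at cycle", t.index(1), "with", flips, "transition(s)")
    print("10 ms at 50 MHz =", cycles_for(0.010), "cycles")
```

With a threshold of 5 the bouncing press produces a single clean rising edge once the level has held for five consecutive samples (two cycles of synchronizer latency included), and the later 3-cycle dropout never reaches the threshold, so the output does not flicker. Scaling the threshold to 500,000 cycles reproduces the 10 ms window of paragraph [0049] at a 50 MHz clock.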
[0051] Step 2: Perform forced reset detection based on the adhesion-locked state machine model to generate an adhesion lock flag with memory characteristics. Step 1 yields a pure and valid logic state through digital filtering, but a deeper challenge remains: if the physical button undergoes mechanical welding, or if the operator forcibly switches modes while holding down the manual button, the filtering of Step 1 cannot recognize these dangerous situations. Therefore, it is necessary to construct an event-driven adhesion-locked state machine model that introduces a memory damping mechanism to transform transient signals into persistent state constraints.
[0052] Forced reset detection refers to the logical process of monitoring the physical state of external manual control elements throughout their entire lifecycle during system operation, especially during the transition from manual to automatic mode or during the maintenance of automatic mode. The core task of this process is not to simply determine the current signal level, but to verify whether the manual command has undergone a complete closing-releasing-stabilizing timing cycle, thereby confirming whether the operation loop is in a safe physical clearance state.
[0053] The adhesion lock flag refers to a Boolean state variable with memory damping characteristics constructed within the FPGA's internal logic. This flag characterizes whether the manual control channel was activated at the current moment or at an immediately preceding moment and has not yet received a definitive reset confirmation. When this flag is in the set (valid) state, it is logically equivalent to declaring that there is currently an unresolved human intervention or potential contact adhesion risk in the system, and it thus serves as the absolute basis for subsequently blocking the automatic control path.
[0054] In this embodiment, to eliminate the safety hazards caused by false resets in traditional relay logic or simple PLC programs, this step constructs an event-driven sticky-lock state machine model. This model introduces the asymmetry between logical self-locking and conditional unlocking. Specifically, the evolution of this model follows the principle of easy entry and difficult exit:
[0055] On the one hand, as long as the system detects that the filtered manual valid logic state is at a valid level (i.e., the operator has pressed the button, or a short circuit has occurred at the contact), the adhesion lock flag is immediately and unconditionally set regardless of the current operating mode. This process simulates a trigger action in the physical world: its response is instantaneous, designed to capture any possible intention of human intervention as quickly as possible.
[0056] On the other hand, clearing the adhesion lock flag requires extremely stringent reset confirmation conditions. This is not a simple signal toggle, but a multi-dimensional logical verification process that requires the following three hard constraints to be met simultaneously before the flag can be cleared:
[0057] Mode constraint: The system must explicitly receive a request signal for automatic mode;
[0058] State constraint: the real-time value of the manual valid logic state must return to an invalid level (i.e., logic 0), indicating that the physical button has theoretically been released;
[0059] Time-domain constraint: the duration for which the manual valid logic state remains at the invalid level must strictly exceed the preset safety confirmation period.
[0060] The significance of introducing the safety confirmation period as a time-domain constraint lies in constructing a logical hysteresis interval. In practical engineering, aging buttons or contactors may enter a semi-engaged state due to mechanical spring fatigue, or a high-impedance contact state due to carbon buildup, at the moment of disconnection. By requiring the signal to remain in the disconnected state for a sufficient duration (e.g., significantly longer than the mechanical rebound time when the button is released manually), this model effectively eliminates the possibility of poor or intermittent contact being mistakenly interpreted as a successful reset. In fact, this step also implicitly incorporates the design concept of a fail-safe mechanism: if the external manual button contacts have undergone physical welding (i.e., adhesion), or the connecting cable has short-circuited to the power supply, the manual valid logic state will continuously remain at a high level or exhibit an unstable oscillating level. Under this fault condition, because the state constraint cannot be met, or the time-domain constraint cannot complete its count, the state machine will never transition to the unlocked state, meaning the adhesion lock flag will remain true indefinitely.
[0061] This design ensures that even if the host computer issues an automatic start command, or the operator accidentally switches the selector to automatic mode, the adhesion lock flag remains set; because of its existence, the FPGA will always determine that the system is in an unsafe state, thereby blocking the execution authority of the automatic mode at the root and realizing the highest safety principle of stopping the system when a fault occurs.
[0062] Specifically, in this embodiment, the event-driven stuck-lock state machine model is constructed through the following steps:
[0063] 1) First, define the stuck-lock flag and its memory mechanism. To describe mathematically whether the manual button has been safely released, a stuck-lock flag with self-locking properties is defined.
[0064] This flag not only reflects whether the button is currently pressed but also records whether the manual operation loop has been left in an open state. Its rule is: whenever the manual valid logic state is detected as valid (logic 1), the stuck-lock flag is set to 1 immediately. The flag also has a memory (damping) characteristic: once set, it does not follow the manual valid logic state back to 0 and is not cleared automatically; instead it enters a self-locked state awaiting confirmation. Logically this forms a one-way trap: any manual operation, however brief, is captured and recorded by the system until a specific safety protocol is satisfied and the flag is released.
[0065] 2) Then, construct the reset and unlock condition from multiple constraints. Clearing the stuck-lock flag requires a stringent reset confirmation, which must demonstrate not merely that the button is currently open but that it was opened safely and intentionally.
[0066] Specifically, the reset confirmation condition is valid only when the following three physical constraints are satisfied simultaneously:
[0067] Mode correctness: the mode-state valid logic must indicate automatic mode, showing that the system is ready to take over control;
[0068] Physical disconnection verification: the manual valid logic state must be low (logic 0), direct evidence that the physical contacts have separated;
[0069] Time-domain safety verification: the time for which the manual valid logic state has held the value 0 must exceed the safety confirmation period.
[0070] The safety confirmation period is introduced here to prevent false resets, for example a momentary disconnection caused by poor contact. Only when the signal has remained stably at 0 for longer than the safety confirmation period is the reset considered valid. In this embodiment the reset confirmation condition can be calculated using the following formula:
[0071]
[0072] where the reset confirmation condition is the logical AND of three terms: the filtered mode-state valid logic (indicating automatic mode), the NOT of the filtered manual valid logic state, and the condition that the reset-duration counter, which counts how long the manual valid logic state has remained at 0, exceeds the safety confirmation period (set to [value] in this embodiment). This period is normally set much larger than the debounce threshold constant, so that the physical contacts have fully cooled and stably separated.
[0073] Note that in the above formula the mode term, which indicates that the current mode is automatic, limits the scope of the reset confirmation logic. Because the system carries both manual and automatic management logic, the time-domain safety verification here is used specifically for signal self-test in automatic mode: in automatic mode the controller must filter algorithmically the false resets caused by contact jitter or momentary disconnection, while in non-automatic modes a different protection protocol may be adopted. This conditional constraint decouples mode management from safety verification, ensuring the correctness of the reset action and the controllability of system state transitions. The negated manual term indicates that the filtered manual valid logic state is low, that is, the manual button is not pressed.
[0074] 3) Finally, construct the stuck-lock state transition equation. The stuck-lock flag defined in the first sub-step and the reset confirmation condition of the second are integrated into a recursive state transition equation that updates the lock state dynamically on every clock cycle.
[0075] For example, in this embodiment the state transition equation of the stuck-lock flag can be calculated using the following formula:
[0076]
[0077] where the stuck-lock flag at the current moment is given by the filtered manual valid logic state ORed with the AND of the stuck-lock flag from the previous moment and the NOT of the reset confirmation condition. The second term is the core closed loop of the model. Self-lock maintenance: if the flag was 1 in the previous time step and the reset confirmation condition is not met now, the flag is forced to remain 1. Physical adhesion detection: if the manual button is physically stuck so that the manual valid logic state is permanently 1, the reset confirmation condition is permanently false; substituted into the transition equation, the flag is locked at 1 indefinitely. This meets the anti-misoperation requirement: while the flag is 1, subsequent logic prevents automatic mode from starting, so unless the manual button is physically disconnected and that disconnection is logically confirmed, automatic mode can never take over, achieving absolute logical isolation.
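The following is an added behavioural model of the step 2 state machine (the set rule of [0064], the three reset constraints of [0066]-[0069] and the transition of [0077]); it is example code written for this page, not the patent's RTL, and the names (LockState, lock_step, run_lock, the scenario functions) and the cycle counts used in the scenarios are assumptions. One call to lock_step() stands for one FPGA clock cycle on the already filtered signals.

```python
# Added behavioural model of the stuck-lock state machine (not the patent's RTL).
# One call to lock_step() models one FPGA clock cycle on the filtered inputs.
# Names and the cycle counts in the scenarios below are my own assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class LockState:
    lock: int = 0       # stuck-lock flag: 1 = manual channel not confirmed released
    zero_cnt: int = 0   # consecutive cycles the filtered manual input has read 0


def lock_step(st: LockState, mode_auto: int, manual: int, t_confirm: int) -> LockState:
    """Advance one clock cycle.

    mode_auto : filtered mode-state logic, 1 = automatic mode requested
    manual    : filtered manual valid-logic state, 1 = contact closed / button pressed
    t_confirm : safety confirmation period in clock cycles
    """
    # Reset-duration counter: counts consecutive 0 cycles, restarts on any 1,
    # saturates so it cannot wrap however long the contact stays open.
    zero_cnt = 0 if manual else min(st.zero_cnt + 1, t_confirm + 1)
    # Reset confirmation = automatic mode AND contact open AND open for
    # strictly longer than t_confirm (the three constraints of [0057]-[0059]).
    reset_ok = bool(mode_auto) and not manual and zero_cnt > t_confirm
    # Transition: set immediately on any manual 1, otherwise hold the previous
    # value until the reset confirmation condition is met (one-way trap).
    lock = int(bool(manual) or (bool(st.lock) and not reset_ok))
    return LockState(lock=lock, zero_cnt=zero_cnt)


def run_lock(trace, t_confirm):
    """trace: list of (mode_auto, manual) per cycle; returns the lock flag per cycle."""
    st = LockState()
    flags = []
    for mode_auto, manual in trace:
        st = lock_step(st, mode_auto, manual, t_confirm)
        flags.append(st.lock)
    return flags


def scenario_clean_release(t_confirm=5):
    """Button held 3 cycles in manual mode, then released and selector moved to
    automatic. The flag clears only on the (t_confirm+1)-th consecutive 0 cycle."""
    trace = [(0, 1)] * 3 + [(1, 0)] * (t_confirm + 1)
    return run_lock(trace, t_confirm)


def scenario_welded_contact(t_confirm=5):
    """Contact welded (manual stuck at 1) while the operator selects automatic:
    the reset condition can never be met, so the flag stays 1 forever."""
    trace = [(0, 1)] * 2 + [(1, 1)] * 4 * t_confirm
    return run_lock(trace, t_confirm)


def scenario_intermittent_contact(t_confirm=5):
    """Release with one bounce pulse inside the confirmation window. Six 0 cycles
    are seen in total, but never more than t_confirm consecutively, so the
    hysteresis interval rejects the reset and the flag stays 1."""
    trace = [(0, 1)] * 2 + [(1, 0)] * 3 + [(1, 1)] + [(1, 0)] * 3
    return run_lock(trace, t_confirm)


def scenario_release_in_manual_mode(t_confirm=5):
    """Contact open for a long time but selector still in manual: the mode
    constraint is unmet, so the flag is retained for automatic mode to see."""
    trace = [(0, 1)] * 2 + [(0, 0)] * 3 * t_confirm
    return run_lock(trace, t_confirm)


if __name__ == "__main__":
    print("clean release    :", scenario_clean_release())
    print("welded contact   :", scenario_welded_contact())
    print("intermittent     :", scenario_intermittent_contact())
    print("open, manual mode:", scenario_release_in_manual_mode())
```

The intermittent-contact scenario is the one worth studying: the total open time exceeds the confirmation period, but the bounce restarts the duration counter, so the flag is retained. Whether the counter should also run while the selector is still in manual mode is left open by the description; the model above counts regardless of mode and relies on the mode term of the AND, which is the literal reading of [0072].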
[0078] Step 3: Generate a dynamic isolation mask and insert a hardware dead zone to build mutually exclusive signal transmission channels.
[0079] Here the dynamic isolation mask is a set of binary vectors computed in real time from the current operating status, the mode selection command and the stuck-lock flag produced in the previous step, and used to switch each control signal on or off. The mask acts as a digital gate in the logic circuit: through bitwise logic operations with the original command signals it determines which signals may pass and which must be forcibly blocked.
[0080] The hardware dead zone is a period of complete silence that the system forcibly inserts during a transition between operating modes or when a potential conflict is detected. During this period all control channels are disabled regardless of changes in the external inputs, creating an absolute safety barrier in the time dimension.
[0081] In this embodiment, to address the hazard arising from the extreme mismatch between electronic switching speed (nanoseconds) and the operating speed of external power devices (milliseconds), this step constructs a dead-zone insertion model based on time-domain flow control. In industrial control, after de-energization the contacts of external actuators such as AC contactors often need tens of milliseconds to separate fully, because of mechanical inertia and arcing. If the FPGA switched its control logic immediately on the instantaneous change of the mode switch, a short-circuit condition would be very likely, in which the contactor of the previous mode has not yet released while the contactor of the next mode has already engaged. The design concept of this step is therefore break before make: the system monitors the mode-state valid logic for edge transitions in real time, and as soon as a mode switch is detected it starts an uninterruptible dead-time counter. The counter models the maximum operating delay of the external physical devices; until it reaches zero the system forces both the manual enable mask and the automatic enable mask to zero, so that the output port stays in a passive high-impedance or safe-level state throughout the mode switching transition. This gives the external inductive loads time to release their energy and the mechanical contacts time to separate reliably, preventing phase-to-phase short circuits and back-EMF breakdown.
[0082] In this embodiment, to achieve absolute logical isolation, mask generation logic controlled by a safety interlock is constructed. Its goal is orthogonal isolation of manual and automatic modes at the mathematical level, eliminating physical race conditions during mode switching: at any moment the system is either in one definite control state or in a forced, fully silent, safe state. The core of the logic is that mask generation depends not only on the position of the mode switch but, more strictly, on the stuck-lock flag generated in step 2. The automatic enable mask in particular is generated under a stringent conjunction: it is set only when the system is currently in automatic mode, the dead time has expired, and the stuck-lock flag is false (the manual button has been confirmed reset), all three at once. This implements the principles of manual priority and fail-safe behaviour: even if the operator switches to automatic mode, as long as the FPGA's internal logic judges the manual button to be stuck or not yet reset, the automatic enable mask remains zero. This blockade at the logic-gate level truncates the automatic control signal inside the FPGA so it cannot reach the output stage, eliminating at the source automatic-program misoperation caused by software logic errors or external contact faults.
[0083] Based on the generated masks, this step then performs mutual-exclusion construction of parallel channels, using the FPGA's parallel processing capability to maintain manual and automatic signal pipelines simultaneously. Gated transmission is achieved by bitwise ANDing the purified signal vector with the corresponding dynamic mask. Because the manual enable mask and the automatic enable mask are designed to be mutually exclusive, they are never both true at the same time (though both may be false, as during a dead zone), so the masked manual and automatic instruction streams are completely isolated logically. This not only prevents race conditions between the two modes' signals on the bus but also reduces the complex mode switching problem to low-level Boolean algebra, ensuring logical determinism and robustness under extreme interference.
[0084] Specifically, in this embodiment, the mask generation logic controlled by the safety interlock is constructed through the following steps:
[0085] 1) During the switching of a physical relay there is a delay of microseconds to milliseconds between the closing of the normally open contact and the opening of the normally closed contact. If the mode were switched instantaneously in logic, the drive circuits could conduct simultaneously within nanoseconds and trigger a short-circuit current. A time-dependent dead-time counter is therefore constructed first, to force a silent period with no output at the moment of mode switching.
[0086] Specifically, an edge detection mechanism monitors the mode-state valid logic. As soon as a transition is detected (0 to 1 or 1 to 0), the dead-time counter is reloaded with the preset dead-time constant and then decremented every clock cycle until it reaches zero. During this countdown the system is considered to be in an unstable region and all control masks are forcibly held at zero.
[0087] For example, in this embodiment the update logic of the dead-time counter can be expressed by the following formula:
[0088]
[0089] where the current dead-time counter value is derived from its value at the previous moment: when a mode switching edge is detected it is reloaded with the preset dead-time constant (chosen from the relay operating time plus a safety margin and configured as a count value); otherwise it is decremented, with a saturating function ensuring the counter stops at 0 and neither underflows nor wraps. Every mode switch thus pays a fixed time cost in exchange for physical safety.
[0090] 2) With the time-domain safety issue resolved, the permission issue in the logical domain must be addressed. This is done by defining two mutually exclusive Boolean mask variables, a manual enable mask and an automatic enable mask, which act as logic gates that subsequent control commands must pass to reach the output stage.
[0091] Specifically, since mask generation must follow strict AND rules, the activation condition of the manual enable mask is comparatively simple: the system is in manual mode and the dead time has ended. The condition for the automatic enable mask is stricter: besides the system being in automatic mode and the dead time having ended, the NOT of the stuck-lock flag computed in step 2 is ANDed in series.
[0092] This means that as long as the preceding model finds that the manual button has not been safely released (stuck-lock flag equal to 1), the automatic enable mask is forcibly clamped to 0 regardless of the mode switch position, turning a known risk into a certain block.
[0093] For example, in this embodiment the manual enable mask and the automatic enable mask can be expressed by the following formulas:
[0094]
[0095]
[0096] where the manual enable mask and the automatic enable mask are formed from the filtered mode-state valid logic and the condition that the dead zone has ended and the system is stable; the construction of the automatic enable mask directly implements mode isolation against misoperation. The dead-zone term guarantees that at the moment the mode state changes both the manual enable mask and the automatic enable mask are 0, mathematically creating a safety window in which opening precedes closing; the negated stuck-lock term guarantees that even after the mode state has switched to automatic, the automatic enable mask cannot be set while any risk of adhesion remains in the manual circuit, achieving zero tolerance for operation with a defect.
[0097] Step 4: Synthesize the final control output and perform hardware interlock and emergency stop verification.
[0098] Here the synthesis of the final control output is the process of logically converging, inside the FPGA, the valid instruction streams left after the preceding steps (isolation mask filtering) into a unified signal source that can directly drive the physical ports.
[0099] Hardware interlock and emergency stop verification is the last line of defense before the control signal leaves the FPGA pin and enters the external drive circuit. By building a highest-priority veto mechanism at the output stage, this step ensures that, however complex the preceding logic, the signal finally delivered to the actuator is physically and logically safe and conflict-free.
[0100] In this embodiment, to convert the isolated signal streams into a single execution instruction, this step performs instruction synthesis based on a logical OR: the masked manual instruction and the masked automatic instruction are bitwise ORed, building a safe output synthesis and interlock verification model. The goal of this part of the model is to synthesize the control instructions processed by the preceding steps into the level signal that finally drives the FPGA pin, introducing an emergency stop operator and interlock verification logic so that the output can be cut off immediately under any extreme abnormal condition (for example the external emergency stop being pressed, or a forward/reverse conflict in the internal logic).
[0101] Thanks to the mask generation logic of step 3, the two instruction streams are mathematically guaranteed to be orthogonal: at any moment at most one channel carries a valid signal while the other is all zeros. The synthesis is therefore not a simple superposition of signals but a safe switching of logical channels, allowing the system to transfer control between the operator and the automation program seamlessly within a millisecond-level switching cycle, without signal contention or bus conflict.
[0102] To address the most extreme safety risks on an industrial site, this step establishes a highest-priority emergency stop breaker mechanism. The emergency stop signal is typically triggered by an on-site emergency stop button and signifies an immediate threat to personnel. In the logical model of this system the emergency stop signal does not take part in the ordinary mask arbitration; it acts directly on the final gate of the output stage as asynchronous veto logic: whatever the current mode, manual or automatic, and whatever the computational state of the internal state machine, as soon as the emergency stop signal is detected as valid the system immediately (within nanoseconds) forces all critical control output ports to the safe disconnected state (typically low level or high impedance). This effectively creates a hardware bypass inside the FPGA that is independent of the main clocked logic, so that even under extreme failures such as clock anomalies or a deadlocked main logic the emergency stop still acts instantly through combinational logic, honoring the principle that personal safety takes precedence over all logical operations.
[0103] In addition, for control scenarios touching power-circuit safety, such as motor forward and reverse rotation, this step integrates end-point logic consistency verification, i.e., hardware interlocking. Although the front-end logic has isolated the signal sources, a single source may still itself issue an erroneous command (for example a bug in the host software issuing start and stop, or forward and reverse, at the same time). A mutual-exclusion pair check is therefore introduced at the output stage: the state of each mutually exclusive signal pair is monitored in real time, and if both are detected high, which is physically and logically an illegal state, the system does not simply execute one of them but triggers the contradiction interlock, forcing both outputs of the pair invalid at once. This prevents the phase-to-phase short circuit that simultaneous engagement of external three-phase contactors would cause. This FPGA-based pure hardware interlock check responds far faster and more reliably than traditional relay mechanical interlocks or PLC software interlocks, eliminating the race conditions and short circuits caused by mechanical delays or software scan cycles.
[0104] Finally, this step produces the low-voltage indirect drive signal. After the verifications above, the purified signal is output at a 3.3 V or 5 V logic level through the FPGA I/O port. It does not drive the high-voltage contactor directly; it drives an onboard low-voltage DC relay or solid-state relay. This architecture achieves two-stage physical isolation between the low-voltage logic core and the high-voltage execution circuit: the FPGA handles only logic and has no electrical connection to the 380 V / 220 V industrial supply. This not only protects the costly control chip from breakdown by high-voltage back-EMF but, more importantly, keeps the operator panel (button area) within the SELV (safety extra-low voltage) range, removing the electric shock hazard posed by high-voltage buttons in traditional electrical cabinets.
[0105] Specifically, in this embodiment, the safe output synthesis and interlock verification model is constructed through the following steps:
[0106] 1) First, the filtered manual valid logic state and automatic valid logic state are logically fused with the manual enable mask and automatic enable mask computed in the previous section. The significance of this fusion is purification: only when the system is in the correct mode and has passed all safety checks (no sticking, no dead zone) is the operation signal allowed through the mask gate. Any signal generated outside the current mode, or while the lock is set, is filtered out by this step.
[0107] Specifically, each signal is ANDed with its corresponding mask and the results of the two modes are combined with a logical OR, so that a request, whether from manual or automatic mode, counts as a valid preliminary instruction as long as it satisfies the current safety mask rules. For example, in this embodiment, for any control action (such as start or forward rotation) the preliminary synthesized instruction can be calculated using the following formula:
[0108]
[0109] where the preliminary synthesized instruction is the OR of the filtered manual valid logic state ANDed with the manual enable mask and the filtered automatic valid logic state ANDed with the automatic enable mask. The formula ensures that when the system is in manual mode the automatic enable mask is 0, so the automatic valid logic state, however it changes, cannot affect the preliminary synthesized instruction; the logical channels are completely isolated.
[0110] 2) The preliminary synthesized instruction cannot be output directly, because safety is paramount in industrial settings. A final output equation is needed that chains in all the highest-priority veto conditions. Specifically, it must account for safety constraints in two dimensions:
[0111] Global emergency stop: the highest-priority cut-off signal. Whatever the mode or command, as soon as the emergency stop button is pressed (emergency stop signal valid), the output must be forced to zero.
[0112] Logic interlock: output pairs with conflicting characteristics (such as motor forward and reverse) must never be true at the same time. If the preliminary forward and reverse instructions occur together because of an internal FPGA logic error or external line interference, this logical contradiction must be recognized and all outputs forced off to prevent a power short circuit in the external contactors.
[0113] For example, in this embodiment the final output signal can be calculated using the following formula:
[0114]
[0115] where the final output signal, the level driven onto the FPGA I/O pin, is the preliminary synthesized instruction ANDed with the NOT of the emergency stop signal and with the NOT of the AND of the preliminary forward-rotation instruction and the preliminary reverse-rotation instruction. The emergency stop term expresses its veto: when the emergency stop signal is 1 (pressed), the whole AND result becomes 0 immediately. The last term is the mutual exclusion check, monitoring in real time whether the preliminary forward and reverse instructions conflict.
[0116] Through these NOT-AND operations the above formula guarantees the decisive role of the safety signals (emergency stop, interlock) in the control chain. The output computed by the model, a weak digital signal (3.3 V / 5 V) on the FPGA pin, drives the onboard low-voltage relay in the physical implementation, and the low-voltage relay in turn controls the 220 V / 380 V contactor in the field. Through this hierarchy of FPGA logic → low-voltage relay → high-voltage actuator, combined with the above mathematical model, dual isolation between high and low voltage is achieved in both the physical and the logical domain.
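The following added example models step 3 (dead-time counter and mutually exclusive masks, [0085]-[0096]) and step 4 (masked OR synthesis, emergency stop veto and forward/reverse interlock, [0106]-[0116]) together, since the output stage consumes the masks. It is example code written for this page, not the patent's RTL; the stuck-lock flag of step 2 is taken as an input so that model is not repeated here, and the names (ArbState, mask_step, synthesize, run_masks, the scenario functions, the "fwd"/"rev" action names) and cycle counts are assumptions.

```python
# Added behavioural model of steps 3 and 4 (not the patent's RTL). The
# stuck-lock flag from step 2 is an input. Names and cycle counts are my own.
from dataclasses import dataclass


@dataclass(frozen=True)
class ArbState:
    prev_mode: int = 0   # mode-state logic in the previous cycle, for edge detection
    dead_cnt: int = 0    # dead-time countdown; masks are forced to 0 while it is > 0


def mask_step(st: ArbState, mode_auto: int, lock: int, t_dead: int):
    """One clock cycle of mask generation.

    mode_auto : filtered mode-state logic, 1 = automatic
    lock      : stuck-lock flag from step 2
    t_dead    : dead-time constant in clock cycles (relay drop-out time + margin)
    Returns (new_state, mask_manual, mask_auto).
    """
    edge = int(mode_auto != st.prev_mode)
    # Reload on any mode edge (0->1 or 1->0); otherwise decrement, saturating
    # at 0 so the counter never underflows or wraps.
    dead_cnt = t_dead if edge else max(st.dead_cnt - 1, 0)
    stable = dead_cnt == 0
    mask_manual = int((not mode_auto) and stable)
    mask_auto = int(bool(mode_auto) and stable and not lock)
    return ArbState(prev_mode=mode_auto, dead_cnt=dead_cnt), mask_manual, mask_auto


def synthesize(manual_vec, auto_vec, mask_manual, mask_auto, estop, pairs):
    """Combinational output stage.

    manual_vec, auto_vec : dict action -> 0/1, the purified command vectors
    pairs                : mutually exclusive output pairs, e.g. [("fwd", "rev")]
    Returns dict action -> final output level.
    """
    actions = set(manual_vec) | set(auto_vec)
    # Preliminary instruction: (manual AND manual mask) OR (auto AND auto mask).
    pre = {a: int((manual_vec.get(a, 0) and mask_manual)
                  or (auto_vec.get(a, 0) and mask_auto)) for a in actions}
    out = {}
    for a, v in pre.items():
        # Interlock: if both members of a pair are requested, both are vetoed.
        conflict = any(pre.get(x, 0) and pre.get(y, 0)
                       for x, y in pairs if a in (x, y))
        # Emergency stop has unconditional veto over every output.
        out[a] = int(v and not estop and not conflict)
    return out


def run_masks(trace, t_dead):
    """trace: list of (mode_auto, lock) per cycle; returns (mask_manual, mask_auto) per cycle."""
    st, masks = ArbState(), []
    for mode_auto, lock in trace:
        st, mm, ma = mask_step(st, mode_auto, lock, t_dead)
        masks.append((mm, ma))
    return masks


def scenario_mode_switch(t_dead=3):
    """Selector moved manual -> automatic with no stuck lock: both masks are 0
    for t_dead cycles (break before make), then only the automatic mask rises."""
    return run_masks([(0, 0)] * 2 + [(1, 0)] * (t_dead + 2), t_dead)


def scenario_stuck_in_auto(t_dead=3):
    """Automatic selected while the stuck-lock flag is 1: the automatic mask
    never rises, however long the dead time has been over."""
    return [ma for _, ma in run_masks([(1, 1)] * (t_dead + 4), t_dead)]


PAIRS = [("fwd", "rev")]


def scenario_outputs():
    """Output-stage cases: normal automatic forward, contradictory forward+reverse
    (both vetoed), emergency stop (all vetoed), and a manual command beside a
    blocked automatic channel (no false conflict)."""
    normal = synthesize({}, {"fwd": 1, "rev": 0}, 0, 1, 0, PAIRS)
    contradiction = synthesize({}, {"fwd": 1, "rev": 1}, 0, 1, 0, PAIRS)
    estop = synthesize({}, {"fwd": 1, "rev": 0}, 0, 1, 1, PAIRS)
    manual_only = synthesize({"fwd": 1}, {"rev": 1}, 1, 0, 0, PAIRS)
    return normal, contradiction, estop, manual_only


if __name__ == "__main__":
    print(scenario_mode_switch())
    print(scenario_stuck_in_auto())
    print(scenario_outputs())
```

Two points the model makes visible: the masks are never both 1 in any cycle of the mode-switch scenario, which is the mutual exclusion [0083] relies on, and the emergency stop enters only the purely combinational synthesize() function, never the clocked mask_step(), mirroring the asynchronous veto path of [0102]. In the manual_only case the automatic "rev" request is removed by the mask before the interlock is evaluated, so the interlock does not falsely suppress the legitimate manual "fwd".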
[0117] Example 2
[0118] This embodiment discloses a circuit anti-misoperation system based on manual and automatic mode isolation.
[0119] The FPGA-based circuit anti-misoperation system can function as an intelligent protection switch or intelligent intermediate relay module and can be integrated into the control systems of industrial control cabinets, distribution boxes or automated production lines. Its core logic unit is a Field Programmable Gate Array (FPGA) chip, whose parallel processing capability provides nanosecond-level signal isolation and logic arbitration. The device's input/output interfaces use opto-isolation or low-voltage drive circuits in place of traditional high-voltage direct interlocking. In this embodiment the method can also be integrated into embedded control systems with demanding safety requirements, where the safety loop is managed directly by hardware logic, independent of the operating status of the upper-level software system (such as an MCU or PLC).
[0120] The specific embodiments described above further illustrate the purpose, technical solution, and beneficial effects of the present invention. It should be understood that the above description is only a specific embodiment of the present invention and is not intended to limit the scope of protection of the present invention. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the present invention should be included within the scope of protection of the present invention.
Claims
1. A circuit anti-misoperation method based on manual and automatic mode isolation, characterized in that, The circuit anti-misoperation method includes: S100: Receive the input signal and preprocess it to obtain the purified manual signal vector, automatic signal vector and mode status bit; S200. Based on the adhesion-locked state machine model, a forced reset detection is performed on the manual signal vector to generate a manual occupancy lock flag with memory characteristics. The forced reset detection refers to monitoring the physical state of the manual control element during system operation to verify whether the manual signal vector has undergone a complete closing, releasing, and stable timing cycle, in order to confirm whether the manual operation loop is in a safe physical clearance state. If the forced reset test fails, the manual occupancy lock flag will be set to an active state to indicate that there is an unresolved risk of human intervention or physical adhesion in the manual control channel. S300. Based on the mode status bit and the manual occupancy lock flag, generate mutually exclusive manual enable mask and automatic enable mask, and insert a fully silent hardware dead zone during the mode switching transition period. S400. Based on the manual enable mask and the automatic enable mask, the manual signal vector and the automatic signal vector are gated and transmitted respectively, and the gated signals are logically converged and interlocked to generate the final control output signal. 
Gated transmission of the manual and automatic signal vectors includes: Using parallel processing logic, a bitwise AND operation is performed between the purified manual signal vector and the manual enable mask to generate a manual instruction stream; Simultaneously, the purified automatic signal vector is bitwise ANDed with the automatic enable mask to generate an automatic instruction stream; The manual instruction stream and the automatic instruction stream are bitwise ORed to generate unified driving instructions.
2. The circuit anti-misoperation method based on manual and automatic mode isolation according to claim 1, characterized in that, The preprocessing includes digital filtering and synchronization. The digital filtering includes: For each input signal channel, construct a state-holding counter with hysteresis characteristics; The signal level is continuously monitored in real time. The signal is considered to be a valid state switch only when the level of the input signal remains constant for N consecutive clock cycles. Otherwise, any signal fluctuations with a width smaller than the sampling window width will be treated as noise and filtered out. Among them, the sampling window width corresponding to N clock cycles is configured to be greater than the preset mechanical switch physical jitter cycle; The synchronization process includes: Before digital filtering, the input signal is sampled continuously along clock edges using a multi-stage cascaded flip-flop chain to make the signal level converge during cross-clock domain transmission and eliminate metastability.
3. The circuit anti-misoperation method based on manual and automatic mode isolation according to claim 1, characterized in that, In step S200, the generation of the manually occupied locking flag follows the asymmetric principle of logical self-locking and conditional unlocking, including: Setting condition: When the manual signal vector is detected to be at a valid level, regardless of the current working mode, the manual occupancy lock flag is immediately set to a valid state; Reset conditions: During system operation, the manual occupancy lock flag is only allowed to be cleared if all of the following constraints are met simultaneously: (1) Mode constraint: The system receives a request signal to enter automatic mode; (2) State constraint: The real-time sampled value of the manual signal vector reverts to an invalid level; (3) Time domain constraint: The duration for which the manual signal vector remains at the invalid level exceeds the preset security confirmation period.
4. The circuit anti-misoperation method based on manual and automatic mode isolation according to claim 3, characterized in that the preset safety confirmation period is configured to be significantly longer than the mechanical rebound time of the manual control element, so that a logical hysteresis interval is constructed in the time dimension and a reset cannot be misjudged as successful because of poor or intermittent contact.
5. The circuit anti-misoperation method based on manual and automatic mode isolation according to claim 1, characterized in that in step S300 the hardware dead-zone insertion includes: monitoring edge transitions of the mode status bit in real time; once a mode switching action is detected, immediately starting the dead-time counter; and, until the dead-time counter reaches zero, forcibly setting both the manual enable mask and the automatic enable mask to the invalid state, so that the output ports remain in a passive safe state while the dead-time counter is counting.
6. The circuit anti-misoperation method based on manual and automatic mode isolation according to claim 1 or 5, characterized in that in step S300 the automatic enable mask is generated as follows: the automatic enable mask is set to the active state only when the following conditions are met simultaneously: the current mode is automatic, the dead-zone counter has finished counting, and the manual occupancy lock flag is false; if the manual occupancy lock flag is true, the automatic enable mask is forcibly blocked as invalid regardless of the mode status bit.
7. The circuit anti-misoperation method based on manual and automatic mode isolation according to claim 1, characterized in that step S400 further includes an emergency stop breaking mechanism: asynchronous rejection logic is configured outside the logical path of logical convergence and interlock verification; when the emergency stop input signal is detected as valid, all mask arbitration and timing control logic is bypassed and all control output ports are forcibly set to the safe disconnected state.
8. The circuit anti-misoperation method based on manual and automatic mode isolation according to claim 1, characterized in that in step S400 the interlock verification includes end-point contradiction locking logic: the states of mutually exclusive output signal pairs are monitored in real time; if both signals of a mutually exclusive output pair are detected as active simultaneously, a conflict blocking mechanism is triggered that forces both signals of the pair to the inactive state at the same time.
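A cycle-level model of the arbitration described in claims 3 through 8 (steps S200 to S400), added here as an illustration and not the patent's own RTL: the manual occupancy lock flag with its asymmetric set and reset rules, the dead-time counter started on a mode edge, the two enable masks, the end-point contradiction interlock and the emergency-stop override that sits outside the arbitration path. The cycle constants, the reduction of the manual signal vector to a single bit, the `auto_run` input standing in for the automatic program's drive request, and the scenario are constructed assumptions. The scenario is the hazard claim 3 targets: the selector is moved to automatic while the manual button is still held.

```python
"""Cycle-level model of claims 3 to 8: lock flag (asymmetric set/reset),
dead time on mode edges, enable masks, contradiction interlock and
asynchronous emergency stop. Added example, not the patent's RTL; the
constants, single-bit signals and scenario below are constructed."""


class ModeController:
    MANUAL, AUTO = 0, 1

    def __init__(self, confirm_cycles=3, dead_cycles=2):
        self.t_confirm = confirm_cycles  # safety confirmation period (clocks)
        self.t_dead = dead_cycles        # contactor release time (clocks)
        self.mode = self.MANUAL          # mode status bit
        self.lock = 0                    # manual occupancy lock flag
        self.idle_cycles = 0             # clocks since manual went inactive
        self.dead_counter = 0
        self.manual_mask = 0
        self.auto_mask = 0

    def _update_lock(self, manual, auto_request):
        # Set: manual active sets the flag at once, whatever the mode.
        if manual:
            self.lock = 1
            self.idle_cycles = 0
            return
        # Reset: an automatic-mode request AND manual released for longer
        # than the confirmation period; nothing else clears the flag.
        self.idle_cycles += 1
        if auto_request and self.idle_cycles > self.t_confirm:
            self.lock = 0

    def _update_mode(self, auto_request):
        new_mode = self.AUTO if auto_request else self.MANUAL
        if new_mode != self.mode:        # edge on the mode status bit
            self.mode = new_mode
            self.dead_counter = self.t_dead
        elif self.dead_counter > 0:
            self.dead_counter -= 1

    def _update_masks(self):
        if self.dead_counter > 0:        # dead zone: both masks invalid
            self.manual_mask = self.auto_mask = 0
            return
        self.manual_mask = int(self.mode == self.MANUAL)
        # Automatic mask needs mode AUTO, dead time over and lock flag false.
        self.auto_mask = int(self.mode == self.AUTO and not self.lock)

    @staticmethod
    def interlock(a, b):
        """End-point contradiction lock: a mutually exclusive output pair
        that reads active together is forced to (0, 0)."""
        return (0, 0) if (a and b) else (a, b)

    def tick(self, manual, auto_request, auto_run, estop=0):
        """One clock. manual: filtered manual command; auto_request: mode
        selector (1 = automatic); auto_run: the automatic program's drive
        request; estop: emergency stop. Returns (manual_out, auto_out)."""
        self._update_lock(manual, auto_request)
        self._update_mode(auto_request)
        self._update_masks()
        outs = self.interlock(self.manual_mask & manual,
                              self.auto_mask & auto_run)
        # Asynchronous rejection sits outside the arbitration path and
        # overrides whatever the masks and timers decided.
        return (0, 0) if estop else outs


# Constructed scenario, one tuple per clock:
# (manual, auto_request, auto_run, estop)
SCENARIO = [
    (1, 0, 1, 0),  # 0  manual button held in manual mode
    (1, 1, 1, 0),  # 1  selector moved to AUTO while the button is still held
    (1, 1, 1, 0),  # 2  dead time
    (1, 1, 1, 0),  # 3  dead time over, lock flag still blocks automatic
    (0, 1, 1, 0),  # 4  button released; confirmation period starts
    (0, 1, 1, 0),  # 5
    (0, 1, 1, 0),  # 6
    (0, 1, 1, 0),  # 7  released longer than t_confirm: lock clears
    (0, 1, 1, 0),  # 8  automatic program drives the output
    (0, 0, 1, 0),  # 9  selector back to MANUAL: dead time again
    (0, 0, 1, 0),  # 10 dead time
    (1, 0, 1, 0),  # 11 manual command accepted
    (1, 0, 1, 1),  # 12 emergency stop forces both outputs off
]


def run_scenario(scenario=SCENARIO, confirm_cycles=3, dead_cycles=2):
    """Return the (manual_out, auto_out) pair produced on each clock."""
    ctl = ModeController(confirm_cycles, dead_cycles)
    return [ctl.tick(*step) for step in scenario]


if __name__ == "__main__":
    for i, (inp, out) in enumerate(zip(SCENARIO, run_scenario())):
        print(i, inp, "->", out)
```

Clocks 1 to 3 show the dead zone (both outputs off across the mode edge), clocks 3 to 6 show the lock flag holding the automatic output off even though the mode is already automatic and the program is requesting a drive, and clock 7 is the first clock on which all three reset constraints of claim 3 hold. Because the two masks are mutually exclusive by construction, `interlock` never fires in this scenario; it exists for the fault case where an output stage fails and both signals of a pair read active, which the method exercises directly.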
9. A circuit anti-misoperation system based on manual and automatic mode isolation, characterized in that the circuit anti-misoperation system includes: a core logic operation unit; and a memory storing a computer program; the core logic operation unit is a field-programmable gate array (FPGA), and when the computer program is executed by the FPGA, it implements the circuit anti-misoperation method based on manual and automatic mode isolation according to any one of claims 1 to 8.