JP6840052B2 - Work machine - Google Patents

Description

The present invention relates to a work machine, and particularly relates to a technique for checking the safety of the work machine.

In recent years, when controlling equipment that requires high safety, such as work machines, with an electrical / electronic / programmable electronic system (hereinafter, E / E / PES), it is essential to take measures for functional safety. It has become. Specifically, for example, in the international standard IEC 61508, a system for reducing the risk of a controlled device to an acceptable level and putting it in a safe state is called a safety-related system, and it is safe as a measure of its ability. It defines the degree level (SIL: Safety Intelligence Level).

As a method for calculating such a safety level, for example, in Patent Document 1, "input of the value of the design parameter of the safety-related device necessary for evaluating the safety level of the safety-related device using the SIL model is input. Based on the SIL model using the design parameter input unit that accepts, the safety level target value input unit that accepts the input of the safety level target value of the safety-related equipment, and the value of each design parameter input to the design parameter input unit. The design support device is equipped with a display unit that calculates the safety level of safety-related equipment and displays the calculation result and the target value input to the safety level target value input unit (abstract excerpt). It is disclosed.

Japanese Unexamined Patent Publication No. 2004-341814

When applying the SIL safety level to work machines used at construction sites and mine excavation sites, to check the self-diagnosis test performed by the safety device of the work machine and whether the function of the safety device is normal. Proof test and need to be performed. The proof test is a test aimed at detecting even hidden dangerous failures that cannot be detected by the self-diagnosis test. Generally, it cannot be executed during normal operation, and the timing of its execution is restricted. There is.

However, stopping the work machine to perform the proof test causes interruption of construction and excavation work, which leads to delay in construction period and reduction in productivity. Therefore, there is a demand to achieve a safety level by executing a proof test on a work machine while suppressing the hindrance of construction and excavation work as much as possible. Regarding this point, Patent Document 1 only calculates the safety level, and does not consider the above request at all.

The present invention has been made in view of the above problems, and an object of the present invention is to provide a technique capable of performing a proof test during continuous operation of a work machine.

In order to solve the above problems, the work machine according to the present invention monitors the operation of the work machine, and when an abnormality is detected, the safety device that shifts the work machine to a safe state and whether the safety device is functioning normally. A work machine equipped with a proof test device that performs a proof test to confirm that the proof test is a hidden danger side that cannot be detected by a self-diagnosis test performed while the safety device is online. This is a test for detecting a failure, and the proof test device executes a test to determine whether the safety device may be stopped and the proof test may be executed while the main power of the work machine is turned on. determine satisfaction or non-satisfaction of possible conditions, said safety device is stopped and determines that they meet e Bei test execution unit for executing the proof test, the working machine includes an engine, a hydraulic actuator, A control valve that controls the flow of pressure oil in the hydraulic actuator, an electromagnetic proportional valve connected to the control valve, and a lever that outputs an electromagnetic valve drive current for driving the hydraulic actuator in response to an operation of the operation lever. The test execution unit includes a controller and an output breaker which is arranged between the electromagnetic proportional valve and the lever controller and cuts off the output of the electromagnetic valve drive current from the lever controller to the electromagnetic proportional valve. As the test execution condition, the engine is not started, or even if the engine is started, the elapsed time after the operation, which is the elapsed time since the last operation of the operation lever, is no operation. When any of the time thresholds and the above is satisfied, the safety device that shuts off the output of the electromagnetic valve drive current from the output breaker is stopped and the proof test is executed. It is a feature.

According to the present invention, it is possible to provide a technique capable of performing a proof test during continuous operation of a work machine. The purposes, configurations, and effects other than those described above will be clarified in the following embodiments.

Top view showing the configuration of a hydraulic excavator Left side view showing the configuration of a hydraulic excavator The figure which shows the control system of the hydraulic excavator which concerns on 1st Embodiment Block diagram showing the functional configuration of the lever controller according to the first embodiment Hardware configuration diagram of lever controller Operation flowchart of the control system in the work machine according to the first embodiment Operation flowchart showing the details of the proof test process according to the first embodiment The figure which shows an example of the warning display which concerns on 1st Embodiment The figure which shows the control system of the hydraulic excavator which concerns on 2nd Embodiment Block diagram showing the functional configuration of the lever controller according to the second embodiment Operation flowchart showing the details of the proof test process according to the second embodiment The figure which shows an example of the warning display which concerns on 2nd Embodiment

Hereinafter, embodiments of the present invention will be described with reference to the drawings. In all the drawings, the same configuration and steps are designated by the same reference numerals, and duplicate description is omitted.

Prior to the specific description of the embodiment, the proof test in the present embodiment will be described. In IEC 61508, there are four safety levels from SIL 1 to 4, with SIL 4 being the highest level of safety and SIL 1 being the lowest level. Each level defines various requirements for the hardware and software that make up the safety-related system, and one of them is the target failure measure.

The function failure scale means the probability that the safety function cannot be performed due to the failure of the safety-related system itself and becomes a dangerous state, and depending on the operation frequency of the safety function, the dangerous side function failure time average probability (PFDavg) or It is expressed by one of the time average dangerous side failure frequency (PFH). IEC61508 defines a target value (minimum value) for each safety level for PFDavg and PFH, and the higher the safety level, the lower the dysfunction scale is required. Therefore, it is necessary to reduce the probability that undetected defects interfere with the performance of safety functions by detecting defects in a wide range and with high accuracy. Parameters such as diagnostic coverage by self-diagnosis test or proof test interval must be adjusted.

It is necessary to test the safety-related system itself to detect the failure in order to prevent the safety function from operating due to the failure of the safety-related system itself and the controlled device from becoming a dangerous state. This check method is generally divided into two types, a self-diagnosis test and a proof test.

A self-diagnosis test is a system in which a safety-related system is automatically and periodically executed while online, and when any defect is detected, the system immediately shifts to the safety state. The cycle of this self-diagnosis test needs to be shorter than the process safety time, which is the time allowed from the occurrence of a failure to the transition of the system to a safe state. Usually, for example, it is on the order of several tens of milliseconds to several seconds. In addition, due to the restriction that it is executed online and the processing time is limited, only some defects can be detected, and not all defects can be detected. The failure detected by such a self-diagnosis test is called a dangerous failure (usually represented by λDD).

Proof tests, on the other hand, are designed to detect hidden hazardous failures (usually represented by λDU) that could not be detected by self-diagnosis tests. During a proof test, safety features usually do not work, so this test is generally done off-line by stopping the controlled equipment in equipment such as a chemical plant, or in a vehicle-mounted controller. In such cases, it is common to execute the device as an initial diagnosis at startup at each startup of the device. The test interval threshold T1, which is the permissible time from the last proof test to the next proof test, is much longer than the process safety time and is generally on the order of hours to years.

The test interval threshold T1 is an important factor in calculating the safety level of a safety-related system. The average probability of failure of the dangerous function (PFDavg) of the single system (1oo1) architecture when the safety function is operated infrequently is calculated by the following formula (1). It can be seen that it has a great influence on the determination of the level SIL.
However, tCE = λDU · (T1 / 2 + MRT) / λD + λDD · MTTR / λD
MRT: Mean Repair Time (Time from failure detection to completion of repair and restart of operation: Mean Repair Time)

(First Embodiment)
1A and 1B show the configuration of the hydraulic excavator 10 as an example of a work machine. As shown in FIG. 1A, the hydraulic excavator 10 is attached to a lower traveling body provided with a pair of left and right crawlers 11a and 11b, an upper rotating body 12 rotatably supported by the lower traveling body, and the upper rotating body 12. A boom 14 that is swingably supported by the cab 13 and the upper swing body 12, an arm 15 that is swingably supported by the boom 14 (see FIG. 1B), and a swingable support of the arm 15. The bucket 16 is provided. Further, a hydraulic motor and a hydraulic cylinder, which are actuators, are provided in order to execute the traveling operation using the crawlers 11a and 11b, the turning operation of the upper swing body 12, and the swinging operation of the boom 14, the arm 15, and the bucket 16. ing. The hydraulic motor is provided for turning operation and the like, and the hydraulic cylinder is provided for swinging operation of the boom 14 and the like. Although a hydraulic type is assumed here, it is not limited to that, and an electric type such as an electric motor or a linear actuator may be used.

Further, the hydraulic excavator 10 is a lever controller equipped with a safety device that monitors the operation of the actuator and shifts the hydraulic excavator 10 to a safe state when an abnormality is detected, and a proof test device that executes a proof test on the safety device. The 110 is provided. The mounting position of the lever controller 110 shown in FIGS. 1A and 1B is only an example, and may be provided in another portion of the upper swing body 12 or in the cab 13.

FIG. 2 is a diagram showing a control system of the hydraulic excavator 10. The hydraulic excavator 10 includes an operating lever 101 and a display device 120 provided in the cab 13, a pilot hydraulic pump (hereinafter abbreviated as “pilot pump”) 102, and a main hydraulic pump (hereinafter abbreviated as “main pump”) 103. , Electromagnetic proportional valve 104, control valve 105, hydraulic actuator 106, stroke sensor 107, engine 108 as a power source, and lever controller 110.

Further, inside the lever controller 110, a safety device 20 and a proof test device 30 are configured. The safety device 20 and the proof test device 30 are components of a safety-related system for enhancing the safety of the hydraulic excavator 10. Although FIG. 2 shows a state in which the safety device 20 and the proof test device 30 are mounted on one lever controller 110, these three devices may be configured as separate members. For example, the main control unit 111 (described later) of the lever controller 110 is mounted on a high-performance information system microcontroller, while the safety device 20 and the proof test device 30 are mounted on another low-performance, high-reliability microcontroller. You may. In this case, two microcontrollers are required, but on the other hand, a memory protection function or an operating system for preventing the safety device 20 and the proof test device 30 from being affected by the main control unit 111 is not required. ..

The operator's operation on the actuator provided in the hydraulic excavator 10 is input to the operation lever 101. The input operation received by the operation lever 101 is detected by the lever controller 110. The lever controller 110 is, for example, a microcontroller that executes a predetermined program, generates a drive current for controlling the hydraulic actuator based on an operation input by the operator to the operation lever 101, and outputs the drive current to the electromagnetic proportional valve 104. .. The details of the internal operation of the lever controller 110 will be described later. Further, in the above description, for the sake of simplicity, it is described that there is one electromagnetic proportional valve 104, one control valve 105, one hydraulic actuator 106, and one stroke sensor 107, but in reality, a plurality of systems may be provided. For example, two electromagnetic proportional valves 104 are generally provided, one in the forward and reverse directions in order to increase or decrease the position of the spool of the control valve 105. Further, it is common that one or more hydraulic actuators 106 are provided for each of the boom, arm, bucket, and the like.

FIG. 3 is a block diagram showing a functional configuration of the lever controller according to the first embodiment. As shown in FIG. 3, the lever controller 110 includes a main control unit 111, an output switching unit 113, a CAN (CONTOROLER AREA NETOWORK) communication unit 117, a safety device 20, and a proof test device 30. Each function of the safety device 20, each functional unit included in the proof test device 30, and each function of the lever controller 110 will be described later.

FIG. 4 is a hardware configuration diagram of the lever controller 110.

The lever controller 110 includes a CPU 51, a RAM 52, a ROM 53, a flash memory 54, an I / F 55, and a bus 56. Then, the CPU 51, the RAM 52, the ROM 53, the flash memory 54, and the I / F 55 are connected to each other via the bus 56. The I / F 55 is connected to the CAN 60. The lever controller 110 receives the lever operation signal generated by the operation lever 101 in response to the input operation via the CAN 60 and the stroke signal from the stroke sensor 107 provided in the actuator.

Next, the operation of the control system inside the lever controller 110 will be described with reference to FIGS. 5, 6, and 7. FIG. 5 is an operation flowchart of the control system in the work machine according to the first embodiment. FIG. 6 is an operation flowchart showing details of the proof test process according to the first embodiment. FIG. 7 is a diagram showing an example of a warning display according to the first embodiment.

As shown in FIG. 5, when starting the hydraulic excavator 10, when the operator of the hydraulic excavator 10 inserts the ignition key 109 into the key slot and turns it one step, the main power supply of the electric system of the hydraulic excavator 10 is turned on ( S101) The lever controller 110 is also activated. After that, the monitoring / abnormality detection process (S102 to S109) by the safety device 20, the self-diagnosis process (S201 to S206) by the self-diagnosis unit 211 of the safety device 20, and the proof test execution process (S300) by the proof test device 30. Are executed in parallel. These three processes are continuously executed until the next main power is turned off (S110 / No). When the main power is turned off (S110 / Yes), the hydraulic excavator 10 is stopped.

When the operator turns the ignition key 109 further, the engine 108 starts (S102). As a result, the pilot pump 102 and the main pump 103 are activated, and each actuator of the hydraulic excavator 10 can be driven.

When the operator operates the operation lever 101 (S103), the main control unit 111 acquires a lever operation signal indicating the operator's operation input amount from the operation lever 101. The main control unit 111 generates a solenoid valve drive current for controlling the hydraulic actuator in response to the lever operation signal (S104).

The output circuit breaker 114 maintains the electric circuit between the main control unit 111 and the electromagnetic proportional valve 104 in the connected state under the normal state, and cuts off the electric circuit when the safety device 20 or the proof test device 30 detects an abnormality. And stop the operation of the hydraulic actuator.

The output circuit breaker 114 is, for example, a relay, a field effect transistor for a large current, or the like, and when it receives an output cutoff signal, it shuts off the drive current to the electromagnetic proportional valve 104, and the electromagnetic proportional valve 104 and subsequent control valves. 105, the operation of the hydraulic actuator 106 is stopped, the work machine is moved to a safe state, and the control is terminated. Restoring from a safe state may be configured to require, for example, stopping and then restarting the engine 108. As described above, since there are actually a plurality of electromagnetic proportional valves 104, a plurality of output circuit breakers 114 may be installed correspondingly, or the main control unit 111 generates a drive current. It may be a single circuit breaker that cuts off the power supply to a plurality of output stage transistors (not shown) at once.

The main control unit 111 is responsible for the main function of the lever controller 110. For example, the solenoid valve drive current is fed back to the solenoid valve 104 to perform PID (proportional-integration-differential) control for stabilization. By making the operating amount of the operating lever 101 and the solenoid valve driving current to the solenoid valve 104 correspond to a non-linear relationship, the operability of the operator is improved.

If the output circuit breaker 114 maintains the connected state (S105 / Yes), the solenoid valve drive current generated by the main control unit 111 is applied to the solenoid valve 104 via the output circuit breaker 114 (S106).

The pilot pump 102 and the main pump 103 are driven by the engine 108 to discharge pressure oil, respectively. The discharge pressure from the pilot pump 102 (called the pilot primary pressure) is guided to the electromagnetic proportional valve 104, and the discharge pressure from the main pump 103 (called the main pump pressure) is guided to the control valve 105. In the solenoid proportional valve 104, the pilot primary pressure is reduced according to the solenoid valve drive current applied from the lever controller 110, and is output to the control valve 105 as the pilot pressure. The pilot pressure supplied to the control valve 105 controls the direction and flow rate of the main pump pressure supplied to the hydraulic actuator 106 by moving the spool in the control valve 105, and causes the hydraulic actuator 106 to operate as intended by the operator. It is operated (S107).

The hydraulic actuator 106 is provided with a stroke sensor 107 as an operating state detection device. As the stroke sensor 107, for example, a rotary encoder that detects the relative position of the cylinder, a magnetostrictive phenomenon that detects the absolute position of the cylinder, or the like is used. The stroke signal indicating the stroke length of the cylinder detected by the stroke sensor 107 is transmitted to the lever controller 110 via the CAN 60 (S108). Then, the process proceeds to step S110.

On the other hand, when the output circuit breaker 114 cuts off the electric circuit between the main control unit 111 and the solenoid proportional valve 104 (S105 / No), the output of the solenoid valve drive current is cut off, so that the actuator does not operate. (S109). As a result, the drive current from the main control unit 111 is not applied to the electromagnetic proportional valve 104, and the actuator does not operate even if the operating lever 101 is operated. Then, the process proceeds to step S110.

(Operation of safety device)
When the safety device 20 acquires the lever operation signal from the operation lever 101 in step S103, the safety device 20 temporarily stores the lever operation signal in the lever operation signal storage unit 212 (S201).

A stroke signal is input to the safety device 20 from the stroke sensor 107 (S202).

The responsiveness calculation unit 214 reads the lever operation signal from the lever operation signal storage unit 212, and calculates an index value indicating the responsiveness (which may be rephrased as followability) of the stroke signal acquired in step S202 to the lever operation signal. , The abnormality determination unit 215 compares the abnormality determination threshold value stored in the abnormality determination threshold value storage unit 213 with the responsiveness index value, and if the responsiveness index value is equal to or greater than the abnormality determination threshold value, it is determined to be normal (S203). / Yes), if the responsiveness index value is less than the abnormality determination threshold value, it is determined that there is an abnormality (S203 / No), and an abnormality signal is output to the output switching unit 113.

In this step, for example, when the cylinder is not stationary even though the operating lever 101 is neutral, or when the cylinder is moving in the direction opposite to the operating amount of the operating lever 101, the stroke with respect to the lever operating signal. The responsiveness index value of the signal becomes significantly lower than in the normal state, and it is detected as an abnormality. Such an abnormality occurs, for example, due to a failure of a component in the main control unit 111, a malfunction of a software program, or a temporary malfunction due to electromagnetic noise or a neutron beam.

The output switching unit 113 outputs a cutoff signal to the output circuit breaker 114 in response to the abnormal signal, and the output circuit breaker 114 cuts off the circuit that electrically connects the main control unit 111 and the electromagnetic proportional valve 104 (S204). ).

On the other hand, if the responsiveness index value is equal to or higher than the abnormality determination threshold value in step S203 and no abnormality is detected (S203 / Yes), the self-diagnosis unit 211 executes a periodic self-diagnosis test (S205), and the safety device Self-diagnose whether or not a failure has occurred in 20. As described above, this self-diagnosis test is performed within a range that does not affect the performance of the safety function even when the safety device 20 is online. For example, in the case of self-diagnosis of a microcontroller, the value of the peripheral control register is read out and compared with the expected value, or the operation signal from the operation lever 101 (for example, an analog voltage signal) is duplicated to separate A / Ds. A data error is detected by inputting to a converter and comparing the two values, or checking an ECC (Error Signal Code) added in advance to the data read from a RAM or Flash memory.

If a failure of the safety device 20 is detected in step S205 (S206 / Yes), the safety device 20 has lost the ability to perform the safety function, so that the safety cannot be guaranteed by operating the hydraulic excavator 10 any more. .. Therefore, the process proceeds to step S204 to shut off the solenoid valve drive current output and shift to a safe state. As a result, the safety of the hydraulic excavator 10 is ensured even if the safety device 20 fails.

If no failure is detected (S206 / No), the process proceeds to step S110.

Only the detected dangerous failure (λDD) can be detected by the self-diagnosis test by the safety device 20. Therefore, in order to deal with the so-called hidden dangerous side failure (λDU) that could not be detected by the self-diagnosis test, the proof test device 30 executes the proof test.

As shown in FIG. 6, when the main power is turned on, the proof test apparatus 30 measures the post-test elapsed time T, which is the elapsed time since the last post-test time measuring unit 311 executed the proof test. Resume (S301). In this embodiment, a battery-backed real-time clock (RTC) is used as the post-test time measurement unit 311. However, the value of the counter that counts at a cycle proportional to the clock of the microcontroller is periodically set to a non-volatile memory such as a flash memory. It may be realized by memorizing in. The elapsed time T after this test measures the elapsed time since the most recent proof test was performed, and the main power supply of the hydraulic excavator 10 is turned on after the last proof test, that is, the safety device 20 is set. Indicates the cumulative time when the power is on.

At the same time, the post-operation time measurement unit 312 is initialized, and the measurement of the non-operation time, which is the elapsed time since the last operation of the operation lever 101, is started (S301). In this embodiment, a battery-backed real-time clock (RTC) is used as the post-operation time measuring unit 312, but the value of the counter that counts at a cycle proportional to the clock of the microcontroller is periodically transferred to a non-volatile memory such as a flash memory. It may be realized by memorizing.

When the post-operation time measurement unit 312 acquires the lever operation signal, it repeats the process of reinitializing and starting the measurement.

The time threshold storage unit 314 stores a test interval threshold T1 that defines a time interval at which the proof test should be executed, and a warning time threshold Twarm that is used for determining whether or not it is necessary to output warning information that prompts the execution of the proof test. .. The warning time threshold value Twarm is a parameter defined in the present specification, and satisfies the relationship of warning time threshold value Twarm <T1 as the time until a warning prompting the operator of the hydraulic excavator 10 to execute the proof test is displayed. Set in the range.

The interval determination unit 313 compares the post-test elapsed time T measured by the post-test time measurement unit 311 with the test interval threshold value T1 (S302).

If the elapsed time T after the test measured in this way is equal to or greater than the test interval threshold T1 for which the proof test should be executed (S302 / Yes), a hidden dangerous failure (λDU) may have occurred. It is highly probable and cannot satisfy the value of the dysfunction scale corresponding to a predetermined safety level. Therefore, in such a case, the interval determination unit 313 outputs a signal indicating that the test interval threshold value T1 or more has been reached to the test execution unit 315. In response to this, the test execution unit 315 outputs a cutoff instruction signal to the output switching unit 113, and the output switching unit 113 cuts off the solenoid valve drive current output to shift to a safe state (S303).

On the other hand, if the test interval threshold value T1 has not been reached yet (S302 / No), the interval determination unit 313 determines whether the elapsed time T after the test is equal to or greater than the warning time threshold value Twarm (S304).

As described above, when the test interval threshold value T1 or more is reached in step S302, the safety state is forcibly shifted, and the work machine cannot be used any more, which is inconvenient. Therefore, when the warning time threshold value Twarm or more before the test interval threshold value T1 is equal to or greater than (S304 / Yes), the interval determination unit 313 outputs the result to the warning unit 316, and the warning unit 316 displays the result via the CAN communication unit 117. The warning information is output to the device 120 (S305), and the process proceeds to step S306.

The display device 120 is, for example, a liquid crystal monitor attached to the cab 13, and displays a warning content urging the execution of the proof test here. The warning display may include the remaining time (T1-T) until the forced transition to the safe state. FIG. 7 is an example of a warning display.

If the elapsed time T after the test is less than the warning time threshold value Twarm (S304 / No), the process proceeds to step S306 without displaying the warning information. The following steps S306 and S307 correspond to the determination process of whether or not the proof test executable condition is satisfied.

The test execution unit 315 is the elapsed time since the operation lever 101 was last operated even when the engine 108 has not started (S306 / No) and even if the engine 108 has started (S306 / Yes). When the elapsed time Top after the operation is equal to or greater than the non-operation time threshold value Tid (S307 / Yes), it is determined that the test execution condition is satisfied and the proof test is executed (S308). If the elapsed time Top after the operation is less than the non-operation time threshold value Tid (S307 / No), it is determined that the test execution condition is not satisfied, and the process proceeds to step S110.

In the proof test, for example, in the proof test of a microcontroller, an arbitrary value is written to the peripheral control register for verification check, or read / write is exhaustively repeated over a wide area of RAM to adjacent cells. Make sure that there is no interference from.

The test execution unit 315 initializes the post-test time measurement unit 311, and the post-test time measurement unit 311 starts measuring the elapsed time since the proof test was executed in the immediately preceding step S308 (S309).

If the test execution unit 315 does not detect an abnormality as a result of the proof test (S310 / No), the process proceeds to step S110. On the other hand, when the test execution unit 315 detects an abnormality (S310 / Yes), the process proceeds to step S303 to shut off the solenoid valve drive current output and shift to a safe state.

According to the present embodiment, the proof test apparatus satisfies the proof test execution condition even while the hydraulic excavator 10 is normally operated, that is, while the main power is turned on and the engine is started. If the condition is satisfied, a proof test is executed. This reduces the possibility of stopping the hydraulic excavator for the purpose of performing the proof test, and can extend the substantial continuous operation time.

Further, if the proof test apparatus determines that the proof test executable condition is satisfied after the main power of the hydraulic excavator is turned on, the proof test device executes the proof test regardless of the elapsed time since the last proof test was executed. As a result, if there is an opportunity to execute the proof test, the proof test can be executed, and the timing at which the elapsed time T after the test until the next proof test exceeds the test interval threshold value T1 can be shifted later.

Further, by issuing a warning before the test interval threshold value T1 for a certain period of time, that is, when the warning time threshold value is greater than or equal to Twarm, it is possible to prevent the hydraulic excavator from suddenly stopping and inconvenience.

In the present embodiment, as a safety function, a case where an abnormality is detected by comparing the operation amount of the operation lever 101 with the stroke information from the stroke sensor 107 has been described as an example, but the present invention is not limited to this. For example, the pilot pressure from the electromagnetic proportional valve 104 may be detected by the oil pressure sensor, and the operation amount of the operating lever 101 may be compared with this.

(Second Embodiment)
The configuration of the work machine according to the second embodiment will be described with reference to FIGS. 8 and 9. FIG. 8 is a diagram showing a configuration of a control system in the work machine according to the second embodiment. FIG. 9 is a block diagram showing a functional configuration of the lever controller according to the second embodiment.

As shown in FIG. 8, the work machine according to the second embodiment includes a safety state transition device 150a including a gate lock valve 402 and a gate lock lever 401. The lever operation signal of the gate lock lever 401 is input to the lever controller 110a, and in response to this, the lever controller 110a controls the opening and closing of the gate lock valve 402.

The proof test device 30a according to the present embodiment opens and closes the gate lock lever 401 in place of the non-operation time of the operation lever 101 and the engine starting state in the first embodiment as conditions for executing the proof test in the test execution unit 315. It is characterized by using the state.

Therefore, as shown in FIG. 9, the lever controller 110a includes a lock control unit 403 that opens and closes the gate lock valve 402 in response to the input of the lever operation signal of the gate lock lever 401. Further, a lever operation signal of the gate lock lever 401 is input to the test execution unit 315 of the proof test device 30a, and the test execution unit 315 outputs an opening / closing signal of the gate lock valve 402 to the lock control unit 403.

The gate lock lever 401 is a lever provided at the entrance of the cab 13, and is configured to be switched between a lock position for prohibiting the drive of the hydraulic actuator and an unlock position for allowing the drive.

The gate lock valve 402 is an electromagnetic switching valve whose ON / OFF control is controlled by a drive current from the lock control unit 403, and is installed between the pilot pump 102 and the electromagnetic proportional valve 104. When the gate lock valve 402 is closed, the supply of pilot oil pressure to the electromagnetic proportional valve 104 is stopped, so that the control valve 105 does not operate and the drive of the hydraulic actuator 106 is stopped.

The operator operates the gate lock lever 401 to the raised position which is the lock position when leaving the seat due to a change or the like or when starting the engine. Further, when the gate lock lever 401 is seated in the cab 13 and operated to the lowered position which is the unlocked position, the hydraulic actuator can be driven.

The lock control unit 403 outputs a drive current for switching and controlling the gate lock valve 402 according to the operating position of the gate lock lever 401. The details of the control procedure of the lock control unit 403 will be described later.

Next, with reference to FIG. 10, the flow of the proof test execution process according to the second embodiment will be described. FIG. 10 is an operation flowchart showing details of the proof test process according to the second embodiment. Of the flowchart of FIG. 10, duplicate description will be omitted for the same steps as the flowchart of the first embodiment shown in FIG.

After the start of the proof test execution process, steps S301 to S305 are the same as those in the first embodiment. In step S301, the measurement of the elapsed time after the operation is not started.

In the present embodiment, the proof test execution condition is that the gate lock lever 401 is released. Therefore, the test execution unit 315 determines whether or not the gate lock lever 401 is in the raised position, that is, in the released state. When the gate lock lever 401 is in the raised position, the lock control unit 403 closes the gate lock valve 402 to stop the supply of pilot oil to the electromagnetic proportional valve 104, so that the driving of the hydraulic actuator 106 is prohibited. .. If the driving of the hydraulic actuator 106 is prohibited, even if the function of the safety device 20 is stopped to execute the proof test, there is no danger due to the operation of the hydraulic excavator 10, so that the proof test can be executed. Condition.

Therefore, when the test execution unit 315 receives the release signal from the gate lock lever 401 (S501), the test execution unit 315 divides the proof test into a plurality of blocks and divides the proof test into a plurality of blocks (corresponding to a part of the proof test processing). Execute (S502). By determining the gate lock lever release detection performed in step S505, which will be described later, each time each block is completed, the reaction when the operation prohibition release input operation is performed on the gate lock lever can be made as quick as possible. For example, in the case of a verification check for the peripheral control register of the microcontroller or a read / write access test to the RAM area as described above, the block unit may divide the read / write area once. The time required for the per-test can be shortened.

As a result of executing the proof test in one block, the test execution unit 315 did not detect an abnormality (S503 / No), but there was an unexecuted block and one proof test was not completed (S504 /). No), the test execution unit 315 determines whether the gate lock lever 401 is still in the raised position, that is, in the locked state. If it is in the locked state (S505 / No), the process returns to step S502 and the remaining proof tests are continuously executed.

When the test execution unit 315 detects an abnormality (S503 / Yes), the output is cut off (S303), and the process proceeds to step S110.

If no abnormality is detected (S503 / Yes) and all the proof tests are executed (S504 / Yes), the process proceeds to step S110.

When the test execution unit 315 determines that the gate lock lever 401 has been returned to the lowered position, that is, in the released state (S505 / Yes), the interval determination unit 313 has elapsed time T after the test since the completion of the previous proof test. Is equal to or greater than the proof test uninterrupted time Tunstop (S506).

In the conventional work machine, when the operator releases the gate lock lever 401, the gate lock valve 402 is immediately opened so that the hydraulic actuator can be driven by the operator. However, in the hydraulic excavator 10 of the present embodiment, it is dangerous to enable such immediate drive during the execution of the proof test, and if the proof test is interrupted, the actual proof test is performed thereafter. There is a high possibility that the interval will exceed the test interval threshold T1 and will not meet the predetermined safety level. Therefore, in the present embodiment, a parameter called the proof test uninterrupted time Tunstop is introduced, and as a criterion for determining whether or not the proof test may be interrupted by the operation of the operator during execution, within the range satisfying the relationship of Tunstop <T1. Set it.

When the interval determination unit 313 determines that the elapsed time T after the test from the completion of the previous proof test is less than the proof test uninterruptable time Tunstop (S506 / No), the operator's operation is prioritized and the test execution unit 315 Suspends the proof test (S507), and the test execution unit 315 transmits a signal permitting the unlock to the lock control unit 403. In response to this, the lock control unit 403 opens the gate lock valve 402 (S508), supplies the pilot pressure to the electromagnetic proportional valve 104, and restarts the drive of the hydraulic actuator 106.

On the other hand, when the interval determination unit 313 determines that the elapsed time T after the test is equal to or greater than the proof test uninterruptable time Tunstop (S506 / Yes), the input operation received by the gate lock lever 401 regardless of the operator's operation. Is disabled, the gate lock valve 402 is maintained in the locked state, and the process proceeds to step S507. In step S507, the warning unit 316 outputs warning information prompting the display device 120 to execute the proof test via the CAN communication unit 117. As a result, the display device 120 displays, for example, the warning display screen shown in FIG. Here, FIG. 11 is a diagram showing an example of warning display in the present embodiment. Through this warning display, we will notify that the gate unlocking will be delayed because the proof test is prioritized.

After that, the process returns to step S502 to execute the remaining proof test processing. During this time, the lock control unit 403 locks the gate lock valve, that is, keeps the hydraulic flow path connecting the pilot pump 102 and the electromagnetic proportional valve 104 closed.

According to the present embodiment, whether or not the proof test can be executed is determined by the lock determination of the gate lock lever 401, and the lock control unit 403 always closes the gate lock valve during the proof test. Therefore, no matter what kind of abnormal control signal is output from the lever controller 110a during the proof test, the hydraulic excavator 10 does not operate in response to it, and the proof test can be executed while ensuring safety. it can.

Also, during the proof test execution, even if the gate lock lever 401 is released again, the proof test can be continued without opening the gate lock valve until the proof test is completed, so the work machine is stopped. The possibility of having to run a proof test can be reduced and the effective continuous operation time can be extended.

Each of the above embodiments is not intended to limit the present invention, and various modifications that do not deviate from the object of the present invention are included in the present invention. For example, the work machine is not limited to a hydraulic excavator as long as it is a work machine provided with a hydraulic actuator, and may be, for example, a dump truck. In that case, as a mode for shifting to the safe state, the dump truck may be retracted to the shoulder of the traveling path, a safety zone, or the like instead of stopping the operation of the hydraulic actuator.

Further, in the second embodiment, the method of polling the gate lock release in step S505 between the proof test processes of step S502 is adopted, but the present invention is not limited to this. For example, the unlock determination may be operated in parallel by another task or an interrupt.

Further, when the proof test is interrupted in step S507, it is possible to memorize how much of the divided proof test processes have been completed, and in the next step S502, the proof test may be executed from the continuation. As a result, even in a situation where the operator frequently operates the gate lock lever, it is possible to substantially extend the continuous operation time by proceeding with the proof test little by little.

Further, in the second embodiment, the case where the gate lock valve is closed to stop the supply of pilot pressure in order to ensure safety during the proof test has been described as an example, but the present invention is not limited to this. For example, the drive current output from the lever controller 110a to the electromagnetic proportional valve 104 may be cut off. Alternatively, the main pump 103 may be stopped, or a valve for stopping the main pump pressure from the main pump 103 to the control valve 105 may be provided to shut off the power for driving the hydraulic actuator 106. Alternatively, a brake or the like for fixing the movement of the cylinder or the motor may be installed on the outside of the hydraulic actuator 106.

Further, in the work machine according to each of the above embodiments, the proof test apparatus uses any one or combination of the test interval threshold value, the no-operation time threshold value, the warning time threshold value, and the uninterrupted time, instead of the predetermined fixed values. A user-configurable proof test interval adjustment unit may be provided. As a result, the user can perform the proof test and each of the related processes according to the safety level suitable for the place of use and the usage situation of the work machine.

10: Excavator, 20: Safety device, 30: Proof test device, 101: Operating lever, 102: Pilot pump, 103: Main pump, 104: Electromagnetic proportional valve, 105: Control valve, 106: Hydraulic actuator, 107: Stroke Sensor, 110: Lever controller

Claims (6)

A safety device that monitors the operation of the work machine and shifts the work machine to a safe state when an abnormality is detected, and a proof test device that executes a proof test to confirm whether the safety device is functioning normally. It is a work machine equipped with
The proof test is a test for detecting a hidden dangerous failure that cannot be detected by a self-diagnosis test performed while the safety device is online.
The proof test device is
While the main power of the work machine is turned on, the safety device is stopped to determine whether or not the test executable condition for determining whether or not the proof test may be executed is satisfied, and the condition is satisfied. Bei give a test execution unit for executing the proof test is stopped the safety device and determines that there,
The work machine includes an engine, a hydraulic actuator, a control valve that controls the flow of pressure oil of the hydraulic actuator, an electromagnetic proportional valve connected to the control valve, and the hydraulic actuator in response to an operation of an operation lever. An output that is arranged between the lever controller that outputs the solenoid valve drive current for driving and the solenoid proportional valve and the lever controller, and cuts off the output of the solenoid valve drive current from the lever controller to the solenoid valve. Equipped with a breaker,
In the test execution unit, as the test execution condition, the engine is not started, or even if the engine is started, the elapsed time after the operation, which is the elapsed time from the last operation of the operation lever. When the time is equal to or greater than the non-operation time threshold value, the safety device for shutting off the output of the solenoid valve drive current from the output circuit breaker is stopped and the proof test is performed. Execute,
A work machine characterized by that. In the work machine according to claim 1,
The proof test device is
And after the test time measuring unit for measuring the test after an elapsed time since the last complete the proof test,
And time threshold storage unit for storing the test interval threshold value indicating the allowable time until the next execution of the proof test since the last execution of the proof test,
An interval determination unit for determining whether the elapsed time after the test is equal to or greater than the test interval threshold value is further provided.
When the interval determination unit determines that the elapsed time after the test is equal to or greater than the test interval threshold value, the test execution unit sends the work machine to the safety device without executing the proof test. outputs an instruction signal for shifting to the safe state,
When the interval determination unit determines that the elapsed time after the test is less than the test interval threshold value and the test execution unit satisfies the test execution condition, the test execution unit performs the test execution unit. , Perform the proof test,
A work machine characterized by that. The work machine according to claim 2.
The proof test device is
It is further provided with a warning unit that outputs warning information prompting the execution of the proof test.
The time threshold storage unit further stores the warning time threshold used for determining whether or not the warning information needs to be output, which is shorter than the test interval threshold.
When the interval determination unit determines that the elapsed time after the test is equal to or greater than the warning time threshold value, the warning unit outputs the warning information.
A work machine characterized by that. The work machine according to claim 1.
Further comprising a gate lock lever that receives an input operation of the operation inhibition and cancellation of the operation prohibition of said hydraulic actuator,
When the gate lock lever accepts the operation prohibition input operation, the test execution unit determines that the test execution condition is satisfied.
A work machine characterized by that. The work machine according to claim 4.
The post-test time measurement unit that measures the elapsed time after the test since the last proof test was completed,
When the proof test is executed in a plurality of blocks for a time shorter than the test interval threshold value indicating the allowable time from the last execution of the proof test to the next execution of the proof test. In addition, a time threshold storage unit that stores the uninterrupted time used for determining whether or not to prohibit the interruption of the proof test being executed before all the blocks are completed,
An interval determination unit for determining whether the elapsed time after the test is equal to or longer than the uninterruptable time,
Further provided with a warning unit for outputting warning information notifying that the gate lock cannot be released until the completion of the proof test being executed.
When the gate lock lever receives an input operation for releasing the operation prohibition after the test execution unit executes the test of one block included in the proof test once, the interval determination unit determines the elapsed time after the test. When the uninterrupted time is compared and it is determined that the elapsed time after the test is equal to or longer than the uninterrupted time, the warning unit outputs the warning information, and the test executing unit outputs the warning information, and the test executing unit outputs the proof during the execution. Execute the remaining blocks included in the test to complete the proof test,
A work machine characterized by that. The work machine according to claim 1.
In the proof test, the test execution unit writes an arbitrary value to the peripheral control register of the microcontroller constituting the safety device for verification check, and covers the area of the RAM constituting the safety device. Repeat read or write to make sure there is no interference from adjacent cells, do at least one of the following:
A work machine characterized by that.