JP2007026010A - Radio communication method of safety related signal processing system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a radio communication method of a safety related signal processing system capable of enhancing transmission reliability by dual radio lines and of ensuring mutual checks while executing a process without waiting even if data transmission delays vary among the lines, thereby providing redundancy at lower cost than before. <P>SOLUTION: When communication data are normally received on at least one line of a plurality of radio control parts, a safety related signal control part performs a drive/stop control process using a safety related signal state shown by the communication data normally received, and excludes from the process the data of the radio lines where data was abnormally received or not received at all. Either one of the dual radio lines uses a radio method that is lower in transmission reliability than the methods of the other lines. A predetermined alarm is issued if a communication failure is detected. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a wireless communication method of a safety-related signal processing system that transmits safety-related signals such as an emergency stop signal using a plurality of wireless lines.

In conventional safety-related signal processing systems, emergency stop signals and interlock signal processing circuits are wired 1: 1 with hard wires, and particularly important parts are duplicated and made redundant. (For example, refer nonpatent literature 1, p.8 Figure 2.1).
However, in order to reduce wiring, a safety-related signal communication system (safety fieldbus) that connects safety components with a serial bus has become oriented. For example, many open safety bus systems such as SafetyBusP, AsiSafety, and DeviceNetSafety. (For example, see Patent Document 1 or Non-Patent Document 1, p. 38, FIG. 4.5).
In order to further reduce wiring and improve workability, there is a wireless bus system (see, for example, Patent Document 2). On the other hand, as a means for improving the reliability of wireless transmission, a technique using both a radio medium with low directivity and an optical communication means with high directivity is disclosed (for example, Patent Document 3).

  FIG. 7 shows an example of a typical hard-wired emergency stop circuit. Reference numeral 20 denotes an emergency stop switch, which has redundant contacts 21a and 21b, wired by control lines 26a and 26b, and an electromagnetic contactor 22a. , 22b is turned ON / OFF to control the power from the main circuit power supply 23 supplied to the power device 24. Since the system is duplexed with the A system / B system, an emergency stop can be performed even if there is a failure somewhere. Moreover, since a programmable device is not included, there is no risk of mixing bugs due to programming.

On the other hand, FIGS. 8 and 9 are conventional examples in which the hard wire portion is replaced with a safety field bus 4 ′. Although it is not the same as the means described in Patent Document 1 or Patent Document 2, it has a substantially corresponding configuration (Patent Document 2 will be described in detail separately).
In FIG. 8, signal inputs of so-called “safety related signals” such as signal states of the contacts 21 a and 21 b of the emergency stop switch 20 and sensor signals of enable switches and protective devices are taken in by the safety related signal input processing device 2. It is transmitted to the safety-related signal control device 3 via the safety field bus 4 '. Therefore, a predetermined control sequence is executed and output as a safety-related signal output. For example, the electromagnetic contactors 22a and 22b for cutting the power supplied to the power device 24 can be controlled. The safety-related signal input processing device 2 and the safety-related signal control device 3 usually include duplicated programmable devices such as CPUs 10a, 10b, 13a, and 13b, and are configured to monitor each other for failure. The communication control units (T / R) 7 ″ and 8 ″ for controlling the communication procedure on the safety field bus 4 ′ are shown as a single block in the figure, but actually the configuration of this part is as follows. There are various types, which will be described later with reference to FIG.
For example, in the case of Patent Document 1, as a specific means of fault monitoring performed by the duplicated CPUs, the memory images of two CPUs, processing results, communication channel data, and the like are cyclically compared, and the difference is determined. If there is a comparison failure variable: Vf is incremented, if it is successful, it is decremented, and if the value of Vf exceeds a predetermined upper limit value, a failure-safe (“emergency avoidance”) failure process is entered. Techniques to do this are disclosed. In this way, a method of delaying a certain delay until the memory images of both CPUs coincide with each other is taken.

  Further, in FIG. 9, the safety PLC 40 and the safety I / O 41 — i (I = 0, 1) are not used as the safety-related signal input processing device 2 and the safety-related signal control device 3, but as general-purpose safety-related devices. ,... Shows a typical configuration. Information on such a configuration is disclosed as open safety fieldbus technologies such as SafetyBusP and DeviceNetSafety described above, and the outline is also shown in Non-Patent Document 1 below.

The four system configuration diagrams shown in FIG. 10 show variations of the bus connection form in the redundant safety-related signal processing system described in Non-Patent Document 1. In this document, as shown in the figure, there are four bus connection models. 42a_i and 42b_i (i = 0, 1) are safety layers, 43_i (i = 0, 1) are transmission layers, and 44 is a transmission medium. ing.
In model A, the safety layer is duplicated, but the transmission layer is connected to only one of them (42b_i). In the model B, the transmission layer and the transmission medium are also completely made redundant, and 43a_i, 43b_i and 44, 44 'are connected to the safety layers 42a_i, 42b_i, respectively. In model C, the safety layer and the transmission layer are made redundant, but the transmission medium is shared. In model D, the transmission layer is not made redundant, but is shared by the redundant safety layer, so that the two safety layers can transmit and receive communication data independently.

FIG. 11 quotes one of the embodiments using wireless communication disclosed in Patent Document 2. (The numbers in the figure have been changed.) The teaching operation panel 50 and the robot controller 60 are connected by a plurality of redundant wireless communication means (transmitting means 59 — i, 66, receiving means 58, 67 — i), and teaching operation is performed. The contact state of the emergency stop switch 20 attached to the panel 50 is transmitted to the redundant emergency stop control circuit 65 — i of the robot control unit 60.
In the present invention, as a means for improving the transmission reliability of the emergency stop signal, a plurality of emergency stop packet data is generated and if one of them is delivered to the emergency stop control circuit 65_i, the power supply to the servo amplifier 68 is cut off. I can do it.
Further, fault monitoring is performed between the plurality of emergency stop control circuits 65_i to improve the reliability of the control circuit. As a specific example of the monitoring, the state of the emergency stop control circuit 65_i (emergency stop signal) If the (status) is compared in a short cycle and is different, the "emergency stop function related failure" is notified and the robot is stopped.
Also, an embodiment is proposed in which when the wireless communication is interrupted by noise or the like and a packet for transmitting the emergency stop state has not arrived, the emergency stop control circuit 65_i is activated to stop the robot in an emergency stop.

As described above, in the communication method in the conventional safety-related signal processing system, the redundantly inputted safety-related signal is transmitted by a single or redundant transmission layer through a wired or wireless medium, and the received redundancy is received. The safety-related signal control unit is configured to perform signal processing, and the redundant safety-related signal control unit takes a procedure of performing failure monitoring by comparing the received signal states with each other.
JP-A-10-320003 (terms 0005, 0015, 0044 to 0048, FIG. 1) JP 2004-148488 A (terms 0016 to 0022, FIGS. 8 and 9) Japanese Patent No. 3352836 (Items 0014 to 0017, FIG. 1) Translated by Junichi Tanaka "Safety Bus System for Automation", NPO Safety Engineering Laboratory, September 24, 2003, p. 7-9, p. 38 Figure 4.5 (Original: D. Reinert, M. Schaefer, “Sichere Bussysteme fur die Automation”, published by Huethig GmbH & Co KG, April 23, 2001)

The conventional wireless communication method in the safety-related signal processing system is based on the conventional serial transmission technology of the safety field bus and is intended to replace this with wireless communication. At that time, since the transmission reliability of the wireless line is lower than that of the wired line, there is a problem that the cost is generally increased due to the means of improving the reliability by making the line redundant.
In addition, even if the wireless line is made redundant, when performing mutual monitoring in the redundant safety-related signal control unit, if the reception state of the safety-related signal is inconsistent or a transmission error occurs, it is treated as a failure . This prevents malfunctions, but actually increases the frequency of transmission errors by increasing the frequency of communication rather than increasing the reliability of transmission by making it redundant, and happens to be transmitted on any one line. When an error occurs, the entire system fails, and there is a risk of increasing the frequency of system failure and lowering the operation rate. In the first place, although the transmission error is a result of normal error control detected and removed by the transmission layer, there has been a problem that it is a double wasteful error processing in which it is treated as a failure.

  Since the radio transmission process shares the signal transmission space, transmission is performed when the carrier frequency is detected by communication of other systems, such as the CSMA / CA (Carrier Sense Multiple Access / Contention Avoidance) method. It may take time until transmission of communication data is completed due to temporary waiting or retransmission due to noise or the like. For this reason, even if you try to transmit data simultaneously using multiple wireless lines, the time variation until the transmission is completed will actually increase, and it will be likely to cause a state mismatch in the safety-related signal control unit, or until the state matches There is also a problem that the waiting time must be larger than in the case of wired communication.

The present invention has been made in view of such problems, and improves transmission reliability by making redundant lines redundant, and does not wait even if there is variation in data transmission delay between lines. It is an object to provide a redundant check at a lower cost than in the prior art, enabling a mutual check to be performed reliably while executing processing.

In order to solve the above problem, the present invention is as follows.
The invention described in claim 1
Safety-related signal input processing device that performs input processing of so-called safety-related signals generated by emergency stop switches, enable switches, etc., and drive / stop control of dangerous parts such as motors and actuators according to the state of input safety-related signals The safety-related signal input processing device includes a safety-related signal input interface unit and a wireless control unit having at least two lines, and the safety-related signal control device includes at least 2 A radio control unit over the line and a safety-related signal control unit that controls driving / stopping of a dangerous part based on the received safety-related signal, between the safety-related signal input processing device and the safety-related signal control device At least two or more wireless lines are used, and the safety-related signal status at the same timing is used as communication data via the multiple lines. In safety-relevant signal processing wireless communication method of a system for exchanging and,
When the communication data is normally received on at least one line of the plurality of radio control units of the safety-related signal control device, the safety indicated by the communication data that has been normally received first by the safety-related signal control unit The drive / stop control process is performed using the related signal state.

The invention according to claim 2
In the safety-related signal processing system, the safety-related signal input interface unit of the safety-related signal input processing device attaches a time stamp to the communication data and then transmits the communication data by the wireless control unit of a plurality of lines. And
In the safety-related signal control device, when the communication data is normally received from the radio control unit of any one line, the safety-related signal control unit checks the time stamp attached to the communication data,
If it is the latest data, it does not wait for normal reception from the other wireless control unit and performs safety-related signal processing using the safety-related signal state of the communication data and stores the communication data,
If the time stamp is the same as the communication data received from the other radio control unit in the past, the stored communication data received in the past is collated, and the safety-related signal input state is If it does, it is discarded, and if it does not match, predetermined failure processing is executed.

The invention according to claim 3
In the safety-related signal processing system, any one of the at least two or more wireless lines between the safety-related signal input processing device and the safety-related signal control device has lower transmission reliability than other lines. In the wireless system, when a communication failure of the low reliability line is detected, an alarm is issued in one or both of the safety-related signal input processing device and the safety-related signal control device.

And the invention of Claim 4 is
In the safety-related signal processing system, when a communication failure is detected on any one of the low-reliability lines, only a safety-related signal with a high priority is exchanged until the communication failure is recovered. It is characterized by.

  According to the first aspect of the present invention, even if a transmission error is detected in some of a plurality of redundant wireless lines, the safety-related signal control unit does not handle the failure, and any one line is normally communicated. If this is done, the system can operate normally, and by making the radio line redundant, the chances of normally sending and receiving safety-related signals increase, and the transmission reliability of the entire system can be improved.

  According to the invention described in claim 2, by adding a time stamp to the communication data, it is possible to determine which and which of the communication data arrives asynchronously via a plurality of wireless lines at the same timing. Since it is possible to correctly identify whether there is communication data, the communication data that has been normally received first can be immediately sent to the safety-related signal control processing without waiting, which is efficient. On the other hand, since the communication data received normally with a delay can be correctly collated with the communication data received in advance, it is possible to have the same system failure monitoring capability as in the past.

  According to the third and fourth aspects of the invention, instead of adopting a highly reliable and high cost wireless communication control unit for improving reliability when making a wireless line redundant, an electromagnetic environment Adopting a relatively unreliable wireless system that is sensitive to changes, so that redundancy can be realized at a lower cost than in the past, and in a situation where the system can be operated, the system is not brought to an emergency stop but to the user. By notifying the deterioration of the electromagnetic environment at an early stage, it is possible to remove the obstacle or to smoothly shift the system to a safe state.

  Hereinafter, specific examples of the method of the present invention will be described with reference to the drawings.

FIG. 1 is a system configuration diagram of a safety-related signal processing system that implements the method of the first invention. In the figure, a safety-related signal processing system 1 includes a safety-related signal input processing device 2, a safety-related signal control device 3, and redundant wireless lines 4a and 4b.
In the present embodiment, the safety-related signal input processing device 2 is connected to the emergency stop switch 20 having the contacts 21a and 21b which are redundantly configured (system A / system B). 3 is connected to redundant electromagnetic contactors 22a and 22b provided in the middle of the power line 25. The main contact 3 corresponds to the emergency stop operation of the user or the system failure state detected by the safety-related signal processing system. The power supply from the circuit power supply 23 to the power equipment 24 which is a dangerous part is cut off.

The safety-related signal input processing device 2 is composed of a safety-related signal input interface unit 5 whose main parts are designed to be redundant in the A system / B system, and radio control units 7a and 7b which are also designed to be redundant. Further, the safety-related signal input interface unit 5 is composed of DIs 9a and 9b that take in redundant safety-related signal input signals and CPUs 10a and 10b that control the DIs 9a and 9b and edit the safety-related signal input state into communication data. ing. The CPUs 10a and 10b are connected to the radio control units 7a and 7b corresponding to the respective redundant systems (A system / B system), and send the edited communication data to the safety-related signal control device 3 through the respective radio lines. can do. Further, the CPUs 10a and 10b periodically collate each other's safety-related signal input state and communication processing state through the CPU mutual monitoring line 11, and detect a failure of the counterpart CPU.

  The safety-related signal control device 3 is composed of a safety-related signal control unit 6 whose main parts are made redundant in the A system / B system, and radio control units 8a and 8b which are also designed to be redundant. The signal control unit 6 internally processes the communication data received from the radio control units 8a and 8b and performs predetermined safety-related signal output control according to the safety-related signal state, and redundantly outputs the safety-related signals. DO14a and 14b performed in this manner. The CPUs 13a and 13b are connected to radio control units 8a and 8b corresponding to the respective redundant systems (A system / B system). Further, the CPUs 13a and 13b detect the failure of the counterpart CPU by exchanging received data with each other through the CPU mutual monitoring line 15 and periodically checking the safety-related signal control state. Further, an output monitoring line 16 for monitoring the output state to the A-system DO 14a by the B-system CPU 13b and monitoring the output state to the B-system DO 14b by the A-system CPU 13a is also wired.

FIG. 2 is a flowchart showing the safety-related signal input control processing procedure of the A-system CPU 10a of the safety-related signal input interface unit 5 and the safety-related signal control processing of the A-system CPU 13a of the safety-related signal control unit 6. The method of the present invention will be described step by step with reference to this figure. In the figure, each processing step is indicated by S + “number”.

In the safety-related signal input control processing procedure of the A-system CPU 10a of the safety-related signal input interface unit 5, it is first determined in S1000 whether it is the access timing to the DI 9a. The process loops until the access timing is reached, and waits. When the access timing is reached, the process moves to S1001. When the safety-related signal input status is read from the DI 9a in S1001, the input status is exchanged via the CPU mutual monitoring line 11 in S1002, and the other CPU is detected by checking whether the input status is the same in S1003. I do.
If they do not match, the predetermined failure processing mode is set in S1007. If they match normally, in S1004 and S1005, the communication data to be transmitted this time is edited and a time stamp is added. When the communication data is transmitted to the A-system radio control unit 7a and the normal transmission is completed, the process returns to S1000 and waits for the next DI9a access timing. Such a series of operations is repeated at a predetermined cycle.
Since the time stamp is used for determining the identity of each communication data of the A system / B system on the receiving side, the same time stamp must be set in the A system / B system on the transmitting side. For example, a sequence number incremented every time the DI 9a is accessed, or a time and counter value that are managed by the CPUs 10a and 10b are set.
Since DI access is performed in synchronization with the A system / B system, the same value can be easily set as the incremented sequence number.
When using a time or counter value based on the oscillator operating for each of the CPUs 10a and 10b, for example, a means for matching both, or an intermediate value between the two within a predetermined tolerance is used as a time stamp. Means such as means for matching the time stamp values of the A system / B system are separately required.
This flowchart is for the A-system CPU 10a, but the B-system CPU 10b has the same flow and operates at the same timing.

On the other hand, in the safety-related signal control processing procedure of the A-system CPU 13a of the safety-related signal control unit 6, first, in S2000, it is checked whether data is normally received by the A-system radio control unit 8a, and if not, the process proceeds to S2500.
If it has been received, the process proceeds to S2001, where the Ack packet is returned to the A system side of the safety-related signal input device via the radio control unit 8a, and the current received data is sent to the B system CPU 13b via the CPU mutual monitoring line 15 in S2002. In S2003, the received data processing shown in the flowchart of FIG. 3 is performed, and whether the output result matches the B-system side or not, in S2004 via the output monitoring line 16, After checking, if they match, the process proceeds to S2005, and if they do not match, failure processing is performed in S2008.
In S2005, it is confirmed via the CPU mutual monitoring line 15 whether the communication data is normally received by the B-system radio control unit 8b. If there is reception in the B system, the reception data processing shown in the flowchart of FIG. 3 is performed in S2006. Finally, the result output to the DO 14b from the counterpart CPU 13b performed in the predetermined reception process is collated with the output result of the own CPU via the output monitoring line 16, and the fault of the counterpart CPU is detected. This flowchart is for the A-system CPU 13a, but the B-system CPU 13b has exactly the same flow.

  As described above, the safety-related signal control unit 6 performs predetermined reception processing using the communication data normally received first in either the A system or the B system even in the case of the A system CPU, and the radio control unit 8a detects the reception abnormality. Since the determined communication data is not used for processing but is not handled as a system failure, the system can operate normally if communication is normally performed on any one line, so that the wireless line is made redundant. As a result, the chances of normally sending and receiving safety-related signals increase, and the transmission reliability of the entire system can be improved.

  FIG. 3 is a flowchart including steps relating to the second processing procedure in the received data processing (S2003, S2006) shown in the first processing procedure. FIG. 4 shows an example of a communication data format and an example of a received data log table for storing received data.

The communication data format 100 includes a header part 101, a time stamp field 102, a safety related signal input state field 103, and an error control code field 104. The header part includes information such as a normal transmission destination address, a transmission source address, a data packet type, and a data length. The time stamp set in the time stamp field 102 may be a sequence number incremented for each DI access, but the time information indicated by the built-in clock managed by the CPUs 10a and 10b of the safety-related signal input interface unit 5 Or a counter value.
The error control code field 104 includes, for example, a CRC code having an error detection capability strong against a burst error and a Reed-Solomon code having a strong error correction capability. Alternatively, a convolutional code that encodes the entire data can be used.
The communication data is a communication data format between the safety-related signal input interface unit 5 and the safety-related signal control unit 6 corresponding to the safety layer 42 in FIG. 10, but is transmitted by each radio control unit as the transmission layer 43. A header, trailer, and error control code for control are added separately. An Ack packet format example 110 is also shown. This Ack packet is also performed as a delivery confirmation means in the functional part corresponding to the safety layer 42, and a procedure for transmission control / error control performed between the radio control units as the transmission layer is a separate method. Suppose that it is done.

The reception data log table 200 is a log area that the CPUs 13a and 13b of the safety-related signal control unit 6 have in their respective memories, stores normally received communication data, and receives data of the same time stamp in another redundant system. The record area (205_i, 206_i, 207_i, i = 0, 1,..., N) for storing the received data is used as a cyclic buffer. It has come to be. In order to indicate a valid record area, the pointer 203 of the oldest record and the pointer 204 of the latest record are included in the received data waiting for collation.
Records that have been verified, records with a time stamp older than the verified record, and records that have not received data from other systems even after the allowable reception delay time has elapsed, are treated as a time-over without receiving one system. Thus, the record area is sequentially released. When communication data with the latest time stamp that has not been received yet has been received, the time stamp field 102 and the safety related signal input state field 103 of the communication data received this time by advancing the latest record pointer by one. Is copied to the corresponding record.

The method of the second invention will be described step by step with reference to this figure. In the figure, each processing step is indicated by S + “number”.
First, in S3000, the normality of the received data is determined by checking the data header, error control code, and the like. If it is determined that there is an abnormality in this check, the CPU 13a, 13b is abnormal as data edited in the safety layer even though the data is normally received as the transmission unit header. Any one of the processing systems is determined to have a failure, and a predetermined failure processing mode is entered in S3002.
If it is determined to be normal, the received data log search process is executed in S3001, the own system received data log table 200 shown in FIG. 4 is accessed, and the latest record pointer from the record indicated by the oldest record pointer 203 is accessed. Each time stamp up to the record indicated by 204 is compared with the time stamp of the current received data, and it is determined whether the received data is the latest data (S3002). If received, the received data of the same time stamp stored in S3003 is compared with the current received data to determine whether the safety-related signal input state matches.
If they do not match, the process proceeds to a predetermined failure processing mode (S3004). If they match, the related reception count in the reception data log table 200 is updated, and the reception process is terminated normally. If the current received data is the latest data, the received data is stored in the received data log table after executing predetermined control using the received data, and the present receiving process is normally terminated. If the data received this time has not been received in the past and is not the latest data, it is an abnormal data reception and the process proceeds to a predetermined failure processing mode (S3008).

FIG. 5 shows an example of the timing at which the communication sequence between the safety-related signal input processing device 2 and the safety-related signal control processing device 3 is performed by taking such a procedure. The sequence on the left side in the figure shows exchanges exchanged through the A-system radio line 4a, and the sequence on the right side shows exchanges exchanged through the B-system radio line 4b. Further, in this embodiment, it is assumed that the normal wireless line 4a is slower than the wireless line 4b due to a slow response due to a difference in wireless system or electromagnetic environment.
First, in S4000a and S4000b, the communication data with the time stamp # 0 is transmitted from the safety-related signal input processing device 2 to the safety-related signal control device 3 via the redundant wireless lines 4a and 4b. Transmission of transmission data is faster in the wireless line 4b, and the B system first receives communication data # 0 in S4001b. As for this communication data, after Ack # 0 is returned from the B system according to the flowcharts of FIGS. 2 and 3, the same reception processing is performed for both the A system (S4001a) and the B system. Since the communication data of the same time stamp (# 0) is received in the A system this time in S4003a with a slight delay, after the Ack # 0 is returned from the A system, this is the same as the A system and the B system (S4003b). The data is compared with the data of the received time stamp # 0.
However, since the received data has been processed, the state of the safety-related signal outputs 17a and 17b does not change. S4004a, S4004b to S4006a, and S4006b change similarly. However, the communication data (time stamp # 2) transmitted in S4008a and S4008b is not taken into the safety-related signal control device 3 due to a transmission error in the B-system wireless line 4b, and is slightly delayed via the wireless line 4a. When the incoming A-system communication data is normally received in S4009a, the same reception processing is performed for both the A-system and the B-system (S4009b) after Ack # 2 is returned from the A-system.

In this way, when communication data is sent and received with a time stamp and received normally, if it is new data, it is used for control processing such as output, but if it is already received data, the content is checked If there is a discrepancy, the procedure is to perform fault handling, so out of the communication data that arrives asynchronously via multiple radio links, what is the one that was issued at the same timing Therefore, the communication data that has been normally received first can be immediately sent to the safety-related signal control process without waiting for it.
On the other hand, since the communication data received normally with a delay can be correctly collated with the communication data received in advance, it is possible to have the same system failure monitoring capability as in the past. In addition, in the case of a transmission error, only the normally received data is used without treating it as a failure, so that the transmission reliability as a redundant wireless line system is also improved.

FIG. 6 is a system configuration diagram showing the methods of the third and fourth inventions. In this embodiment, the A-system radio line 4a is a highly reliable IEEE 802.11. The a / b / g tri-mode radio system is applied, while the B-system radio line 4b applies a weak radio (proprietary communication system) having a radio frequency of 300 MHz that is easily affected by disturbance noise. From the radio control units 7a 'and 7b' of the safety-related signal input processing device 2, data indicating the transmission quality of each radio channel is notified to both CPUs 10a and 10b as radio control unit monitoring lines 30a and 30b. ing.
Similarly, the wireless control units 8a ′ and 8b ′ of the safety-related signal control device 3 notify the CPUs 10a and 10b of data indicating the transmission quality of the respective wireless lines as the wireless control unit monitoring lines 32a and 32b. It has become. The data indicating the transmission quality includes, for example, the number of transmission errors detected by a transmission control unit such as a CRC error, the received signal strength around the AGC (auto gain control) system circuit of the receiver, BER (Bit Error Rate) or SNR ( Real-time measurement data such as Signal Noise Ratio). In this way, each CPU (10a, 10b, 13a, 13b) that has received data that leads to transmission quality from each wireless control unit issues a corresponding line failure alarm 31a, 31b, 33a, 33b to the user. Notify the warning.
Furthermore, when a situation where a line failure is determined by the wireless control unit on one side of the A system / B system, the traffic of communication data to be transmitted is reduced, and safety-related signals with high priority and urgency, for example, The safety-related signal input interface unit 5 CPUs 10a and 10b can perform priority management so that only the emergency stop signal is edited and transmitted.

  By doing so, instead of adopting a highly reliable and costly wireless communication control unit for improving reliability when making a wireless line redundant, a relatively unreliable weak sensitive to changes in the electromagnetic environment. In addition to being able to achieve redundancy at a lower cost than conventional systems because wireless methods such as wireless communication can be adopted, the electromagnetic environment is deteriorated for the user instead of stopping the system in an emergency when the system can be operated. By notifying at an early stage, it is possible to remove a failure or to smoothly shift the system to a safe state.

1 is a system configuration diagram showing the configuration of a safety-related signal processing system that implements the method of the first invention. The flowchart which shows the process sequence of the method of 1st invention. The flowchart which shows the reception processing procedure of the method of 2nd invention Communication data and received data log table format example of the method of the second invention The sequence chart which shows an example of the communication sequence of the method of 2nd invention System configuration diagram of third and fourth invention methods System configuration diagram showing a conventional hardwired method System configuration diagram showing a conventional safety fieldbus connection method System configuration diagram showing another conventional safety fieldbus connection method Diagram of bus connection form in conventional safety bus system System configuration diagram showing a conventional method of using redundant wireless communication

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Safety related signal processing system 2 Safety related signal input processing device 3 Safety related signal control device 4a, 4b Radio | wireless line 4 'Safety field bus 5 Safety related signal input interface part 6 Safety related signal control part 7a, 7b Safety related signal input processing In-device radio control unit 7a 'In the safety-related signal input processing device, radio control unit (IEEE802.11.a / b / g)
7b 'In the safety-related signal input processor, wireless control unit (weak wireless)
7 ″ Safety-related signal input processing device communication control unit 8a, 8b Safety-related signal control device wireless control unit 8a ′ Safety-related signal control device wireless control unit (IEEE802.11.a / b / g)
8b 'In the safety related signal control device, wireless control unit (weak wireless)
Communication control unit 9a, 9b DI in 8 ″ safety related signal control device
9a ', 9b' I / O
10a, 10b Safety-related signal input interface section CPU
11 Safety-related signal input interface section CPU mutual monitoring lines 12a, 12b, 12a ', 12b' Safety-related signal inputs 13a, 13b Safety-related signal control sections 14a, 14b DO
15 Safety-related signal control unit CPU mutual monitoring line 16 Safety-related signal control unit output monitoring line 17a, 17b, 17a ', 17b' Safety-related signal output 20 Emergency stop switch 21a, 21b Contact 22a, 22b Electromagnetic contactor 23 Main circuit power supply 24 Power device 25 Power line 26a, 26b Control line 30a, 30b In safety related signal input processing device Wireless control unit monitoring line 31a, 31b In safety related signal input processing device Line fault alarm 32a, 32b In safety related signal control device Monitoring lines 33a and 33b Safety related signal control equipment Line fault alarm 40 Safety PLC
41_i Safety I / O (i = 0, 1)
42a_i, 42b_i (i = 0, 1)
43_i, 43a_i, 43b_i (i = 0, 1)
50 Teaching operation panel 51 Display panel 52 Keyboard 53 Display panel control 54 Keyboard I / F
55 CPU
56 ROM
57 RAM
58 Receiving means 59_j Transmitting means 1, 2, 3 (j = 0, 1, 2)
60 Robot controller 61 CPU
62 ROM
63 RAM
64 Servo control circuit 65_k Emergency stop control circuit (k = 1, 2)
66 Transmitting means 67_j Receiving means 1, 2, 3 (j = 0, 1, 2)
68 Servo amplifier 100 Communication data format example 101 Header portion 102 Time stamp field 103 Safety-related signal input state 104 Error control code 110 Ack packet format proposal 200 Received data log table length 201 Table length 202 Number of records 203 Oldest record pointer 204 Latest record Pointer 205_i Time stamp storage area 206_i Safety-related signal input state area 207_i Number of receptions by record

Claims (4)

Safety-related signal input processing device that performs input processing of so-called safety-related signals generated by emergency stop switches, enable switches, etc., and drive / stop control of dangerous parts such as motors and actuators according to the state of input safety-related signals The safety-related signal input processing device includes a safety-related signal input interface unit and a wireless control unit having at least two lines, and the safety-related signal control device includes at least 2 A radio control unit over the line and a safety-related signal control unit that controls driving / stopping of a dangerous part based on the received safety-related signal, between the safety-related signal input processing device and the safety-related signal control device At least two or more wireless lines are used, and the safety-related signal status at the same timing is used as communication data via the multiple lines. In safety-relevant signal processing wireless communication method of a system for exchanging and,
When the communication data is normally received on at least one line of the plurality of radio control units of the safety-related signal control device, the safety indicated by the communication data that has been normally received first by the safety-related signal control unit A wireless communication method for a safety-related signal processing system, wherein drive / stop control processing is performed using a related signal state. In the safety-related signal processing system, the safety-related signal input interface unit of the safety-related signal input processing device attaches a time stamp to the communication data and then transmits the communication data by the wireless control unit of a plurality of lines. And
In the safety-related signal control device, when the communication data is normally received from the radio control unit of any one line, the safety-related signal control unit checks the time stamp attached to the communication data,
If it is the latest data, it does not wait for normal reception from the other wireless control unit and performs safety-related signal processing using the safety-related signal state of the communication data and stores the communication data,
If the time stamp is the same as the communication data received from the other radio control unit in the past, the stored communication data received in the past is collated, and the safety-related signal input state is The wireless communication method for a safety-related signal processing system according to claim 1, wherein if it does not match, it is discarded, and if it does not match, predetermined failure processing is executed. In the safety-related signal processing system, any one of the at least two or more wireless lines between the safety-related signal input processing device and the safety-related signal control device has lower transmission reliability than other lines. The wireless system is used, and when one or both of the safety-related signal input processing device and the safety-related signal control device detects a communication failure of the low-reliability line, an alarm is issued. Alternatively, a wireless communication method for a safety-related signal processing system according to claim 2.   In the safety-related signal processing system, when a communication failure is detected on any one of the low-reliability lines, only a safety-related signal with a high priority is exchanged until the communication failure is recovered. The wireless communication method for a safety-related signal processing system according to claim 3.

Images