JP2009223399A - Security equipment and security condition setting support system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To obtain the optimal safety conditions according to a network system to be actually used. <P>SOLUTION: Safety equipment 22 is provided with: a communication time calculation part 25 for calculating the communication time of a received frame; a communication time table 26 for storing the communication time calculated by the communication time calculation part for each connection specifying equipment of the other party of communication; a transmission frequency decision part 27 for deciding how many frames have been transmitted from the previously received frame; a transmission frequency table 28 for storing the number of transmissions decided by the transmission frequency decision part for each connection; and a means for transmitting information on a communication time stored in a communication time table and information on the number of transmissions stored in the transmission frequency table. The safety condition setting support device obtains information based on the actual measurement value, and obtains safety conditions. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a safety device and a safety condition setting support system.

  A network system in FA (Factory Automation) includes one or more PLCs (Programmable Logic Controllers) that control input devices and output devices in a production facility, and devices whose operations are controlled by the PLCs. Connected to the network. These PLCs and devices communicate with each other cyclically via the network of the control system, thereby sending and receiving IN data and OUT data (hereinafter referred to as I / O data) to control production facilities.

  The PLC connects a CPU unit that executes calculations based on a control program, an input device such as a sensor or a switch and inputs an on / off signal as an input signal, and an output device such as an actuator or a relay. It is composed by combining multiple units such as an output unit that sends output signals to them, a communication unit that sends and receives data to and from other devices connected to the network, and a power supply unit that supplies power to each unit. Yes. There is also an integrated PLC in which each function is mounted in one housing.

  Furthermore, recently, a fail-safe (safety) system is being introduced also in the control by PLC. That is, not only the PLC and each device itself, but also the network connecting them is configured with a built-in safety function. Here, the safety function refers to, for example, duplicating the CPU and other processing units so that correct output is performed, a network error (normal communication is not possible), an emergency stop switch being pressed, When the network system enters a dangerous state, such as when a sensor such as a curtain detects the intrusion of a person (part of the body), the fail-safe function is activated, the system becomes safe, and the operation stops. It is.

  This type of safety control system includes a safety controller and a safety I / O terminal, and is used with a cutting machine, a cutting machine, a manufacturing machine robot with an arm, and the like. The safety controller incorporates a logic operation function and input / output control function similar to those of a general programmable controller (PLC), as well as a built-in safety self-diagnosis function, thereby providing a high level of safety and reliability in its control. Secured. The safety controller has a function (fail-safe function) for forcibly performing safe control so that the self-control does not lead to danger when an abnormality is detected from the self-diagnosis result. The safety I / O terminal also has a self-diagnosis function, and has a fail-safe function in which, when an abnormality is detected based on the self-diagnosis result, the self-control does not lead to danger. Thereby, the safety control system prevents the operation of the manufacturing machine robot or the like from leading to danger.

  More specifically, the term “safety” as used herein means that standardized safety standards are included. Safety standards include, for example, IEC61508 and EN standards. IEC 61508 (International Electrotechnical Commission on Functional Safety of Programmable Electronic Systems) defines the establishment of dangerous failures per hour (Probability of Failure per Hour), which establishes the SIL level (Safety Integrity Level). ) Is classified into 4 levels. Further, EN standards require that the risk of a machine be evaluated and that risk reduction measures be taken, and EN 954-1 defines the safety categories. The safety controller, safety I / O terminal, safety control system, and the like referred to in this specification correspond to any of these safety standards.

  The safety control system may be referred to as a “safety control system”, and the safety controller may be referred to as a “safety controller” or a “safety control device”. The safety I / O terminal is sometimes referred to as a “safety slave station”, “safety slave unit”, or simply “safety slave”, and is sometimes referred to by replacing safety with “safety”.

  There is known a safety control system in which a safety controller and a safety I / O terminal are connected via a network. The safety controller has a communication master function for performing network communication with the safety I / O terminal. When the safety controller is a building block type in which a plurality of unit housings (for example, a power supply unit, a CPU unit, an IO unit, a communication unit, etc.) are connected, the communication master unit itself has a built-in communication master function. There is also a case. The communication master unit may be referred to as “safety master station”, “safety master unit”, or “safety master”, and may be referred to by replacing safety with “safety”.

  The safety I / O terminal has a network communication function, that is, a communication slave function, with the communication master function of the safety controller. The safety I / O terminal includes a connection terminal, and at least one of an input device such as a switch for outputting an on / off signal and an output device that is an output destination of the control signal is connected to the connection terminal. Examples of the input device are an emergency stop switch SW, a light curtain, a door switch, and a two-hand switch. Examples of output devices are safety relays and contactors. These input devices or output devices also comply with safety standards. The safety I / O terminal generates control data based on a signal input from the connected safety application device, and performs network communication of the generated control data to the safety controller.

  If the safety controller is a building block type, each unit is connected to a common internal bus, and performs bus communication with the CPU unit that controls the entire safety controller to exchange data. The connected I / O unit also includes a connection terminal, and an input device for safety use or an output device for safety use is connected to the connection terminal. And the safety controller inputs the input signal of the input device input by the network communication from the safety I / O terminal via the communication master unit or the input signal of the input device connected to the connected I / O unit, The on / off of the input signal is logically calculated by a logic program stored in advance. An output signal based on the calculation result is output to the safety I / O terminal by network communication via the communication master unit or output to the connected I / O unit. The I / O unit and the safety I / O terminal output the output signal to an output device. By repeating this series of operations, the entire system including the manufacturing machine robot is controlled by the safety controller.

  Note that the communication cycle between the safety controller and the safety I / O terminal may be synchronized with the cycle of repeated execution of the safety controller or may be asynchronous. A logic program to be subjected to logic operation processing in the safety controller or CPU unit is created in advance by a programmer. The programming description at the time of creation may be, for example, ladder notation, mnemonic notation, or function block notation. In terms of programming language, it may be an interpreted language, a script language, an assembly language, a high-level language, or a Java language. Source code written in such a programming language is subjected to processing such as assembling and compiling to be executed by the CPU.

  Safety relays and contactors, which are output devices connected to the safety I / O terminal, are connected to manufacturing machine robots, processing machines, cutting machines, etc., while the contact points of the relays and contactors are on, the manufacturing machine robot Etc. operate and the manufacturing machine robot stops while the contacts are off. Therefore, the safety controller controls the operation of the operation robot or the like to be finally controlled by performing on / off control of the output device. As a specific example, when the safety controller inputs that the emergency stop switch SW has been normally operated by communication from the safety I / O terminal, the safety controller prevents the control target from performing dangerous operations. Or forcibly control to a safe state and immediately take the necessary safety measures. When a safety controller inputs a diagnosis result indicating that the emergency stop switch SW or other input device has an abnormality, the control target performs a dangerous operation regardless of whether the emergency stop switch SW is operated or whether the input device is on or off. The output device is turned off so as not to stop the operation, or it is forcibly controlled to a safe state, and the necessary safety measures are immediately taken.

  When constructing this type of safety control system, in order to execute fail-safe, the mechanical equipment whose operation is controlled by the related output device and the installation position relationship (safety distance) of the input device are also important factors. That is, if the operating range of a mechanical facility such as a robot controlled by an output device is a dangerous area, an input device such as a sensor for detecting a person's entry is installed in front of the dangerous area. At this time, in order for a person to enter the danger area, it must pass through the detection area of the input device such as this sensor, and other places cannot be entered because, for example, walls are installed. It shall be.

  Then, before a person reaches the danger area, the person always passes the detection area of the sensor that is an input device. Therefore, in a fail-safe system, a detection signal output from a sensor that detects the passage of a person is finally transmitted to an output device via a network, and the output device is a mechanical facility operating in a hazardous area. Stop the operation. At this time, a certain delay occurs from when the sensor detects the passage of a person until the operation of the equipment machine is actually stopped. This delay requires at least the total time including the internal processing time of the input device and the output device and the communication time required when various notifications are transmitted over the network.

  Even when the delay time elapses, the person or part of the body approaches the danger area. Therefore, the time it takes for a person or part of the body to reach the danger zone after passing through the detection area of the sensor (walking speed x walking distance, moving speed of part of the body (hand, arm, half body, etc.) If the total time is shorter than (travel distance), the mechanical equipment can be stopped before a person or part of the body reaches the danger zone. Therefore, when designing the system, considering the above, set the internal processing time of the input device and output device to be short, or increase the walking distance (distance from the detection position of the input device to the dangerous area). To ensure that the system (mechanical equipment) can be stopped when an abnormality occurs.

Assuming that the distance from the detection position of the input device necessary for realizing fail-safe to the danger zone is the minimum safety distance S, the minimum safety distance S is a walking speed (movement speed) K (for example, 1 m / sec). S = K × T or S = K × T + C C: Safety factor (additional distance) when the stop operation time T related to the system stop is the above total time
It can ask for.

When an actual safety system is constructed using a network, it is necessary to reflect the delay time due to communication and the processing time of each input / output device in the safety distance in the installation of the mechanical equipment as described above. As a safety condition setting support device that can set parameters for constructing a safety network (safety control system) without understanding the specifications of each device used in an actual system, it is conventionally disclosed in Patent Document 1 Technology has been developed. The technique disclosed in Patent Document 1 stores, for example, information on internal processing times of safety devices including safety input devices and safety output devices connected to a network in a parts database, and transmission intervals between safety devices. When either the safety distance or the safety distance is input, a function for obtaining a recommended value for the uninputted from the connection relationship of the safety device and the internal processing time of the safety device is provided.
JP 2003-263202 A

  The safety condition setting support device disclosed in Patent Document 1 described above includes parameters (safety distance, transmission of each device) for constructing a safety network system, even if the specification of each device used in the system is not understood. Interval). This safety condition setting support device is used in the system design before actually allocating the actual machine to the production facility. During the process, the transmission interval depending on the transmission performance of each device and the layout of the system are used. The optimum value for the system is determined by repeatedly determining that the safety distances depend on each other and determining the other. Thereafter, the user actually installs the device and sets each device according to the determined setting value.

  However, after starting the installation of the device, various changes such as changing the layout, changing to another type of device with similar functions, changing the manufacturer of the device, etc. May occur. In addition, after the system is operated, a change such as a layout change or addition of a device may occur to expand the system. When such a change occurs, it is necessary to re-determine the transmission interval and safety distance of each device, as in the system design work. However, if the requirements cannot be satisfied due to device performance and layout constraints, the system design must be restarted from the beginning, increasing costs and duration.

  On the other hand, the safety condition setting support device has a calculation method for obtaining the safety condition. However, in order to cope with various network configurations and user usage environments, the parameters used there are fixed values with a certain margin. It's being used. Even if the user can change the parameter, the validity cannot be determined unless the technical role of the parameter is understood. For this reason, the user can use only the recommended value calculated by the fixed parameter, and the user's degree of freedom in system design is limited.

  An object of this invention is to provide the safety device which can obtain | require the optimal safety condition according to the network system actually used, and a safety condition setting assistance system.

For example, in CIP Safety, which is a communication protocol for safety networks, communication delay (network delay time) is
Maximum network delay time = transmission interval * number of transmissions + 2 * communication time. Then, it is recommended that the number of transmissions is two and that the communication time is a transmission interval. Therefore, in the conventional support system, each parameter of the safety condition is obtained based on the recommended value (fixed value), or the actual safety network system is evaluated based on the obtained parameter. However, depending on the usage environment, the number of transmissions may be one, or it may need to be increased. Also, the communication time is often shorter than the transmission interval. Therefore, the safety device monitors the number of transmissions and the communication time during actual communication, and stores these measured values (history information) inside. Thereby, when calculating | requiring an actual safety condition, the value according to the condition of the safety network system of the process target can be calculated | required by performing using the memorize | stored actual value. And specifically, it comprised as follows.

  (1) When a safety input device detects a dangerous state, the safety output device is a safety device used in a safety network system that stops a control target device based on a detection signal output from the safety input device, A measurement unit for measuring network parameters used in calculating safety conditions for executing the stopping process within a certain time, and a measurement value obtained by the measurement unit for each connection for specifying a communication partner device And a storage unit.

  (2) On the premise of the invention of (1), the safety device receives frames transmitted at a fixed transmission interval, and the measurement unit calculates the communication time of the received frame and It is good to comprise so that the frequency | count of transmission from an apparatus may be measured.

  (3) It is a safety device that receives frames transmitted at a fixed transmission interval and is used in a safety system in which fail safe works and the controlled device becomes safe and stops operating when safe operation cannot be guaranteed. A communication time calculation unit that calculates the communication time of the received frame, a communication time history information storage unit that stores the communication time obtained by the communication time calculation unit for each connection that identifies a communication partner device, Transmission number determination means for determining the number of transmission frames from the previously received frame, and transmission number history information for storing the number of transmission occurrences determined by the transmission number determination means for each connection Information related to the communication time stored in the communication time history information storage unit according to the received read request, and the transmission count history information storage unit It means for transmitting information about the number of occurrences of paid has been transmitted number, and configured with a. The above frame is a frame for transmitting I / O data, for example.

  (4) The transmission number determination means obtains a time difference between the transmission time of the frames from the time stamp added to the previously received frame and the time stamp added to the currently received frame, and sets the time difference and the set frame. It is preferable to have a function of determining the number of transmissions based on the transmission interval.

  (5) The communication time determining means obtains a difference between the transmission time of the frame specified by the time stamp added to the received frame and the reception time of receiving the frame, and determines the communication time of the frame received this time It can be calculated.

  (6) A function for clearing information on the communication time stored in the communication time history information storage unit and information on the number of occurrences of transmission stored in the transmission number history information storage unit in accordance with a clear request received via the network It is good to have.

  (7) The safety device according to any one of the above and a safety condition setting support device. The safety condition setting support device detects when a signal indicating a dangerous state is input from a connected device that outputs a signal indicating the dangerous state of the safety system by pressing an emergency stop switch or detecting the entry of a person. A safety input device that outputs a signal, and a safety output device that connects the control target device and stops the control target device based on the output of the detection signal of the safety input device. It is what you want. The safety input device is the safety device according to any one of (3) to (6), and the safety condition is a period from when the detection signal is output from the safety input device to when the control target device is stopped. In addition, it is a condition of a safety distance and / or a transmission interval of the safety device for preventing a person or a part of the body from entering the dangerous area of the control target device. Then, the safety condition setting support device issues a read request and stores information on the communication time stored in the communication time history information storage unit and information on the number of occurrences of transmission stored in the transmission number history information storage unit. An acquisition means for acquiring, an appropriate value determination means for determining an appropriate value of the communication time and the number of transmissions from the information acquired by the acquisition means, and a database for storing information on the internal processing time of the safety device constituting the safety system; , Acquiring at least one condition of the transmission interval and the desired safety distance, and based on the acquired condition, the appropriate value obtained by the appropriate value determining means, and the internal processing time stored in the database, And means for obtaining. As the appropriate value, one optimum value may be obtained, or a plurality of possible values may be obtained. When a plurality of values are obtained, the safety condition is obtained based on each appropriate value.

  (8) The safety condition setting support device includes an improvement method storage unit that stores an improvement method in a case where the obtained safety condition is inferior to the recommended safety condition obtained from parameters that are fixed in advance, and the obtained safety condition. When the comparison means by which the recommended safety conditions are compared and the comparison result by the comparison means is inferior in the safety conditions, the corresponding improvement method is extracted from the improvement method storage unit and the corresponding improvement method is displayed together with the comparison result. Means.

  According to the present invention, it is possible to obtain an optimum safety condition in accordance with a safety system (network system) that is actually used. Therefore, for example, even when a system change such as replacement of equipment or a change in installation layout occurs, it is possible to easily obtain the safety conditions suitable for the production facility, and whether or not the safety conditions can be changed. It can be obtained in a short time. Moreover, although it is an actual measurement value for obtaining safety, it is preferable to use history data stored in each safety device as it is so that safety conditions can be obtained immediately. In addition, when a function for clearing history information is provided as in the safety device of (6), the history information is accumulated after clearing, so that it is based on the communication time and transmission interval in the latest situation. More appropriate safety conditions. Note that the collection period of the communication time and transmission interval after clearing can be, for example, about one day.

  According to the present invention, since it is possible to obtain an optimum safety condition according to a network system actually used, it is possible to flexibly cope with a change in the system.

  FIG. 1 shows a preferred embodiment of the present invention. As shown in FIG. 1, the network 5 is connected to various safety network compatible devices such as the safety input device 6, the safety output device 7 and the safety PLC 8, and transmits and receives data between predetermined devices. The system is configured.

  In order to construct such a safety network system in an actually operable state, it is necessary to download various programs and parameters. In addition, in order to perform data communication between the safety PLC 8 and the safety slave (safety input device 6, safety output device 7), it is necessary to allocate the I / O of the safety slave to the memory of the safety PLC 8. The same applies to communication between safety I / O terminals. Then, the tool device 10 is used to create such a program, and the tool device 10 is connected to the network 5 and downloaded to a predetermined device, or a memory is allocated.

  First, the safety network system finally constructed by the processing object of the present invention will be briefly described. For example, sensing information detected by the safety input device 6 is transmitted to a predetermined safety PLC 8 via the network 5. The safety PLC 8 analyzes the acquired sensing information and sends a control command to the safety output device 7 to be operated based on the sensing result. When an abnormal situation occurs, the safety output device 7 is operated to the safe side. In some cases, a command may be sent directly from the safety input device 6 to the safety output device 7.

  At this time, in order to construct such a network system, not only each device is physically connected to the network, but also each I / O module number of each device is assigned to the memory (address) of the safety PLC 8 or the safety PLC 8 Therefore, it is necessary to perform programming processing such as creating a program for what kind of arithmetic processing is performed. Furthermore, in order to construct a safety network system, in addition to performing the above-described communication, it is necessary to make various settings for realizing a safety function. Furthermore, in relation to the present invention, the network system can no longer maintain a safe operation such as when an emergency stop switch is pressed or a sensor such as a light curtain detects the entry of a person (part of the body). In some cases, fail safe works, the system becomes safe, and the operation stops, but it is necessary to stop the operation within a certain time (before the person (part of the body) reaches the danger zone) It is necessary to calculate and set the internal processing time and safety distance in each device. These processes are performed by the tool device 10. Here, the safety distance refers to the distance from the safety input device to the control target device, that is, the distance from the detection position of the safety input device to the dangerous area.

  The tool device 10 includes a display unit 11 such as a monitor, an input unit 12 such as a keyboard, a mouse, and other pointing devices, a processing unit 13 that performs predetermined signal processing based on information provided from the input unit 12, and a network 5 And a communication interface unit 14 connected to the network. Further, the processing unit 13 has a function of displaying a result of processing according to information given via the input unit 12 on the display unit 11.

  As shown in FIG. 2, the processing unit 13 is connected to the display unit 11, a display unit interface 13 a that controls transmission / reception of data, and an input unit interface 13 b that is connected to the input unit 12 and controls transmission / reception of data, A component database 13d that stores information about an MPU 13c that actually executes arithmetic processing, a memory 13e that is used as a work memory when the MPU 13c executes arithmetic operations, and a safety device that is used when the MPU 13c obtains parameters such as a safety distance. And.

  In the component database 13d, information on components that can be directly or indirectly connected to a network such as each device, specifically, information on the internal processing time of each device is stored in association with each device. Of course, other information is also associated and registered.

  Also, as disclosed in Japanese Patent Laid-Open No. 2003-263202 (Patent Document 1), each safety device or the like that constructs a safety network system has a connection with a data transmission partner, and a connection is made for each connection. No. Since the connection information such as the data transmission direction, data size, communication method, and transmission interval is set, the connection information is stored and held in a predetermined storage means (memory 13e or the like).

  FIG. 3 shows the internal structure of the safety PLC 8. This safety PLC 8 is a building block type, and in the figure, two units of a CPU unit 20 and a communication unit 21 are shown. In addition, various units such as a power supply unit and an I / O unit are connected. Is done. Each unit is linked by an internal bus 8a, and I / O data and messages are transmitted and received through the internal bus 8a. In the case of the safety PLC 8, the internal bus 8a is also duplicated.

  The CPU unit 20 includes an MPU 20a, a RAM 20b, a nonvolatile memory 20c, a display unit 20e, a setting unit 20f, and a bus control unit 20h. The MPU 20a cyclically executes and executes a user program, and controls the devices constituting the safety network system. The RAM 20b functions as a work memory when the MPU 20a executes an operation and an IO memory that stores I / O data. Further, the RAM 20b stores a transmission count table for storing the actual transmission count, which will be described later, and a communication time table for storing the actual communication time. The nonvolatile memory 20c stores various setting data, user programs, and the like. The display unit 20e includes, for example, an operation state (communication state) such as an LED, a display lamp (alarm lamp) indicating abnormality / normality, and a display unit having a message display function using a liquid crystal panel or an EL panel. The setting unit 20f is a switch for setting an address. The bus control unit 20h is an interface (physical layer) for the internal bus 8a, and the MPU 20a transmits and receives data to and from a predetermined unit via the bus control unit 20h.

  The communication unit 21 includes an MPU 21a, a RAM 21b, a nonvolatile memory 21c, a display unit 21d, a setting unit 21e, a communication physical layer 21f, and a bus control unit 21g. The MPU 21a executes communication processing with the CPU unit 20 and communication processing with an external device. This communication process includes a predetermined I / O data transmission / reception process (including a transfer process), a process for a received message addressed to itself, and a response return process.

  The RAM 21b functions as a work memory used when the MPU 21a executes processing. In the present embodiment, the CPU unit 20 side has a table for storing measured values, but it may be stored in the RAM 21b or the like of the communication unit. The nonvolatile memory 21c stores various setting data and the like. The display unit 21d is, for example, an operation state (communication state) such as an LED or a display lamp (alarm lamp) indicating abnormality / normality. The setting unit 21e is a switch for setting an address. The communication physical layer 21f is a physical layer corresponding to the communication protocol of the connected network, and is also referred to as a communication interface. The bus control unit 21g is an interface (physical layer) for the internal bus 8a, and the MPU 21a transmits / receives data to / from a predetermined unit via the bus control unit 21g.

  The safety PLC 8 is on either the I / O data transmission side or the reception side. In the case of the transmission side, the communication unit 21 (MPU 21a) adds a time stamp including the current time information in the packet when transmitting (generating) the frame according to an internal clock (not shown). The transmitting side and the receiving side periodically synchronize the internal clock.

  FIG. 4 is a block diagram showing the internal structure of the safety device 22. The safety device 22 is the safety input device 6 or the safety output device 7. The safety device 22 includes an MPU 22a, a RAM 22b, a nonvolatile memory 22c, a display unit 22d, a setting unit 22e, a communication physical layer 22f, and an I / O drive circuit 22g. The MPU 22a receives a message acquired via the network 5, executes a predetermined process, generates and returns a response, and executes control on the connected I / O device. In other words, if the safety input device 6 controls this I / O device, the I / O data (IN data) of the connected input device is acquired, and the safety PLC 8 and the safety that are connected at a predetermined timing It is to be sent to the output device 7. If it is the safety output device 7, the I / O data (OUT data) sent from the safety PLC 8 or the safety output device 7 is acquired, and the connected output device is operated. It is to let you. When the safety device 22 is the safety input device 6 on the I / O data transmission side, the MPU 22a includes the current time information in the packet when transmitting (generating) the frame according to an internal clock (not shown). Add a time stamp.

  The RAM 22b functions as a work memory used when the MPU 22a executes processing. When the safety device 22 is the safety output device 7 on the I / O data receiving side, the RAM 22b stores a transmission count table for storing the actual transmission count described later, and a communication time for storing the actual communication time. A table is stored. The nonvolatile memory 22c stores various setting data. The display unit 22d is, for example, an operation state (communication state) such as an LED or a display lamp (alarm lamp) indicating abnormality / normality. The setting unit 22e is a switch for setting an address. The communication physical layer 22f is a physical layer corresponding to the communication protocol of the connected network 5, and is also referred to as a communication interface, and transmits / receives I / O data, various messages, and the like to / from the master communication unit 21. . The I / O drive circuit 22g is connected to an external I / O device such as an input device or an output device, and transmits / receives I / O data. Assuming that the I / O device takes a binary value of ON / OFF, in the case of an output device, the I / O drive circuit 22g controls ON / OFF of the operation of the output device according to an instruction from the MPU 22a. . When the I / O device is an input device, the I / O drive circuit 22g has a function of transmitting the state of the I / O device to the MPU 22a. It is also possible to control the operation of the output device by providing an open / close switch in the electric circuit and opening / closing the open / close switch.

  The safety PLC 8 and the safety device 22 (safety output device 7) on the receiving side have a function of detecting the number of transmissions of received data and the communication time. Each of these detecting functions uses a time stamp included in the packet in this embodiment. In other words, as described above, the safety device on the transmission side (safety input device 6) and the safety PLC 8 (communication unit 21) add a time stamp in the packet when transmitting the frame. (Including the PLC) obtains the time of the difference when the frame is received from the internal clock and calculates the communication time of the frame by obtaining the difference from the time of the time stamp added in the packet. The communication time calculation process is performed by the communication time calculation unit 25 set in the MPU 22 a in the case of the safety device 22. In the case of the safety PLC 8, the communication unit 21 (MPU 21a) obtains the communication time and transmits the result to the CPU unit 20. The communication time may be calculated on the CPU unit 20 side.

  As for the communication time calculated in this way, a communication time table 26 is created for each connection, and is stored and held in the RAMs 20a and 22b. As shown in FIG. 5, in this embodiment, the communication time is divided into a plurality of areas (in the figure, 10 [ms] intervals), the measured actual communication time is distributed to each area, and data transmission belonging to each area is transmitted. The number of times is stored and held. Therefore, the data structure of the communication time table 26 is obtained by associating the connection No. with the number of occurrences of each area.

  The number of transmissions is detected as follows. That is, as shown in FIG. 6, frames are periodically transmitted from the transmission side at a set transmission interval T. A time stamp (TS) is added to this frame. Then, if the time stamp of the frame transmitted n times is TSn, the difference (TSn−TS (n−1)) from the time stamp TS (n−1) of the previously transmitted frame (n−1) is , The transmission interval T. TSn is specific time information.

  In addition, CIP Safety, which is a communication protocol for safety network (safety), does not have a specification that can receive a response from the receiving side for each communication. Therefore, the transmitting side transmits the latest data (I / O data) at the set transmission interval regardless of whether or not the transmitted frame has reached the party that established the connection. ing.

  Here, as shown in FIG. 6, it is assumed that the fourth, sixth and seventh transmission frames do not reach the receiving side for some reason. As described above, the transmitting side transmits the latest data regardless of whether or not the transmitted frame has arrived at the receiving side, so whether it is the first transmission in the transmission frame or the retransmission (m-th) It is not possible to add information that distinguishes between transmissions. Therefore, the frame received at the fourth time on the receiving side is actually the frame transmitted at the fifth time on the transmitting side. However, if the received frame itself is analyzed, it is determined whether it is the fourth transmission frame. Transmission frame cannot be identified. Therefore, in the present embodiment, the time stamp added to the previously received frame is stored and held on the receiving side, and the number of transmissions is specified from the difference from the time stamp added to the currently received frame. did.

  That is, in the example shown in FIG. 5, the time stamp of the fourth frame received on the receiving side is TS5. When the difference from the time stamp TS3 of the previously received frame is obtained, the calculation result is doubled. Is a value that approximates the transmission interval (2T) (which is sufficiently longer than the transmission interval T). Accordingly, in this case, since it can be estimated that one frame has been transmitted from the previous reception to the current reception, the number of transmissions until the reception side can receive the frame is two.

  Similarly, the time stamp of the fifth frame received on the receiving side is TS8. When the difference from the time stamp TS5 of the previously received frame is obtained, the calculation result is twice the transmission interval (3T). (Which is sufficiently longer than the transmission interval T). Therefore, in this case, since it can be estimated that two frames have been transmitted from the previous reception to the current reception, the number of transmissions until the reception side can receive the frame is three.

  In order to perform such processing, a previous time stamp storage unit for storing the time stamp of the frame received last time (previous time stamp) is set in the RAMs 22b and 20b on the receiving side. Since the management of the number of transmissions is performed for each connection, a plurality of previous time stamp storage units are prepared according to the number of connections when a plurality of connections are held like the safety PLC 8.

  The receiving device includes a transmission number determination unit 27 that determines how many times a received frame is a transmission frame from a previously received frame. Every time a frame is received, the transmission count determination unit 27 obtains a transmission interval by using the time stamp of the previously received frame in the connection. Then, the transmission count determination unit 27 creates a transmission count table 28 that summarizes the determined transmission count for each connection, and stores and stores them in the RAMs 20a and 22b. Actually, since the obtained difference value of the time stamp does not always coincide with a multiple of the transmission interval T, a certain margin is provided, and the difference value is a certain time range with respect to N times the transmission interval. If it is within the range, the number of transmissions may be set to N times. As shown in FIG. 7, the transmission number table 28 associates the connection No. with the number of occurrences of the transmission number. In addition, when the number of transmissions is large, it can be said that the specific number of times does not matter so much (in the first place, the number of times of transmission itself is a problem). The number of occurrences may be managed.

  FIG. 8 is a flowchart showing the reception processing function in the safety device 22. The same reception process is performed in the safety PLC 8. First, when a frame is received, the MPU 22a determines whether data is received (S1). In the case of data reception, that is, I / O data, the branch determination is Yes, the process jumps to the processing step S2, and the MPU 22a performs a transmission number determination process (S2). That is, the connection No is identified from the transmission source information of the received data, the corresponding previous reception time stamp is read from the previous time stamp storage unit, and the current time stamp added to the received frame is extracted. The number of transmissions is determined from the time difference.

  The MPU 22a updates the transmission count table according to the determined transmission count (S3). That is, the number of times stored in the area of the number of times of transmission of the corresponding connection No is incremented by “1”.

  Next, the MPU 22a calculates the communication time by obtaining the difference between the current time stamp and the current time (reception time) (S4). Then, the MPU 22a determines which region the calculated communication time belongs to.

  The MPU 22a updates the communication time table according to the area to which the determined communication time belongs (S5). That is, the number of times stored in the area of the communication time area of the corresponding connection No is incremented by “1”. In this embodiment, the determination of the number of transmissions and the table update are performed first, but the determination of the communication time and the table update may be performed first.

  On the other hand, if the received frame is other than data, the branch determination in process step 1 is No, so the process proceeds to process step 6 and the MPU 22a determines whether the message is a “transmission count table read request” message (S6). In the case of the request, the MPU 22a reads the corresponding transmission count table (S7), and transmits the content of the read transmission count table as a normal response (S8).

  If the received frame message is not a “transmission count table read request”, the MPU 22a determines whether it is a “communication time table read request” (S9). In the case of the request, the MPU 22a reads the corresponding communication time table (S10), and transmits the content of the read communication time table as a normal response (S11).

  Further, when the received frame message is not “communication time table read request”, the MPU 22a determines whether it is a “table clear request” (S12). In the case of the request, the MPU 22a clears the data stored in the transmission time number table and the communication time table (S13, S14). This table to be cleared is all connections. Thereby, in this embodiment, if the clear command concerned is received, all the tables will be cleared collectively. Of course, the table clear request may be issued together with the connection information (connection No), and the table may be cleared only for the relevant connection or connections. When the MPU 22a clears the table, it sends a completion notification as a normal response (S15).

  When data is received after this clearing process, the transmission number table and the communication time table are updated by executing the processing steps S2 to S5. Therefore, when a table clear request is received, information on communication time and transmission interval based on actual communication performed after the request is cleared can be collected. If the received frame message is not a “table clear request”, the MPU 22a transmits an error response (S16).

  The tool device 10, which is a safety condition setting support device, reads information about the network system from the storage means such as the parts database 13d and the like, and sets a condition for configuring a safety network from parameters that are fixed inside, A function for obtaining a condition for configuring a safety network taking into account the actual network status based on the actual values stored in the transmission frequency table and the communication time table managed by the above-described safety device on the receiving side, Have.

  Specifically, the tool device 10 has a function of processing according to a flowchart shown in FIG. As a premise, the tool device 10 creates and stores connection information such as connection information and actual component placement / connection / communication parameters in advance, and reads the stored information as necessary. Various conditions that satisfy the requirements of the safety network are set. This is also the same as in Patent Document 1.

  When the MPU 13c is instructed via the input unit 12 in the safety condition setting mode (S21), the connection information stored in the memory 13e is read (S22), and the current connection information is visually displayed on the display unit 11 based on the connection information (S22). Visually display. That is, the mark of each element is displayed at a predetermined position, and a line connecting each mark is displayed (S23). Next, when it is desired to replace an object to be edited, for example, a device, a corresponding device is selected, and when a communication parameter is to be changed, a line is selected (S24). Based on this, properties, that is, communication parameters and the like are displayed, and the display allows the data input mode (S25). As an example, it is displayed in the work area 11b of the display unit 11 as shown in FIG. In this example, since data such as communication parameters has already been input and stored in the memory 13e or the like as a premise, the stored set information is read and displayed for the communication method, transmission interval, and the like. Although not displayed on the screen, at least the internal processing time information (stored in the parts database 13d) of the target device is also read at this time.

  The user operates the input unit 12 and re-inputs data as necessary (S26). That is, on the input screen displayed in FIG. 10A, for example, a data input area to be corrected such as a transmission interval is selected, and a specific numerical value or the like is input.

  Next, it waits for an input from the input unit 12, and determines whether or not the user specifies a safe distance (S27). Specifically, input switch areas such as “safe distance input” and “condition calculation / judgment” are provided on the display screen, and when “safe distance input” is selected, input of the safe distance is specified. The safety distance input screen is displayed, and the input from the input unit 12 is waited for. The safety distance input here is the distance to the dangerous position and the detection position of the safety input device that the user is trying to take at the actual site.

  In this example, the safety distance is input. In this example, after the branch determination in step S27, when the safety distance is designated, a separate safety distance input screen is displayed. At the time of display, as shown in FIG. 10 (b), an area for inputting the safety distance is also displayed together, and a predetermined button (calculation start, etc.) is selected without entering specific data in this safety distance. If it is detected, it can be determined that the safety distance is not input.

  If the safety distance is input (S28), the process proceeds to step S29, where the tool device 10 issues a predetermined table read request to the target device, receives the response from the target device, The communication time and the number of transmissions are acquired (S29). Based on the connection information, the tool device 10 determines the device to be processed (receiving device) and the connection number related thereto. Based on that, issue a message over the network.

  The tool device 10 determines a parameter value (number of transmissions, communication time) for setting safety conditions based on the acquired actual measurement value (S30). The communication time is determined by using the upper limit value of the maximum area of the actually measured values among the communication times acquired from the communication time table as a parameter. For example, in the case shown in FIG. 11, since the communication time is 40 [ms] or more and less than 50 [ms] is 50, and there is no communication of 50 [ms] or more, the maximum 50 [ms] is set as the communication time. In addition, since the method of dividing the region is set to the lower limit value or more and less than the upper limit value, if the actual measurement value is 50 [ms], it belongs to the region of 50 [ms] or more and less than 60 [ms]. The parameter value for setting the safety condition related to the communication time is 60 [ms]. By doing in this way, even if measurement error (tolerance) etc. are considered, a safe condition can be calculated | required more reliably. Of course, the region may be larger than the lower limit value and less than or equal to the upper limit value, and the parameter value for setting the safety condition when the measured value is 50 [ms] may be 50 [ms].

  Since the determination of the communication time is made the upper limit of the region to which the longest communication time (actual measurement value) belongs, for example, in the example shown in FIG. 11, the actual measurement value belonging to the region of 50 [ms] or more and less than 60 [ms] In the present embodiment, the parameter value for setting the safety condition is 70 [ms] when there are one or several actual measurement values belonging to the region of 60 [ms] or more and less than 70 [ms] at 0 times. This is because the effect of the load is greater than the effect of noise etc. on the communication time, and if a phenomenon that takes a long communication time during normal driving operation occurs, the safety network This means that a load is temporarily applied and the communication time may be prolonged in the system, and it is necessary to ensure safety even in such a state. In any case, since the communication time is defined using the transmission interval in the conventional determination of the safety parameter based on the fixed value, it is shorter than that.

  On the other hand, the number of transmissions is determined by comprehensively judging from the state of actual measurement values. Specifically, as shown in FIG. 11, if the number of transmissions is 1 for all data communications, the parameter value for setting the safety condition for the number of transmissions in that case is 1 time. In the example shown in FIG. 11, when the number of times of transmission = 2 times is not 0 although the number of times of occurrence is small, such as several times, the parameter of the number of times of transmission is both 1 time and 2 times, A safety parameter is obtained based on each. Further, when the number of times of transmission = 2 times occurs relatively frequently, the parameter of the number of times of transmission is set to 2 times. If a transmission occurs three times or more, it does not satisfy the rule of two times or less, and this is displayed.

  Whether the number of occurrences is small or not is determined by setting a fixed threshold value as an absolute value, for example, 10 times or less, or the number of transmissions is 10% or less of the number of occurrences of 1 time. Can set different standards. In any case, the above numerical values are examples and can be changed as appropriate. If the fixed and relative threshold values are exceeded, the number of occurrences is assumed to be large.

  Using the parameter values obtained as described above, the total processing time, the required safety distance, and the like are calculated, and the calculation results are displayed (S31). In the calculation processing in step S31, when both the safety distance and the transmission interval are given, it is determined whether or not the requirements as the safety network are satisfied under the conditions. When either one is not input, a condition necessary for satisfying the requirements as a safety network is obtained.

  Specifically, for example, regarding communication between the devices A and B with which the connection is established, information on input parameters (communication conditions) and internal processing times in the devices A and B stored in the component database are shown in FIG. It is assumed that it is as shown in.

  First, in CIP Safety, communication delay (network delay time) is calculated using the following formula.

Maximum network delay time = transmission interval * transmission count + 2 * communication time Therefore, when substituting transmission interval = 200 ms, transmission count = 1 time and communication time = 50 ms determined based on the actual measurement value into the above formula, The delay time is 300 ms. If the internal processing times in the devices A and B are acquired from the database, the total processing time is 1000 ms. Further, when the walking speed of the worker set as the initial condition is 1 m / sec, the safety distance is 1 m or more. The walking speed can be arbitrarily set / changed, and information on the walking speed is also stored in the component database or other storage means. Further, since this walking speed is an assumed walking speed that is not an actual walking speed, it can also be referred to as an assumed walking speed. In addition, the approach to the dangerous area is not limited to walking, for example, it occurs with the movement of a part of the body such as inserting a hand, or it moves with a vehicle or other moving means to approach it. The following embodiments are possible. Accordingly, the walking speed (assumed walking speed) is not limited, and a moving speed (assumed moving speed) according to the place (around the dangerous area) may be set. Depending on the location, the walking speed may be appropriate, or the movement speed of a part of the body such as the arm or upper body may be appropriate. For example, speed information (walking speed / (Moving speed) may be stored, and the safe distance may be calculated using that.

  On the other hand, the calculation of the safety distance using a fixed value is recommended by the specification that CIP Safety uses the transmission frequency as the default and the transmission interval as the communication time by default. Then, in the above case, the network delay time calculated based on the fixed value (recommended value) is 800 ms, and the safety distance is required to be 1.5 m or more. Therefore, in this case, in the safety network installed in the actual production facility, it is only necessary to secure a safety distance of 1 m, so the degree of freedom of layout in a state where the safety conditions are satisfied is increased.

  And the result calculated | required in this way is displayed on a display part (S32). In this display, only the result based on the actual measurement value may be displayed in a table format or the like, or the result based on the fixed value (recommended value) may be displayed together as shown in FIG. good.

  And it is judged whether what satisfy | filled the request | requirement as a safety network was obtained (S33). This determination is made in response to an input from the user. By executing the processing step S32, the user who sees the displayed result knows that the safety distance in the actual safety network system in the previously set communication conditions is 1 m or more. (In the case of layout change, whether or not 1 m or more can be secured) is determined. If it can be determined, the determination in step S33 satisfies the requirements.

  If it is determined that the request is satisfied, the safety conditions / parameters determined as necessary are downloaded to the corresponding devices, and the process is terminated (S34).

  If a distance of 1 m cannot be secured at the actual site (No in S33), the process returns to processing step S24, re-inputs the conditions, and executes the calculation again. At this time, as a condition for re-inputting, the transmission interval may be shortened, or conversely, a distance that can be actually taken is input as a safe distance, and a transmission interval that is not input and satisfies the requirements of the safety network. The interval can also be determined. When the transmission interval is changed, it is necessary to reflect the change on the actual network. Therefore, the execution process of step S34 is performed, and the changed condition is downloaded.

  In the above example, the calculation of the safety distance based on the transmission interval and the communication time based on the actual measurement value and the number of transmissions has been described. However, both the transmission interval and the safety distance are input to determine whether the installation conditions are appropriate. You can also. In this case, a safety distance (required safety distance) in the safety network system is calculated based on the transmission interval, the communication time based on the actual measurement value, and the number of transmissions, and the calculation result is compared with the input safety distance to obtain The required safety distance is compared with the input safety distance to determine whether the requirement is satisfied. That is, “OK” is obtained when the safety distance is longer, and “NG” is obtained when the safety distance is shorter.

  In this embodiment, both the function of determining the safety parameter (safety condition) based on the recommended value and the function of determining the safety parameter (safety condition) based on the actually measured value are provided. However, the safety parameter is determined based on the actually measured value. Only the desired function may be used. On the contrary, by providing both functions as in the present embodiment, the parameter value determined based on the actual measurement value is compared with the value determined based on the default (recommended value). It is desirable to provide a function for notifying the user of an item considered as a cause and an improvement method.

  As an inferior example, there is a case where, for example, the safety distance is increased, the transmission interval necessary for setting the safety distance to a value desired by the user is shortened, or the number of transmissions is 3 or more. These causes are that the communication cable is longer than specified, there is a connection failure of the connector part, or an environment where a lot of noise occurs, and the causal relationship is associated in advance. In addition, there are some methods for improving the cause, such as “Check the cable length” and “Is the connector securely attached”? Therefore, the tool device 10 stores in the database data that associates the inferior item with the cause and the improvement method based on the causal relationship, and the parameter value determined based on the actual measurement value is inferior. Can be realized by extracting the relevant information from the database and displaying the results (items and parameter values) along with the improvement method and the like previously stored inside.

  Moreover, although the above-mentioned example demonstrated the case where safety conditions, such as a safe distance and the transmission interval about the case of transmitting / receiving data between two apparatuses, were calculated | required, this invention is not limited to these. That is, in the case of a system configuration in which a detection signal indicating an abnormal state output from the safety input device 6 is directly sent to the safety output device 7 and the control target device connected to the safety output device 7 is stopped. The safety conditions suitable for the actual situation can be obtained by the apparatus / system of the above embodiment.

  On the other hand, the detection signal output from the safety input device 6 is once sent to the safety PLC 8, and after a predetermined calculation process is executed by the safety PLC 8, a stop signal is sent to the safety output device 7, In a configuration in which the output device 7 stops the connected control target device, the safety condition can be obtained as follows. That is, the history information of the communication time and the transmission interval of the actual measurement value regarding the connection from the safety input device 6 to the safety PLC 8 is stored in each table provided in the safety PLC 8, and is sent from the safety PLC 8 to the safety output device 7. The actual communication time and transmission interval history information for the connection is stored in each table provided in the safety output device 7. Therefore, the tool device 10 issues a table read request to the safety PLC 8 and the safety output device 7, and communication between the devices (safety input device 6 -safety PLC 8, safety PLC 8 -safety output device 7). Get history information of time and transmission interval. Therefore, the communication time is obtained by adding the maximum communication times between the devices. As the transmission interval, an appropriate value of the transmission interval between the respective devices is obtained, and the worst one is determined as the transmission interval based on the actually measured value.

  Based on the communication time and the appropriate value of the transmission interval obtained in this way, the internal processing time of each device (safety output device 6, safety PLC 8, safety output device 7), and the transmission interval, the detection signal from the safety input device 6 is detected. Is output and the total time from when the stop command is transmitted to the safety output device 7 is obtained, and based on this, the safety distance can be calculated.

  Even when four or more devices are transmitted, the necessary conditions can be obtained in the same manner as described above, and the safety condition can be obtained by adding them.

  The above-described embodiment has been described on the assumption that it is incorporated in the tool device. However, the above-described embodiment is a program for causing a computer to execute each of the above-described processes (for example, a process for executing the flowcharts illustrated in the drawings). The program may be provided by being recorded on a predetermined recording medium.

1 is a diagram illustrating an example of a system configuration to which an embodiment of the present invention is applied. It is a block diagram which shows one form of a tool apparatus. It is a block diagram which shows the internal structure of safety PLC. It is a block diagram which shows the internal structure of a safety device. It is a figure which shows an example of the data structure of a communication time table. It is a figure explaining the function which calculates | requires the frequency | count of transmission. It is a figure which shows an example of the data structure of a transmission frequency table. It is a flowchart which shows the reception function of a safety device. It is a flowchart which shows the function of the tool apparatus which is a safety condition setting assistance apparatus. It is a figure which shows an example of an input and a display screen. It is a figure explaining an effect | action. It is a figure explaining an effect | action.

Explanation of symbols

6 Safety input device 7 Safety output device 8 Safety PLC
DESCRIPTION OF SYMBOLS 10 Tool apparatus 11 Display part 12 Input part 13 Processing part 13a Display part interface 13b Input part interface 13c MPU
13d Component database 13e Memory 14 Communication interface unit 20 CPU unit 20a MPU
20b RAM
20c Non-volatile memory 21 Communication unit 21a MPU
21b RAM
21c Non-volatile memory 22 Safety device 22a MPU
22b RAM
22c Non-volatile memory 25 Communication time calculation unit 26 Communication time table (communication time history information storage unit)
27 Transmission interval determination unit 28 Transmission interval table (transmission count history information storage unit)

Claims (8)

When a safety input device detects a dangerous state, the safety output device is a safety device used in a safety network system in which a control target device is stopped based on a detection signal output from the safety input device,
A measurement unit for measuring a network parameter, which is used in calculating a safety condition for executing the processing to be stopped within a predetermined time;
A storage unit that stores a measurement value obtained by the measurement unit for each connection that identifies a device of a communication partner;
Safety equipment characterized by comprising The safety device receives frames transmitted at a constant transmission interval,
The safety device according to claim 1, wherein the measurement unit calculates a communication time of a received frame and measures the number of transmissions from a communication partner device. A safety device that receives frames that are transmitted at a fixed transmission interval and is used in a safety system in which fail safe works when the safe operation cannot be guaranteed and the controlled device becomes safe and stops operating.
A communication time calculation unit for calculating the communication time of the received frame;
A communication time history information storage unit that stores the communication time obtained by the communication time calculation unit for each connection that identifies a communication partner device;
A number-of-transmissions determination unit that determines how many times the received frame is from the last received frame;
A transmission frequency history information storage unit for storing the number of transmissions determined by the transmission frequency determination unit for each connection;
Means for transmitting the information related to the communication time stored in the communication time history information storage unit and the information related to the number of occurrences of transmission stored in the transmission number history information storage unit in response to the received read request;
Safety equipment characterized by comprising   The transmission number determination means obtains a time difference in which both frames were transmitted from a time stamp added to the previously received frame and a time stamp added to the currently received frame, and transmits the time difference and the set frame transmission. The safety device according to claim 3, wherein the number of transmissions is determined based on the interval.   The communication time determination means obtains the difference between the transmission time of the frame specified by the time stamp added to the received frame and the reception time of reception of the frame, and calculates the communication time of the currently received frame. The safety device according to claim 3 or 4, wherein the safety device is a thing.   In accordance with a clear request received via the network, a function of clearing information on the communication time stored in the communication time history information storage unit and information on the number of occurrences of transmission stored in the transmission number history information storage unit The safety device according to any one of claims 3 to 5, wherein the safety device is provided. A safety device according to any one of claims 3 to 6, and a safety condition setting support device,
The safety condition setting support device connects a device that outputs a signal indicating a dangerous state of the safety system by pressing an emergency stop switch or detecting the entry of a person, and when a signal indicating the dangerous state is input from the device. A safety input device that outputs a detection signal, and a safety output device that connects the control target device and stops the control target device based on the output of the detection signal of the safety input device. Is a safety requirement,
The safety input device is the safety device according to any one of claims 1 to 4,
The safety condition is that the person or part of the body does not enter the danger area of the control target device after the detection signal is output from the safety input device until the control target device is stopped. The safety distance and / or the transmission interval of the safety device,
The safety condition setting support device includes:
Obtaining means for issuing the read request and acquiring information on the communication time stored in the communication time history information storage unit and information on the number of occurrences of transmission stored in the transmission number history information storage unit;
From the information acquired by the acquisition means, appropriate value determination means for determining an appropriate value of the communication time and the number of transmissions,
A database for storing information on internal processing times of safety devices constituting the safety system;
Acquire at least one condition of a transmission interval and a desired safety distance, based on the acquired condition, the appropriate value obtained by the appropriate value determining means, and the internal processing time stored in the database, Means to determine safety conditions;
A safety condition setting support system characterized by comprising: The safety condition setting support device has an improvement method storage unit that stores an improvement method when the obtained safety condition is inferior to a recommended safety condition obtained from a parameter that is fixed internally in advance.
Comparison means for comparing the determined safety condition with the recommended safety condition;
When the comparison result by the comparison means is inferior in the safety condition, means for extracting the corresponding improvement method from the improvement method storage unit and displaying the corresponding improvement method together with the comparison result;
The safety condition setting support system according to claim 7, further comprising:

Images