JP2012150618A - Safety control system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a safety control system that, in a control device using plural arithmetic devices, always detects defect factors such as noise or failure during operation, has flexibility for noise, and can secure safety while suppressing deterioration of an operation rate.SOLUTION: A function for detecting defect factors such as noise or failure is imparted to arithmetic devices 31 and 41, monitoring means 37 and 47 are notified of an abnormal state when a failure factor is detected to perform monitoring control, and thereby electromagnetic noise having possibility to flow into the arithmetic devices 31 and 41 or a signal having possibility to cause a safety risk due to irregularity generated by device failure such as short circuit or wire disconnection is detected, so that defect factors such as noise or failure are always detected during operation.

Description

  The present invention relates to a safety control system that has a safety monitoring function of a controlled device such as a power converter and controls the controlled device based on a control signal given via a network.

  2. Description of the Related Art Conventionally, power converters used in factories and various industrial devices are used by being indirectly or directly connected to various related devices via networks, power supply lines, and the like. Moreover, equipment (controlled device) such as a motor (electric motor) is used for the load of the power converter, and functional safety is required so that humans do not enter or get involved.

  For this reason, in accordance with the functional safety standards represented by the IEC61508 series, in addition to diagnostic and monitoring functions, functions to shift the controlled device to a safe state such as safe stop and safe deceleration based on signals from external sensors, etc. Is defined.

  In addition, for this functional safety, the concept of EMC functional safety taking into account the risk caused when external noise is added has recently been proposed as a standard.

  Therefore, as such a safety function, a “safety bus” is used to give control signals and safety signals from an external controller to the power converter of the safety control system, and to mix the safety signals with the control signals and put them on the industrial network. Has been proposed (for example, see Patent Document 1).

  In order to improve reliability, there is also known a system that employs a duplex information system, outputs an interrupt signal as a trigger in the event of a failure, and operates the other system (for example, Patent Document 2). reference).

JP 2006-178730 A JP 2006-209624 A

  By the way, when taking countermeasures against electromagnetic noise as functional safety, it is necessary to examine from many aspects. In particular, in power converters, runaway or malfunction of the controlled device is estimated as a problem that occurs when strong electromagnetic noise is superimposed on some signal of the control device. Measures against electromagnetic noise are required. In addition, when implementing a functional safety-compliant power converter, the control device often includes a plurality of arithmetic devices, so the function when a control signal or the like overlaid with strong electromagnetic noise flows Safety measures are essential. Furthermore, there are cases where uniform safety measures cannot be taken depending on the configuration or purpose of the device on which the controlled device is mounted or the entire device.

  For example, even if it is a device or device equipped with an electric motor as a controlled device, it may stop immediately when noise is detected (escalator, large machine tool, belt conveyor, etc.), after a predetermined time or after deceleration There are things (elevators, electric cars, etc.) that should be stopped.

  However, in each of the cited references described above, the actual situation is that no specific countermeasure is taken against malfunctions and the like caused by such noise.

  Therefore, the present invention is a control device using a plurality of arithmetic devices, and always detects a failure factor such as noise or failure during operation, and also gives flexibility to noise, thereby reducing the operating rate. It aims at providing the safety control system which can ensure safety | security, suppressing.

  A safety control system according to the present invention includes a control device that outputs a control signal to a power converter, and a safety device that includes an operation unit that outputs a stop command to the power converter and other fail-safe processing. The arithmetic means inputs an external interrupt signal, and when the waveform of the interrupt signal includes an abnormal signal assumed to be noise or a device failure, based on the operating frequency or carrier frequency of the power converter An abnormality type of noise or device failure is determined based on a predetermined threshold, and an input means for outputting an abnormality notification together with the abnormality type to the outside upon detection of an abnormality signal; upon receiving the abnormality notification, And a monitoring means for executing a corresponding fail-safe process.

  According to the safety control system of the present invention, the calculation means is provided with a malfunction factor detection function such as noise and device failure, and the abnormality function is transmitted to the monitoring means when the failure factor is detected, thereby realizing the safety function. It can detect electromagnetic noise that can flow into the device, and signals that can cause risk of failure due to device failure such as short circuit or wire breakage, and can operate failure factors such as noise and device failure. A safety control system capable of ensuring safety while always detecting the inside and giving flexibility to noise while suppressing a decrease in operating rate.

  Further, the calculation means of the safety control system according to the present invention includes a plurality of the input means, and an abnormality determination matrix table that defines fail-safe processing to be executed based on a combination of abnormality types for each input means. The monitoring unit executes fail-safe processing selected based on the abnormality determination matrix when receiving an abnormality notification from any of the plurality of input units.

  In the present invention, the abnormality determination matrix table identifies the combination failure factors of a plurality of input signals, so that it is possible to determine the abnormality with high accuracy.

  Furthermore, the safety device of the safety control system according to the present invention includes a plurality of the calculation units, and each calculation unit includes a counter variable that stores the number of times of abnormality detection for each input unit one by one, The arithmetic means exchanges the value of the counter variable connected by the mutual communication means and stored in the monitoring means, and executes fail-safe processing using the predetermined threshold and the value of the counter variable exchanged. It is characterized by.

  According to the present invention, the abnormality detection states of a plurality of arithmetic devices can be mutually confirmed and used, and the reliability of abnormality detection can be further improved.

  The safety control system of the present invention can always detect a failure factor such as noise or a device failure during operation, and has flexibility against noise, thereby ensuring safety while suppressing a decrease in operating rate. .

1 shows a safety control system according to an embodiment of the present invention and is a configuration diagram of a peripheral device. 1 is a schematic configuration diagram of a safety device, showing a safety control system according to an embodiment of the present invention. It is explanatory drawing of the relationship between the timing synchronous signal waveform by each embodiment of this invention, each signal name in a negative logic, and a time name. It is explanatory drawing of the timing synchronous signal waveform by embodiment of this invention, and the example of an error factor. It is a functional block diagram of CPU32,42 which the arithmetic units 31,41 by embodiment of this invention have. It is an operation | movement flowchart at the time of signal fall of the input means of the safety control system which concerns on embodiment of this invention, and regulation ON time progress. It is an operation | movement flowchart at the time of the signal rise of the input means of the safety control system which concerns on embodiment of this invention. It is a block diagram of the principal part of a safety control system, showing the safety control system concerning a 2nd embodiment of the present invention. It is an operation | movement flowchart of the safety control system which concerns on the 2nd Embodiment of this invention. It is explanatory drawing of the terminal abnormality classification of the safety control system which concerns on embodiment of this invention. FIG. 10 is an operation flowchart of the abnormality type determination process in FIG. 9. FIG. 10 is an operation flowchart of the fail safe process of FIG. 9. It is a data structural example of the abnormality determination matrix table of the safety control system which concerns on embodiment of this invention. The safety control system which concerns on the 2nd Embodiment of this invention is shown, (A) is explanatory drawing of the planar direction at the time of applying the dummy terminal for abnormality detection, (B) is the case where the dummy terminal for abnormality detection is applied It is explanatory drawing of the side surface direction. It is a block diagram of the principal part of the safety control system which concerns on the 3rd Embodiment of this invention. It is an operation | movement flowchart of the abnormal terminal counter threshold value determination process of the safety control system which concerns on the 3rd Embodiment of this invention.

[First Embodiment]
Next, a safety control system according to an embodiment of the present invention will be described with reference to the drawings. The following embodiment is a preferred specific example in the safety control system of the present invention, and may have various technically preferred limitations. However, the technical scope of the present invention is not limited to the present invention. As long as there is no description which limits, it is not limited to these aspects. In addition, the constituent elements in the embodiments shown below can be appropriately replaced with existing constituent elements and the like, and various variations including combinations with other existing constituent elements are possible. Therefore, the description of the embodiment described below does not limit the contents of the invention described in the claims.

(overall structure)
FIG. 1 is a configuration diagram of a safety control system and peripheral devices according to an embodiment of the present invention. In this figure, the safety control system 1 is connected to an external controller 2 via a network 3. The external controller 2 performs monitoring by transmitting a control function and a command signal related to the safety function to the safety control system 1 and receiving monitoring data from the safety control system 1. On the other hand, the safety control system 1 monitors and controls the electric motor 4 that is a control target based on a command signal sent from the external controller 2.

  The safety control system 1 includes a communication device 10 that communicates with the external controller 2 via the network 3, a control device 20 that outputs a control command (control signal) based on a command signal sent from the external controller 2, and a control device. CPU which monitors the presence or absence of abnormality of the power converter 60, the power converter 60 and the control device 20 that drive the electric motor 4 by the control signal output from 20, and outputs a safety command such as a stop command to the power converter 60 The safety device 30 is duplicated. The communication device 10, the control device 20, and the safety device 30 are connected by connection means such as cables and connectors that can be separated and connected. Each device of the safety control system 1 may be realized by a unit configuration or a substrate configuration.

  The functional outline of each device constituting the safety control system 1 will be described. First, the control device 20 separates the communication data of the external controller 2 passed from the communication device 10 into control data and safety data. When the control data is received, the voltage, current, frequency, and the like of the power converter 60 are determined based on the control data, and a control signal is generated and output to the power converter 60. The power converter 60 supplies or stops power for operating the electric motor 4 according to a control command from the control device 20 or a stop command from the safety device 30. When the communication data passed from the communication device 10 is safety data, the control device 20 passes this safety data to the safety device 30. The safety data is transferred to one arithmetic device 31 that communicates with the control device 20 among the redundant arithmetic devices, and the arithmetic device 31 transfers the safety data to the other arithmetic device 41. The way of passing safety data is not limited to this. For example, a branching unit for branching data is provided, and the safety data transmitted from the control device 20 is sent to both the arithmetic units 31, You may make it transmit to 41.

  Both the arithmetic devices 31 and 41 of the safety device 30 perform emergency stop control by a safety function setting signal from the external controller 2, notification processing to the external controller 2 of the safe state, and the like.

  The arithmetic units 31 and 41 are connected by cable, but are synchronized by notifying the timing of processing to each other by an external interrupt signal. In addition, since an interrupt signal between CPUs is output to the outside of the CPU with respect to an interrupt signal (internal interrupt signal) generated by the CPU's program processing inside the arithmetic unit, an external interrupt is described in the following description. It is called a signal. The operation noise of the power converter 60 may cause noise on the cable, which may cause malfunction.

  In the present embodiment, the following configuration is adopted so as not to reduce the operating rate of the electric motor 4 as much as possible against this noise.

  FIG. 2 shows a schematic configuration diagram of the safety device 30. The arithmetic devices 31 and 41 of the safety device 30 respectively have CPUs 32 and 42 that execute arithmetic processing by a program. Between the CPUs 32 and 42, circuits (timing synchronization signal generating circuits) 33 and 43 for generating external interrupt signals and circuits (timing synchronization signal receiving circuits) 44 and 34 for receiving external interrupt signals are provided. . The timing synchronization signal generating circuits 33 and 43 and the timing synchronization signal receiving circuits 44 and 34 are collectively referred to as timing synchronization means 40 in order to synchronize the CPU processing with an external interrupt signal.

  The timing synchronization signal generation circuit 33 includes a decode circuit 33A that decodes the address of the CPU 32, an AND circuit 33B that calculates the logical product of the output of the decode circuit 33A and the write signal, and a latch circuit 33C. The latch circuit 33C is realized by a DFF (D-type flip-flop), and a D-input is connected to a bit (for example, LSB) of data, and a clock input (CK) is connected to the output of the AND circuit 33B. The output of the latch circuit 33C is transmitted to the timing synchronization signal receiving circuit 44 as an external interrupt signal.

  The timing synchronization signal receiving circuit 44 detects the rising edge of the timing synchronization signal and generates an interrupt signal to the CPU 42. The timing synchronization signal receiving circuit 44 detects the falling edge of the timing synchronization signal and generates an interrupt signal to the CPU 42. The falling edge detection circuit 44B is provided. Further, the timing synchronization signal is input to the terminal # 1 (first external input terminal) of the CPU. An external signal can be input to any terminal.

  The timing synchronization signal generation circuit 43 and the timing synchronization signal reception circuit 34 also have the same circuit configuration as described above, and send a timing synchronization signal from the CPU 42 to the CPU 32.

  Thus, the timing synchronization means 40 connects the processors with the external interrupt signal line. In FIG. 1, the external interrupt signal is bidirectional. However, for example, when the CPU 42 is synchronized with the CPU 32, only one direction of the CPU 32 to the CPU 42 functions. This signal is expressed as “1” if it is 2.0 V or higher using a certain voltage threshold, for example, 2.0 V as a boundary value, and “0” if it is lower than 2.0 V. When defined by active low (active low: negative logic), “1” is inactive and “0” is active. Hereinafter, description will be made assuming that the logic is negative.

  At this time, normally, when this signal becomes active (at the time of falling), the CPU executes a predetermined process (interrupt process) as an external interrupt. Depending on the setting, there may be a case of inactive state (at the time of rising), or both (at the time of both edges).

  When a problem occurs in the signal line, such as noise, disconnection, short circuit, or failure of the other arithmetic unit, interrupt processing may operate at an unexpected timing, resulting in a delay in the operation of the safety function. There is a risk of causing problems.

  In the present embodiment, the time until the inactive state (active time) based on the time when the active state is reached and the time when the next active state is reached based on the time when the active state is reached The generation timing of the external interrupt is controlled using the interval (activation interval).

  FIG. 3 shows the relationship between the timing synchronization signal waveform and each signal name and time name in negative logic. The active time and the activation interval each have two threshold values, a lower limit value and an upper limit value. In general, negative logic (active low) is used for an interrupt signal or the like. Therefore, when the signal is “0” (GND level), it is considered positive (ON).

(Input signal abnormality judgment processing)
FIG. 4 shows a conventional abnormality determination example using such a threshold value. FIG. 4A shows a case where the ON time exceeds the specified time (exceeding the specified ON time). This is because it is assumed that a failure such as wire breakage / short circuit or element failure (hereinafter collectively referred to as “device failure”) is caused, and the controlled device (electric motor 4) is in a dangerous state. It was necessary to perform safety control such as system shutdown. In FIG. 4 (B), when the ON time is shorter than the specified time, it is assumed that there is a device failure or a temporary or periodic abnormal signal such as noise. There was a need to do. In FIG. 4C, even when the ON / OFF interval is shorter than the specified value, it is necessary to perform safety control such as system shutdown in the same manner because an apparatus failure is assumed in addition to the influence of noise.
As described above, conventionally, noise and device failure cannot be determined separately, and therefore, when an abnormal signal pattern is detected, control must be performed in a uniform stop direction.

  In this embodiment, the cause of the failure is determined with higher accuracy, and if the possibility of transient noise is high as an abnormal signal, the system is not limited to the system stop direction, but is limited to a speed that can ensure safety, for example. This enables highly effective fail-safe processing.

(Functional configuration of CPUs 32 and 42)
Hereinafter, although the function of the CPU 32 of the arithmetic unit 31 will be described as a representative, the CPU 42 has the same function.
FIG. 5 is a functional block diagram of the CPU 32. Here, the CPU 32 receives an interrupt signal or timing synchronization signal from the timing synchronization signal receiving circuit 34 and stores an input means 35 for detecting a signal abnormality and a threshold value or a reference value for detecting the signal abnormality. A threshold timer 79 that updates the threshold stored in the threshold storage 79 based on a command from the threshold storage 79, the controller 20, or another CPU, and a monitoring timer that counts based on a command from the input 35 A75, monitoring timer B76, an abnormality notification means 38 for updating the monitoring result file 77 based on the abnormality notification from the input means 35 and notifying the monitoring means 37 of the occurrence of the abnormality, activated when the timing synchronization signal is normal Task 73 is provided.

  As will be described later, the input unit 35 may input a plurality of timing synchronization signals and other external signals in order to determine the cause of the malfunction. In this case, a matrix table 74 for storing the relationship between a combination of failure factors (normal, signal abnormality, device failure) of the plurality of external signals and the contents of the fail safe processing is provided.

(Initial setting of threshold)
The setting of the power converter 60 before operation (before operation) can be set (user setting) by the external controller 2 using the network 3. In addition, when changing the operation parameter, the command frequency (command value of the operation frequency) or the carrier frequency of the power converter 60, the storage data relating to the command frequency before the change is acquired and the active time is changed and stored. Further, when changing the communication cycle, the storage data relating to the storage time before the change is acquired, and the activation interval is changed and stored. The storage destination is stored in, for example, a memory area of the arithmetic devices 31 and 41.

(Operation of input means 35)
FIG. 6 shows an operation flowchart of the input means 35. In the present embodiment, the time and interval are measured by the monitoring timer A76 and the monitoring timer B77 inside the arithmetic device (arithmetic devices 31, 41) in accordance with the change of the signal, and the value and control to the power converter 60 are measured. By comparing a threshold value determined based on the command value (the rotational speed of the electric motor 4), a normal signal and a signal due to a device failure or noise are separated. The threshold value storage unit 79 stores in advance an initial value used when the control device 20 is activated, and the ON / OFF time is changed as needed according to the change in the operating frequency of the power converter 60 in which the threshold value update unit 80 is operating. (FIG. 4C) and the threshold value of the ON time (FIG. 4B) are updated.

  As a method of changing the threshold value, one cycle of the operating frequency or carrier frequency (hereinafter simply referred to as “operating frequency”) is used as the threshold value, and when harmonics are generated, the monitoring time depends on the order. It is conceivable to shorten the length. It should be noted that the way in which noise is applied to the operating frequency is measured in advance in a factory test or the like, and the relational expression between the operating frequency and the noise interval or the reference value of the noise interval for each operating frequency section is stored in the threshold storage means 79. May be.

  The power converter 60 is a powerful noise source, and there is a possibility of affecting the control device 20 due to installation conditions, environmental changes, component deterioration, and the like. Changing the threshold (this is called “dynamic” change of the threshold) has a very high effect.

  When the input means 35 according to the present embodiment is activated by an interrupt signal due to a falling edge (signal is OFF => ON), when the monitoring timer B76 is first operating ("YES" in S1), the monitoring means B76 A value is acquired (S2), and compared with the threshold value of the ON / OFF interval (see FIG. 4C) stored in the threshold value storage means 79, it is determined whether or not the threshold value is exceeded (S3). If the result of this determination is that the ON / OFF interval is not greater than or equal to the threshold value, an abnormality (type is noise) is notified to the monitoring means 37 via the abnormality notification means 38 (S4).

  If the result of determination in step S3 is that the ON / OFF interval is greater than or equal to the threshold, the input means 35 starts the operation of the monitoring timer A75 and restarts the monitoring timer B76 (S5, S6). If the specified ON time (see FIG. 4A) stored in the threshold value storage means 79 has elapsed (see “YES” in S7), the operation of the monitoring timer B76 is stopped. Later (S8), the abnormality is notified to the monitoring means 37 via the abnormality notifying means 38 (type is apparatus failure) (S9).

  Further, as shown in FIG. 7, when another interrupt routine of the input means 35 is started by an interrupt signal due to a rising edge (signal is ON → OFF), the operation of the monitoring timer A75 is stopped (S21), After acquiring the timer count value (S22), it is determined from the timer count value whether the ON time is within a predetermined range (S23). 73 is started (S24).

  On the other hand, if the result of determination in step S12 is not within the specified range, the input means 71 further monitors the ON time threshold value stored in the threshold value storage means 79 (see FIG. 4B). When the timer count value of the timer A75 is equal to or smaller than the threshold value (“YES” in S25), the monitoring unit 37 is notified of an abnormality (type is noise) via the abnormality notification unit 38 (S26), while the monitoring timer A75 is used. If the timer count value is larger than the threshold value (“NO” in S25), an abnormality (type is apparatus failure) is notified to the monitoring means 37 via the abnormality notification means 38 (S27).

(Operation of abnormality notification means 38)
When the abnormality notification unit 38 receives the abnormality notification from the input unit 35, if there are a plurality of input terminals for each type of abnormality, the abnormality notification unit 38 further records the number of occurrences for each input terminal, and sets a predetermined value (1 If the above is exceeded, the monitoring means 37 is notified of the abnormality.
When the occurrence count is not counted, the abnormality notification from the input unit 35 may be transmitted directly to the monitoring unit 37 without providing the abnormality notification unit 38.

(Operation of the monitoring means 37)
When the monitoring unit 37 receives an abnormality notification for each type from the abnormality notification unit 38, the monitoring unit 37 executes a fail-safe process associated with the type.

  According to the present embodiment, trouble factors such as noise and device failure are constantly detected during operation, and the threshold value is updated dynamically by the threshold update means 80 based on the operating frequency or carrier frequency. It is possible to secure the safety by suppressing the decline in the operation rate. Therefore, when noise is detected, the motor 4 may be stopped immediately (for example, an escalator, a large machine tool, a belt conveyor, etc.), and the motor 4 is immediately stopped according to the type and risk of the noise. If it is better to stop after time or deceleration (for example, an elevator, an electric vehicle, etc.), such as when the elevator box arrives at the nearest floor, or when it is retreated from an intersection, etc. It is possible to easily cope with control according to the above. Furthermore, transient noise may be dealt with by limiting the speed. In addition, in cooperation with notification means such as monitor and audio output and other switching devices (safety devices), "Stop at the nearest floor" "Stop the car in a safe place" "Switch to gasoline mode It is also possible to perform notifications such as “” and system switching.

[Second Embodiment]
Next, a second embodiment of the present invention will be described. In the present embodiment, in addition to the functions of the first embodiment, the abnormality determination matrix table 78 is used to determine whether the apparatus is abnormal based on a plurality of input signals.
Hereinafter, based on FIG. 8 thru | or FIG. 14, the specific example of the safety control system 1 which concerns on this embodiment is demonstrated. In the following description, components having the same or similar functions as those in the configuration of the first embodiment are given the same names and symbols.

  As shown in FIG. 8, in the safety control system 1 of the present embodiment, arithmetic devices 31 and 41 having a safety function, a power converter 60, and a power converter are provided in a casing of a power converter (not shown). A power supply 61 that supplies power to 60 and an electric motor 4 are provided. In the present embodiment, the calculation devices 31 and 41 are described as being provided in the safety device 30, but one of the duplicated calculation devices may be provided in the control device 20.

  The safety device 30 includes the arithmetic devices 31 and 41 of FIG. 8, and the CPUs 32 and 42 of the arithmetic devices 31 and 41 have two input means 35 and 36 and input means 45 and 46, respectively, and one monitoring means. 37, 47. The input means 35 and 36 and the monitoring means 37 and the input means 45 and 46 and the monitoring means 47 are connected by abnormality notification means 38 and 48. The abnormality notification means 38 and 48 have a function of transferring the abnormality notification and the type of abnormality generated in the input means 35 and 36 and the input means 45 and 46 to the monitoring means 37 and 47, respectively.

  As in the first embodiment, the input means 35 and 36 and the input means 45 and 46 are interrupt signals input from one of input ports (not shown) provided in the arithmetic devices 31 and 41, etc. By determining the waveform of the timing synchronization signal (for example, a timing synchronization signal) using a threshold that dynamically changes based on the operating frequency, it has a function of distinguishing between noise and device failure and detecting an abnormality.

  The monitoring units 37 and 47 monitor the states of the input units 35 and 36 and the input units 45 and 46 that are connected with a fixed period of time of several ms to several tens of ms, and when a plurality of abnormalities are detected. Sends a safety command to the power converter 60 according to the situation and performs fail-safe processing.

(Overview of operation)
Next, an outline of the operation of the safety control system 1 according to the present embodiment will be described with reference to FIG.
When the safety control system 1 is started by turning on the power or the like, the safety control system 1 executes an initialization routine, and the variables used by the input means 35, 36, 45, 46, the abnormality notification means 38, 48, and the monitoring means 37, 47 Initial setting of the file is performed (S11). Here, as shown in FIG. 10, initialization processing of a plurality of terminal abnormality type variables used by each input means, reset of a counter variable storing the number of abnormality detections used by each abnormality notification means, and each input means There are a threshold value specification for condition determination used in the abnormality detection process, initialization of the abnormality determination matrix table 78, and the like.

  Next, the safety control system 1 starts the operation of the monitoring means 37 and 47 and validates the monitoring function / safety function (S12).

The safety control system 1 activates the input means 35 and 36 and the input means 45 and 46, monitors the input signal at regular intervals (S13), and determines whether there is an abnormality (S14).
When detecting an abnormality, the input means 35 and 36 and the input means 45 and 46 activate the abnormality notification means 38 and 48, respectively, and execute an abnormality type determination process (FIG. 11) described later (S15). If the abnormality detection is valid, the abnormality notification means 38, 48 proceeds to the next step S16. If the abnormality detection is invalid, the abnormality notification means 38, 48 detects abnormality of the detected terminal as an abnormality detection process (S17). The type is initialized (S17-1), and there is no abnormality (invalid), and then the abnormality monitoring of the terminal is resumed in the same manner as other terminals (S17-2).

If the abnormality notification means 38, 48 determines that the abnormality detection is effective as a result of the abnormality type determination processing in step S15 (“YES” in S15), the abnormality notification means 38, 48 notifies the monitoring means 37, 47 of abnormality and Pass the type.
When the abnormality type is passed, the monitoring units 37 and 47 execute a fail-safe process corresponding to the abnormality type described later (S16), and notifies the occurrence of the abnormality to the outside (S18).

Hereinafter, details of the processing contents of steps S15 and S16 will be described.
(Details of the abnormality type determination process in step S15)
First, details of the abnormality type determination processing by the abnormality notification means 38 and 48 shown in step S15 will be described with reference to FIG.

  The abnormality notification means 38 and 48 initialize the abnormality type variable and the fail-safe transition flag variable (S15-1), treat the input signals of the input means 35 and 36 and the input means 45 and 46 as terminals, Abnormal states from # 1 to terminal #n (n is an integer) are detected.

  Specifically, when it is determined that the terminal # 1 is in an abnormal state (S15-2), the abnormality notification unit 38, 48 first proceeds to step S15-3 as the abnormal terminal detection process # 1, The abnormality type of terminal # 1 is set (S15-3A), the abnormality counter addition of terminal # 1 is performed (that is, the abnormality occurrence counter variable is incremented) (S15-3B), and the process proceeds to the next step S15-4. Transition.

  In the same manner, the abnormality notification means 38 and 48 determine whether there is an abnormality in terminal # 2 to terminal #n and perform abnormality detection processing when there is an abnormality (S15-4 to S15-7). ).

  Next, the abnormality notifying means 38 and 48 execute an inter-terminal abnormality detection process (S15-8). As an abnormality detection process between a plurality of terminals, the abnormality notification means 38 and 48 first access the abnormality determination matrix table 78 (S15-8A), and read the abnormality counter value of each terminal (S15-8B-1). If the counter value exceeds a predetermined threshold value (S15-8B-2), the ID of the safety function (fail-safe process) corresponding to the corresponding terminal combination in the abnormality determination matrix table 78 is extracted as the determination result. (S15-8B-3). Here, the process from step S15-8B-1 to step S15-8B-3 is referred to as an abnormal terminal counter threshold value determination process (S15-8B).

  As the safety function ID, a higher number is assigned as the priority / importance is higher, and when there are a plurality of safety functions extracted from the abnormality determination matrix table 78, the maximum number is extracted. . For example, in FIG. 14, when terminal # 1 and terminal # 2 are abnormal in signal and terminal # 3 is a device failure, both speed limitation and deceleration stop are extracted. If “1” and deceleration stop are assigned “2”, the deceleration stop (safety function ID = 2) having the larger number is finally selected. In the present embodiment, the method for mounting the abnormality determination matrix is described using the table method, but a branch instruction method may be employed.

  Next, the abnormality notifying means 38, 48 writes the determination result in the fail safe transition flag variable (S15-8C), and if the transition flag variable is “1” or more, that is, “abnormal”, the process proceeds to step S16. If the transition flag variable is “0”, that is, “invalid”, the process proceeds to step S17. The above is the content of the abnormality type determination process.

  As described above, the monitoring means 37 and 47 can flexibly cope with the case where the meaning of the input signal or the function differs depending on the input means 35 and 36 and the input means 45 and 46 by using the abnormality determination matrix. .

  The signals connected to the input means 35, 36 and the input means 45, 46 are mainly processing timing synchronization and data transmission / reception timing synchronization. Therefore, as shown in FIG. 14, the wirings 39A and 39B opened around the circuit (for example, the arithmetic devices 31 and 41) mounted on the control device (control board) 20 or outside the circuit are signaled by pull-up or pull-down. Even when the external noise and abnormality are detected by monitoring the displacement of the received signal through these wirings 39A and 39B, the abnormality determination matrix is provided. It is possible to apply.

  In this case, in particular, when the terminal of the antenna detection signal becomes abnormal, it is possible to distinguish the failure contents with high accuracy by preferentially determining as noise (signal abnormality), thereby increasing the operating rate. be able to.

(Details of fail-safe processing in step S16)
Next, details of the fail-safe process shown in step S16 will be described with reference to FIG. The monitoring units 37 and 47 select a safety function (fail-safe process) set in advance for the fail-safe process target (step S16-1), and depending on the type of the motor 4 and the applied device / device, Abnormal processing (mode) such as free-run stop (step S16-2), deceleration stop (step S16-3), speed limit (step S16-3) is selected.

  In addition, including the options shown in FIG. 13, it is possible to include processes other than the abnormal processes described above according to the type of the electric motor 4 and the applied device / device.

  Thereby, based on the output results of the plurality of terminals # 1 to #n with respect to the noise type, the monitoring means 37 and 47 determine the abnormality in a majority manner as shown in FIG. It is possible to improve the situation in which the electric motor 4 is uniformly stopped only by the presence of noise and the operating rate of the electric motor 4 is reduced.

[Third Embodiment]
Next, the safety control system 1 according to the third embodiment will be described with reference to FIGS. 15 and 16 focusing on the difference from the second embodiment. In the second embodiment, the monitoring units 37 and 47 of the arithmetic units 31 and 41 operate independently. In the present embodiment, the abnormality determination results of the monitoring units 37 and 47 are linked to each other.

  That is, as shown in FIG. 15, mutual communication is possible between the arithmetic devices 31 and 41 (monitoring means 37 and 47) via a wiring 21 such as a serial communication line such as UART or SPI or a parallel communication line. By using the wiring 21 as the mutual communication means, the counter variable of the number of abnormality detections detected by the input means 35 and 36 and the input means 45 and 46 managed by the one monitoring means 37 and 47 is several hundred ms to 1000 ms. The other monitoring means 37 and 47 communicate with each other at regular intervals.

  Further, the number of times of abnormality detection of one monitoring means 37, 47 obtained from the communication result is different from the number of times of abnormality detection managed by the other monitoring means 37, 47 (of the arithmetic units 31, 41). Counter value).

  The monitoring units 37 and 47 perform an abnormal terminal counter threshold value determination different from the abnormal terminal counter threshold value determination in the abnormality detection process between multiple terminals in the abnormality type determination shown in the second embodiment.

  Specifically, in the abnormal terminal counter threshold value determination process according to the present embodiment, as shown in FIG. 16, after reading the counter value storing the number of times of abnormality detection of each arithmetic unit 31, 41 (step S15-8B). -4) The counter values of the other arithmetic units 31, 41 are read (step S15-8B-5), and the counter values storing the number of times of abnormality detection of the one arithmetic unit 31, 41 are summed, averaged, and the difference from the previous time. After calculating (step S15-8B-6), a calculation method and a threshold value selected in advance are used to determine and select which is used for comparison with the threshold value with reference to the initial setting (step S15-8B-6). S15-8B-7). For example, a timing synchronization signal wired in the same route is input to the same terminal of two arithmetic devices, both of the abnormality counters of the terminals are equal to or greater than a predetermined threshold value, and the difference between the values of both abnormality counters is less than a certain value. In this case, it can be determined that the possibility of noise is large.

  Then, a comparison is made between the calculation method and the threshold value, and if the threshold value is exceeded, the safety functions (deceleration stop, free-run stop, speed limit, etc.) selected in advance by default before the operation of the power converter 60 are promptly performed. (Step S15-8B-8).

  Thus, according to the safety monitoring system according to the present embodiment, the plurality of arithmetic devices 31 and 41 are used, and the abnormality determination regarding noise by the monitoring means 37 and 47 is made flexible so that the operation of the electric motor 4 is performed. It is possible to ensure safety while suppressing a decrease in rate. Further, by making the threshold dynamic, it is possible to provide flexibility in dealing with abnormality determination in consideration of the type of the motor 4 and the model / type / environment of the entire apparatus, for example, a low risk level. Continue to operate or slow down the motor 4 (or power converter 60) for signals (transient noise, etc.), and stop operation for high-risk signals (failure, short circuit, disconnection) As a result, versatility can be improved.

DESCRIPTION OF SYMBOLS 1 ... Safety control system 4 ... Electric motor 20 ... Control apparatus 31 ... Arithmetic device (calculation means)
35 ... Input means 36 ... Input means 37 ... Monitoring means 38 ... Abnormality notification means 41 ... Arithmetic device 45 ... Input means 46 ... Input means 47 ... Monitoring means 48 ... Abnormality notification means 60 ... Power converter (power conversion circuit)
73 ... Task 75 ... Monitoring timer A
76 ... Monitoring timer B
77 ... Monitoring result file (fail sale transition flag variable)
78 ... Abnormality determination matrix table 79 ... Threshold storage means 80 ... Threshold update means

Claims (3)

A control device that outputs a control signal to a power converter, and a safety device that includes a calculation means for executing a fail-safe process such as outputting a stop command to the power converter,
The computing means is
A threshold value determined based on the operating frequency or carrier frequency of the power converter when an external interrupt signal is input and the waveform of the interrupt signal includes an abnormal signal that is assumed to be noise or equipment failure Based on the input means for determining the abnormality type of noise or device failure, and outputting an abnormality notification together with the abnormality type to the outside when detecting an abnormality signal;
A safety control system comprising: a monitoring unit that receives the abnormality notification and executes fail-safe processing corresponding to the abnormality type. The arithmetic means comprises a plurality of the input means, and an abnormality determination matrix table that defines fail-safe processing to be executed based on a combination of abnormality types for each input means,
2. The safety according to claim 1, wherein the monitoring unit executes a fail-safe process selected based on the abnormality determination matrix when receiving an abnormality notification from any of the plurality of input units. Control system. The safety device has a plurality of the calculation means, and each calculation means has a counter variable for storing the number of times of abnormality detection for each input means,
The plurality of computing means are connected by the mutual communication means to exchange the value of the counter variable stored in the monitoring means, and perform fail-safe processing using a predetermined threshold value and the exchanged counter variable value. The safety control system according to claim 1, wherein the safety control system is executed.

Images