JP2013196058A - Gateway, system, and method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To allow safe communications between a safety controller connected to a LAN and respective nodes in a system for safe communications while reducing costs of the entire system.SOLUTION: A gateway communicates with safety nodes performing safety function processing, a safety controller controlling the safety nodes, and non-safety nodes not performing safety function processing. The gateway includes an interface which communicates with the safety controller via a LAN, reception data separating means which separates data addressed to safety nodes or non-safety nodes from data in a prescribed format received from the safety controller via the interface, safety data communication means communicating with the safety nodes via a safety communication line, and non-safety data communication means communicating with the non-safety nodes via a non-safety communication line. The gateway combines data received from the safety nodes or the non-safety nodes with the prescribed format to transmit the data to the safety controller.

Description

  The present invention relates to a gateway, a system, and a method, and more particularly, to a gateway, a system, and a method for connecting a node and a controller that perform safety function processing.

  There is a functional safety standard IEC61508 that defines a safety function standard for a machine requiring high safety used in a machine tool or a chemical plant. By using a “safety device” that conforms to the standard, a safe system can be constructed.

  Patent Document 1 discloses a method for transmitting and receiving safety information between a non-safety node and a safety node in a system in which a plurality of safety devices (safety nodes) are directly connected to a LAN (see FIG. 17A).

  Non-Patent Document 1 discloses a method of connecting one safety node to a LAN and connecting the other to a serial bus (or dual port RAM) connected to another safety node (FIG. 17B). reference).

JP 2009-026063 A JP 2007-193843 A

Training for "PROFIsafe certified designers", February 10-12th, Karlsruhe

  However, in the method described in Patent Document 1, it is necessary for all the safety nodes to mount the LAN interface, which increases the manufacturing cost of the safety nodes. As a result, the cost of the entire system increases.

  In the method described in Non-Patent Document 1, other safety devices are connected in series via one safety node. Therefore, the failure of the safety device spreads to the failure of other safety devices, and the availability is reduced. In addition, it is necessary for all non-safety nodes to be equipped with a LAN interface, which increases the manufacturing cost of the non-safety nodes. As a result, the cost of the entire system is still high.

  On the other hand, Patent Document 2 discloses a controller system provided with a serial bus dedicated to a safety node that is independent from a serial bus to which a non-safety node is connected. However, in this system, the safety node cannot communicate with the controller via the LAN.

  The present invention has been made in view of such problems. In a system that performs safety communication, the cost of the entire system is suppressed, and safety communication is performed between a safety controller connected to a LAN and each node. It aims to be able to do it.

In order to solve the above-described problems and achieve the object, the gateway according to an embodiment of the present invention provides:
A safety node that performs safety function processing, a safety controller that controls the safety node, and a gateway that communicates with a non-safety node that does not perform safety function processing,
An interface for communicating with the safety controller through a LAN;
Received data separation means for separating data in a predetermined format received from the safety controller through the interface into data addressed to the safety node or data addressed to the non-safety node;
Safety data communication means for communicating with the safety node through a safety channel;
Non-secure data communication means for communicating with the non-secure node through a non-secure channel;
Have
The data received from the safety node through the safety channel or the data received from the non-safe node through the non-safe channel is combined with the predetermined format and transmitted to the safety controller.

Moreover, the system in one embodiment of the present invention is:
A safety node that performs safety function processing, a safety controller that controls the safety node, a non-safety node that does not perform safety function processing, and a gateway,
The safety controller is
A first interface for communicating with the gateway through a LAN;
The gateway is
A second interface for communicating with the safety controller;
Received data separating means for separating data in a predetermined format received from the safety controller through the second interface into data addressed to the safety node or data addressed to the non-safety node;
Safety data communication means for communicating with the safety node through a safety channel;
Non-secure data communication means for communicating with the non-secure node through a non-secure channel;
Have
The data received from the safety node through the safety channel or the data received from the non-safe node through the non-safe channel is combined with the predetermined format and transmitted to the safety controller,
The safety node is
A third interface for communicating with the gateway through the safety channel;
The non-safety node is
A fourth interface communicating with the gateway through the non-secure channel;

In addition, the method in one embodiment of the present invention includes:
A method of communicating with a safety node that performs safety function processing, a safety controller that controls the safety node, and a non-safety node that does not perform safety function processing,
A received data separation step of separating data in a predetermined format received from the safety controller through a LAN into data addressed to the safety node or data addressed to the non-safety node;
A safety data communication stage communicating with the safety node through a safety channel;
A non-secure data communication stage communicating with the non-secure node through a non-secure channel;
Combining the data received from the safety node through the safety channel or the data received from the non-safe node through the non-safe channel into the predetermined format;
Transmitting the combined data to the safety controller;
Have

In addition, the method in one embodiment of the present invention includes:
A method for detecting an abnormal state based on data received from a safety controller that controls a safety node that performs safety function processing,
A received data separation step in which the gateway separates data in a predetermined format received from the safety controller through the LAN into data addressed to the safety node or data addressed to the non-safety node;
A replication stage in which the gateway replicates data destined for the secure node;
A data transmission stage in which the gateway transmits the copied data to a plurality of safety nodes through a safety channel different from the non-safety channel to which the non-safety node is connected;
A collation stage in which one of the plurality of safety nodes collates the data received from the gateway with the data received by another safety node different from the safety node;
A detection stage in which one of the plurality of safety nodes detects an abnormal state based on the result of the verification;
Have

  ADVANTAGE OF THE INVENTION According to this invention, in the system which performs safety communication, the cost of the whole system can be suppressed, and safety communication can be performed between the safety controller connected to LAN and each node.

The figure showing the outline | summary of the system in one Embodiment of this invention. The figure showing the example of the hardware constitutions of the safe / non-secure gateway in one Embodiment of this invention. The figure showing the example of the hardware constitutions of the safety controller in one Embodiment of this invention. The figure showing the example of the hardware constitutions of the safety node in one Embodiment of this invention. The figure showing the example of the hardware constitutions of the non-safety node in one Embodiment of this invention. The figure showing the example of the functional block of the system in one Embodiment of this invention. The figure showing the example of the structure of the LAN communication message used with the system in one Embodiment of this invention. The figure showing the example of the structure of the safety communication message used with the system in one Embodiment of this invention. The figure showing the example of the structure of the non-secure communication message used with the system in one embodiment of the present invention. The figure showing the example of the communication path | route of the system in one Embodiment of this invention. The figure showing the example of the communication path | route of the system in one Embodiment of this invention. The figure showing the example of the communication path | route of the system in one Embodiment of this invention. The figure showing the example of the data management table used with the safe / non-secure gateway in one Embodiment of this invention. The figure showing the example of the data management table used with the safe / non-secure gateway in one Embodiment of this invention. The figure showing the example of the data management table used with the safe / non-secure gateway in one Embodiment of this invention. The figure showing the example of the data management table used with the safe / non-secure gateway in one Embodiment of this invention. The figure showing the example of the data management table used with the safety node in one Embodiment of this invention. The figure showing the example of the collation table used with the safety node in one Embodiment of this invention. The figure showing the reception data separation process in one Embodiment of this invention. The figure showing the data used by the reception data separation process in one Embodiment of this invention. The flowchart showing the non-safety data communication process in one Embodiment of this invention. The figure showing the example of a structure of the communication message used by the non-safety data communication process in one Embodiment of this invention. The figure showing the example of the structure of the data used by the non-safety data communication process in one Embodiment of this invention. The flowchart showing the safety data distribution and communication processing in one Embodiment of this invention. The figure showing the example of a structure of the communication message used for communication with a safety node by safety data distribution and communication processing in one embodiment of the present invention. The figure showing the example of a structure of the data passed to a transmission distribution means by the safe data distribution and communication process in one Embodiment of this invention. The figure showing the transmission distribution process in one Embodiment of this invention. The figure showing the example of the structure of the data used by the transmission distribution process in one Embodiment of this invention. The flowchart showing the transmission data combination process in one Embodiment of this invention. The figure showing the example of the structure of the data used by the transmission data combination process in one Embodiment of this invention. The flowchart showing the communication interface process in one Embodiment of this invention. The figure showing the example of the structure of the data used by the communication interface process in one Embodiment of this invention. The figure showing the example of the communication message used by the communication interface process in one Embodiment of this invention. The flowchart showing the safe communication process in one Embodiment of this invention. The figure showing the example of a structure of the data used by the safe communication process in one Embodiment of this invention. The flowchart showing the reception collation process in one Embodiment of this invention. The figure showing the example of a structure of the data used by the reception collation process in one Embodiment of this invention. The flowchart showing the process of the application in one Embodiment of this invention. The figure showing the example of the structure of the data used by the application in one Embodiment of this invention. The figure showing the example of the structure of the data used by the application in one Embodiment of this invention. The figure showing the outline | summary of the safety communication system by a prior art. The figure showing the outline | summary of the safety communication system by a prior art.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

1. Overview 2. 2. Hardware configuration Functional configuration 4. Communication message Communication path 6. Data management table Processing Flow 7.1 Received Data Separation Processing 7.2 Non-safety Data Communication Processing 7.3 Safety Data Distribution / Communication Processing 7.4 Transmission Distribution Processing 7.5 Transmission Data Combination Processing 7.6 Communication Interface Processing 7.7 Safety Communication processing 7.8 Reception verification processing 7.9 Application processing

(1. Overview)
First, an overview of a system according to an embodiment of the present invention will be described with reference to FIG. FIG. 1 shows an overview of a system according to an embodiment of the present invention. In the system according to an embodiment of the present invention, a safety / non-safety gateway is provided between a safety controller and a safety node or a non-safety node, and communication by a LAN is performed between the safety controller and the safety / non-safety gateway.

  The system in one embodiment of the present invention shown in FIG. 1 performs safety communication processing, a safety controller that performs safety communication processing, a LAN communication node that is a LAN interface of the safety controller, a safety node that performs safety communication processing, and safety communication processing. Has no non-secure node and secure / non-secure gateway.

  As shown in FIG. 1, the system also includes a communication means between safety nodes as necessary. The communication means is used to collate received data between a plurality of safety nodes provided for redundancy. Details will be described later.

  The safety / non-safety communication gateway extracts the communication frame transmitted from the safety controller, converts the communication protocol, and transmits it to the safe / non-safety node. Here, in order to satisfy the black channel requirement defined in IEC61508, the secure communication frame is not modified. The safety / non-safety gateway also provides a communication means between the safety node and the non-safety node as necessary.

  With the above configuration, the safety node and the non-safety LAN communication node are unnecessary, and the cost of the entire system can be reduced. Moreover, it becomes easy to add safety nodes and non-safety nodes.

(2. Hardware configuration)
Next, the hardware configuration of the gateway according to the embodiment of the present invention will be described with reference to FIG. 2A. The gateway shown in FIG. 2A includes a CPU 200, a RAM 202, a ROM 204, a LAN interface 206, a serial bus interface 208, a synchronization interface 210, and a bus 212.

  The CPU 200 executes a program that controls the operation of the gateway. The RAM 202 constitutes a work area for the CPU 200. The ROM 204 stores programs executed by the CPU 200 and data used by the programs. The LAN interface 206 is a device having an Ethernet (registered trademark) network interface, for example. The serial bus interface 208 is a device having an interface for serial communication. The dual port interface 210 is a device having an interface for communicating via a dual port RAM. A bus 212 electrically connects the above devices.

  With the gateway having the above-described configuration, the safety controller connected to the LAN and the safety node connected to the serial bus can perform safety communication. In addition, a safe node and a non-safe node connected to different communication paths can communicate with each other through the gateway.

  The serial bus interface 208 and / or the dual port interface 210 may be replaced with a LAN interface. Thereby, safety communication can be performed only by LAN communication.

  Next, the hardware configuration of the safety controller according to the embodiment of the present invention will be described with reference to FIG. 2B. The safety controller illustrated in FIG. 2B includes a CPU 220, a RAM 222, a ROM 224, a LAN interface 226, an input interface 228, and a bus 230.

  The CPU 220 executes a program that controls the operation of the safety controller. The RAM 222 constitutes a work area for the CPU 220. The ROM 224 stores programs executed by the CPU 220 and data used by the programs. The LAN interface 226 is a device having an Ethernet (registered trademark) network interface, for example. The input interface 228 is a device having an interface with an input device such as an external emergency stop switch. A bus 230 electrically connects the above devices.

  The controller having the above configuration can perform safety communication with the safety node via the LAN. The controller can also communicate with non-secure nodes via the LAN.

  Next, the hardware configuration of the safety node in one embodiment of the present invention will be described using FIG. 2C. The safety node shown in FIG. 2C includes a CPU 240, a RAM 242, a ROM 244, a first serial bus interface 246, a second serial bus interface 248, and a bus 250.

  The CPU 240 executes a program that controls the operation of the safety node. The RAM 242 constitutes a work area for the CPU 240. The ROM 244 stores programs executed by the CPU 240 and data used by the programs. The first serial bus interface 246 and the second serial bus interface 248 are devices having an interface for serial communication. A bus 250 electrically connects the above devices.

  The safety node having the above configuration can perform safety communication with the safety controller connected to the LAN via the gateway. Further, the safety node can communicate with the non-safety node via the gateway. In addition, the safety node can collate data transmitted to and received from the safety controller through serial communication with other safety nodes provided as a redundant configuration.

  The second serial bus interface 248 is an optional component.

  The first serial bus interface 246 and / or the second serial bus interface 248 may be replaced with a LAN interface or a dual port interface.

  Next, the hardware configuration of the non-safety node in one embodiment of the present invention will be described using FIG. 2D. The non-safety node shown in FIG. 2D has a CPU 260, a RAM 262, a ROM 264, a dual port interface 266, and a bus 268.

  The CPU 260 executes a program that controls the operation of the non-safety node. The RAM 262 constitutes a work area for the CPU 260. The ROM 264 stores a program executed by the CPU 260 and data used by the program. The dual port interface 266 is a device having an interface for communicating via a dual port RAM. A bus 268 electrically connects the above devices.

  The non-safety node having the above configuration can communicate with the safety controller connected to the LAN via the gateway. Further, the non-safety node can communicate with the safety node via the gateway.

  Note that the dual port interface 266 may be replaced with a LAN interface or a serial bus interface.

(3. Functional configuration)
Next, functional blocks of the system according to an embodiment of the present invention will be described with reference to FIG. The system includes a safety controller 1, a LAN communication node 2, a LAN 3, a safety / non-safety gateway 4, a safety node 5, a safety communication path 6, a non-safety communication path 7, a non-safety node 8, Data management table 9, data management / collation table 10, received data separation means 11, non-safety data communication means 12, safe data distribution / communication means 13, transmission distribution means 14, transmission data combining means 15 A communication interface unit 16, a safety communication unit 17, a reception verification unit 18, an application 19, and a LAN communication interface unit 20.

  The safety controller 1 communicates with the safety node 5 and the non-safety node 8 through the safety / non-safety gateway 4 connected via the LAN. The safety controller 1 performs a safety communication process defined by IEC 61784-3 or IEC 62280.

  The LAN communication node 2 receives a LAN communication frame addressed to the node. Further, the LAN communication node 2 creates a LAN communication frame based on data transmitted from the node.

  The LAN 3 is a network that can use any communication protocol.

  The safe / non-secure gateway 4 is connected to the LAN via the LAN communication interface means 20. The safety / non-safety gateway 4 is connected to the safety node by serial communication, bus connection, or LAN communication with a different protocol. The safety / non-safety gateway 4 is connected to the non-safety node by serial communication, bus connection, or LAN communication with a different protocol.

  The safety node 5 executes an application related to safety. The safety node 5 is connected to the safety / non-safety gateway 4 and other safety nodes by serial communication, bus connection, or LAN communication with different protocols. The safety node 5 may be connected to other safety nodes without going through the safety / non-safety gateway 4.

  The safety communication path 6 is a communication path provided between different safety nodes or between the safety node 5 and the safety / non-safety gateway 4. For the safety communication path 6, serial communication, bus connection, LAN communication with different protocols, or the like can be used.

  The non-safety communication path 7 is a communication path provided between different non-safety nodes or between the non-safety node 8 and the safe / non-safety gateway 4. For the non-secure communication path 7, serial communication, bus connection, LAN communication with different protocols, or the like can be used.

  The non-safety node 8 executes an application not related to safety. The non-safety node 8 is connected to the safe / non-safety gateway 4 or another non-safety node by serial communication, bus connection, or LAN communication with a different protocol.

  The data management table 9 manages data used for processing of the safe / non-secure gateway 4. Details will be described later.

  The data management / collation table 10 manages data used for processing in the safety node 5. Details will be described later.

  The reception data separating means 11 separates the content of the reception data addressed to the safe / non-secure gateway 4 received through the LAN communication interface 20 into safety data and non-safety data. The safety data is passed to the safety data distribution / communication means 13, and the non-safety data is passed to the non-safety data communication means 12.

  The non-safety data communication unit 12 transmits the data passed from the reception data separating unit 11 and the data passed from the transmission distribution unit 14 to the non-safety node 8 using a predetermined protocol. Further, the non-safety data communication unit 12 passes the data received from the non-safety node 8 to the transmission distribution unit 14.

  The safety data distribution / communication means 13 transmits the data passed from the received data separation means 11 and the data passed from the transmission distribution means 14 to the safety node 5 using a predetermined protocol. Further, the safety data distribution / communication means 13 duplicates the data transmitted from the predetermined address, and transmits the duplicated data to each of the plurality of safety nodes 5. The safety data distribution / communication unit 13 passes the data received from the safety node 5 to the transmission distribution unit 14.

  The transmission distribution unit 14 distributes the data received from the non-safe data communication unit 12 to the safe data distribution / communication unit 13 or the transmission data combination unit 15 based on the designated destination address. The transmission distribution unit 14 distributes the data received from the safe data distribution / communication unit 13 to the non-safe data communication unit 12 or the transmission data combination unit 15 based on the designated destination address.

  The transmission data combining unit 15 combines the data received from the transmission distribution unit 14 to create LAN communication data, and passes it to the LAN communication interface 20.

  The communication interface means 16 transmits all data relating to communication processing or data relating to all applications to the safety node 5 or the safety / non-safety gateway 4 using a predetermined protocol. Further, the communication interface means 16 passes the safety data among the data received from the safety node 5 or the safety / non-safety gateway 4 to the safety communication means 17 and passes the non-safety data to the application. Here, the safety data communication interface means and the non-safety data communication interface means are separated in order to maintain safety of safety communication. Further, when the safety communication path between the safety node 5 and the safety / non-safety gateway 4 and the safety communication path between the safety nodes are separated, the communication interface means 16 is provided separately in two. . Thereby, different communication hardware interfaces and communication protocols can be used.

  The safety communication means 17 performs a safety communication process defined by IEC 61784-3 or IEC 62280 for the safety data. Note that the safety communication processing performed with the safety / non-safety gateway 4 and the safety communication processing performed with other safety nodes are performed in order to maintain the flexibility of the safety degree of the safety communication path (that is, respectively). Can be separated because of different failure rates and different safety code formulas and number of bits).

  The reception verification unit 18 transfers the received safety data to another predetermined safety node. Further, the reception collation means 18 collates the received safety data with the safety data received by a predetermined other safety node and transferred to the safety node 5 to confirm whether or not they match. The verification result is notified to the application.

  The application 19 receives the safety data received from the safety communication unit 17, the verification result received from the reception verification unit 18, and the non-safety data received from the communication interface unit 16, and executes the safety function or the non-safety function. . Then, the application 19 outputs the result to the safety communication unit 17 for the safety data and to the communication interface unit 16 for the non-safety data.

  The LAN interface unit 20 extracts a message addressed to the safe / non-secure gateway 4 from the LAN communication message and passes it to the received data separation unit 11. The LAN interface unit 20 creates a LAN communication message based on the data received from the transmission data combining unit 15, designates the destination address as the LAN communication node 2 of the safety controller 1, and transmits it.

  With the above configuration, the safety controller connected to the LAN can communicate with the safety node and the non-safety node via the gateway. In addition, the safety node and the non-safety node can communicate via the gateway. Further, serial communication, bus connection, or LAN communication with a different protocol can be used as communication between the safety node and the non-safety node, and communication flexibility is expanded. In addition, by separating the safety channel and the non-safe channel, there is an advantage that the safety channel is not affected by the failure of the non-safe channel.

(4. Communication message)
Next, communication messages used in the safety communication system will be described with reference to FIGS. 4A-4C.

  FIG. 4A shows a configuration of a LAN communication message used in the LAN 3. The header 1 represents data determined by a communication protocol, such as a serial number. The destination address represents an address of a node or a LAN communication interface that is a transmission destination of the LAN communication message. A transmission source address 1 represents an address of a node or a LAN communication interface that is a transmission source of the LAN communication message. Data identification information 1 represents a frame identification number. The communication data is composed of non-safety data not related to the safety function and an array of safety data related to the safety function. Footer 1 represents a CRC code of the message.

  FIG. 4B shows a configuration of a safety communication message used in the safety communication path 6. The header 2 represents data determined by a communication protocol, such as a serial number. The destination address 2 and the transmission source address 2 represent the transmission destination address and the transmission source address of the safety communication message, respectively. The data identification information 2 is a code indicating that the message is a safety communication message. As the destination address 1, the transmission source address 1, and the data identification information 1, information specified by the LAN communication message can be stored as it is. Details of the destination addresses 1 and 2, the source addresses 1 and 2 and the data identification information 1 and 2 will be described later. The safety data is composed of a data part and safety information. The safety information includes a destination address, a sequence number, a time stamp, and a safety code. The footer 2 represents a cyclic redundancy check (CRC) code of the message.

  FIG. 4C shows the configuration of a non-safe communication message used in the safe communication path 6 or the non-safe communication path 7. The basic configuration is the same as the safety communication message shown in FIG. 4C. Here, the data identification information 2 is a code indicating that the message is a non-safety communication message. In addition, safety information is not stored in the non-safety data included in the non-safety communication message.

  The safety controller 1, the safety / non-safety gateway 4, the safety node 5, and the non-safety node 8 in one embodiment of the present invention can communicate with each other using the communication message as described above.

(5. Communication path)
Next, communication paths between the safety controller 1 and a plurality of safety nodes will be described with reference to FIGS. 5A-5C.

  FIG. 5A shows a communication path of safety data transmitted from the safety controller 1 to the safety node 3. The safety / non-safety gateway 4 distributes the safety data received from the safety controller 1 to a plurality of safety nodes for transmission. Each safety node collates the received safety data with each other, and if they do not match, executes the safety function assuming that an abnormality has occurred. In the example of FIG. 5A, the safety controller 1 does not need to transmit safety data to individual safety nodes. For this reason, there is an advantage that the safety controller 1 side is not affected by the change in the number of safety nodes and addresses.

  FIG. 5B represents another example of the communication path of the safety data transmitted from the safety controller 1 to the safety node 3. Unlike the example of FIG. 5A, the safety / non-safety gateway 4 does not distribute the safety data to a plurality of safety nodes. Instead, the safety controller 1 specifies the destinations of a plurality of safety nodes. In the example of FIG. 5B, there is an advantage that the load of the safe / non-secure gateway 4 can be suppressed. Each safety node collates the received safety data with each other, and if they do not match, executes the safety function assuming that an abnormality has occurred.

  FIG. 5C shows an example of a communication path of safety data transmitted from the safety node 3 to the safety controller 1. The safety controller 1 collates the safety data received from a plurality of safety nodes, and executes the safety function as an abnormality has occurred if they do not match.

  With the above configuration, the safety controller 1 and the safety node 3 in one embodiment of the present invention can perform safety communication through the safety / non-safety gateway 4. Moreover, the number of the safety nodes 3 can be easily increased by the configuration in which the safety / non-safety gateway 4 distributes the safety data to the safety nodes.

  Note that the number of safety nodes is not limited to two, and may be one or three or more.

(6. Data management table)
Next, a data management table used in the secure / non-secure gateway 4 will be described with reference to FIGS. 6A-6D.

  FIG. 6A shows a communication data configuration that the safety / non-safety gateway 4 receives from the safety controller 1 via the LAN 3. This communication data configuration defines a sequence of non-safety data and safety data of communication data in the LAN communication message shown in FIG. 4A. The order represents the order of the arrangement of non-safety data and safety data. The destination address represents the address of each destination of non-safety data or safety data included in the data. The communication data byte number represents the number of bytes of non-safety data or safety data. The type indicates whether the data is non-safety data or safety data, and stores a label such as “unsafe” or “safe”, for example.

  FIG. 6B shows a LAN transmission communication data configuration transmitted from the safety / non-safety gateway 4 to the safety controller 1 via the LAN. This LAN transmission communication data configuration defines a sequence of non-safety data and safety data of communication data in the LAN communication message shown in FIG. 4A. The order represents the order of the arrangement of non-safety data and safety data. The transmission source address indicates the address of the transmission source node of non-safety data or safety data. The communication data byte number indicates the number of bytes of non-safety data or safety data.

  FIG. 6C shows a safety data distribution configuration for the safety / non-safety gateway 4 to copy and distribute the safety data to a plurality of redundant safety nodes. The pre-distribution address represents a destination address before distribution, which is used by the received data separation unit 11 of the secure / non-secure gateway 4. The post-distribution address represents each destination address of a plurality of redundant safety nodes.

  6D shows a case where the transmission distribution means 14 transmits data from the safe / non-safe gateway 4 to the safe communication path 6, a case where data is transmitted from the safe / non-safe gateway 4 to the non-safe communication path, or distribution. Represents a transmission distribution configuration used when The destination address indicates the destination address of the data transmission destination. The type indicates whether the data is transmitted to the non-safe communication channel 7 or the safe communication channel 6, and is represented by a label such as “non-safe” or “safe”, for example.

  With the above data management table, the safety / non-safety gateway 4 can manage communication among the safety controller 1, the safety node 5, and the non-safety node 8.

  Next, a data management / collation table used in the safety node 5 will be described with reference to FIGS. 7A and 7B.

  FIG. 7A represents a transmission distribution configuration used to identify whether the destination node is a secure node or a non-safe node when transmitting data from the secure node. The destination address indicates the destination address of the data transmission destination. The type indicates whether the data is transmitted to the non-safe communication path 7 via the safety / non-safety gateway or to the safety node via the safety communication path 6. "Or" safe ".

  FIG. 7B is a verification table used when safety data is verified between safety nodes. The verification source address represents the address of the safety controller that is the source of the safety data. The collation destination address represents the address of the safety node of the other party that collates the safety data.

  With the above data management / collation table, the safety node 5 can communicate with the safety controller 1, the safety / non-safety gateway 4, other safety nodes, and the non-safety node 8.

(7. Processing flow)
Next, the processing of the safe / non-secure gateway 4 will be described in detail with reference to FIGS. 8A-12B.

(7.1 Received data separation processing)
FIG. 8A shows a flowchart of processing by the reception data separation unit 11. FIG. 8B shows the structure of data passed to the safe data distribution / communication means 13 or the non-safe data communication means 12. In FIG. 8B, the shaded portion represents data that is added or separated by the reception data separation unit 11. Note that the processing by the received data separating means 11 is executed at a regular cycle.
Step S801: The LAN reception communication data configuration of the data management table 9 shown in FIG. 6A is read.
Step S802: Read communication data addressed to the safe / non-secure gateway 4 from the LAN communication interface means 20. Here, communication data from destination address 1 to communication data is read.
Step S803: According to the LAN reception communication data configuration, the safety data and the non-safety data are divided by destination address. The contents of the transmission source address 1 and the data type information 1 are added as they are before the divided safety data or non-safety data. Further, the “destination address” of the LAN reception communication data configuration is written to the destination address 1.
Step S804: Add destination address 2, source address 2, data identification information 2 and footer 2 to each of the divided safety and non-safety data according to the LAN received communication data configuration. Further, the “destination address” of the LAN reception communication data configuration is written in the destination address 2.
Step S805: Write the address of the safe / non-secure gateway 4 to the source address 2. Also, safe / non-safe information is written in the data identification information 2. Further, the CRC code of the message is calculated and written in the footer 2. Next, in accordance with the LAN reception communication data configuration, those with “safety” as “safe” are passed to the safe data distribution / communication means 13, and those with “type” as “unsafe” are passed to the non-safety data communication means 12.

(7.2 Non-safety data communication processing)
FIG. 9A shows a flowchart of processing by the non-safety communication means 12. FIG. 9B shows a configuration of a communication message regarding communication between the non-safety node 8 and the safe / non-safety gateway 4. FIG. 9C shows a configuration of data passed from the non-safety communication unit 12 to the transmission distribution unit 14. Note that the processing by the non-safety communication means 12 is executed at regular intervals.
Step S901: Received data is read from the received data separating means 11.
Step S902: Read non-safety data communication data from the transmission distribution processing means 14. The data delivered from the transmission distribution processing unit 14 will be described later.
Step S903: The destination address 2, the transmission source address 2, and the data identification information 2 are added to the data read in Step S902. The data of the destination address 1 is written to the destination address 2, the address of the safe / non-secure gateway 4 is written to the source address 2, and the safe / non-safe information is written to the data identification information 2. In addition, the CRC code of the message is calculated and written in the footer 2.
Step S904: A header such as a serial number is added according to the communication protocol.
Step S905: Communication with the non-safe node 8 is performed according to the destination address and the communication protocol.
Step S906: The data received from the non-safe node 8 is transferred to the transmission distribution means 14.

(7.3 Safety data distribution / communication processing)
FIG. 10A shows a flowchart of processing by the safety data distribution / communication means 13. FIG. 10B shows the configuration of a communication message used for communication between the safety node 5 and the safety / non-safety gateway 4. FIG. 10C shows the structure of data passed from the safety data distribution / communication means 13 to the transmission distribution means 14. The processing by the safe data distribution / communication means 13 is executed at a regular cycle. The following steps 1001 to 1007 represent communication processing performed from the safety / non-safety gateway 4 to the safety node 5, and steps 1007 to 1008 represent communication processing performed from the safety node 5 to the safety / non-safety gateway 4.
Step S1001: Read received data from the received data separating means 11.
Step S1002: Read non-safety data communication data from the transmission distribution means 14.
Step S1003: Destination address 2, source address 2, and data identification information 2 are added to the data read in step S1002. The data of the destination address 1 is written to the destination address 2, the address of the safe / non-secure gateway 4 is written to the source address 2, and the safe / non-secure information is written to the data identification information 2. In addition, the CRC code of the message is calculated and written in the footer 2.
Step S1004: The safety data distribution configuration of the data management table 9 is read.
Step S1005: Rewrite the destination address to the post-distribution address according to the safety data distribution configuration. Furthermore, the CRC code of the footer is recalculated and rewritten.
Step S1006: A header such as a serial number is added according to the communication protocol.
Step S1007: Communication is performed according to the destination address and the communication protocol.
Step S1008: When the destination address 2 is the local station, the data received from the safety node 5 is passed to the transmission distribution means 14. If the destination address 2 is not its own station, the communication message is transmitted to the address of the destination address 2.

(7.4 Transmission distribution processing)
FIG. 11A shows a flowchart of processing by the transmission distribution means 14. FIG. 11B shows the configuration of data handled by the transmission distribution unit 14. In addition, the process by the transmission distribution means 14 is performed with a fixed period.
-S1101: The transmission distribution configuration of the data management table 9 is read.
S1102: Read the data passed from the safety data distribution / communication means 13 and the non-safety data communication means 12.
-S1103: The data that matches the "destination address" of the transmission distribution configuration and whose "type" is safe is passed to the safe data distribution / communication means 13.
-S1104: The data that matches the "destination address" of the transmission distribution configuration and whose "type" is non-safe is passed to the non-safe data communication means 12.
S1105: Data that does not match the “destination address” of the transmission distribution configuration is passed to the transmission data combining unit 15.

(7.5 Transmission data combination processing)
FIG. 12A shows a flowchart of processing by the transmission data combining unit 15. FIG. 12B shows the structure of data passed to the LAN communication interface means. Note that the processing by the transmission data combining unit 15 is executed at regular intervals.
-S1201: The LAN transmission communication data configuration of the data management table 9 is read.
-S1202: The data passed from the transmission distribution means 14 is read.
-S1203: Embed the data in the communication data structure according to the LAN reception / transmission data structure.
-S1204: Source address 1, data identification information 1, and footer 1 are added. The address of the safe / non-safe gateway 4 is written in the transmission source address 1 and information such as the frame ID is written in the data identification information 1. In addition, the CRC code of the message is recalculated and written in the footer 1.
S1205: Pass the data to the LAN communication interface means 20.

(7.6 Communication interface processing)
Next, the process of the safety node 5 will be described in detail with reference to FIGS. 13A-16C.

FIG. 13A shows a flowchart of processing by the communication interface means 16. FIG. 13B shows the configuration of data used between the safety communication means 17 and the application 19. FIG. 13C shows the configuration of the communication message. Note that the processing by the communication interface means 16 is executed at regular intervals. The following steps S1301-1303 represent communication processing performed from the communication interface means 16 to the safety / non-safety gateway 4 or other safety nodes. Steps S1303-1304 represent communication processing performed from the safe / non-secure gateway 4 or other safety nodes to the communication interface means 16.
-S1301: The safety communication data is read from the safety communication means 17. Further, the non-safety communication data is read from the application 19.
-S1302: Destination address 2, source address 2, and data identification information 2 are added to the data read in step S1301. When the destination address 1 is another safety node, the address of the safety node is written in the destination address 2. Alternatively, when the destination address 1 is other than the safety node, the address of the safe / non-safe gateway 4 is written in the destination address 2. Further, the address of the safety node 5 is written in the transmission source address 2, and safety / non-safety information is written in the data identification information 2. Further, the CRC code of the message is calculated and written in the footer 2. Whether the destination address 1 is a safety node is identified by referring to the transmission distribution configuration of the data management / collation table 10.
S1303: Communicate with the secure / non-secure gateway 4 or other secure node according to the destination address and communication protocol.
-S1304: If the safety / non-safety information of the data identification information 2 included in the data received from the safe / non-safety gateway 4 is safe, the data is passed to the safe communication means 17, If there is, the data is passed to the application 19.

(7.7 Safety communication processing)
FIG. 14A shows a flowchart of processing by the safety communication means 17. FIG. 14B shows data exchanged between the safety communication means 17 and the communication interface means 16, between the safety communication means 17 and the application means 16, and between the safety communication means 17 and the reception verification means 18. The configuration is shown. Note that the safety communication means 17 is executed at regular intervals. The following steps S1401-1403 represent processing performed from the communication interface means 16 to the safety communication means 17. Steps S1404 to S1405 represent processing performed from the safety communication unit 17 to the communication interface unit 16.
S1401: Read data from the communication interface means 16.
-S1402: The safety information of the safety data is checked using the safety information of the safety data. An example of a safety check is shown below.
Check the sequence number and check if the data is received in the correct order Check the time stamp and check if it is updated within the allowable time Check the destination address and check whether the message destination is correct Check the safety code Then, the integrity of the safety data is confirmed—S1403: The data received from the communication interface means 16 is passed to the application 19 and the reception verification means 18.
-S1404: Data is read from the application 19 and the reception verification means 18.
S1405: A sequence number, a time stamp, and a safety code are added to the safety data. In addition, the CRC code of the message is recalculated and written in the footer 1.

(7.8 Reception verification processing)
FIG. 15A shows a flowchart of processing by the reception matching means 18. 15B is exchanged between the reception verification unit 18 and the communication interface unit, between the reception verification unit 18 and the application 19, and between the reception verification unit 18 and the reception verification unit 18 of another safety node. Represents the data structure. The reception verification unit 18 is executed at a regular cycle. The following step S1502 represents a transmission process performed from the reception collation unit 18 to the collation destination. Steps S1503-1505 represent reception processing performed from the collation destination to the reception collation unit 18.
-S1501: Read data from the safety communication means 17.
-S1502: When the transmission source address 1 matches the verification transmission source address in the verification table of FIG. 7B, the verification destination address other than the safety node is written in the destination address 1. Furthermore, the address of the safety node is written in the source address 1. Then, for verification, the data is passed to the safety communication means 17 and the transmission to the verification destination is requested.
-S1503: If the source address 1 matches the collation destination address in the collation table of FIG. 7B, the data transmission source address 1 is the collation source address in the same table from the safety communication means 17 before this processing. And whether the same data identification information 1 is received.
-S1504: If the same data identification information 1 has been received in step S1503, the safety data is verified. If they match as a result of the collation, the application 19 is notified of normality. If they do not match as a result of the collation, the application 19 is notified of an abnormality. If the collation data is not received within the designated time, the application 19 is notified that the time is over.

(7.9 Application processing)
FIG. 16A shows a flowchart of processing by the application 19. FIG. 16B shows the configuration of safe transmission / reception data. FIG. 16C shows the configuration of non-secure transmission / reception data. The application 19 is executed at regular intervals.
-S1601: Data is read from the safety communication means 17.
-S1602: The safety function corresponding to the safety data is processed.
-S1603: Data is read from the reception collation means 18.
-S1604: If the collation result is normal, that fact is recorded. When the collation result is abnormal, the system shifts to a safe state such as a system stop as a reaction corresponding to the abnormality. When the collation result is time-over, the collation destination is abnormal, and the reaction shifts to a safe state such as one-lung driving.
S1605: Data is read from the communication interface means 16.
-S1606: The non-safety function corresponding to non-safety data is processed.
-S1607: Safety transmission data is generated by the output of the safety function processing, and the safety communication means 17 is requested to transmit. Note that the footer 1 of the safe transmission data is blank. (Footer 1 data is created by the processing in the safety communication means 17.)
-S1608: The non-safe transmission data is generated by the output of the safety function / non-safe function processing, and the communication interface means 16 is requested to transmit. If necessary, a footer 1 for non-secure communication data is added. In the case of non-secure communication data, the CRC code of communication data is not essential.

  As described above, in one embodiment of the present invention, a safety / non-safety gateway is provided instead of a LAN communication node at the interface of the safety node and non-safety node included in the safety communication system with the LAN. Thereby, the communication path of the safety node and the communication path of the non-safety node are separated. As a result, the number of nodes for LAN communication can be reduced, and costs can be reduced. In addition, the safety node and the non-safety node can use serial communication, bus connection, and LAN communication with different protocols, and communication flexibility is expanded. Furthermore, by separating the communication path of the safety node and the communication path of the non-safety node, the safety communication path is not affected by the failure of the non-safety communication path, and the availability is improved. Furthermore, the number of safety nodes can be easily increased, and the expandability of the safety nodes is improved.

1 Safety controller 2 LAN communication node 3 LAN
4 Safety / non-safety gateway 5 Safety node 6 Safety communication path 7 Non-safety communication path 8 Non-safety node 9 Data management table 10 Data management / collation table 11 Received data separation means 12 Non-safety data communication means 13 Safe data distribution / communication means 14 Transmission distribution means 15 Transmission data combination means 16 Communication interface means 17 Safety communication means 18 Reception collation means 19 Application 20 LAN communication interface means

Claims (8)

A safety node that performs safety function processing, a safety controller that controls the safety node, and a gateway that communicates with a non-safety node that does not perform safety function processing,
An interface for communicating with the safety controller through a LAN;
Received data separation means for separating data in a predetermined format received from the safety controller through the interface into data addressed to the safety node or data addressed to the non-safety node;
Safety data communication means for communicating with the safety node through a safety channel;
Non-secure data communication means for communicating with the non-secure node through a non-secure channel;
Have
Data received from the safety node through the safety channel or data received from the non-safe node through the non-safe channel is combined with the predetermined format and transmitted to the safety controller.
gateway. The safety data communication means replicates data addressed to the safety node and transmits the data to a plurality of safety nodes, respectively.
The data transmitted to the plurality of safety nodes is collated between the plurality of safety nodes, and an abnormal state is detected based on the result of the collation.
The gateway according to claim 1. The safety channel and the non-safe channel are provided independently,
The gateway according to claim 1 or 2. The safety channel is configured by a serial bus, and the non-safe channel is configured using a dual port RAM.
The gateway according to claim 3. The safety channel and the non-safe channel each constitute a LAN.
The gateway according to claim 3. A safety node that performs safety function processing, a safety controller that controls the safety node, a non-safety node that does not perform safety function processing, and a gateway,
The safety controller is
A first interface for communicating with the gateway through a LAN;
The gateway is
A second interface for communicating with the safety controller;
Received data separating means for separating data in a predetermined format received from the safety controller through the second interface into data addressed to the safety node or data addressed to the non-safety node;
Safety data communication means for communicating with the safety node through a safety channel;
Non-secure data communication means for communicating with the non-secure node through a non-secure channel;
Have
Data previously received from the safety node through the safety channel or data received from the non-safe node through the non-safe channel, coupled to the predetermined format and transmitted to the safety controller;
The safety node is
A third interface for communicating with the gateway through the safety channel;
The non-safety node is
A fourth interface for communicating with the gateway through the non-secure channel;
system. A method of communicating with a safety node that performs safety function processing, a safety controller that controls the safety node, and a non-safety node that does not perform safety function processing,
A received data separation step of separating data in a predetermined format received from the safety controller through a LAN into data addressed to the safety node or data addressed to the non-safety node;
A safety data communication stage communicating with the safety node through a safety channel;
A non-secure data communication stage communicating with the non-secure node through a non-secure channel;
Combining the data received from the safety node through the safety channel or the data received from the non-safe node through the non-safe channel into the predetermined format;
Transmitting the combined data to the safety controller;
Having a method. A method for detecting an abnormal state based on data received from a safety controller that controls a safety node that performs safety function processing,
A received data separation step in which the gateway separates data in a predetermined format received from the safety controller through the LAN into data addressed to the safety node or data addressed to the non-safety node;
A replication stage in which the gateway replicates data destined for the secure node;
A data transmission stage in which the gateway transmits the copied data to a plurality of safety nodes through a safety channel different from the non-safety channel to which the non-safety node is connected;
A collation stage in which one of the plurality of safety nodes collates the data received from the gateway with the data received by another safety node different from the safety node;
A detection stage in which one of the plurality of safety nodes detects an abnormal state based on the result of the verification;
Having a method.

Images