JP2020043445A - Radio communication system and radio communication method - Google Patents

Abstract

To prevent unintended operation of an industrial machinery surely at the time of emergency or the like.SOLUTION: An encryption processing part 67b of a portable operation unit 30 generates a safety state release code as data of multiple bits, by encryption processing using a key stored in the portable operation unit 30. The safety state release code is data transmitted wirelessly from a remote control side communication unit 67a of the portable operation unit 30, for indicating that operation of a stacker crane 12 is permitted by an enable switch 65 of the portable operation unit 30. A verification processing part 28b of a second receiving part 22 determines whether or not the data, received by a communication part 28a wirelessly, indicates permission of operation of the stacker crane 12, by verification processing using the key stored in the second receiving part 22. When the verification processing part 28b determines that operation of the stacker crane 12 is permitted, the second receiving part safety section 29 of the second receiving part 22 permits the operation.SELECTED DRAWING: Figure 4

Description

  The present invention relates mainly to wireless communication systems.

  2. Description of the Related Art Communication systems capable of operating industrial machines using wireless communication have been known. Patent Document 1 discloses this type of automatic driving device system.

  Patent Document 1 discloses an automatic driving device system including a control device and an operation terminal. The control device and the operation terminal can transmit and receive information via wireless communication. The control device is a device that controls the operation of the stacker crane. A portable device used for remote operation of the stacker crane is communicably connected to the operation terminal. The operation terminal includes a push-button enable switch for enabling manual operation of the stacker crane via the portable device.

  In this automatic driving device system, when the enable switch is pressed by the operator, the operation instruction from the portable device is determined to be valid, and the operation instruction is output to the control device. Then, the control device controls the operation of the stacker crane based on an operation instruction from the mobile device.

JP 2018-39625 A

  However, in the configuration of Patent Document 1, for example, when a falsified or spoofed signal is wirelessly received, the operation instruction of the portable device becomes valid even though the enable switch is not pressed. there is a possibility. Therefore, there is a need to reduce the possibility that the stacker crane operates without the intention of the operator.

  The present invention has been made in view of the above circumstances, and an object of the present invention is to provide a wireless communication system capable of reliably preventing an industrial machine from unintentionally operating in an emergency or the like.

Means and effects for solving the problem

  The problem to be solved by the present invention is as described above. Next, means for solving the problem and its effects will be described.

  According to a first aspect of the present invention, there is provided a wireless communication system having the following configuration. That is, this wireless communication system includes a transmitter and a receiver. The transmitter wirelessly transmits the instruction. The receiver controls an industrial machine according to an instruction received from the transmitter. The transmitter includes an enable operation unit, an encryption processing unit, and a transmission unit. The enable operation unit is operated to permit an operation of the industrial machine according to an operation of the transmitter. The encryption processing unit generates the operation permission data as a plurality of bits of data by performing an encryption process using a key stored in the transmitter. The operation permission data is data that is wirelessly transmitted from the transmitter to indicate that the operation of the industrial machine is permitted by the enable operation unit. The transmitting unit wirelessly transmits the operation permission data generated by the encryption processing unit to the receiver. The receiver includes a receiving unit, a check processing unit, and a control unit. The receiving unit receives a plurality of bits of data. The check processing unit, by a check process using a key stored in the receiver, the multi-bit data wirelessly received by the receiving unit, the operation of the industrial machine is permitted by the enable operation unit It is determined whether or not it indicates that The control unit performs control for permitting the operation of the industrial machine when the verification processing unit determines that the data indicates that the operation of the industrial machine is permitted.

  Accordingly, the operation permission data indicating that the operation of the industrial machine is permitted is encrypted, so that it is difficult to falsify and disguise the signal. Therefore, unintended operation of the industrial machine in an emergency can be reliably prevented. In addition, security when operating the industrial machine with the transmitter can be improved.

  In the above wireless communication system, the following configuration is preferable. That is, while the operation of the industrial machine is permitted by the operation of the enable operation unit, the transmission unit repeatedly transmits the operation permission data. The encryption processing unit changes the key used for the encryption process for generating the operation permission data every time the transmission unit transmits the operation permission data. The verification processing unit changes the key used for the verification process each time the reception unit receives the operation permission data from the transmission unit.

  As a result, the key of the encryption process changes every time the operation permission data is transmitted, so that it becomes more difficult to falsify and disguise the signal.

  In the above wireless communication system, the following configuration is preferable. That is, the encryption processing unit determines the key used in the encryption process for generating the operation permission data based on a communication count value that is a value obtained by counting the number of times that the transmission unit performs wireless communication. The verification processing unit determines the key used for the verification processing based on the communication count value.

  Thus, by changing the key of the encryption process according to the number of times of wireless communication, it is possible to make it difficult to falsify and disguise a signal with a simple configuration.

  In the above wireless communication system, the following configuration is preferable. That is, the encryption processing unit generates the operation permission data based on identification information for uniquely identifying the transmitter. The check processing unit performs the check processing based on the identification information of the transmitter.

  As a result, the safety state release code differs depending on the transmitter. Therefore, falsification and disguise of the signal can be made more difficult.

  In the above wireless communication system, the following configuration is preferable. That is, in the transmitter, when the operation of the industrial machine is not permitted by the enable operation unit, the transmission unit transmits operation inhibition data to the receiver. In the receiver, when the receiving unit receives the operation prohibition data, the control unit controls the industrial machine so as not to operate.

  This makes it possible to appropriately realize a state where the industrial machine is stopped in an emergency or the like.

  In the above wireless communication system, the following configuration is preferable. That is, the transmitter includes a portable terminal and a transmitter main body. The mobile terminal is operated to operate the industrial machine. The transmitter main body is provided with the enable operation unit. The transmitter body is connected to the mobile terminal via a wired cable. The mobile terminal performs wireless communication for operating the industrial machine in accordance with an operation of the mobile terminal. The transmitter main body performs wireless communication for permitting operation of the industrial machine.

  Thereby, the industrial machine can be controlled by linking the portable terminal and the transmitter body.

  According to a second aspect of the present invention, the following wireless communication method is provided. That is, this wireless communication method includes an encryption step, a transmission step, a check step, a first control step, and a second control step. In the encrypting step, in a communication system including a transmitter that wirelessly transmits an instruction and a receiver that controls an industrial machine in accordance with the instruction received from the transmitter, the transmission is performed by an enable operation unit included in the transmitter. When the operation of the industrial machine according to the operation of the machine is permitted, the transmitter converts the operation permission data into data of a plurality of bits by an encryption process using a key stored in the transmitter. Generate. The operation permission data is data indicating that the operation of the industrial machine is permitted. In the transmitting step, the transmitter transmits the operation permission data to the receiver. In the checking step, whether or not the multi-bit data received by the receiver wirelessly indicates that the operation of the industrial machine is permitted is determined by using a key stored in the receiver. Judge by the verification process. In the first control step, when the data indicates that the operation of the industrial machine is permitted in the checking step, control for permitting the operation of the industrial machine is performed. In the second control step, if the data does not indicate that the operation of the industrial machine is permitted in the checking step, control is performed so that the industrial machine is not operated.

  Accordingly, the operation permission data indicating that the operation of the industrial machine is permitted is encrypted, so that it is difficult to falsify and disguise the signal. Therefore, unintended operation of the industrial machine in an emergency can be reliably prevented. In addition, security when operating the industrial machine with the transmitter can be improved.

The top view which shows typically the structure of the automatic warehouse in which the wireless communication method which concerns on one Embodiment of this invention is performed. The figure explaining the structure of one stacker crane which comprises an automatic warehouse. FIG. 2 is a block diagram illustrating a configuration of a control system of the stacker crane. FIG. 2 is a block diagram showing a configuration of a safety signal system. FIG. 4 is a perspective view showing a configuration of a second receiving unit. FIG. 2 is a front view showing a portable operation unit configured by attaching a tablet to a portable remote controller. The side view of a portable operation unit. The figure explaining the generation | occurrence | production procedure of a safe state release code. FIG. 9 is a sequence diagram illustrating communication performed between the portable remote controller and the second receiving unit regarding permission of operation of the stacker crane in the manual operation mode. The figure explaining the generation | occurrence | production procedure of the safe state release code in a modification.

  Next, an embodiment of the present invention will be described with reference to the drawings. FIG. 1 is a plan view schematically showing a configuration of an automatic warehouse 1 in which a wireless communication method according to one embodiment of the present invention is performed. FIG. 2 is a diagram illustrating a configuration of one stacker crane 12 that configures the automatic warehouse 1. FIG. 3 is a block diagram showing a configuration of the control system 10 of the stacker crane 12. FIG. 4 is a block diagram showing a configuration of the safety signal system 20.

  The automatic warehouse 1 shown in FIG. 1 includes a plurality of stacker racks 11 and a plurality of stacker cranes (industrial machines) 12. The stacker rack 11 has a large number of storage spaces capable of storing luggage such as parts and materials. The stacker crane 12 automatically carries in / out the load into / from the storage space of the stacker rack 11. The automatic warehouse 1 can automatically store the luggage in the stacker rack 11 and automatically unload the luggage stored in the stacker rack 11 via the stacker crane 12.

  As shown in FIG. 2, each stacker crane 12 includes a traveling vehicle 13 that travels along a track, an elevating platform 14 that can move up and down, and a crane controller that controls the operations of the traveling vehicle 13 and the elevating platform 14. A machine controller) 2.

  The stacker crane 12 can operate by selecting an operation mode from an automatic operation mode and a manual operation mode. In the automatic operation mode, the stacker crane 12 moves automatically according to pre-programmed rules. In the manual operation mode, the stacker crane 12 moves according to an operation instruction of an operator.

  The crane controller 2 shown in FIGS. 2 and 3 includes, for example, a known control unit including a CPU, a ROM, a RAM, an input / output unit, and the like. The ROM stores various programs, data (rules) related to automatic driving, and the like. The CPU can read various programs from the ROM and execute them.

  When the automatic operation mode is selected as the operation mode of the stacker crane 12, the crane controller 2 controls the operation of the traveling vehicle 13 and the elevator 14 based on the stored data on the automatic operation and the like.

  When the manual operation mode is selected as the operation mode of the stacker crane 12, the crane controller 2 receives the operation instruction from the operator received via the first receiving unit 21 and the operation instruction received via the second receiving unit 22. The operation of the traveling vehicle 13 and the lift 14 is controlled according to the state signal of the switch.

  In order to prevent contact with luggage and the like, an area including an operation area of the stacker crane 12 in the automatic warehouse 1 is partitioned by a fence 9 or the like as shown in FIG. 2, and the area is defined as a restricted area. For example, a sensor is provided on a door provided on the fence 9 to detect that the operator enters the operation area for performing maintenance or the like. However, doors and sensors are omitted in FIG. When the sensor detects that the door has been opened while the stacker crane 12 is moving in the automatic operation mode, the operation of the stacker crane 12 automatically stops.

  The automatic warehouse 1 includes a first receiving unit 21 and a second receiving unit (receiver) 22. The first receiving unit 21 and the second receiving unit 22 are each configured as a communication device, and are installed near the crane controller 2 in the stacker crane 12. The first receiving unit 21 and the second receiving unit 22 are electrically connected to the crane controller 2. The first receiving unit 21 and the second receiving unit 22 are provided one for each stacker crane 12.

  The first receiving unit 21 wirelessly communicates with a tablet 5 described later via a wireless LAN. A wireless LAN has a plurality of wireless communication channels, and transmits data using radio waves, infrared rays, and the like. In the present embodiment, Wi-Fi (Wi-Fi is a registered trademark) is used as the wireless LAN. Through this wireless communication, the first receiving unit 21 receives an operation instruction input to the tablet 5 when the operator operates the tablet 5. Examples of the operation instruction include an instruction to run the traveling vehicle 13 and an instruction to move the elevator 14 up and down. The first receiving unit 21 outputs signals indicating these instructions to the crane controller 2 as control signals for controlling the operation of the stacker crane 12.

  The second receiving unit 22 wirelessly communicates with a portable remote controller 6 described later via a wireless LAN. Through this wireless communication, the second receiving unit 22 receives various status signals. Examples of the state signal include a state signal of an emergency stop switch, a state signal of an enable switch for validating an operation instruction from the tablet 5, and the like. The second receiving unit 22 outputs the received state signal to the crane controller 2 as a control signal for controlling the operation of the stacker crane 12. The first receiving unit 21 and the second receiving unit 22 each perform wireless communication using different frequency bands or channels.

  Next, the second receiving unit 22 will be described in detail with reference to FIG. FIG. 5 is a perspective view showing the configuration of the second receiving unit 22.

  As shown in FIG. 5, the second receiving unit 22 includes a second receiving unit status display unit 23 and a second receiving unit power connector 24.

  The second receiving unit status display unit 23 includes three lamps including a power lamp, a status lamp, and a WLAN lamp. Each lamp is configured as an LED. The second receiving unit status display unit 23 indicates various operating states of the second receiving unit 22 by a combination of a lighting color and a lighting state (lighting / flashing) of each LED.

  A power cable 91 is connected to the second receiving section power connector 24. Power required for the operation of the second receiving unit 22 is supplied via the power cable 91. The power cable 91 includes a plurality of electric wires, and the power cable 91 functions not only as a power supply but also as a signal cable for inputting and outputting signals.

  The second receiving unit 22 is provided with a connector (not shown) for electrically connecting the antenna cable 93 in addition to the second receiving unit power connector 24. A radio antenna (not shown) for transmitting and receiving radio waves is connected to the antenna cable 93.

  As shown in FIG. 4, the second receiving unit 22 includes a second receiving unit radio unit 28 and a second receiving unit safety unit (control unit) 29. The second receiving unit radio unit 28 and the second receiving unit safety unit 29 are connected by, for example, a UART and perform serial communication. UART is an abbreviation for Universal Asynchronous Receiver / Transmitter.

  The second receiving unit wireless unit 28 is configured as a computer (specifically, a wireless communication module) and includes a CPU, a ROM, a RAM, and the like. The second receiving unit wireless unit 28 performs wireless communication with the portable remote controller 6. Specifically, the second receiving unit radio unit 28 includes a communication unit (receiving unit) 28a and a check processing unit 28b. The communication section 28a can transmit and receive data to and from the portable remote controller 6 (specifically, a remote-control-side communication section 67a provided in a portable remote-control wireless section 67 described later). In a predetermined case, the verification processing unit 28b determines whether the multi-bit data received by the communication unit 28a is genuine by performing an appropriate calculation. The detailed configuration of the second receiving unit wireless unit 28 will be described later.

  The second receiving unit safety unit 29 is configured as a computer, and includes a CPU, a ROM, a RAM, and the like. The second receiving unit safety unit 29 is used as a functional safety unit. Specifically, the second receiving unit safety unit 29 determines whether or not the stacker crane 12 should be in a safe state in which the stacker crane 12 does not operate, based on the result of the communication of the second receiving unit wireless unit 28 with the portable remote controller 6. And outputs a safety state request signal to the crane controller 2 as necessary.

  As shown in FIG. 3, the automatic warehouse 1 of the present embodiment includes a control system 10 for controlling a stacker crane 12. The control system 10 includes a control instruction transmitter 3 for an operator to instruct the stacker crane 12. The control instruction transmitter 3 includes one or a plurality of transmitters. Each of the transmitters communicates with the crane controller 2 by wireless LAN via the first receiving unit 21 and the second receiving unit 22.

  The control instruction transmitter 3 includes a portable operation unit (transmitter) 30. The portable operation unit 30 will be described in detail with reference to FIGS. FIG. 6 is a front view showing the portable operation unit 30 configured by attaching the tablet 5 to the portable remote controller 6. FIG. 7 is a side view of the portable operation unit 30.

  The portable operation unit 30 includes a tablet (portable terminal) 5 and a portable remote controller (transmitter main body) 6. The remote control is an abbreviation of a remote controller.

  The tablet 5 constituting the portable operation unit 30 is a known tablet computer including a CPU, a ROM, a RAM, an input / output unit, and the like. The tablet 5 is provided with a touch panel display 51. The touch panel display 51 has a configuration in which a touch panel (operation unit) operated by an operator touching with a finger and a display (display unit) for displaying various information are integrated.

  The tablet 5 has a built-in wireless antenna (not shown), and can wirelessly communicate with the first receiving unit 21 as shown in FIG. The tablet 5 receives various instructions such as an instruction to switch the operation mode of the stacker crane 12 and an operation instruction to move the stacker crane 12 in the manual operation mode of the stacker crane 12 according to the operation of the operator. 21 by radio.

  The portable remote control 6 is used in combination with the tablet 5 to control the operation of the stacker crane 12 in the manual operation mode of the stacker crane 12. The portable remote controller 6 has a built-in wireless antenna (not shown), and can wirelessly communicate with the second receiver 22 as shown in FIG.

  As shown in FIGS. 6 and 7, the portable remote controller 6 has a portable remote controller status display section 60, a power button 61, a remote controller power connector 62, a USB cable (wired cable) 64, and an enable switch (enable operation). ) 65 and a portable-side emergency stop switch 66.

  As shown in FIG. 6, the portable remote control status display unit 60 includes three lamps including a power lamp, a charging lamp, and a status lamp. Each lamp is configured as an LED. The portable remote control state display unit 60 indicates various operation states of the portable remote controller 6 by a combination of a lighting color of each LED and a lighting state (lighting / flashing).

  The power button 61 is configured as a push button switch. By pressing the power button 61, it is possible to switch whether or not power is supplied from a rechargeable battery (not shown) included in the portable remote controller 6. Thereby, ON / OFF of the power supply of the portable remote controller 6 is realized.

  A cable (not shown) for charging the above-described rechargeable battery can be connected to the remote control power supply connector 62.

  The USB cable 64 is drawn out of the housing of the portable remote controller 6. The USB cable 64 is configured as a data communication cable, and can be connected to the tablet 5. By attaching the tablet 5 to a holder provided in the portable remote controller 6 and connecting the USB cable 64 to the tablet 5, the tablet 5 and the portable remote controller 6 can function as the portable operation unit 30 in cooperation with each other.

  The enable switch 65 is composed of, for example, a push button switch. The enable switch 65 is provided on a side surface of the portable remote controller 6 so that the operator can press the portable remote controller 6 while holding the same with one hand. When the stacker crane 12 is in the manual operation mode, the enable switch 65 is pressed with a certain operation force to indicate that the operation of the stacker crane 12 is permitted. Even if the enable switch 65 is once pressed, if the operating force is released, it returns from the pressed state to the original state. Therefore, when an unexpected situation such as falling down occurs for the operator, the operation of the stacker crane 12 can be immediately rejected.

  In the present embodiment, the enable switch 65 is configured as a three-position switch. When the operator presses the enable switch 65 with a strong force, it is handled in the same manner as when the enable switch 65 is not pressed. Accordingly, even when the operator does not release the finger from the enable switch 65 in an emergency and presses the switch strongly strongly, the operation of the stacker crane 12 can be appropriately stopped.

  The portable-side emergency stop switch 66 is configured as, for example, a push button switch. The portable emergency stop switch 66 is provided on the front of the portable remote controller 6. The portable emergency stop switch 66 is pressed when the stacker crane 12 is to be emergency stopped in the manual operation mode of the stacker crane 12. Once depressed, the portable emergency stop switch 66 remains depressed, even if the operating force is released. The pressed state is released by turning or pulling the mobile-side emergency stop switch 66 to the right.

  As shown in FIG. 4, the portable remote controller 6 is provided with a portable remote controller wireless unit 67 and a portable remote controller safety unit 68. The portable remote controller wireless section 67 and the portable remote controller safety section 68 are connected by, for example, a UART and perform serial communication.

  The portable remote control wireless section 67 is configured as a computer (specifically, a wireless communication module) and includes a CPU, a ROM, a RAM, and the like. The portable remote control wireless section 67 performs wireless communication with the second receiving section wireless section 28 included in the second receiving section 22. Specifically, the portable remote control wireless section 67 includes a remote control communication section 67a (transmitting section) and an encryption processing section 67b. The remote control side communication unit 67a can transmit and receive data to and from the second reception unit 22 (specifically, the communication unit 28a included in the second reception unit wireless unit 28). The encryption processing unit 67b encrypts a plurality of bits of data transmitted by the remote control communication unit 67a in a predetermined case. The detailed configuration of the portable remote control wireless section 67 will be described later.

  The portable remote controller safety section 68 is configured as a computer, and includes a CPU, a ROM, a RAM, and the like. The portable remote control safety section 68 is used as a functional safety section. Specifically, the portable remote control safety section 68 is electrically connected to the enable switch 65 and the portable emergency stop switch 66.

  Then, the portable remote control safety section 68 outputs a safety state release signal or a safety state request signal to the portable remote control wireless section 67 according to the states of the enable switch 65 and the portable emergency stop switch 66.

  The safe state means a state in which the operation of the stacker crane 12 is stopped, and is a state required in an emergency. The release of the safe state means a state in which the operation of the stacker crane 12 is permitted.

  When the enable switch 65 is pressed with an appropriate operation force and the portable emergency stop switch 66 is not pressed, the portable remote controller 6 outputs a safe state release signal to the portable remote controller wireless unit. 67 is output. In response to this, the portable remote controller wireless section 67 transmits a safe state release signal to the second receiver wireless section 28 of the second receiver 22.

  When the enable switch 65 is not pressed or strongly pressed, the portable remote controller 6 outputs a safe state request signal to the portable remote controller wireless section 67. When the portable emergency stop switch 66 is pressed, the portable remote controller 6 outputs a safety state request signal to the portable remote controller wireless section 67. In response to this, the portable remote controller wireless section 67 transmits a safety state request signal to the second receiver wireless section 28 of the second receiver 22.

  As described above, the control system 10 controls the operation of the stacker crane 12 in an emergency in addition to the operation instruction signal system (the first receiving unit 21 and the tablet 5) for communicating an operation instruction signal for operating the stacker crane 12. A safety signal system (wireless communication system) 20 is provided for communicating a signal for blocking and realizing a safe state. As shown in FIG. 4, the safety signal system 20 includes a second receiving unit 22 and the portable remote controller 6.

  Focusing on the wireless communication path, when operating the stacker crane 12 in the manual operation mode, signals are exchanged between the crane controller 2 and the portable operation unit 30 operated by the operator through two wireless communication paths. Will be. The first wireless communication path is established between the first receiving unit 21 and the tablet 5. The second wireless communication path is established between the second receiving unit 22 and the portable remote controller 6.

  As described above, since the wireless communication path of the operation instruction signal for controlling the operation of the stacker crane 12 and the signal for realizing the safety state of the stacker crane 12 are separated, the safety state request signal is transmitted in an emergency. The transmission is transmitted to the second receiving unit 22 without delay, so that the stacker crane 12 can be stopped immediately without fail.

  In the present embodiment, a safety signal system 20 is constructed by wireless communication in addition to the signal system for operating the stacker crane 12. Therefore, the signal cable does not get caught on the machine, and the handling is excellent. Further, the portable operation unit 30 can be made lighter by the amount of the signal cable, and the burden on the operator can be reduced.

  However, since it is not necessary to physically connect the communication devices with each other with a signal cable, it is difficult to notice, for example, when someone attempts to transmit some signal with the intention of disguise.

  In the safety signal system 20, a plurality of portable remote controllers 6 and second receiving units 22 may exist. In consideration of this, in the safety signal system 20, appropriate identification information is used to uniquely identify the portable remote controller 6 and the second receiver 22. The identification information facilitates identification of a communication partner and management of devices. The format of the identification information is arbitrary, but in the present embodiment, the lower 24 bits of the MAC address used in the wireless LAN are extracted. Hereinafter, this identification information may be referred to as an ID.

  In order to communicate with the second receiving unit 22, each portable remote controller 6 is used as the portable operation unit 30 with the tablet 5 mounted. Therefore, in relation to the second receiving section 22, the portable remote controller 6 can be identified with the portable operation unit 30 including the same. That is, the corresponding portable operation unit 30 can be substantially uniquely identified by the ID of the portable remote controller 6. Also in the following description, the portable remote control 6 may substantially mean the portable operation unit 30.

  Next, transmission of the safe state release signal and the safe state request signal from the portable remote controller 6 will be described. FIG. 8 is a diagram illustrating a procedure for generating a safe state release code.

  In the IEEE 802.11 wireless LAN standard, a format of a frame of a wireless packet exchanged between wireless stations is defined in a MAC layer which is a part of a data link layer in the OSI network reference model. This frame is called a MAC frame. In the safety signal system 20 of the present embodiment, the remote control communication section 67a of the portable remote control radio section 67 and the communication section 28a of the second reception section radio section 28 perform communication frames according to the MAC frame format when wirelessly transmitting data. Generate

  The portable remote controller wireless section 67 included in the portable remote controller 6 generates a communication frame in order to transmit either the secure state release signal or the secure state request signal to the second receiver wireless section 28 via a wireless LAN. This communication frame includes a frame body, a MAC header, and an error detection unit.

  The frame body is a portion where substantial data is described. The frame body stores a plurality of bit strings indicating a safe state release signal or a safe state request signal.

  The MAC header is added to the head of the frame body. The MAC header contains various control information such as the MAC address of the destination. In a predetermined portion (sequence control field) of the MAC header, a sequence number defined so as to increase by one each time one communication frame is transmitted is described. This sequence number corresponds to the communication count value.

  The error detector is added to the end of the frame body, and stores the MAC header and the error detection code of the frame body.

  When transmitting the communication frame of the secure state release signal, the remote controller side communication unit 67a describes a bit string (safety state release code) generated by the encryption processing unit 67b by a predetermined algorithm in the frame body. This safe state release code corresponds to the operation permission data.

  A bit string correspondence table shown in FIG. 8 is stored in the portable remote control wireless unit 67 in advance. This table associates key numbers from 0 to F in hexadecimal with 16 different keys. Each key is a bit string composed of a plurality of bits (8 bits in this embodiment).

  When the remote-control-side communication unit 67a of the portable remote control wireless unit 67 generates a communication frame to transmit the secure state release signal, the encryption processing unit 67b extracts the lower 4 bits of the sequence number to be described in the MAC header. . The encryption processing unit 67b specifies a number corresponding to the lower 4 bits of the sequence number from the key numbers in the table of FIG. 8, and acquires a key corresponding to the key number.

  The encryption processing unit 67b extracts the lower 8 bits of the ID of the own device and obtains the logical product with the bit string of the key. The bit string obtained in this manner is stored in the frame body as information (safety state release code) indicating a safe state release signal.

  A specific example will be described. It is assumed that the portable remote control safety unit 68 detects a state in which the enable switch 65 is pressed with an appropriate operation force and the portable emergency stop switch 66 is not pressed. In this case, the portable remote control safety unit 68 outputs to the portable remote control wireless unit 67 a message indicating that a safe state release signal should be transmitted.

  The encryption processing unit 67b of the portable remote control wireless unit 67 acquires the sequence number for the next transmission of the communication frame from the storage unit provided in the portable remote control wireless unit 67, and extracts the lower 4 bits. If the sequence number is “0A24” in hexadecimal, and the lower 4 bits are extracted, the key number becomes “4” in hexadecimal. Therefore, it can be seen from the key table that the corresponding key is “11001100” in binary. On the other hand, if the ID of the portable remote controller 6 is “1D2B55” in hexadecimal, the lower 8 bits of the ID are “55” in hexadecimal, which is “01010101” in binary. The logical product of the lower 8 bits of the ID and the key bit string is “01000100”.

  The result of this logical product “01000100” is the safe state release code. In the present embodiment, a series of processes from acquisition of a key number to calculation of a logical product corresponds to an encryption process (encryption step).

  The remote-control-side communication unit 67a of the portable remote control wireless unit 67 stores the bit string “01000100” in the frame body, and as a communication frame of the sequence number “0A24”, the second reception unit wireless unit 28 of the second reception unit 22 Send to

  When the communication unit 28a receives a communication frame from the portable remote control wireless unit 67, the check processing unit 28b included in the second reception unit wireless unit 28 sets the bit string “01000100” (received data) stored in the frame body to the safe state. Check whether the code is correct as the release code.

  Hereinafter, a specific description will be given. The second reception unit radio unit 28 stores the same key table as that stored in the portable remote control radio unit 67. The verification processing unit 28b of the second receiving unit wireless unit 28 acquires the sequence number “0A24” from the MAC header of the communication frame. Then, the key “11001100” is obtained from the key table based on the key number (“4” in hexadecimal) indicated by the lower 4 bits of the sequence number.

  When the second receiving unit wireless unit 28 establishes a wireless connection with the portable remote controller 6, IDs are exchanged with each other, and a process is performed in which both devices store the other party's ID. Therefore, the second receiving unit wireless unit 28 stores the ID “1D2B55” of the portable remote controller 6 in advance. The verification processing unit 28b of the second receiving unit wireless unit 28 calculates the logical product of the lower 8 bits “01010101” of the ID of the portable remote controller 6 that has received the communication frame and the key generation bit string “11001100”. Ask. The result of the logical product is “01000100”.

  The verification processing unit 28b compares the result of the logical product “01000100” with the bit string stored in the frame body. In the present embodiment, a series of processes from acquisition of a key number to comparison of a bit string corresponds to a verification process (a verification step).

  The bit string of the logical product matches the bit string stored in the frame body. Accordingly, the verification processing unit 28b determines that the secure state release code is genuine (in other words, the secure state release signal has been received), and the second receiving unit wireless unit 28 determines that the secure state release code is correct. Output to the unit 29. In response, the second receiving unit safety unit 29 outputs a signal to the effect that the operation of the stacker crane 12 is permitted to the crane controller 2. Thereby, the operation instruction to the stacker crane 12 by the tablet 5 becomes effective.

  As described above, of the data transmitted from the portable remote controller 6 to the second receiving unit 22, the bit string (safety state release code) indicating the secure state release signal is determined according to the sequence number of the communication frame and the portable state. It changes variously according to the ID of the type remote controller 6. In particular, as will be described later, when the operator operates the stacker crane 12 in the manual operation mode, the communication frame including the safety state release signal is repeatedly transmitted from the portable remote controller 6 to the second receiver 22. Since the key changes cyclically as the number increases, a signal having a different content (bit string) is transmitted as a safe state release signal each time.

  For example, when the ID of the portable remote controller 6 is “1D2B55”, in the communication frame with the sequence number “0A24”, the safe state release code is “01000100”, whereas the communication number with the next transmitted sequence number “0A25” is transmitted. In the communication frame, the safe state release code is “00000101”.

  Therefore, it is difficult to falsify and disguise the safe state release signal, and security can be improved.

  Next, a case where the portable remote controller 6 transmits a safety state request signal will be described. It is assumed that the portable remote control safety unit 68 detects a state where the enable switch 65 is not pressed, a state where the enable switch 65 is strongly pressed, or a state where the portable emergency stop switch 66 is pressed. In this case, the portable remote control safety unit 68 outputs to the portable remote control wireless unit 67 that a safety state request signal should be transmitted.

  The portable remote controller radio section 67 does not particularly encrypt the bit string when transmitting the secure state request signal. In the portable remote controller wireless section 67, the remote controller communication section 67 a stores a specific bit string, for example, “11111111” in the frame body and transmits the bit string to the second receiver wireless section 28 of the second receiver 22. This bit string (safe state request code) is constant regardless of the ID of the portable remote controller 6 and the sequence number. The safe state request code corresponds to the operation prohibition data.

  By the way, in the above-described key table described with reference to the safe state release signal, it is determined that the bit string of the key always includes the bit “0” regardless of the key number. Since a secure state release code is created by ANDing the bit string of this key, the secure state release code always includes a bit of “0”. As described above, the safe state release code does not coincide with the safe state request code “11111111” by accident.

  When the communication unit 28a receives the communication frame from the portable remote control wireless unit 67, the second receiving unit wireless unit 28 determines whether the bit string stored in the frame body is “11111111”. When the bit string matches “11111111”, the second receiving unit radio unit 28 determines that the secure state request code (the secure state request signal) has been received, and outputs the fact to the second receiving unit secure unit 29. The second receiving unit safety unit 29 immediately stops the operation of the stacker crane 12 and outputs a signal to the crane controller 2 to prohibit the operation.

  Considering practically, the portable remote controller 6 is operated to indicate one of a state in which the safety state may be released and a state in which the safety state is not released. When these two types of states are assigned to the binary numbers “1” and “0”, the portable remote control radio section 67 encrypts the 1-bit information of “1” or “0” to form an 8-bit state. Can be regarded as being generated. Therefore, the key used at this time is an encryption key. The obtained bit string is wirelessly transmitted from the portable remote controller 6 to the second receiver 22.

  The second receiving unit 22 determines whether the safety state can be released or not, based on the bit string received from the portable remote controller 6. The second receiving unit wireless unit 28 merely judges by comparing the bit strings, but considers that the information of the original “1” or “0” is extracted by decoding the 8-bit bit strings. be able to. Therefore, the key used at this time is a decryption key.

  As described above, in the present embodiment, 1-bit information of “1” or “0” is not described (in plain text) in the frame body as information indicating whether the safety state can be released. An 8-bit bit string generated by encryption is described. This makes it difficult to falsify and disguise the signal.

  Even if the bit string received by the portable remote control wireless unit 67 is different from the safety state request code, if the bit string is not correct as the safe state release code, the portable remote control safety unit 68 receives the safe state request code. In the same manner as described above, control for not operating the stacker crane 12 is performed. In this case, it is preferable that a record indicating that an incorrect signal has been received is created and stored in, for example, the second receiving unit 22.

  Although it has been described that the secure state release code is generated by the encryption, the communication between the portable remote control wireless unit 67 and the second receiving unit wireless unit 28 is performed by an appropriate method in order to prevent eavesdropping and the like. Encrypted. The encryption method may be, for example, a method using a known AES algorithm, but is not limited to this.

  Therefore, the contents of the frame body and the error detection unit in the communication frame described above are protected by encryption. In this embodiment, it can be said that the security state release code is double-encrypted.

  Next, a communication flow relating to the secure state release signal or the secure state request signal will be described with reference to FIG. FIG. 9 is a sequence diagram illustrating communication performed between the portable remote controller 6 and the second receiving unit 22 regarding permission of the operation of the stacker crane 12 in the manual operation mode. In the description of the communication flow, the “sequence number” means a sequence number in the sequence diagram of FIG. 9 instead of the above-described sequence number described in the MAC frame unless otherwise specified.

  After a wireless connection is established between the portable remote controller 6 and the second receiving unit 22, the second receiving unit safety unit 29 included in the second receiving unit 22 sends a request for state confirmation to the second receiving unit wireless unit 28. (Sequence number 1). The state confirmation means confirming the states of the enable switch 65 and the portable emergency stop switch 66 of the portable remote controller 6. In response to this, the second receiving unit wireless unit 28 wirelessly transmits a state confirmation signal to the portable remote control wireless unit 67 (sequence number 2).

  When receiving the status confirmation signal, the portable remote control radio section 67 outputs a request for status confirmation to the portable remote control safety section 68 (sequence number 3).

  In response to this, the portable remote control safety unit 68 checks the states of the enable switch 65 and the portable emergency stop switch 66. At this time, it is assumed that the enable switch 65 has been pressed with an appropriate operation force and the portable emergency stop switch 66 has not been pressed.

  In this case, the portable remote control safety unit 68 outputs a request to release the safety state to the portable remote control wireless unit 67 (sequence number 4). In response to this, the portable remote controller wireless section 67 wirelessly transmits a safe state release signal to the second receiver wireless section 28 (sequence number 5). At this time, since the second receiving unit wireless unit 28 performs the above-described encryption processing, the secure state release signal is transmitted in the form of the secure state release code.

  Upon receiving the secure state release signal, the second receiving unit wireless unit 28 checks the secure state release code. If the secure state release code is correct, the second receiving unit radio unit 28 outputs a secure state release request to the second receiving unit safety unit 29 (sequence number 6). In response to this, the second receiving unit safety unit 29 outputs a signal to the crane controller 2 to release the safety state of the stacker crane 12 and permit the operation of the stacker crane 12 (sequence number 7).

  The second receiving unit safety unit 29 repeatedly requests the second receiving unit radio unit 28 to check the state at sufficiently short time intervals. Therefore, the same processing as that of sequence numbers 1 to 7 is repeatedly performed (sequence numbers 8 to 14,...). Since the encryption key changes every time, the security state release code transmitted from the portable remote control wireless section 67 to the second receiving section wireless section 28 with the sequence numbers 5, 12,.

  When the second receiving unit safety unit 29 makes a state confirmation request with the sequence number 51, a state confirmation signal is transmitted from the second receiving unit wireless unit 28 in the same manner as described above (sequence number 52). Upon receiving the state confirmation signal, the portable remote controller wireless section 67 requests the portable remote controller safety section 68 to confirm the state in the same manner as described above (sequence number 53).

  The portable remote control safety unit 68 checks the states of the enable switch 65 and the portable emergency stop switch 66. At this time, the operator has released his / her hand from the portable remote controller 6 for some reason such as falling down. Suppose it was not pressed. Here, the case where the enable switch 65 is not pressed will be described. However, the same applies to a state where the enable switch 65 is pressed strongly or a state where the portable emergency stop switch 66 is pressed.

  In this case, the portable remote control safety unit 68 requests the portable remote control wireless unit 67 for a request for a safety state (sequence number 54). In response to the request for the safety state request, the portable remote control wireless section 67 wirelessly transmits a safety state request signal to the second receiving section wireless section 28 (sequence number 55). As described above, the security state request code transmitted from the portable remote controller wireless section 67 to the second receiver wireless section 28 at this time is not particularly encrypted.

  Upon receiving the secure state request signal, the second receiving section wireless section 28 outputs a request for a secure state request to the second receiving section secure section 29 (sequence number 56). In response to this, the second receiving unit safety unit 29 outputs a signal to the crane controller 2 to prohibit the operation of the stacker crane 12 and to set it in a safe state (sequence number 57).

  With the above control, it is possible to prevent falsification and falsification of the safety state release signal for allowing the operation of the stacker crane 12. Accordingly, it is possible to reliably prevent the stacker crane 12 from operating in an emergency.

  Referring to the sequence diagram of FIG. 9, sequence number 5 corresponds to the transmission step, sequence numbers 6 and 7 correspond to the first control step, and sequence numbers 56 and 57 correspond to the second control step.

  Next, with reference to FIG. 10, a modified example regarding the generation of the safe state release code will be described. FIG. 10 is a diagram illustrating a procedure for generating a safe state release code according to the modification.

  In the modification shown in FIG. 10, the portable remote controller wireless section 67 generates a safe state release code using both the ID of the portable remote controller 6 and the ID of the second receiver 22.

  As described above, IDs are exchanged when the portable remote controller 6 establishes a wireless connection with the second receiving unit 22. The portable remote controller 6 stores the ID of the second receiving unit 22 acquired at this time.

  The portable remote controller wireless section 67 calculates an exclusive OR between the lower 8 bits of the ID of the portable remote controller 6 and the lower 8 bits of the ID of the second receiver 22. For example, when the lower 8 bits of the ID of the portable remote controller 6 are “01010101” and the lower 8 bits of the ID of the second receiver 22 are “11110011”, the bit string of the exclusive OR is “10100110”. Becomes

  The portable remote controller radio section 67 calculates the logical product of the bit string “11001100” obtained from the key table and the bit string “10100110” of the exclusive OR. The portable remote controller wireless section 67 stores the obtained result “10000100” as a safe state release code in the frame body of the communication frame.

  In this modification, the safe state release code differs not only according to the portable operation unit 30 but also according to the second receiving unit 22. Therefore, falsification and disguise of the signal can be made more difficult.

  Although the preferred embodiments and modified examples of the present invention have been described above, the above configuration can be changed as follows, for example.

  In the key table of FIG. 8, instead of using 16 keys, for example, two, four, eight, or 256 keys may be used. Also, the contents of the bit string of each key can be arbitrarily determined.

  The bit length of the safe state release code may be, for example, 16 bits instead of 8 bits. In this case, the bit length of each key table is set to 16 bits, the lower 16 bits of the ID of the portable remote controller are taken out, and the logical product of both is obtained to obtain the safe state release code.

  The bit length of the secure state request code can be any length, like the secure state release code.

  The method of generating the safe state release code in the above embodiment is an example, and can be variously changed. For example, instead of or in addition to the logical product of two bit strings, an appropriate bit operation such as a logical sum, an exclusive logical sum, or a bit shift may be performed.

  A key may be obtained from the key table in FIG. 8 based on the sequence number described in the MAC frame, and the key may be used as the security state release code as it is. In other words, the safe state release code may be generated without using the ID of the portable remote controller 6.

  For example, a key can be obtained from the key table of FIG. 8 using the lower 4 bits of the ID of the portable remote controller 6 as a key number, and the key can be used as a safe state release code as it is. In this case, the secure state release code does not change even if the sequence number of the MAC frame increases.

  In the above-described embodiment, the key table having the same contents is stored in both the portable remote controller 6 (portable operation unit 30) and the second receiving unit 22, which is based on the common key cryptosystem (symmetric key cryptosystem). Equivalent to. However, a modification may be made such that the encryption / decryption processing by the asymmetric key encryption method is performed.

  The configuration using the asymmetric key cryptosystem can be realized, for example, as follows. That is, 16 pairs of arbitrary asymmetric keys are created in advance, one of the 16 pairs is stored in the key table of the portable remote controller 6 (portable operation unit 30), and the other is stored in the key table of the second receiver 22. Remember. At this time, keys having the same key number in the two key tables are paired.

  When transmitting the secure state release signal, the encryption processing unit 67b included in the portable remote controller 6 performs an exclusive OR operation on the lower 4 bits of the sequence number and the lower 4 bits of the ID of the portable remote controller 6. , Get the key number. The encryption processing unit 67b acquires a key (one of a pair of asymmetric keys) corresponding to the key number with reference to the key table. The encryption processing unit 67b encrypts a predetermined arbitrary bit string (for example, “0101010101010101”) using the obtained key. The remote controller side communication unit 67a stores the bit string obtained by the encryption process in the frame body as a security state release code, and wirelessly transmits the communication frame to the second receiver 22.

  In the second receiving unit 22, when the communication unit 28a of the second receiving unit wireless unit 28 wirelessly receives the communication frame, the check processing unit 28b determines the lower 4 bits of the sequence number and the lower 4 bits of the ID of the portable remote controller 6. The key number is obtained by exclusive ORing the bit with the bit. The verification processing unit 28b refers to the key table and acquires a key (the other of the pair of asymmetric keys) corresponding to the key number. The verification processing unit 28b decodes the bit string stored in the frame body of the communication frame using the obtained key. If the bit sequence obtained by the decoding process matches the above-described bit sequence “0101010101010101”, the verification processing unit 28b determines that the decoding was successful (that is, the received bit sequence was genuine as the safe state release code). I do. In this configuration, a series of steps including a bit string decoding process and a comparison process correspond to a verification process.

  The data indicating the state of the enable switch 65 and the data indicating the state of the portable emergency stop switch 66 may be separately transmitted from the portable remote control wireless section 67 as the operation permission data or the operation prohibition data.

  In the portable remote controller 6, the portable emergency stop switch 66 may be omitted.

  As the enable operation unit, a unit that detects an operation using a device other than a switch (for example, a potentiometer) may be used.

  The safety signal system 20 may include a fixed remote controller fixedly installed near the stacker crane 12. For example, it can be configured as follows. The fixed remote control includes a fixed emergency stop switch having the same configuration as the portable emergency stop switch 66 of the portable remote control 6. When the fixed-side emergency stop switch is pressed, the fixed remote control transmits an emergency stop signal to the second receiving unit 22. The fixed remote control is used alone without being combined with a tablet. Unlike the portable remote controller 6, the fixed remote controller is not provided with an enable switch. When the fixed emergency switch of the fixed remote controller is not pressed, the fixed remote controller wirelessly transmits the safety state release code to the second receiver 22.

  The safety signal system 20 can be applied to industrial machines other than the stacker crane 12.

5 tablets (mobile terminals)
6 Portable remote control (transmitter body)
12 Stacker crane (industrial machinery)
20 Safety signal system (wireless communication system)
22 Second receiver (receiver)
28a Communication unit (receiving unit)
28b Check processing unit 29 Second receiving unit safety unit (control unit)
30 Mobile operation unit (transmitter)
64 USB cable (wired cable)
65 Enable switch (Enable operation part)
67a Remote control side communication unit (transmission unit)
67b Encryption processing unit

Claims (7)

A transmitter for wirelessly transmitting instructions;
A receiver for controlling an industrial machine according to instructions received from the transmitter,
With
The transmitter is
An enable operation unit that is operated to permit operation of the industrial machine in accordance with operation of the transmitter;
An encryption process using a key stored in the transmitter, the operation permission data being data wirelessly transmitted from the transmitter to indicate that the operation of the industrial machine is permitted by the enable operation unit. An encryption processing unit that generates as multi-bit data by
A transmission unit that wirelessly transmits the operation permission data generated by the encryption processing unit to the receiver,
With
The receiver,
A receiving unit that receives a plurality of bits of data,
Whether the multi-bit data wirelessly received by the receiving unit by the checking process using the key stored in the receiver indicates that the operation of the industrial machine is permitted by the enable operation unit. A verification processing unit for determining whether or not
When the check processing unit determines that the data indicates that the operation of the industrial machine is permitted, a control unit that performs control to permit the operation of the industrial machine,
A wireless communication system comprising: The wireless communication system according to claim 1, wherein
While the operation of the industrial machine is permitted by the operation of the enable operation unit, the transmission unit repeatedly transmits the operation permission data,
The encryption processing unit, every time the transmission unit transmits the operation permission data, to change the key used for the encryption process for generating the operation permission data,
The wireless communication system, wherein the verification processing unit changes the key used for the verification processing every time the reception unit receives the operation permission data from the transmission unit. The wireless communication system according to claim 2, wherein
The encryption processing unit, based on a communication count value that is the value of the number of times the transmission unit wirelessly communicated, based on the key used in the encryption process for generating the operation permission data,
The wireless communication system according to claim 1, wherein the check processing unit determines the key used for the check processing based on the communication count value. The wireless communication system according to any one of claims 1 to 3, wherein
The encryption processing unit generates the operation permission data based on identification information for uniquely identifying the transmitter,
The wireless communication system according to claim 1, wherein the check processing unit performs the check processing based on identification information of the transmitter. The wireless communication system according to any one of claims 1 to 4, wherein
In the transmitter, when the operation of the industrial machine is not permitted by the enable operation unit, the transmission unit transmits operation inhibition data to the receiver,
In the receiver, when the receiving unit receives the operation prohibition data, the control unit controls the industrial machine so as not to operate. The wireless communication system according to any one of claims 1 to 5,
The transmitter is
A mobile terminal operated to operate the industrial machine,
A transmitter body provided with the enable operation unit,
With
The transmitter body is connected to the mobile terminal via a wired cable,
The mobile terminal performs wireless communication for operating the industrial machine in accordance with the operation of the mobile terminal,
The wireless communication system, wherein the transmitter body performs wireless communication for permitting operation of the industrial machine. In a communication system including a transmitter that wirelessly transmits an instruction and a receiver that controls an industrial machine in accordance with the instruction received from the transmitter, an enable operation unit included in the transmitter responds to an operation of the transmitter. When the operation of the industrial machine is permitted, the transmitter transmits operation permission data indicating that the operation of the industrial machine is permitted using an encryption process using a key stored in the transmitter. An encryption step of generating as multi-bit data by
A transmitting step in which the transmitter transmits the operation permission data to the receiver,
It is determined whether or not the multi-bit data wirelessly received by the receiver indicates that the operation of the industrial machine is permitted by a verification process using a key stored in the receiver. Checking step,
In the checking step, when the data indicates that the operation of the industrial machine is permitted, a first control step of performing control to permit the operation of the industrial machine,
In the checking step, when the data does not indicate that the operation of the industrial machine is permitted, a second control step of performing control not to operate the industrial machine,
A wireless communication method comprising:

Images