JP2021082027A - Safety controller - Google Patents

Abstract

To ensure or fix a response time independently of at least one of a user program and communication.SOLUTION: Receiving means receives an input value from an extension module during each period slot that is a repetition cycle of a certain length. An execution engine repeatedly executes a safety program during each period slot. During an i+1-th period slot succeeding an i-th period slot during which the input value is received, the input value is used to compute an output value according to the safety program. When the receipt of the input value by the receiving means is not completed during the i-th period slot, or when computation of the output value by the execution engine is not completed during the i+1-th period slot, a safety output signal is forcibly set to OFF in order to suspend the movement of a safety output device.SELECTED DRAWING: Figure 1

Description

The present invention relates to a safety controller.

Many machines are in operation at product factories that produce products (work). The safety system is an indispensable system for ensuring human safety from machines (Patent Document 1).

Japanese Unexamined Patent Publication No. 2014-16930

The safety system outputs an ON signal if it is safe, and outputs an OFF signal if it is not safe. Here, as an example, a machine that is a source of danger is surrounded by a safety fence, and a safety door or the like provided on the safety fence must be opened in order for a human to approach the machine. When the safety system detects that the safety door has been opened by the door switch, it outputs an OFF signal to the machine to stop the machine. Here, the time from when the safety door is opened and the door switch is turned off until the machine is stopped is called a response time. Based on this response time, the distance from the machine to the safety door (safety distance) is determined. That is, the size of the safety fence is determined according to the response time.

The safety controller of the safety system has an execution engine that repeatedly executes a safety program set by the user in a scan cycle, and outputs safety input signals from one or more safety input devices according to the safety program (ON). It is a control device that generates and outputs a signal (signal or OFF signal). The scan cycle is calculated in the input refresh period, which is the timing to capture the safety input signal, the program execution period in which the input value of the safety input signal captured in the input refresh period and the output value are calculated according to the safety program, and the program execution period. It has an output refresh period for outputting a safety output signal from each output terminal according to the output value, and is one of the factors that affect the response time of the safety controller. Generally, it is said that the shorter the scan cycle of the safety controller, the higher the performance. As a result, the response time of the safety controller generally changes depending on the processing capacity of the safety program and the number of connected units.

However, as a result of process changes and assessments, additional safety input devices and units and increased safety programs will increase response time and extend the safety distance. There was a risk that it would be necessary to review the position and the installation position of the safety fence.

Therefore, an object of the present invention is to provide a safety controller having a fast response time and a constant response time.

The present invention is, for example,
A safety controller having a main module that executes a safety program and an expansion module connected to the main module.
The main module
A receiving means for receiving an input value from the expansion module and a receiving means for receiving an input value from the expansion module for each period slot having a repeating cycle of a fixed length.
An execution engine that repeatedly executes the safety program for each period slot, and uses the input value in the i + 1th period slot next to the i-th period slot in which the input value is received. An execution engine that calculates the output value according to
An output means for outputting a safety output signal corresponding to the output value to a safety output device, and
It has the receiving means and the monitoring means for monitoring the execution engine.
The monitoring means does not complete the reception of the input value by the receiving means in the i-th period slot, or the calculation of the output value by the execution engine in the i + 1th period slot. Provided is a safety controller characterized in that the safety output signal for which the operation of the safety output device is stopped is forcibly set in such a case.

According to the present invention, it is possible to provide a period slot for sequentially executing a period for receiving an input value and a period for executing a safety program in parallel, so that the response time can be made high speed and constant.

Diagram illustrating the safety controller Diagram illustrating the main module and expansion module Diagram illustrating the signal path Diagram illustrating period slots Diagram illustrating the function of the MCU Diagram illustrating the function of the MCU Flow chart explaining the monitoring process Diagram illustrating a function block Flowchart showing program creation process Flowchart showing processing related to communication error The figure explaining the relationship between the number of connected expansion modules and remote I / O units and the response time. Sequence diagram explaining the transmission procedure Diagram illustrating the message format

Hereinafter, embodiments will be described in detail with reference to the accompanying drawings. The following embodiments do not limit the invention according to the claims, and not all combinations of features described in the embodiments are essential to the invention. Two or more of the plurality of features described in the embodiments may be arbitrarily combined. In addition, the same or similar configurations are given the same reference number, and duplicate explanations are omitted.

(Safety controller)
FIG. 1 shows the entire system. In this example, the safety controller 1 has a main module 3 and expansion modules 4a and 4b. The main module 3 executes the safety program transferred from the PC 2 that functions as a creation support device that assists the user in creating the safety program. The main module 3 has a display device 5a, an operation unit 6a, a communication connector 7a, an IO connector 10a, and the like. The PC 2 has a display device 5b and an operation unit 6b. The PC 2 functioning as a creation support device sets the module configuration information indicating the connection relationship between the modules and the allocation information of the devices connected to each terminal of each module in addition to the safety program according to the user input, and sets the main module 3 It is sent to as module configuration information and device allocation information setting information. The communication connector 7a on the main module 3 may be a connector for USB or a wired LAN. The communication cable from the PC 2 is connected to the communication connector 7a. The wired LAN may be an industrial Ethernet®. LAN is an abbreviation for local area network. A safety input device 11a such as an emergency stop switch and a safety input device 11b such as a light curtain are connected to the input terminal of the IO connector 10a. The safety input devices 11a and 11b are installed, for example, at the entrance / exit of a safety fence installed so as to surround a machine that is a source of danger. At this time, when the safety input device 11b detects a person who unexpectedly tries to enter the safety fence, the safety controller 1 outputs an OFF signal to the machine in order to stop the machine. A control signal for shutting off the power source of a machine such as a robot arm is input to the output terminal of the IO connector 10a. A power cutoff device called a contactor is generally used to cut off the power source. A safety controller such as the main module 3 outputs a control signal to the contactor to control whether to supply or cut off power to the machine. The main module 3 executes arithmetic processing according to the safety program on the input value input from the safety input device 11a to obtain an output value, and the power source 12 outputs the output value. For example, when the emergency stop switch, which is a type of safety input device 11a, is pressed down, the main module 3 changes the output value from ON (operating state in which the power source can operate) to OFF (stop state in which the power source cannot operate). To do. As a result, the power source 12 is stopped. In this specification, OFF means to put the hazard into a safe state by stopping the hazard or reducing the danger of the hazard (eg, slowing down the operating speed of the robot). That is, the OFF signal means a signal indicating OFF. It may not be possible to connect all safety input devices and power sources only with the IO connector 10a provided on the main module 3. In such a case, the expansion modules 4a and 4b are connected to the main module 3. The expansion modules 4a and 4b have IO connectors 10b and 10c, respectively, and can connect the safety input device 11b, the power source 12, and the like. The expansion modules 4a and 4b and the main module 3 communicate with each other via the internal bus to pass an input signal (input value) and an output signal (output value). That is, the main module 3 applies the safety program to the input signal (input value) acquired from the safety input device 11a connected to itself and the safety input device 11a connected to the expansion modules 4a and 4b, thereby applying the safety program to the output signal (output signal (input value). Output value) is generated. Further, the main module 3 outputs an output signal generated according to the safety program to the power source 12 connected to itself, or outputs the output signal to the power source 12 connected to the expansion modules 4a and 4b. The remote I / O unit 8 is connected to the main module 3 via a remote bus. The remote I / O unit 8 communicates with the main module 3 to transmit the input signal of the safety input device 11d connected to the remote I / O unit 8 to the main module 3, or the remote I / O unit 8 A signal is output to the power source 12 connected to the power source 12.

(Main module and expansion module hardware)
As shown in FIG. 2, the controller 20a of the main module 3 has two MCUs 23a, 24a and a memory 25a. The MCU (microcontroller unit) is duplicated to improve reliability. The MCUs 23a and 24a each execute a safety program having the same contents held in the memory 25a. The MCUs 23a and 24a are used for the duplicated input signal of the safety input device 11 via the safety input IF21a and / or the input signal (input value) transmitted from the expansion module 4 via the bus IF26a and the safety program. Based on this, output signals are generated and output to the safe output IF22a and / or the expansion module 4. For example, if both the MCUs 23a and 24a output an ON signal, the safety output IF22a outputs an ON signal as a duplicated output signal from the two terminals assigned to the safety output signal. If both the MCUs 23a and 24a output the OFF signal, the OFF signal is output as a duplicated output signal from the two terminals assigned to the safety output signal. On the other hand, when one of the MCUs 23a and 24a outputs an ON signal and the other outputs an OFF signal, the MCUs 23a and 24a monitor each other. Judgment is made and an OFF signal is forcibly output. If the two terminals assigned to the safety output signal output the ON signal and the OFF signal as duplicated output signals in a mismatched state, the safety controller of the device connected to the subsequent stage will fail. Judging that it has been done, it is forcibly turned off. In this way, the controller 20a communicates with the expansion module 4 via the bus IF26a to receive an input signal and transmit an output signal. The communication IF 27a communicates with another device via the communication connector 7a.

Examples of safety input devices include safety laser scanners and light curtains. Safety input devices generally meet safety standards, and the output of safety input devices is duplicated. When a mismatch occurs between the duplicated signals for a certain period of time or longer, the safety controller or the sensor itself can detect it as a failure of the sensor, and can forcibly perform processing such as OFF.

The controller 20b of the expansion module 4a has two MCUs 23b and 24b and a memory 25b. The MCU (microcontroller unit) is duplicated to improve reliability. The MCUs 23b and 24b each execute a control program having the same contents held in the memory 25b. When the controller 20b receives the input signal of the safety input device 11 via the safety input IF 21b, the controller 20b transmits the input signal (input value) to the main module 3 via the bus IF 26b. When the controller 20b receives an output signal (output value) from the main module 3 via the bus IF26b, the controller 20b outputs the output signal (output value) to the power source 12 or the like via the safe output IF22b. For example, if both the MCU 23b and 24b output an ON signal, the safety output IF22b outputs an ON signal as a duplicated output signal from the two terminals assigned to the safety output signal. If both the MCUs 23b and 24b output the OFF signal, the OFF signal is output as a duplicated output signal from the two terminals assigned to the safety output signal. On the other hand, when one of the MCUs 23b and 24b outputs an ON signal and the other outputs an OFF signal, the MCUs 23b and 24b are monitoring each other, so if the output signal mismatch continues for a certain period of time or longer, it is regarded as an abnormality. Judgment is made and an OFF signal is forcibly output. If the two terminals assigned to the safety output signal output the ON signal and the OFF signal as duplicated output signals in a mismatched state, the safety controller of the device connected to the subsequent stage will fail. It is judged that it has been done, and the OFF process is forcibly performed.

The controller 20c of the expansion module 4b has two MCUs 23c and 24c and a memory 25c. The MCU (microcontroller unit) is duplicated to improve reliability. The MCUs 23c and 24c each execute a control program held in the memory 25c. When the controller 20c receives the input signal of the safety input device 11 via the safety input IF 21c, it transmits the input signal to the main module 3 via the bus IF 26c. When the controller 20c receives the output signal from the main module 3 via the bus IF 26c, it outputs the output signal to the power source 12 or the like via the safe output IF 22c.

(Response time)
In the safety controller 1, the safety input device 11 and the safety output device can be connected to the main module 3, and the safety input device 11 and the safety output device can be connected to the expansion module 4. The safety output device may be the power source 12 itself, or may be a safety contactor or a safety relay that cuts off the power supplied to the power source 12. The safety input device 11 has a safety input signal (ON) indicating that the safety input device itself is in a normal state and the area monitored by the safety input device is normal, and that the safety input device itself is not in a normal state and that the safety input device itself is in a normal state. Outputs a safety input signal (OFF) indicating that it cannot be confirmed that the area monitored by is normal. The safety output device supplies power to the machine to which the safety input signal (ON) is input, and cuts off the power supply to the machine to which the safety input signal (OFF) is input.

The safety input signal from the safety input device 11 connected to the main module 3 and the safety input signal from the safety input device 11 connected to the expansion module 4 are processed by the safety program operating in the main module 3, respectively. To. Further, the main module 3 outputs a safety output signal according to the safety program to the safety output device connected to the main module 3 and the safety output device connected to the expansion module 4, respectively. Therefore, the response time differs depending on which safety output device uses the safety input signal of which safety input device.

FIG. 3 is a diagram for explaining the response time. Here, four signal paths P1 to P4 are mainly exemplified. The signal path P1 is indicated by a chain double-dashed line. The signal path P2 is indicated by a broken line. The signal path P3 is shown by a solid line. The signal path P4 is indicated by an alternate long and short dash line.

The signal path P1 is the simplest path, and outputs a safety output signal calculated based on the safety input signal of the safety input device 11a connected to the main module 3 to the power source 12a connected to the main module 3. ..

The signal path P2 outputs a safety output signal calculated based on the safety input signal of the safety input device 11a connected to the main module 3 to the power source 12b connected to the expansion module 4a. In this case, the safety output signal is converted into communication data and transmitted from the bus IF26a to the bus IF26b. A cyclic redundancy check code (CRC) is assigned to the communication data, and the expansion module 4a discards the communication data when it detects a communication error using the CRC. For the communication data transmitted by the main module 3 at a new timing, a communication error is confirmed by using CRC (retry). As a result of confirming the communication error, the expansion module 4a adopts the communication data as the communication data when it is determined that the communication data is normal, and discards the communication data when the communication error is detected. That is, the retry is for reducing erroneous OFF due to a temporary communication failure such as noise. On the other hand, if an abnormality such as a disconnection of a communication line or a failure of a communication circuit occurs, normal communication data cannot be obtained even if retries are repeated. In other words, the retry is for distinguishing a temporary communication failure such as noise from the occurrence of an abnormality related to communication, and increasing the retry period prolongs the period until the occurrence of the abnormality is detected. That's what it means. In short, if the retry period is lengthened, erroneous OFF due to a temporary communication failure is reduced and productivity is improved, but the response time is lengthened by that amount and restrictions on the installation positions of safety input devices and safety fences are increased.

The signal path P3 outputs a safety output signal calculated based on the safety input signal of the safety input device 11b connected to the expansion module 4a to the power source 12a connected to the main module 3. In this example, the safety input signal of the safety input device 11b is converted into communication data and transmitted from the bus IF26b to the bus IF26a. Similar to the signal path P2, the signal path P3 may have a longer response time as the communication is retried. The safety input signal is always transmitted to the main module 3 because the main module 3 has an execution engine for executing the safety program. Specifically, the execution engine is mounted on the MCU 23a and the MCU 24a.

The signal path P4 is the most complicated path, and the safety output signal calculated by the main module 3 based on the safety input signal of the safety input device 11b connected to the expansion module 4a is used as a power source connected to the expansion module 4a. Output to 12b. The safety input signal is sent to the main module 3 and calculated according to the safety program to become a safety output signal. In the signal path P4, since the bus IF26a and the bus IF26b must pass twice, the response time tends to be the longest.

The expansion module 4b may be further connected. In this case, even when the safety input signal input from the safety input device 11c becomes the safety output signal of the power source 12c, the safety input signal is converted into communication data and transmitted to the main module 3. Further, the main module 3 is sent to the expansion module 4b by converting the safety output signal into communication data and transmitting it, where it is converted into a safety output signal and output to the power source 12c. Based on the safety input signals from the safety input devices 11a and 11b, the safety output signal for the power source 12c may be output. In this case as well, communication via the buses IF26a, 26b, and 26c will be executed. However, the combination of the safety input device and the power source is free, and a plurality of safety input devices and one power source may be combined. This combination depends on the safety program created by the user.

As can be seen from FIG. 3, the response time (response speed) may differ depending on the connection position of the safety input device 11 and the connection position of the safety output device such as the power source 12. Here, although it is possible to guarantee the response time (guaranteed response time) in advance, it is conceivable that the actual response time exceeds the guaranteed response time due to a communication error. Similarly, it is possible that the calculation time by the safety program becomes long and the actual response time exceeds the guaranteed response time. The guaranteed response time includes the number of times (or time) that a communication error is allowed and the maximum calculation time allowed for the safety program. The case where the number of communication errors exceeds the permissible number of times or the calculation time exceeds the maximum calculation time is a case such as a failure. These are due to the fact that they do not occur in normal operation. Factors that cause the processing time to exceed the permissible time include, for example, failure of the main body, disconnection of the communication cable, and excessive noise. These are rare events, but they correspond to so-called abnormal conditions such as failures. Therefore, when the actual response time exceeds the guaranteed response time, the main module 3 forcibly turns off the safety output signal. This makes it possible to deal with rare events while guaranteeing response time.

(Period slot)
FIG. 4 is a diagram illustrating a period slot. In this embodiment, a period slot having a repeating cycle of a certain length is introduced. The safety controller 1 has an execution engine 40 that repeatedly executes a safety program set by the user in a scan cycle, and from a safety input signal from one or a plurality of safety input devices 11, a safety output signal (output) according to the safety program. Value) is generated. The scan cycle consists of an input transmission / reception period corresponding to the input refresh period, which is the timing for capturing the safety input signal, an calculation period for calculating the input value of the safety input signal captured in the input transmission / reception period, and an output value according to the safety program. It has an output transmission / reception period in which a safe output signal is output from each output terminal according to the output value calculated in the calculation period. The safety controller 1 executes each process in parallel by dividing it into processes corresponding to the three periods of the input transmission / reception period, the calculation period, and the output transmission / reception period in this scan cycle. For example, in the case of pipeline processing, the more the processing load corresponding to each period is matched, the higher the efficiency of the entire processing will be. The safety controller 1 associates the guarantee period of the input transmission / reception period with the guarantee period of the calculation period to the period slot. The guarantee period of the output transmission / reception period may also be associated with the period slot, but since the guarantee period of the output transmission / reception period is intended for the forced OFF process, the period width may be sufficiently shorter than the period slot. The period slot is determined based on the guaranteed response time. Therefore, each of the MCUs 23a and 24a must complete the calculation by the safety program within the period slot. Further, the main module 3 receives input processing of an input signal from the safety input device 11a connected to itself and an input signal (input data) from the safety input device 11b connected to the expansion module 4 within the period slot. The reception process and must be completed. Further, the main module 3 performs output processing of an output signal to the power source 12a connected to itself and transmission processing of an output signal (output data) to the power source 12b connected to the expansion module 4 within the period slot. And must be completed.

According to FIG. 4, the input processing of the input signal and the transmission / reception processing of the input data are repeatedly executed in each period slot (input transmission / reception period: input period and transmission / reception period). The safety program is also repeatedly executed in each period slot (calculation period). Further, the output processing of the output signal and the transmission / reception processing of the output data are repeatedly executed in each period slot (output transmission / reception period: output period and transmission / reception period).

Generally speaking, the input of the input signal and the reception (transmission) of the input data are executed in the i-th period slot. The input signal is also converted into input data so that it can be calculated by the execution engine 40.

The program calculation of the output data by the execution engine 40 is executed in the i + 1th period slot. Here, the program calculation is applied to the input data obtained in the i-th period slot, and the output data is calculated. Further, the input of the input signal and the reception (transmission) of the input data are also executed in the i + 1th period slot.

Based on the input data obtained in the i-th period slot, the output data calculated in the i + 1th period slot is transmitted to the expansion module 4 in the i + 2nd period slot, and the output data is converted into an output signal for safety. It is output to the output device. Alternatively, the output data is converted into an output signal in the i + 2nd period slot and output to the safety output device of the main module 3. The program calculation of the output data by the execution engine 40 is also executed in the i + second period slot. This is performed using the input data received in the i + 1th period slot. Further, the input of the input signal and the reception (transmission) of the input data are also executed in the i + 2nd period slot.

In this way, the safe input signal (input data) is obtained in the i-th period slot, the safe output signal (output data) is calculated based on the input data in the i + 1th period slot, and the safe output signal is calculated in the i + 2nd period slot. (Output data) is output or transmitted. Therefore, the main module 3 monitors whether the input processing and the receiving processing are completed in each period slot. The main module 3 monitors whether or not the arithmetic processing is completed in each period slot. The main module 3 monitors whether the output processing and the transmission processing are completed in each period slot. If any of the processes is not completed within the period slot, the main module 3 forcibly sets the safety output signal to OFF.

Since it is not necessary to consider the communication failure, the response time in the signal path P1 shown in FIG. 3 is obtained by adding the response time to the output to the period width of the two period slots. For example, when the period slot is 1 millisecond, the response time in the signal path P1 can be set to a constant value longer than 2 milliseconds and 3 milliseconds or less. Further, the response time in the signal path P4 shown in FIG. 3 needs to take into consideration the communication failure, and is obtained by adding the response time to the output to the period width of the two period slots. For example, when the period slot is 1 millisecond, the response time in the signal path P4 can be set to a constant value longer than 4 milliseconds and 5 milliseconds or less.

(MCU function of main module)
FIG. 5 shows the functions realized by the MCU of the main module 3. Although only the MCU 23a is shown in FIG. 5, the MCU 24a also has the same function. The signal processing unit 31 inputs a safety input signal from the safety input device 11a connected to the main module 3 and outputs a safety output signal to the safety output device (power source 12a) connected to the main module 3. .. The input processing unit 32 converts the safety input signal into analog-digital to obtain input data (input value), and outputs the input data (input value) to the execution engine 40. The output processing unit 33 converts the output data (output value) output from the execution engine 40 into a safety output signal and outputs it to the safety output device.

The input processing unit 32 converts an input signal input from a certain input terminal into input data based on the association between the input terminal and the input block in the safety program, and converts the input signal into the input block associated with the input terminal. Input data may be passed. Similarly, the output processing unit 33 may convert the output data output from a certain output block into an output signal and output the output data from the output terminal associated with the output block to the output terminal. In this way, the signal processing unit 31 may execute data bridging between the input / output blocks of the safety program and the input / output terminals. The input processing unit 32 may execute filtering to reduce noise.

The communication processing unit 36 receives the input data transmitted from the expansion module 4 via the bus IF 26a, and transmits the output data to the expansion module 4 via the bus IF 26a. The input data is data for transmitting a safety input signal output from the safety input device 11b connected to the expansion module 4. The output data is data for transmitting a safety output signal output to the power source 12b, which is a safety output device connected to the expansion module 4.

The reception processing unit 37 executes error detection by CRC for the input data. When an error is detected, the reception processing unit 37 requests the expansion module 4 to retransmit the input data. The reception processing unit 37 passes the input data without any error to the execution engine 40. The reception processing unit 37 passes the input data to an appropriate input block constituting the safety program. The relationship between the input data and the input block is associated with the setting information in advance.

The transmission processing unit 38 calculates and adds an error detection code (example: CRC) to the output data output from the execution engine 40, and transmits the error detection code (eg, CRC) to the expansion module 4 via the bus IF26a. Upon receiving the retransmission request from the expansion module 4, the transmission processing unit 38 retransmits the output data. The transmission processing unit 38 transmits the output data output from a certain output block to the safety output device of the expansion module 4 associated with the output block. The relationship between the output data and the safe output device (output terminal) is associated with the setting information in advance.

The execution engine 40 generates output data from the input data by executing the safety program.

The monitoring unit 41 monitors the signal processing unit 31, the communication processing unit 36, and the execution engine 40. The monitoring unit 41 has a determination unit 50, a signal setting unit 60, and a warning unit 70. In addition to detecting a hardware failure of the MCU and monitoring whether the safety output signals of the two paired MCUs match, the monitoring unit 41 monitors the response time in this embodiment. To execute.

In the determination unit 50, the first determination unit 51 determines whether or not the signal processing unit 31 and the communication processing unit 36 have obtained the input data in the period slot. The second determination unit 52 determines whether or not the execution of the safety program is completed within the period slot. Execution of the safety program is to calculate the output data from the input data. The third determination unit 53 determines whether or not the output and transmission of the output data by the signal processing unit 31 and the communication processing unit 36 are completed within the period slot.

In the signal setting unit 60, the first setting unit 61 forcibly sets the safety output signal to OFF when the input data cannot be obtained in the period slot. The second setting unit 62 forcibly sets the safety output signal to OFF when the execution of the safety program is not completed within the period slot. The third setting unit 63 forcibly sets the safety output signal to OFF when the output and transmission of the output data are not completed within the period slot.

In the warning unit 70, the first warning unit 71 outputs warning information to the display device 5a when the input data cannot be obtained in the period slot. The second warning unit 72 outputs warning information to the display device 5a when the execution of the safety program is not completed within the period slot. The third warning unit 73 outputs warning information to the display device 5a when the output and transmission of the output data are not completed within the period slot.

(MCU function of expansion module)
FIG. 6 shows the function of the MCU of the expansion module 4. In FIG. 6, the same reference numerals are given to the functions common to or similar to those in FIG.

The input processing unit 32 inputs a safety input signal from the safety input device 11b connected to the expansion module 4, converts it into input data, and outputs it to the transmission processing unit 38. The transmission processing unit 38 performs CRC processing on the input data and transmits the input data to the main module 3 via the bus IF26b.

The reception processing unit 37 receives the output data from the main module 3 via the bus IF 26b, executes the CRC inspection, and if no error is detected, passes the output data to the output processing unit 33. The reception processing unit 37 may restore the input data from a plurality of received data based on the sequence number assigned to the received data. The output processing unit 33 converts the output data into a safe output signal and outputs the output data to the power source 12b, which is a safe output device. When an error is detected in the output data, the reception processing unit 37 requests the main module 3 to retransmit the output data, and retries the reception of the output data. Alternatively, the reception processing unit 37 may forcibly set the output data to OFF. Such forced OFF is executed when an abnormality occurs, such as when a timeout occurs or when two MCUs output different values.

The monitoring unit 41 may have a determination unit 50 and a signal setting unit 60. In the determination unit 50, the first determination unit 51 monitors whether or not the input processing unit 32 and the reception processing unit 37 can acquire the input data in the period slot. The third determination unit 53 determines whether or not the transmission of the output data is completed in the period slot in the transmission processing unit 38.

The first setting unit 61 forcibly sets the safety output signal to OFF when the input data cannot be obtained in the period slot. The third setting unit 63 forcibly sets the safety output signal to OFF when the transmission of the output data is not completed within the period slot.

(flowchart)
FIG. 7 is a flowchart of the monitoring process executed by the MCU 23a (MCU 24a) of the main module 3. Here, it is assumed that the execution engine 40 is executing the repeated safety program.

In S1, the MCU 23a (example: first determination unit 51) determines whether or not the input data can be obtained in the period slot. If the input data can be obtained in the period slot, the MCU 23a proceeds to S2. If the input data could not be obtained in the period slot, the MCU23a proceeds to S11.

In S2, the MCU 23a (example: second determination unit 52) determines whether or not the calculation of the output data by the safety program is completed within the period slot. If the calculation of the output data is completed in the period slot, the MCU 23a proceeds to S3. If the calculation of the output data is not completed within the period slot, the MCU 23a proceeds to S11.

In S3, the MCU 23a (example: third determination unit 53) determines whether or not the transmission of output data is completed within the period slot. If the transmission of output data is completed within the period slot, the MCU 23a proceeds to S4. If the calculation of the output data is not completed within the period slot, the MCU 23a proceeds to S11.

In S4, the MCU 23a determines whether or not the monitoring end condition is satisfied. The monitoring end condition is, for example, that a monitoring end instruction is input from the operation unit 6a. When the monitoring end condition is satisfied, the MCU 23a ends the monitoring process. If the monitoring end condition is not satisfied, the MCU 23a returns to S1.

In S11, the MCU 23a (signal setting unit 60) forcibly sets the safety output signal to OFF. As a result, the safety output signal is output to the power source 12a connected to the main module 3 and the power source 12b connected to the expansion module 4, respectively. As a result, the power sources 12a and 12b are stopped. The signal setting unit 60 changes the output data so that the output data means that the safe output signal is OFF.

In S12, the MCU 23a (warning unit 70) outputs warning information to the display device 5a. Here, the warning information may include a message or an error code indicating the reason why the warning information is output. For example, the warning information may include information indicating from which safety input device the input signal has failed to be obtained. Further, the warning information may include information indicating to which safety output device the transmission of the safety output signal (output data) has failed. Further, the MCU 23a (warning unit 70) may write warning information or information indicating the content of the error in the error history.

(Function block)
FIG. 8 shows the UI 80 that the PC 2 displays on the display device 5b according to the editing program. The edit button 81 is a button for instructing the editing of the safety program. The simulation button 82 is a button for instructing the simulation of the safety program. The list unit 83 is a display area for displaying a list of function blocks 84 that can be selected by the user. The program creation area 85 has an input arrangement area 86 in which input type function blocks are arranged, and a block arrangement area 87 in which operation type and output type function blocks are arranged. The user selects an arbitrary function block 84 from the list unit 83 and drags and drops it onto the input arrangement area 86 or the block arrangement area 87. The input arrangement area 86 and the block arrangement area 87 can be scroll-displayed, and more function blocks can be arranged.

According to FIG. 8, in the input arrangement area 86, an input block corresponding to the safety input device 11 connected to the main module 3 and the expansion module 4 is arranged. In FIG. 8, in the input arrangement area 86, an input block corresponding to the emergency stop switch, an input block corresponding to the reset switch, an input block corresponding to the light curtain X, and an input block corresponding to the door switch are listed. It is arranged by being dragged and dropped from the part 83.

In the block arrangement area 87, two AND blocks, a reset block, and an output block are arranged. The output block corresponds to any output terminal in the IO connectors 10a to 10c. The icon representing each function block includes an input terminal and an output terminal. The user completes the safety program by connecting the output terminal of a certain function block and the input terminal of another function block with a connection line 88.

In this case, the reset block outputs ON (safety) when the emergency stop button is not pressed. Further, the AND block on the left side outputs ON when the light curtain is ON and the door switch is ON. The output terminal of the reset block and the output terminal of the AND block on the left side are connected to the AND block on the right side. Therefore, when ON is input to both of the two input terminals of the AND block on the right side, the AND block on the right side outputs ON to the output block. When the emergency stop button is pressed, OFF (unsafe) is input to the reset block. As a result, the output of the AND block on the right side is switched from ON to OFF, and OFF is propagated to the output block. The reset block maintains an OFF output unless the reset switch is pressed. The reset block returns the output to ON when the reset switch is pressed.

The CPU of the PC 2 creates setting information including the type information and program components of the function blocks constituting the safety program and the connection information indicating the connection relationship of each function block, and stores the setting information in the storage device of the PC 2. In this case, the safety program is included in the setting information. Alternatively, the CPU may create a safety program by linking program components according to the connection information. When the transfer instruction by the user is input, the CPU transmits the setting information and the safety program to the main module 3 and writes them. The configuration information may be part of the safety program.

In this way, the user can easily create a safety program by combining arbitrary function blocks. When the simulation button 82 is pressed, the CPU displays the simulation UI on the display device 5b.

Here, the arithmetic processing time of each function block of this embodiment may be guaranteed. The PC 2 may restrict the user from creating a safety program so as to meet the response time guaranteed by the product specifications of the safety controller 1. For example, when a user tries to create a safety program on UI80 that includes loop wiring (loop processing) or branch processing between a plurality of function blocks that makes the response time of the safety program indefinite, the CPU issues warning information. You may output or prohibit such creation.

According to FIG. 8, display units 89a and 89b for displaying the current program amount are shown. The CPU may display the current program amount on the display unit 89a of the UI 80 used for creating the program. The CPU may display a ratio indicating the current program amount to the full capacity on the display unit 89b which is a bar graph. The full capacity corresponds to the upper limit of the response time guaranteed in the product specifications. Further, when the current program amount exceeds the full capacity, the CPU may output warning information. Here, the amount of the program may be the storage size, or may be the total time of the calculation times of the plurality of function blocks constituting the program. This will prevent the creation of safety programs that deviate from the response time guaranteed in the product specifications.

The safety controller 1 includes at least one main module 3, but the expansion module 4 is not essential. Therefore, the response time of the safety controller 1 composed of the main module 3 and the response time of the safety controller 1 composed of the main module 3 and the expansion module 4 are different. Therefore, the product specifications may list the response times for each of these system configurations.

The total response time Ta of the safety controller 1 can be calculated from the following equation.
Ta = T0 + T1 + T2 + T3 + T4 + T5 ... (1)
T0 is the basic response time of the main module 3 (eg, 4.8 milliseconds).
T1 is the addition time (eg: 1.7 milliseconds) depending on the connected device to which the safety input device is connected. T1 may be different depending on whether the safety input device is connected to the main module 3 or the expansion module 4.
T2 is the addition time (eg, 0.7 ms) due to the input block. When the input block uses filtering or test output, T2 differs depending on the filtering time or test output time.
T3 is the addition time (eg, 4.5 ms) due to the safety program. When using a timer function such as ON delay or OFF delay, it is necessary to add the delay time due to the timer. Also, when using registers, additional time is required. Further, T3 may be an addition time due to the test output. The test output is, for example, to output a test pulse to confirm that the emergency stop button can operate normally.
T4 is the addition time depending on the connection destination device to which the safety output device is connected. The T4 differs depending on whether the safety output device is connected to the main module 3 (example: 0 ms) or the expansion module 4 (example: 2.4 ms).
T5 is the addition time due to the output block. T5 differs depending on whether the output block is a semiconductor output (example: 0 ms) or a relay output (example: 10 ms).

Equation (1) means the time from the input to the output of the safety controller, but apart from this, Ts and Tr may be considered separately. Ts is the response time of the safety input device. Ts is described in the product specifications of safety input devices and the like. Tr is the response time of the safety output device. Tr is described in the product specifications of safety output devices. Ts is the time required for the safety input device to react and input the OFF signal to the main module 3. Tr is the time required from the output of the OFF signal to the safe stop of the machine. These are items that depend on sensors and machines. These may also be taken into account in the design of the safety controller system.

The user will be able to obtain the total response time Ta for the safety controller 1 that he / she is trying to build, calculate the safety distance, and appropriately arrange the safety input device.

(action mode)
The main module 3 may have a plurality of operation modes. A fixed response time mode that uses a period slot based on a guaranteed response time, a noise-resistant mode that increases the timeout period of communication retries, and a best effort mode that does not execute forced OFF and warning according to the response time are adopted. May be good. The MCU 23a may select any operation mode according to the setting data stored in the memory 25.

<Others>
(Program creation process)
FIG. 9 shows a program creation process executed by the PC 2.

In S21, the CPU of the PC2 accepts the addition of the function block to the program.

In S22, the CPU obtains the current program amount. As described above, the processing time is predetermined for each function block selected by the user as an addition target. For example, the CPU may obtain the total processing time for each function block included in the program as the program amount.

In S23, the CPU determines whether the current program amount is less than or equal to the specified amount corresponding to the guaranteed response time. If the program amount is equal to or less than the specified amount, the CPU proceeds to S24. In S24, the CPU permits the addition of the function block to the program, and proceeds to S25. If the program amount exceeds the specified amount, the CPU proceeds to S26. In S26, the CPU refuses to add the function block. In S27, the CPU outputs warning information. This warning information may include, for example, a message indicating that the guaranteed response time is deviated.

In S25, the CPU determines whether or not the program creation is completed. For example, when the end instruction is input by the user, the CPU determines that the program creation is completed, saves the program, and ends the creation process. If the program creation is not completed, the CPU returns to S21.

(Processing related to communication errors)
The main module 3 and the expansion module 4 each convert a safety input signal and a safety output signal into communication data for communication. When a communication error occurs, an erroneous safety input signal or safety output signal is transmitted. In this case, the safety output signal supplied to the power source 12 should be forcibly turned off. The detection of communication errors is executed not only in the main module 3 but also in the expansion module 4, but an example of execution in the main module 3 will be described below. Further, the MCUs 23 and 24 execute the following processes, respectively, and the case of the MCU23 will be described.

In S31, the MCU 23 receives an input value (input data) from the expansion module 4. For example, it tries to read the input data from the receive buffer provided in the bus IF.

In S32, the MCU 23 determines whether the input value can be received from the expansion module 4. If the input value cannot be received, if the input value can be received but the communication partner of the input value is incorrect, or if the CRC of the received input value does not match, the MCU 23 proceeds to S33. In S33, the MCU 23 determines whether or not the communication is within the period slot. If it is determined that the reception is within the period slot, the process proceeds to S39. In S39, the MCU 23 retries reception and proceeds to S32. On the other hand, if it is determined that the slot is not within the period slot, the MCU 23 proceeds to S40. In S40, the MCU 23 forcibly turns off the output. If the input value can be received, the MCU 23 proceeds to S34.

In S34, the MCU 23 detects a communication error such as a delay or an incorrect arrangement for the input value based on the time stamp, the sequence number, or the like.

In S35, the MCU 23 determines whether or not a communication error has been detected. If no communication error is detected, the MCU 23 proceeds to S36. In S36, the MCU 23 executes the program using the received input value and obtains the execution result (output value). On the other hand, if a communication error is found, the MCU 23 proceeds to S37.

In S37, the MCU 23 forcibly turns off the output value (safety output signal).

In S38, the MCU 23 transmits the output value to the expansion module 3.

Here, a communication error is detected based on the received data, but if the number of retries exceeds the threshold value, S37 may be executed.

(Pattern related to fixed response time)
Although the above-described embodiment is only an example, there are generally three patterns. The first pattern is a pattern in which the response time is guaranteed to be constant even if the program is modified, but the response time changes as the number of connected expansion modules or remote I / O units increases. In the second pattern, when the program is modified, the response time may increase according to the amount of the modified program, but the response time increases even if the number of expansion modules or remote I / O units connected increases. It is a pattern that is guaranteed to be constant. The third pattern is a pattern in which the response time is guaranteed to be constant even if the program is modified, and the response time is guaranteed to be constant even if the number of expansion modules or remote I / O units connected increases. ..

The technique for guaranteeing a constant response time even if the program is modified has already been described. The technology that guarantees a constant response time even if the number of expansion modules connected increases monitors the time required for communication, and when the communication time (number of retries) exceeds the threshold value, the safety output signal is forcibly turned off. It is achievable.

Further, as shown in FIGS. 11 (A) to 11 (E), the guaranteed response time may be changed stepwise according to the number of expansion modules.

FIG. 11 (A) Guaranteed response time when the main module 3 is used alone (example: x milliseconds) and guaranteed response time when one or more expansion modules 4 are connected to the main module 3 (example). : X milliseconds) are the same. The user does not need to review the safety distance because the response time does not change even if the number of expansion modules 4 is increased.

FIG. 11 (B) Guaranteed response time when the main module 3 is used alone (example: x milliseconds) and guaranteed response time when one or more expansion modules 4 are connected to the main module 3 (example). : Y milliseconds) is different. If the number of expansion modules 4 is one or more, the user does not need to review the safety distance because the response time does not change. For example, the response time is obtained by considering the addition time depending on the presence or absence of the expansion module 4 with respect to the basic response time (example: x = 4.8 milliseconds). The addition time (eg: 1.7 ms) is constant if the number of expansion modules 4 is one or more. Therefore, the response time y when one or more expansion modules 4 are connected to the main module 3 is, for example, 6.5 milliseconds. At this time, the monitoring unit 41 has a first number of expansion modules 4 connected to the main module 3 of which is one or more, and a second monitoring unit 41 which is one or more different from the first number. The execution engine 40 and the communication processing unit 36 (reception processing unit 37, etc.) are monitored so that the response time of the safety controller 1 is guaranteed to be constant depending on the number of units.

FIG. 11 (C) Guaranteed response time when the main module 3 is used alone (example: x milliseconds) and guaranteed response time when one expansion module 4 is connected to the main module 3 (example: x). It is the same as (milliseconds), but the guaranteed response time (example: yms) when two or more expansion modules 4 are connected to the main module 3 is not the same. However, x <y. The user needs to review the safety distance, recognizing that the response time increases when the number of expansion modules 4 increases from one to two or more. However, the user needs to review the safety distance only when increasing from two to three.

FIG. 11 (D) The guaranteed response time when the main module 3 is used alone is x milliseconds, and the guaranteed response time when 1 or more and N or less expansion modules 4 are connected to the main module 3 is. A case where the guaranteed response time is y1 ms, and the guaranteed response time when N + 1 or more and M or less expansion modules 4 are connected to the main module 3. However, x <y1 <y2. The user needs to review the safety distance, recognizing that the response time increases when the number of expansion modules 4 increases from 0 to 1. Similarly, the user needs to review the safety distance, recognizing that the response time increases when the number of expansion modules 4 increases from N to N + 1.

Here, the rule that the response time changes according to the number of expansion modules 4 has been described, but as in the case of FIG. 11 (E), the remote I / O unit 8 also has the same or similar response as the expansion module 4. Time rules may be built. For example, the remote I / O unit 8 may be equated with the expansion module 4 in terms of response time. When one or more expansion modules 4 are connected to the main module 3, the monitoring unit 41 determines the safety controller 1 when the remote I / O unit 8 is not connected to the main module 3 and when one is connected. The communication processing unit 36 (reception processing unit 37, etc.) may be monitored so that the response time of the above is guaranteed to be constant. The reception processing unit 37 is configured to receive an input value from the remote I / O unit 8. In any case, when an abnormal state that exceeds the response time occurs, the safety output signal is forcibly turned off.

(Safe communication)
The main module 3 and the expansion module 4 execute communication via an internal bus (fieldbus) including a bus IF. The following errors can occur in this communication.
1) Repeat: Old message is received repeatedly 2) Missing: Message is deleted 3) Insert: Another message is inserted 4) Misalignment: Message reception order is incorrect 5) Falsification: The content of the message is rewritten 6) Delay: Communication is not completed within the specified time 7) Impersonation: Unreliable information is received from an unauthenticated device.

On the other hand, the main module 3 and the extension module 4 identify the source / receiver address. This is to identify both by including the source / recipient address in the message and prevent the insertion of untrusted information from unregistered devices. The main module 3 and the expansion module 4 may use a time stamp. Safety-related information is valid only within a certain period of time. Therefore, the main module 3 and the expansion module 4 identify old safety-related information by using the time stamp, and prevent these from being repeatedly transmitted. The time stamp adds the time when the sender generated the message to the message as a time stamp, and the receiver extracts the time stamp from the message and checks the timeliness of the message based on the time stamp. The main module 3 and the expansion module 4 may be assigned a sequence number. The sequence number indicates the order in which the messages were sent. The receiving side identifies the context of a plurality of received messages based on the sequence number included in the message. Based on the sequence number, it is possible to determine whether a message is missing, an unrelated message is inserted, or a misalignment is made. The main module 3 and the expansion module 4 may execute reception confirmation. In reception confirmation, the receiving side sends the received message back to the sending side, so that the message sent by the sending side is compared with the message sent back. This makes it possible for the receiving side to confirm whether the message has been received correctly. Alternatively, the transmitting side may inspect that the message has been correctly received by causing the receiving side to transmit a confirmation message such as an acknowledge. Normally, if an acknowledgment from the receiving side is not obtained within the permissible time, the transmitting side shifts to the OFF state (timeout function).

A specific transmission procedure executed by the main module 3 and the expansion module 4 will be described with reference to FIGS. 12 and 13.

In S41, the main module 3 (communication processing unit) transmits a message 1301 including a data transmission command, and the expansion module 4 receives the message 1301. As shown in FIG. 13, the message 1301 includes a destination (example: expansion module 4a), a source (example: main module 3), a sequence number, a data transmission instruction, and a calculation result (not included in the first message). , Timestamp, and CRC. As shown in FIG. 13, the CRC is calculated from the data from the destination to the time stamp. It is assumed that this message has a reply deadline (eg, 0.1 ms to 1.0 ms).

In S42, the expansion module 4 calculates the CRC from the data from the destination to the time stamp of the received message, and determines whether or not it matches the CRC added to the message. If the two CRCs do not match, in S43, the expansion module 4 sends a retry request, and the main module 3 retransmits the message.

In S44, the expansion module 4 acquires the safety input signal input from the safety input device.

In S45, the expansion module 4 converts the safety input signal into an input value (input data) and creates a message 1302 for data transmission. As shown in FIG. 13, message 1302 includes a destination (eg, main module 3), a source (eg, expansion module 4a), a sequence number, an input value, a time stamp, and a CRC. As shown in FIG. 13, the CRC is calculated from the data from the destination to the time stamp. The sequence number of the message 1302 is the sequence number included in the message 1301 plus one.

In S46, the expansion module 4 transmits the message 1302 including the input value to the main module 3, and the main module 3 receives the message 1302. The message 1302 may include an acknowledge indicating that the reception of the message 1301 was successful.

In S47, the main module 3 performs a CRC check on message 1302. The main module 3 calculates the CRC from the data from the destination to the time stamp of the received message 1302, and determines whether or not it matches the CRC added to the message 1302. If the two CRCs do not match, in S48, the main module 3 sends a retry request, and the extension module 4 resends the message. Here, assuming that the timeout period is set to 2 milliseconds, it is possible to send and receive a message up to eight times. If the error-free message 1302 is not received within the timeout period, the main module 3 forcibly turns off the safety output signal.

It should be noted that eight messages 1302 may be transmitted in succession. In this case, the main module 3 may adopt the message 1302 that first passed the CRC check among the eight messages 1302. Alternatively, the main module 3 may adopt the message 1302 (that is, the latest data) that finally passed the CRC check among the eight messages 1302. Alternatively, the main module 3 may randomly select the message 1302 that has passed the CRC check from the eight messages 1302.

In S49, the main module 3 calculates and obtains a safety output signal based on the input value (safety input signal) extracted from the message 1302. The calculation method is defined by the user program.

In S50, the main module 3 transmits a message 1301 including a calculation result (safety output signal) to the expansion module 4, and the expansion module 4 receives the message 1301.

In S51, the expansion module 4 executes the above-mentioned CRC check for the message 1301 including the calculation result (safety output signal). If the CRCs do not match, the retry of message 1301 is executed in S52. If the error-free message 1302 is not received within the timeout period, the expansion module 4 forcibly turns off the safety output signal.

In S53, the expansion module 4 converts the calculation result into a safety output signal and outputs it to the contactor of the power source 12.

The main module 3 forcibly turns off the safety output signal only when the correct CRC is not obtained after one scan cycle (about 1 millisecond to 5 milliseconds) has elapsed. However, this is just one example. For example, if the CRC mismatch occurs even once, the main module 3 may forcibly turn off the safety output signal.

(Sequence number)
As described above, the sequence number of the message is updated by the main module 3 and the expansion module 4 alternately one by one. For example, the main module 3 first sets the sequence number to "1" and transmits a data transmission instruction.
Next, the expansion module 4 adds "2" to the sequence number and returns an input value. Next, the main module 3 calculates the safety output signal based on the data in which "2" is added to the sequence number. Next, the main module 3 adds "3" to the sequence number and transmits a new data transmission command with a reply deadline and an output signal based on the calculation result. The correct order of data is maintained by repeating such update and transmission / reception of the sequence number. For example, it is assumed that when the main module 3 transmits data with a sequence number of "1", the extension module 4 receives data with a sequence number of "3". In this case, it is a data sequence error and forced OFF is executed. When the main module 3 detects a sequence error, the error may be displayed or the data in which the error has occurred may be discarded.
The sequence number is managed for each combination of the main module 3 and the expansion module 4. For example, it means that the sequence number managed by the combination of the main module 3 and the expansion module 4a and the sequence number managed by the combination of the main module 3 and the expansion module 4b are independent.

The main module 3 and the expansion module 4 may determine the timeliness of the data based on the time stamp. However, this is based on the premise that the main module 3 and the expansion module 4 are time-synchronized.

<Summary>
As shown in FIG. 1, the safety controller 1 is an example of a safety controller having a main module 3 for executing a safety program and an expansion module 4 connected to the main module 3. As shown in FIG. 4, the bus IF 26a and the reception processing unit 37 function as a receiving means for receiving an input value from the expansion module 4 for each period slot having a repeating cycle of a certain length. The execution engine 40 is an execution engine that repeatedly executes the safety program for each period slot, and is safe using the input value in the i + 1th period slot next to the i-th period slot in which the input value is received. Calculate the output value according to the program. The safety output IF 22, the output processing unit 33, and the transmission processing unit 38 function as output means for outputting the safety output signal corresponding to the output value to the safety output device. The monitoring unit 41 functions as a monitoring means for monitoring the receiving means and the execution engine. The monitoring unit 41 forcibly sets a safety output signal that stops the operation of the safety output device when the reception of the input value by the receiving means is not completed in the i-th period slot. Similarly, the monitoring unit 41 forcibly sets a safety output signal that stops the operation of the safety output device when the calculation of the output value by the execution engine is not completed in the i + 1th period slot. By introducing the concept of period slots into the safety controller in this way, it is possible to guarantee or fix the response time without depending on at least one of the user program and communication.

The period slot may be calculated by the MCU 23 of the main module 3. This is because the MCU 23 of the main module 3 grasps the type of communication implemented in the main module 3 and can further recognize which communication is effective from the user program or setting data.

As shown in FIG. 4, the bus IF26a and the reception processing unit 37 are configured to receive the next input value from the expansion module in parallel with the execution engine seeking the output value in the i + 1th period slot. It may have been done.

As shown in FIG. 5, the first determination unit 51 may function as the first determination means for determining whether or not the input value can be received in the i-th period slot. The first setting unit 61 may function as a first setting means for forcibly setting the output value to the OFF state when the input value cannot be received in the i-th period slot.

As shown in FIG. 5, the first warning unit 71 may function as a first warning means for outputting the first warning information when the input value cannot be received in the i-th period slot.

As shown in FIG. 5, the second determination unit 52 may function as a second determination means for determining whether or not the calculation of the output value is completed within the i + 1th period slot. The second setting unit 62 may function as a second setting means for forcibly setting the output value to the OFF state when the calculation of the output value is not completed in the i + 1th period slot.

As shown in FIG. 5, the second warning unit 72 may function as a second warning means for outputting the second warning information when the calculation of the output value is not completed in the i + 1th period slot. ..

The reception processing unit 37 may be configured to retry the reception of the input value so that the reception of the input value is successful.

The reception processing unit 37 may be configured to execute tampering detection by performing a CRC check on the input value.

The reception processing unit 37 may be configured to return an acknowledge to the expansion module using a sequence number for the input value. As a result, the expansion module 4 can grasp which input value has been successfully transmitted based on the sequence number assigned to the acknowledge. If an acknowledgment (Ack) is not returned, or if a negative response (Nack) is returned, the extension module 4 may perform retransmission of the input value based on the sequence number.

The length of the period slot may be determined independently of the processing volume of the safety program. The period slot may be determined based on the response time guaranteed for the safety controller 1. In this case, the user has the advantage of determining the safety distance before writing the safety program.

As shown in FIG. 4, the transmission processing unit 38 transmits the output value obtained by the execution engine in the i + 1th period slot to another expansion module in the i + 2nd period slot next to the i + 1th period slot. It may function as a transmission means.

As shown in FIG. 5, the third determination unit 53 functions as a third determination means for determining whether or not the transmission of the output value is completed within the i + second period slot. The third setting unit 63 functions as a third setting means for forcibly setting the output value to the OFF state when the transmission of the output value is not completed in the i + second period slot.

The main module 3 may further have a connector (eg, IO connector 10a) that connects to the safety input device. The execution engine 40 may be configured to calculate an output value using the input value acquired via the connector and the input value received by the receiving means for each period slot.

The length of the period slot may be determined to be a constant length regardless of the number of expansion modules connected to the main module 3. In this case, the user has the advantage of determining the safety distance before writing the safety program.

As described with reference to FIG. 11, the response time of the safety controller may be guaranteed to be constant regardless of the number of expansion modules 4 connected to the main module 3. Further, the response time in the case where the expansion module 4 is not connected to the main module 3 is the first response time x, and the response time in the case where one or more expansion modules are connected to the main module 3 is the second response time. It may be y. The response time in the case where the expansion module 4 is not connected to the main module 3 is the first response time x, and the response time in the case where one or more expansion modules 4 are connected to the main module 3 and up to N units are connected. May be the second response time y1. Further, the response time in the case where N + 1 or more expansion modules 4 are connected to the main module 3 may be the third response time y2. Further, the response time in the case where the expansion module is not connected to the main module 3 is the first response time x, and the response time in the case where the remote I / O unit 8 is connected to the main module 3 is the connection of the expansion module 4. The second response time y is independent of the number of units, and the response time in the case where the remote I / O unit 8 is not connected to the main module 3 and one or more expansion modules 4 are connected is the first response time. The response time x may be.

The invention is not limited to the above-described embodiment, and various modifications and changes can be made within the scope of the gist of the invention.

Claims (17)

A safety controller having a main module that executes a safety program and an expansion module connected to the main module.
The main module
A receiving means for receiving an input value from the expansion module and a receiving means for receiving an input value from the expansion module for each period slot having a repeating cycle of a fixed length.
An execution engine that repeatedly executes the safety program for each period slot, and uses the input value in the i + 1th period slot next to the i-th period slot in which the input value is received. An execution engine that calculates the output value according to
An output means for outputting a safety output signal corresponding to the output value to a safety output device, and
It has the receiving means and the monitoring means for monitoring the execution engine.
The monitoring means does not complete the reception of the input value by the receiving means in the i-th period slot, or the calculation of the output value by the execution engine in the i + 1th period slot. A safety controller for forcibly setting the safety output signal at which the operation of the safety output device is stopped. The receiving means is configured to receive the next input value from the expansion module in parallel with the execution engine seeking the output value in the i + 1th period slot. The safety controller according to claim 1. The monitoring means
A first determination means for determining whether or not the input value could be received within the i-th period slot, and
The first or second aspect of claim 1 or 2, further comprising a first setting means for forcibly setting the output value to the OFF state when the input value cannot be received in the i-th period slot. Safety controller. The invention according to any one of claims 1 to 3, further comprising a first warning means for outputting the first warning information when the input value cannot be received in the i-th period slot. Safety controller. The monitoring means
A second determination means for determining whether or not the calculation of the output value is completed in the i + 1th period slot, and
Claims 1 to 1, further comprising a second setting means for forcibly setting the output value to the OFF state when the calculation of the output value is not completed in the i + 1th period slot. The safety controller according to any one of 4. One of claims 1 to 5, further comprising a second warning means for outputting the second warning information when the calculation of the output value is not completed in the i + 1th period slot. The safety controller described in. The safety controller according to any one of claims 1 to 6, wherein the receiving means is configured to retry receiving the input value so as to succeed in receiving the input value. The safety controller according to any one of claims 1 to 7, wherein the receiving means is configured to perform tampering detection by performing a CRC check on the input value. The safety controller according to any one of claims 1 to 8, wherein the receiving means is configured to return an acknowledge to the expansion module using a sequence number for the input value. The safety controller according to any one of claims 1 to 9, wherein the length of the period slot is determined independently of the processing amount of the safety program. The output means transmits the output value obtained by the execution engine in the i + 1th period slot to another expansion module in the i + 2nd period slot next to the i + 1th period slot. The safety controller according to any one of claims 1 to 10, wherein the safety controller is provided. The monitoring means
A third determination means for determining whether or not the transmission of the output value is completed within the i + 2nd period slot, and
The eleventh aspect of claim 11 further includes a third setting means for forcibly setting the output value to the OFF state when the transmission of the output value is not completed within the i + second period slot. Described safety controller. The main module
It also has a connector to connect to safety input devices,
The execution engine is configured to calculate the output value for each period slot by using the input value acquired via the connector and the input value received by the receiving means. The safety controller according to any one of claims 1 to 12, wherein the safety controller is characterized. The length of the period slot is determined to be a constant length without depending on the number of expansion modules connected to the main module, according to any one of claims 1 to 13. Safety controller. A safety controller that has a main module that executes a safety program and an expansion module that is connected to the main module.
The main module
A receiving means for receiving an input value from the expansion module and
An execution engine that calculates an output value according to the safety program using the input value,
An output means for outputting a safety output signal corresponding to the output value to a safety output device, and
The receiving means and the monitoring means for monitoring the execution engine are provided.
The monitoring means is when the number of the expansion modules connected to the main module is one or more in the first number and when the number of the expansion modules is one or more different from the first number in the second number. The safety controller is characterized in that the receiving means and the execution engine are monitored so that the response time of the safety controller is guaranteed to be constant. The response time in the case where the expansion module is not connected to the main module is the first response time.
The safety controller according to claim 15, wherein the response time in the case where one or more of the expansion modules are connected to the main module is the second response time. The safety controller further comprises a remote I / O unit connected to the main module.
The receiving means further receives an input value from the remote I / O unit and receives an input value.
In the monitoring means, the response time of the safety controller is constant when the remote I / O unit connected to the main module is not connected and when one remote I / O unit is connected. The safety controller according to claim 15 or 16, characterized in that the receiving means is monitored to be assured.

Images