JP7005914B2 - Information processing equipment, information processing methods, and information processing programs - Google Patents

Description

The present disclosure relates to techniques for simulating the operation of safety programs.

In order to safely use machines used in many manufacturing sites, safety equipment (safety components) that comply with international standards must be used. This safety device aims to prevent human safety from being threatened by automatically moving devices such as robots. Such safety devices include safety controllers that execute safety programs, detection devices that detect the presence or intrusion of people, input devices that accept emergency operations, and output devices that actually stop the device.

As one of the techniques for ensuring safety at the manufacturing site, for example, Japanese Patent Application Laid-Open No. 2014-137621 (Patent Document 1) is a user program of a safety controller capable of facilitating the design of a user program of a safety controller. Disclose how to support the design of.

In Japanese Patent Application Laid-Open No. 2014-137621 (Patent Document 1), a safety controller and a safety I / O terminal are connected via a bus-type network, and in the safety controller, a safety input device connected to the safety I / O terminal is used. Discloses a configuration that outputs a command for performing safe operation to a safety output device connected to a safety I / O terminal based on the input signal of.

Japanese Unexamined Patent Publication No. 2014-137621

The safety program is generated based on one or more function blocks combined from a plurality of types of function blocks prepared in advance. The safety program controls the target device based on the input signal from the safety device. As one of the function blocks, there is an EDM (External Device Monitoring) function block. The EDM function block is a functional module for monitoring whether or not a target device such as a robot motor is operating as intended. The EDM function block receives the input of the feedback signal indicating the operating state of the target device, and determines whether or not the target device is operating as intended. If it is determined that the target device is not operating as intended, the EDM function block outputs an error and forcibly stops the target device.

The safety program executed by the safety controller must work as intended. Therefore, the designer simulates the operation of the created safety program on an information processing device such as a PC (Personal Computer) before executing the safety program on the safety controller. The designer confirms that the safety program is operating normally on the simulation, and then sends the safety program to the safety controller.

In the simulation, the feedback signal cannot be obtained from the target device because the target device is not connected. Therefore, if the EDM function block is included in the safety program, an error will be output during the simulation of the safety program. In order to avoid this error, the designer dares to delete the EDM function block at the time of simulation. Therefore, there is a demand for a technique that can reduce the time and effort required when simulating a safety program.

According to a certain aspect, the information processing device for evaluating the safety program that operates the target device so that the safety is maintained when the predetermined conditions are satisfied is combined from a plurality of types of function blocks prepared in advance. It is provided with a generation unit for generating the above safety program based on one or more function blocks created. The plurality of types of function blocks include a monitoring function block for monitoring the operation of the target device. The monitoring function block outputs a first input unit for receiving the first input signal and a control signal for changing the operating state of the target device based on the change of the first input signal. The first output unit, the second input unit for receiving the second input signal indicating the operating state of the target device, and the second input signal between the change of the control signal and the elapse of a predetermined time. It has a second output unit for outputting an error when it does not change. The information processing apparatus further includes an execution unit for simulating the operation of the safety program. The execution unit invalidates the output of the error by the second output unit when the monitoring function block is included in the function block from which the safety program is generated.

Preferably, the information processing apparatus further includes an emulator for generating a simulated signal that simulates the operating state of the target device. The execution mode of the safety program by the execution unit includes a first simulation mode and a second simulation mode. When the execution mode is the first simulation mode, the execution unit invalidates the output of the error by the second output unit, and when the execution mode is the second simulation mode, the simulation signal is transmitted. Input to the second input unit.

Preferably, when the execution mode is the second simulation mode, the execution unit changes the simulated signal between the time when the control signal changes and the time when the predetermined time elapses.

Preferably, when the function block from which the safety program is generated includes a plurality of the monitoring function blocks, the execution unit invalidates the output of the error for all of the plurality of monitoring function blocks.

Preferably, the information processing apparatus receives an operation of providing a user interface for designing the safety program and an operation of arranging any function block of the plurality of types of function blocks in the user interface. Further equipped with a reception department. The user interface is predetermined to indicate that the output of the error is invalid when the output of the error is set to invalid when the user interface includes the monitoring function block. The monitoring function block is displayed in an embodiment.

Preferably, displaying the monitoring function block in the above aspect includes displaying the monitoring function block in the user interface in a manner different from other function blocks.

According to other aspects, the information processing method for evaluating the safety program that operates the target device so that the safety is maintained when the predetermined conditions are satisfied is a combination of multiple types of function blocks prepared in advance. A step of generating the above safety program based on the one or more function blocks created is provided. The plurality of types of function blocks include a monitoring function block for monitoring the operation of the target device. The processing executed by the monitoring function block includes a step of receiving the first input signal, a step of outputting a control signal that changes the operating state of the target device based on the change of the first input signal, and a step of outputting the control signal. A step of receiving a second input signal indicating the operating state of the target device, and a step of outputting an error when the second input signal does not change between the time when the control signal changes and the time when a predetermined time elapses. And have. The information processing method further includes a step of simulating the operation of the safety program. The simulation step includes a step of invalidating the output of the error in the step of outputting the error when the monitoring function block is included in the function block from which the safety program is generated.

According to other aspects, the information processing program for evaluating the safety program that operates the target device so that the safety is maintained when the predetermined conditions are satisfied is a plurality of types of functions prepared in advance in the computer. The step of generating the above safety program is executed based on one or more function blocks combined from the blocks. The plurality of types of function blocks include a monitoring function block for monitoring the operation of the target device. The processing executed by the monitoring function block includes a step of receiving the first input signal, a step of outputting a control signal that changes the operating state of the target device based on the change of the first input signal, and a step of outputting the control signal. A step of receiving a second input signal indicating the operating state of the target device, and a step of outputting an error when the second input signal does not change between the time when the control signal changes and the time when a predetermined time elapses. And have. The information processing program causes the computer to further perform a step of simulating the operation of the safety program. The simulation step includes a step of invalidating the output of the error in the step of outputting the error when the monitoring function block is included in the function block from which the safety program is generated.

In a certain aspect, it is possible to reduce the time and effort when simulating the safety program.

It is a schematic diagram which shows an example of the schematic structure of the safety system according to an embodiment. It is a schematic diagram which shows an example of the apparatus configuration of the safety controller according to an embodiment. It is a schematic diagram which shows an example of the apparatus configuration of the information processing apparatus according to an embodiment. It is a figure which shows the user interface which is an example of the design screen of the safety program according to the embodiment. It is a figure which shows the function block which is an example of an EDM function block. It is a figure which shows an example of the functional structure of the information processing apparatus according to an embodiment. It is a figure which shows an example of the display mode of the EDM function block at the time of invalidating the output of an EDM error. It is a figure which shows how the simulated signal is output to the function block which is an EDM function block. It is a figure which shows the setting screen for setting the generation rule of a simulated signal. It is a figure which shows the simulation result screen displayed on the display. It is a figure which shows the signal state when the safety program is executed in the 1st simulation mode. It is a figure which shows the signal state when the safety program is executed in the actual machine mode. It is a figure which shows the execution flow of a safety program at the time of a simulation.

Hereinafter, embodiments according to the present invention will be described with reference to the drawings. In the following description, the same parts and components are designated by the same reference numerals. Their names and functions are the same. Therefore, the detailed description of these will not be repeated. In addition, each embodiment and each modification described below may be selectively combined as appropriate.

<A. Overview of Safety System 1>
First, the configuration of the safety system 1 according to the present embodiment will be described. FIG. 1 is a schematic diagram showing an example of a schematic configuration of a safety system 1 according to the present embodiment.

With reference to FIG. 1, the safety system 1 mainly includes a control device 300 for controlling equipment, machines, and the like, and a safety controller 100.

The control device 300 is typically composed of a PLC (programmable controller) or the like, executes a predetermined user program with respect to the input data acquired from the controlled object, and responds to the output data calculated by the execution. Give a command to the controlled object. As a control target shown in FIG. 1, a motor 10 and a driver 12 for driving the motor 10 will be illustrated. The control device 300 outputs a drive command to the driver 12 in order to rotationally drive the motor 10 when a certain drive start condition is satisfied according to a user program. Further, when a certain drive stop condition is satisfied, the output of the drive command to the driver 12 is stopped in order to stop the rotational drive of the motor 10.

In addition to controlling the controlled object by the control device 300, typically, a safety controller 100 is further arranged to ensure the safety of workers and the like related to the controlled object. When the safety controller 100 satisfies a predetermined condition (safety condition) associated with the input signal from the safety input component (safety sensor, safety door switch, safety limit switch, emergency stop switch, safety switch, etc.), Perform safe operation.

In the example shown in FIG. 1, the safety relay 14 is arranged on the power supply line to the driver 12. The safety relay 14 is, for example, a contactor for shutting off an electric circuit. Further, a dangerous area is set around the device driven by the motor 10, and the safety device 16 is arranged around the dangerous area. The safety device 16 includes, for example, a detection device for detecting the presence or intrusion of a person, an input device for receiving an emergency operation, an output device for actually stopping the device, and the like. The safety relay 14 is driven by receiving an input signal from the safety device 16.

As an example, when the safety device 16 as an emergency stop switch receives an emergency stop operation by an operator, the safety controller 100 outputs a control signal to the safety relay 14 in response to the stop signal from the emergency stop switch. The safety relay 14 operates in response to a control signal from the safety controller 100, and cuts off the power supply to the driver 12 that drives the motor 10. As a result, the motor 10 is forcibly stopped. By forcibly stopping the motor 10 in this way, the safety of the operator can be ensured.

As another example, the safety device 16 as a safety sensor detects that the worker has entered the dangerous area. When a worker enters a dangerous area, the safety sensor detects the worker's entry. The safety controller 100 outputs a control signal to the safety relay 14 in response to the detection signal from the safety sensor. The safety relay 14 operates in response to a control signal from the safety controller 100, and cuts off the power supply to the driver 12 that drives the motor 10. As a result, the motor 10 is forcibly stopped. By forcibly stopping the motor 10 in this way, the safety of the operator who has entered the dangerous area can be ensured.

In the configuration example shown in FIG. 1, the safety controller 100 and the control device 300 are connected to each other via the control system network 20, and can exchange data internally held by each other. Further, the safety controller 100 and the control device 300 are connected to the information processing device 200 via the information system network 22.

The information processing device 200 is a support tool for providing functions such as development of a program executed by the safety controller 100 or the control device 300, confirmation of the execution state of the program, and change of the program. The information processing device 200 is, for example, a PC (Personal Computer), a tablet terminal, a smartphone, or another communication terminal.

<B. Device configuration>
Next, the device configuration of each device constituting the safety system 1 according to the present embodiment will be described.

(B1: Safety controller 100)
FIG. 2 is a schematic diagram showing an example of the device configuration of the safety controller 100 according to the present embodiment. With reference to FIG. 2, the safety controller 100 includes a processor 102, a main memory 104, an arithmetic processing unit 108 including a flash memory 106, and various interfaces.

In the arithmetic processing unit 108, the processor 102 realizes functional safety according to the control target by expanding and executing the system program and the safety program stored in the flash memory 106 in the main memory 104.

In the present specification, the "safety program" is a program for operating the target device so that the target device is kept safe when a predetermined condition (safety condition) is satisfied, and is a group of instructions defining the processing of the safety controller. Means. More specifically, the safety program comprises a combination of instructions for determining the value of one or more output signals for one or more input signals.

The safety program may be any entity as long as it defines the processing of the safety controller. That is, the safety program may exist as one or more source codes, may exist as one or more object codes, and may be in a format (execution format) that can be executed by the processor of the safety controller. May be good.

Further, the safety program may be described using a function block diagram (FBD). Alternatively, any one of a ladder diagram (LD: Ladder Diagram), an instruction list (IL: Instruction List), a structured text (ST: Structured Text), and a sequential function chart (SFC: Sequential Function Chart), or these. It may be described in combination. Alternatively, it may be described in a general-purpose programming language such as Javascript (registered trademark) or C language.

In the following description, a safety program described as a variable program will be illustrated. Therefore, the signals (typically, the input signal and the output signal) actually exchanged between the safety controller and the safety component are treated as "variables" in the safety program. Since these real signals and the corresponding variables in the safety program are essentially the same, they are sometimes collectively referred to as "signals" in the following description. That is, in the present specification, the "signal" may include, in addition to the electric signal actually exchanged, a variable that refers to the value assigned to the electric signal on the safety controller.

The safety controller 100 includes a control system network interface 110, an information system network interface 112, a field bus interface 114, a memory card interface 116, a local communication interface 120, and an internal bus interface 122 as interfaces.

The control system network interface 110 mediates communication with other devices via the control system network 20. As the control system network 20, for example, a network protocol such as EtherCAT (registered trademark) that guarantees punctuality is preferable.

The information system network interface 112 mediates communication with other devices via the information system network 22. As the information system network 22, for example, a network protocol such as EtherNet / IP (registered trademark) that guarantees punctuality is preferable.

The fieldbus interface 114 mediates communication with an input / output unit connected via a fieldbus (not shown). As the fieldbus, network protocols such as EtherCAT (registered trademark), EtherNet / IP (registered trademark), DeviceNet (registered trademark), and CompoNet (registered trademark) that guarantee punctuality are preferable.

The memory card interface 116 is configured so that the memory card 118 can be mounted, and reads data from the memory card 118 and writes data to the memory card 118.

The local communication interface 120 is an interface that directly connects to the information processing device 200 or another device, and for example, USB (Universal Serial Bus) or the like is used.

The internal bus interface 122 mediates communication with an input / output unit directly mounted on the safety controller 100 via the internal bus.

(B2: Information processing device 200)
The information processing apparatus 200 according to the present embodiment is typically realized by executing a support program on a general-purpose computer.

FIG. 3 is a schematic diagram showing an example of the device configuration of the information processing device 200 according to the present embodiment. With reference to FIG. 3, the information processing apparatus 200 has, as main components, an operating system (OS: Operating System), a processor 202 that executes various programs as described later, and data necessary for program execution on the processor 202. A main memory 204 that provides a work area for storage, an operation unit 206 (operation reception unit) that accepts user operations such as a keyboard and mouse, and an output unit 208 that outputs processing results such as a display, various indicators, and a printer. , The information system network interface 210 connected to the information system network, the optical drive 212, the local communication interface 216 for communicating with the safety controller 100 and the like, and the auxiliary storage device 220. These components are connected so as to be capable of data communication via an internal bus 218 or the like.

The information processing apparatus 200 has an optical drive 212, and is a computer-readable recording medium 214 of an optical recording medium (for example, a DVD (Digital Versatile Disc)) that non-transiently stores a computer-readable program. Then, various programs are read and installed in the auxiliary storage device 220 or the like.

The various programs executed by the information processing device 200 may be installed via a computer-readable recording medium 214, or may be installed by downloading from a server device or the like on the network. Further, the program related to the functional safety evaluation according to the present embodiment may be realized by using a part of the modules provided by the OS.

The auxiliary storage device 220 is composed of, for example, an HDD (Hard Disk Drive) or an SSD (Flash Solid State Drive), and stores a program executed by the processor 202. Specifically, the auxiliary storage device 220 includes an execution program 222 that generates code (execution module) that can be executed by the processor 202 from the safety program 228 (source program) as a program that provides processing as described later. Includes a plurality of prepared function blocks 224. The auxiliary storage 220 stores various settings 226 associated with the safety program 228.

In FIG. 3, by executing a support program on a general-purpose computer, the functions related to the information processing apparatus 200 according to the present embodiment are realized, but instead of such a configuration, all or a part thereof is hard-wired. It may be mounted in a circuit. For example, the functions provided by the processor 202 by executing the above-mentioned various programs may be implemented by using an ASIC (Application Specific Integrated Circuit) or an FPGA (Field-Programmable Gate Array).

(B3: Control device 300)
Since the controller 300 according to the present embodiment has the same device configuration as the safety controller 100 shown in FIG. 2, detailed description will not be repeated. The safety controller 100 employs a module for duplication such as a processor and a safety module, but generally, such a configuration is not adopted in the controller 300. Further, in the control device 300, a user program is executed instead of the above-mentioned safety program.

<C. Safety program design tools ＞
Next, the safety program design tool will be described. The design tool is provided by an application pre-installed by the information processing apparatus 200. When the application is started, the design screen of the safety program is displayed on the information processing apparatus 200. FIG. 4 is a diagram showing a user interface 250 which is an example of a design screen of a safety program.

The user interface 250 is displayed, for example, on the output unit 208 (see FIG. 3) described above. The designer can design any safety program by combining any function blocks on the user interface 250. More specifically, the designer arranges an arbitrary function block from among a plurality of types of function blocks prepared in advance on the user interface 250, and defines an input / output relationship between the arranged function blocks. Such an operation is performed on, for example, the operation unit 206 (see FIG. 3) described above.

In the example of FIG. 4, the function block 251 is arranged on the user interface 250. The function block 251 is a functional module for monitoring the operating state of the emergency stop switch, which is an example of the safety device 16 (see FIG. 1). In the example of FIG. 4, the contacts of the emergency stop switch are duplicated to ensure safety. When the emergency stop switch is pressed, the pressed state is maintained, and when a release operation (for example, a rotation operation) is performed, the pressed state is released. When the emergency stop switch is pressed, the variables VA1 and VA2 assigned to the emergency stop switch change. The emergency stop switch is in a non-conducting state when pressed, and is in a conductive state when not pressed (when released) (so-called "b contact"). That is, when the emergency stop switch is pressed, the variables VA1 and VA2 are both "0" (FALSE), and when the emergency stop switch is not pressed, the variables VA1 and VA2 are both "1" (TRUE).

When the variables VA1 and VA2 are "0" (FALSE), the function block 251 outputs a signal SG1 indicating "0" (FALSE). When the variables VA1 and VA2 are "1" (TRUE), the function block 251 outputs the signal SG1 indicating "1" (TRUE).

The function block 255 is a functional module for monitoring the state of the reset button, which is an example of the safety device 16 (see FIG. 1). When the reset button is pressed, the variable VA3 assigned to the reset button changes. When the reset button is pressed, it is in a conductive state, and when it is not pressed, it is in a non-conducting state (so-called "a contact"). That is, when the reset button is pressed, the variable VA3 becomes "1" (TRUE), and when the reset button is not pressed, the variable VA3 becomes "0" (FALSE).

The function block 255 sets the value of the signal SG5 from "1" (TRUE) to "0" (FALSE) when the emergency stop switch is pressed (that is, when the value of the signal SG1 is "0" (FALSE)). Change to. The function block 255 sets the value of the signal SG5 to "0" when the reset button is pressed while the emergency stop switch is released (when the values of the signal SG1 and the variable VA3 are "1" (TRUE)). "(FALSE) to" 1 "(TRUE).

The function block 257 is an EDM function block, and is a functional module for monitoring the operation of a target device such as a safety relay 14 (see FIG. 1). When the value of the signal SG5 indicates "0" (FALSE), the function block 257 turns off the contactor, which is an example of the safety relay 14. That is, the control signal SG6 to the contactor is set to "0" (FALSE). As a result, the motor 10 (see FIG. 1) is forcibly stopped. When the value of the signal SG5 indicates "1" (TRUE), the function block 257 turns on the contactor. That is, the control signal SG6 to the contactor is set to "1" (TRUE). As a result, the driving of the motor 10 (see FIG. 1) is started.

If the contacts of the contactor are welded, the contactor will not operate normally. In this case, the operation of the motor 10 does not stop even though the stop signal from the emergency stop switch is output to the contactor. In order to prevent this, the function block 257 monitors whether or not the contactor is operating normally based on the feedback signal SG7 indicating the state of the contact of the contactor.

More specifically, the contactor maintains a conductive state (on state) at normal times and a non-conducting state (off state) at the time of emergency stop (so-called "b contact"). The state of the contactor is reflected in the feedback signal SG7. When the contactor state is the conduction state, the value of the feedback signal SG7 is “0” (FALSE). When the contactor state is the non-conducting state, the value of the feedback signal SG7 is “1” (TRUE). The function block 257 determines that the contactor is not operating normally when the value of the feedback signal SG7 does not change between the time when the value of the control signal SG6 is changed and the time when a predetermined time elapses.

More specifically, the function block 257 changes the value of the control signal SG6 from "0" (FALSE) to "1" (TRUE) until a predetermined time elapses, and the value of the feedback signal SG7. When is changed from "1" (TRUE) to "0" (FALSE), it is determined that the contactor is operating normally. On the other hand, if the feedback signal SG7 does not change during the predetermined time, the function block 257 determines that the contactor is not operating normally.

Similarly, in the function block 257, the value of the feedback signal SG7 is set to "0" during the period from when the value of the control signal SG6 is changed from "1" (TRUE) to "0" (FALSE) until a predetermined time elapses. "(FALSE) changes to" 1 "(TRUE), it is determined that the contactor is operating normally. On the other hand, if the feedback signal SG7 does not change during the predetermined time, the function block 257 determines that the contactor is not operating normally.

The function block 257 outputs an error (hereinafter, also referred to as "EDM error") when it is determined that the target device such as the safety relay 14 (see FIG. 1) is not operating normally. The designer can also further specify in the safety program the process for performing an emergency stop triggered by an EDM error (input).

<D. EDM error invalidation>
The designer simulates the operation of the safety program on the information processing apparatus 200 before setting the designed safety program in the safety controller. After confirming that the safety program is working as intended, the designer sets the safety program on the safety controller.

As described with reference to FIG. 4, the EDM function block monitors the feedback signal indicating the operating state of the target device to determine whether or not the target device is operating normally. However, in the simulation stage of the safety program, since the target device is not connected, the feedback signal from the target device cannot be acquired. Therefore, if the simulation is executed with the EDM function block included, an EDM error will be output. Therefore, the information processing apparatus 200 invalidates the output of the EDM error when the safety program includes the EDM function block.

The EDM error invalidation process will be described with reference to FIG. FIG. 5 is a diagram showing a function block 257, which is an example of an EDM function block.

The function block 257 includes an input unit 270, 274 and an output unit 272, 276.

The input unit 270 (first input unit) receives an input signal (first input signal) indicating the state of the target device such as the safety relay 14 (see FIG. 1). The input signal corresponds to the signal SG5 shown in FIG.

The output unit 272 (first output unit) outputs a control signal to the target device based on the value of the signal SG5. That is, the output unit 272 outputs a control signal for changing the operating state of the target device based on the change in the signal SG5. As an example, when the value of the signal SG5 changes from "1" (TRUE) to "0" (FALSE), the output unit 272 outputs an emergency stop command to the target device as a control signal. On the other hand, when the value of the signal SG5 changes from "0" (FALSE) to "1" (TRUE), the output unit 272 outputs a drive start command as a control signal to the target device.

The input unit 274 (second input unit) receives a feedback signal (second input signal) indicating an operating state of the target device. That is, the feedback signal changes in conjunction with the operating state of the target device.

The output unit 276 (second output unit) outputs an EDM error if the feedback signal does not change between the time when the control signal is output to the target device and the time when a predetermined time elapses. More specifically, the value of the feedback signal SG7 is "1" (TRUE) after the predetermined time elapses after the value of the signal SG5 changes from "0" (FALSE) to "1" (TRUE). ) Does not change from "0" (FALSE), the output unit 276 (second output unit) outputs an EDM error. If not, the output unit 276 outputs a signal indicating a normal state. Similarly, the value of the feedback signal SG7 changes from "0" (FALSE) to "0" (FALSE) during the period from when the value of the signal SG5 changes from "1" (TRUE) to "0" (FALSE) until a predetermined time elapses. If it does not change to "1" (TRUE), the output unit 276 outputs an EDM error. If not, the output unit 276 outputs a signal indicating a normal state.

The information processing device 200 is a case of simulating the operation of the safety program, and when the function block from which the safety program is generated includes the EDM function block (monitoring function block), the EDM error caused by the output unit 276 occurs. Disable output. This eliminates the need for the designer to perform extra operations such as deleting the EDM function block at the time of simulation, and improves the design efficiency of the safety program.

Preferably, when the function block from which the safety program is generated includes a plurality of EDM function blocks, the information processing apparatus 200 invalidates the output of the EDM error for all of the plurality of EDM function blocks. This further improves the design efficiency of the safety program.

<E. Functional configuration of information processing device 200>
The functions of the information processing apparatus 200 will be described with reference to FIGS. 6 to 10. FIG. 6 is a diagram showing an example of the functional configuration of the information processing apparatus 200.

As shown in FIG. 6, the information processing apparatus 200 includes a processor 202, a display 208A which is an example of an output unit 208, and an auxiliary storage device 220 as a main hardware configuration. The processor 202 includes a providing unit 282, a generation unit 284, an execution unit 286, an emulator 288, and an evaluation unit 290 as a functional configuration. Hereinafter, these functional configurations will be described in order.

(E1. Provision 282)
The provider 282 displays the above-mentioned user interface 250 (see FIG. 4) on the display 208A based on the launch of the design tool application.

The designer can arrange an arbitrary function block from the plurality of types of function blocks 224 prepared in advance in the user interface 250, and define the input / output relationship between the function blocks on the user interface 250. Such an operation is performed on, for example, the operation unit 206 (see FIG. 3) described above.

As described with reference to FIG. 4, the output of the EDM error is invalidated during the simulation of the operation of the safety program. In this case, the user interface 250 displays the EDM function block in a predetermined manner indicating that the output of the EDM error is invalid.

FIG. 7 is a diagram showing an example of a display mode of the EDM function block when the output of the EDM error is invalidated. As shown in FIG. 7, when the output of the EDM error is invalidated, the function block 257, which is an EDM function block, is displayed in a manner different from that of other types of function blocks 251,255. As an example, the function block 257 is displayed in a different color than other types of function blocks 251,255. Alternatively, the function block 257 may be displayed blinking. Alternatively, a mark (x mark in the example of FIG. 7) indicating that the output of the EDM error is invalidated may be displayed. By changing the display mode of the EDM function block, the designer can easily grasp that the output of the EDM error is invalidated.

(E2. Generation unit 284)
The generation unit 284 generates the safety program 228 based on one or more function blocks combined from a plurality of types of function blocks 224 prepared in advance. The generated safety program 228 is stored in the auxiliary storage device 220. Typically, the type of the function block, the input / output relationship between the function blocks, and the like are stored in the auxiliary storage device 220.

(E3. Execution unit 286)
The execution unit 286 generates an execution module from the safety program 228 based on the execution mode 226A of the safety program 228. Typically, the execution unit 286 includes functions such as a compiler, an assembler, and a linker.

The execution mode 226A of the safety program 228 is predetermined in the various settings 226 (see FIG. 3) described above. As an example, the execution mode 226A of the safety program 228 includes a first simulation mode and a second simulation mode. The execution mode 226A may be set in advance, or may be arbitrarily set by a designer or the like.

When the execution mode 226A is the first simulation mode, the execution unit 286 invalidates the output of the EDM error by the EDM function block. More specifically, the execution unit 286 generates an execution format program so as to skip the output portion of the EDM error. This invalidates the output of the EDM error by the EDM function block.

When the execution mode 226A is the second simulation mode, the execution unit 286 acquires a simulated signal that simulates the operating state of the target device from the emulator 288 described later, and obtains the simulated signal from the feedback signal S7 (see FIG. 5). ) Is input to the second input unit (see FIG. 5) of the EDM function block. As a result, the EDM function block determines that the target device is virtually operating normally, and the output of the EDM error is invalidated.

(E4. Emulator 288)
The emulator 288 generates simulated signals that simulate the states of various devices (for example, safety devices, monitored devices, etc.) that can be connected to the safety controller 100, and the simulated signals are used to form the safety program 228. Output to the function block. Thereby, the designer can simulate the operation of the safety program 228 on the information processing apparatus 200 without connecting the information processing apparatus 200 to the safety controller 100.

As an example, the emulator 288 generates a feedback signal to the EDM function block as a simulated signal. FIG. 8 is a diagram showing how the simulated signal is output to the function block 257, which is an EDM function block.

Typically, the emulator 288 generates a simulated signal SG9 based on a control signal output from the output unit 272 of the EDM function block to the monitored device. In the example of FIG. 8, the emulator 288 generates a simulated signal SG9 in which the control signal is inverted. The generated simulated signal SG9 is input to the input unit 274 of the function block 257.

Preferably, when the execution mode 226A is the second simulation mode described above, a simulated signal is sent to the input unit 274 from the time when the control signal from the output unit 272 of the function block 257 changes until a predetermined time elapses. Entered. As described above, when the simulated signal is input to the input unit 274 as a feedback signal, the output unit 276 of the function block 257 always outputs a signal indicating normality, and the output of the EDM error is invalidated.

Typically, the rules for generating simulated signals are preset by the designer. FIG. 9 is a diagram showing a setting screen 260 for setting a simulation signal generation rule. The setting screen 260 includes a setting list 40 and a registration list 50. The setting list 40 includes pull-down menus 41 and 42, a time setting area 44, and a check box 45.

Hereinafter, the reference signal for generating the simulated signal is also referred to as a “reference signal”. That is, the emulator 288 generates a simulated signal from the reference signal.

The designer specifies the input destination of the simulated signal in the pull-down menu 41. The input destination is specified by specifying a variable. Typically, the input unit 274 (see FIG. 5) of the EDM function block is designated.

The designer specifies the output source of the reference signal in the pull-down menu 42. The output destination is specified by specifying a variable. Typically, the output unit 272 (see FIG. 5) of the EDM function block is designated.

The designer sets the delay time in the time setting area 44. The designer can set the delay time, for example, between 50 ms and 1000 ms. The EDM function block changes the value of the simulated signal when the set delay time elapses after the value of the reference signal changes.

The designer sets a simulated signal generation rule in the check box 45. When the check box 45 is checked, the emulator 288 generates a signal in which the reference signal is inverted as a simulated signal. If the check box 45 is not checked, the emulator 288 generates a reference signal as a simulated signal.

When the add button 47 is pressed, the setting contents in the setting list 40 are reflected in the registration list 50. The items registered in the registration list 50 are configured to be selectable. As an example, when the delete button 54 is pressed while the item 52 is selected, the selected item 52 is deleted from the registration list 50.

When the OK button 62 is pressed, the registered setting contents in the registration list 50 are written to the above-mentioned various settings 226 (see FIG. 3) as feedback settings. When the cancel button 64 is pressed, the setting screen 260 is closed without reflecting the registered setting contents in the registration list 50.

In the above description, an example in which the emulator 288 generates a simulated signal that simulates the operating state of the safety relay 14 and inputs the simulated signal as a feedback signal to the EDM function block has been described, but the emulator 288 has been described. , It is also possible to generate simulated signals representing the operating state of other devices such as safety devices. The emulator 288 can simulate the operation of the safety program 228 by generating a simulated signal representing the operating state of the safety device according to a predetermined test pattern and inputting the simulated signal to the safety program 228.

(E5. Evaluation Unit 290)
The evaluation unit 290 compares the output value calculated by giving the input value from the emulator 288 to the safety program 228 with the expected output value corresponding to the input value, and outputs the comparison result as a simulation result. The expected output value for the input value to the safety program 228 is preset by the designer.

The simulation result by the evaluation unit 290 is displayed on the display 208A, for example. FIG. 10 is a diagram showing a simulation result screen 291 displayed on the display 208A.

With reference to FIG. 10, the simulation result screen 291 corresponds to a variable name display field 292A for displaying the variable name of the input signal in the safety program 228 and a comment display field 292B for displaying a comment about the corresponding input signal. The reset type display field 292C that displays the reset type for the input signal, the expected value setting field 292D that displays the combination of the output expected value (output signal) for the corresponding input signal, and the result display field 292E that shows the simulation result. , The result comment display field 292F for displaying the comment corresponding to the simulation result, and the date / time display field 292G for indicating the evaluation execution date and time are included.

In the result display column 292E, "Passed" is displayed for those that have passed, and "Failed" is displayed for those for which some error has occurred. Further, when some error occurs, the display mode of the output variable in which the error occurred is different in the expected value setting field 292D. An error message corresponding to the error is displayed in the result comment display field 292F. That is, information that identifies in which phase the abnormality was determined is included in the determination result. In addition, comments according to the phase judged to be abnormal are included in the judgment result. If the simulation is performed with the EDM error output disabled, this is displayed in the result comment display field 292F.

<F. Timing chart>
As described above, the execution mode of the safety program is the first simulation mode in which the EDM error is invalidated, the second simulation mode in which the simulated signal indicating the operating state of the target device is fed back to the EDM function block, and the target device is connected. Includes the actual machine mode to execute the safety program in the state of being executed. Typically, in the first and second simulation modes, the safety program is executed on the information processing apparatus 200. In the actual machine mode, the safety program is executed on the safety controller 100.

In the following, with reference to FIGS. 11 and 12, the operation mode of each safety device when the safety program is executed in each of the first simulation and the actual machine mode will be described.

First, with reference to FIG. 11, the execution mode of the safety program in the first simulation mode will be described. FIG. 11 is a diagram showing a signal state when the safety program is executed in the first simulation mode. It is assumed that the safety program is composed of a combination of function blocks shown in FIG.

Since the information processing apparatus 200 cannot acquire the operating state of each safety device during simulation, it generates a simulated signal in which the operating state of each safety device is virtually changed, and the simulated signal is used as a safety program. Enter in.

At time T1, the safety program generates a simulated signal indicating that the emergency stop switch has been pressed, and inputs the simulated signal to the safety program. As a result, the safety program determines that the emergency stop switch has been pressed. Along with this, the safety program outputs a control signal for turning off the first and second contactors. Normally, if the feedback signal SG7 does not change within a predetermined time Δth after the control signal is output, the safety program outputs an EDM error. However, in the first simulation mode, the output of the EDM error is invalidated. Therefore, in the example of FIG. 11, the EDM error is not output even though the feedback signal SG7 has not changed during the predetermined time Δth.

At time T2, the safety program generates a simulated signal indicating that the stop state of the emergency stop switch has been released, and inputs the simulated signal to the safety program. As a result, the safety program determines that the emergency stop switch has been released.

At time T3, the safety program generates a simulated signal indicating that the emergency stop switch has been pressed, and inputs the simulated signal to the safety program. As a result, the safety program determines that the emergency stop switch has been pressed. Along with this, the safety program outputs a control signal for turning on the first and second contactors. Normally, if the feedback signal SG7 does not change within a predetermined time Δth after the control signal is output, the safety program outputs an EDM error. However, in the first simulation mode, the output of the EDM error is invalidated. As a result, in the example of FIG. 11, although the feedback signal SG7 has not changed during the predetermined time Δth, no EDM error is output.

Next, with reference to FIG. 12, the execution mode of the safety program in the actual machine mode will be described. FIG. 12 is a diagram showing a signal state when the safety program is executed in the actual machine mode. It is assumed that the safety program is composed of a combination of function blocks shown in FIG.

It is assumed that the emergency stop switch is pressed at time T1. Along with this, a control signal indicating "0" (FALSE) is output to the first and second contactors. If the feedback signal SG7 indicating the operating state of the first and second contactors does not change between the time when the control signal is output and the time when the predetermined time Δth elapses, the safety program outputs an EDM error. In the example of FIG. 12, no EDM error is output. That is, it means that the contacts of the first and second contactors are normally driven to the open state.

It is assumed that the emergency stop switch is released at time T2. When the emergency stop switch is released, the contact of the contactor is not closed.

It is assumed that the reset button is pressed at time T3. Along with this, a control signal indicating "1" (TRUE) is output to the first and second contactors. If the feedback signal SG7 indicating the operating state of the first and second contactors does not change between the time when the control signal is output and the time when the predetermined time Δth elapses, the safety program outputs an EDM error. In the example of FIG. 12, no EDM error is output. That is, it means that the contacts of the first and second contactors are normally driven to the closed state.

<G. Control structure of information processing device 200>
The control structure of the information processing apparatus 200 will be described with reference to FIG. FIG. 13 is a diagram showing an execution flow of the safety program at the time of simulation. The process of FIG. 13 is realized by the processor 202 of the information processing apparatus 200 executing the program. In other aspects, some or all of the processing may be performed by circuit elements or other hardware.

In step S110, the processor 202 determines whether or not the safety program execution operation has been received. When the processor 202 determines that the execution operation of the safety program has been received (YES in step S110), the processor 202 switches the control to step S112. If not (NO in step S110), the processor 202 re-executes the process of step S110.

In step S112, the processor 202 reads the function block to be executed from the safety program. The function block to be executed is determined according to, for example, a predetermined test pattern.

In step S120, the processor 202 determines whether or not the function block to be executed is an EDM function block. When the processor 202 determines that the function block to be executed is an EDM function block (YES in step S120), the processor 202 switches the control to step S130. Otherwise (NO in step S120), processor 202 switches control to step S150.

In step S130, the processor 202 determines whether or not the execution mode of the safety program is set to the first simulation mode. When the processor 202 determines that the execution mode of the safety program is set to the first simulation mode (YES in step S130), the processor 202 switches the control to step S132. If not (NO in step S130), the processor 202 determines that the safety program execution mode is the second simulation mode and switches control to step S142.

In step S132, the processor 202 executes an instruction associated with the function block (EDM function block) to be executed.

In step S134, the processor 202 skips the EDM error determination process. This invalidates the output of the EDM error.

In step S142, the processor 202 executes an instruction associated with the function block (EDM function block) to be executed.

In step S144, the processor 202 generates a copycat signal that mimics the feedback signal from the monitored device according to the feedback setting set on the above setting screen 260 (see FIG. 9), and feeds back the copy signal. Input to the EDM function block as a signal.

In step S146, the processor 202 makes an EDM error determination. More specifically, the processor 202 outputs an EDM error when the simulated signal does not change within a predetermined time after the control signal to the target device changes. If not, the processor 202 outputs a determination result indicating normality.

In step S150, the processor 202 executes an instruction associated with the function block to be executed.

In step S160, the processor 202 determines whether or not there is a function block to be executed next. Typically, the processor 202 determines that there is a function block to be executed next if the simulation of the operation of the safety program has not been completed for all test patterns. When the processor 202 determines that the function block to be executed next exists (YES in step S160), the processor 202 switches the control to step S162. Otherwise (NO in step S160), processor 202 ends the process shown in FIG.

In step S162, the processor 202 reads the next function block to be executed from the safety program. As an example, the next function block to be executed is determined according to a predetermined test pattern.

<H. Summary>
As described above, the information processing apparatus 200 invalidates the output of the EDM error when the operation of the safety program is simulated and the function block from which the safety program is generated includes the EDM function block. To. This eliminates the need for the designer to perform extra operations such as deleting the EDM function block when simulating the safety program, and improves the design efficiency of the safety program.

It should be considered that the embodiments disclosed this time are exemplary in all respects and not restrictive. The scope of the present invention is shown by the scope of claims rather than the above description, and is intended to include all modifications within the meaning and scope equivalent to the scope of claims.

1 Safety system, 10 motors, 12 drivers, 14 safety relays, 16 safety equipment, 20 control system network, 22 information system network, 40 setting list, 41, 42 pull-down menu, 44 time setting area, 45 check box, 47 add button , 50 registration list, 52 items, 54 delete button, 62 OK button, 64 cancel button, 100 safety controller, 102,202 processor, 104,204 main memory, 106 flash memory, 108 arithmetic processing unit, 110 control system network interface, 112, 210 Information system network interface, 114 field bus interface, 116 memory card interface, 118 memory card, 120, 216 local communication interface, 122 internal bus interface, 200 information processing equipment, 206 operation unit, 208 output unit, 208A display, 212 Optical drive, 214 Recording medium, 218 Internal bus, 220 Auxiliary storage, 222 Execution program, 224,251,255,257 Function block, 226 Various settings, 226A Execution mode, 228 Safety program, 250 User interface, 260 Setting screen 270,274 Input section, 272,276 Output section, 282 Provider section, 284 generation section, 286 execution section, 288 emulator, 290 evaluation section, 291 simulation result screen, 292A variable name display field, 292B comment display field, 292C reset Type display column, 292D expected value setting column, 292E result display column, 292F result comment display column, 292G date and time display column, 300 control device.

Claims (7)

An information processing device for evaluating a safety program that operates a target device so that safety is maintained when predetermined conditions are met.
It is provided with a generator for generating the safety program based on one or more function blocks combined from a plurality of types of function blocks prepared in advance.
The plurality of types of function blocks include a monitoring function block for monitoring the operation of the target device.
The monitoring function block is
The first input unit for receiving the first input signal and
A first output unit for outputting a control signal that changes the operating state of the target device based on the change in the first input signal, and
A second input unit for receiving a second input signal indicating the operating state of the target device, and
It has a second output unit for outputting an error when the second input signal does not change between the time when the control signal changes and the time when a predetermined time elapses.
The information processing device further includes an execution unit for simulating the operation of the safety program.
The execution unit invalidates the output of the error by the second output unit when the monitoring function block is included in the function block from which the safety program is generated.
The information processing device further includes an emulator for generating a simulated signal that simulates the operating state of the target device.
The execution mode of the safety program by the execution unit includes a first simulation mode and a second simulation mode.
The information processing apparatus further includes a setting unit for setting either the first simulation mode or the second simulation mode of the execution mode of the safety program by the execution unit.
The execution unit
When the execution mode is set to the first simulation mode by the setting unit, the output of the error by the second output unit is invalidated.
An information processing device that inputs the simulated signal to the second input unit when the execution mode is set to the second simulation mode by the setting unit. When the execution mode is set to the second simulation mode by the setting unit, the execution unit changes the simulated signal between the time when the control signal changes and the time when the predetermined time elapses. The information processing apparatus according to claim 1. The execution unit invalidates the output of the error for all of the plurality of monitoring function blocks when the function block from which the safety program is generated includes a plurality of the monitoring function blocks. 2. The information processing apparatus according to 2. The information processing device is
A provider that provides a user interface for designing the safety program,
Further provided with an operation receiving unit for receiving an operation of arranging an arbitrary function block of the plurality of types of function blocks in the user interface.
The user interface is predetermined to indicate that the output of the error is invalid when the output of the error is set to invalid when the user interface includes the monitoring function block. The information processing apparatus according to any one of claims 1 to 3, which displays the monitoring function block in an embodiment. The information processing apparatus according to claim 4, wherein displaying the monitoring function block in the above-described embodiment includes displaying the monitoring function block in a manner different from other function blocks in the user interface. It is an information processing method for evaluating a safety program that operates a target device so that safety is maintained when predetermined conditions are met.
A step of generating the safety program based on one or more function blocks combined from a plurality of types of function blocks prepared in advance is provided.
The plurality of types of function blocks include a monitoring function block for monitoring the operation of the target device.
The processing executed by the monitoring function block is
The step of receiving the first input signal and
A step of outputting a control signal that changes the operating state of the target device based on the change of the first input signal, and
The step of receiving the second input signal indicating the operating state of the target device,
It has a step of outputting an error when the second input signal does not change between the time when the control signal changes and the time when a predetermined time elapses.
The information processing method further comprises a step of simulating the operation of the safety program.
The simulation step includes a step of invalidating the output of the error in the step of outputting the error when the monitoring function block is included in the function block from which the safety program is generated.
Further provided with a step of generating a simulated signal that simulates the operating state of the target device.
The simulation step includes a first simulation mode and a second simulation mode of the execution mode of the safety program.
Further comprising a step of setting either the first simulation mode or the second simulation mode of the execution mode of the safety program.
The simulation step is
When the execution mode is set to the first simulation mode, the step of invalidating the output of the error and
An information processing method including a step of inputting a simulated signal when the execution mode is set to the second simulation mode. An information processing program for evaluating a safety program that operates a target device so that safety is maintained when predetermined conditions are met.
The information processing program is applied to a computer.
The step of generating the safety program is executed based on one or more function blocks combined from a plurality of types of function blocks prepared in advance.
The plurality of types of function blocks include a monitoring function block for monitoring the operation of the target device.
The processing executed by the monitoring function block is
The step of receiving the first input signal and
A step of outputting a control signal that changes the operating state of the target device based on the change of the first input signal, and
The step of receiving the second input signal indicating the operating state of the target device,
It has a step of outputting an error when the second input signal does not change between the time when the control signal changes and the time when a predetermined time elapses.
The information processing program causes the computer to further perform a step of simulating the operation of the safety program.
The simulation step includes a step of invalidating the output of the error in the step of outputting the error when the monitoring function block is included in the function block from which the safety program is generated.
The information processing program causes the computer to further execute a step of generating a simulated signal that simulates the operating state of the target device.
The simulation step includes a first simulation mode and a second simulation mode of the execution mode of the safety program.
The information processing program causes the computer to further execute a step of setting either the first simulation mode or the second simulation mode of the execution mode of the safety program.
The simulation step is
When the execution mode is set to the first simulation mode, the step of invalidating the output of the error and
An information processing program including a step of inputting the simulated signal when the execution mode is set to the second simulation mode.

Images