JP7332442B2 - safety controller - Google Patents

Description

The present invention relates to safety controllers.

A large number of machines are in operation in a product factory that produces products (works). A safety system is a system indispensable for ensuring the safety of humans from machines (Patent Document 1).

JP 2014-16930 A

The safety system outputs an ON signal if it is safe, and outputs an OFF signal if there is a possibility that it is not safe. Here, as an example, a machine that is a source of danger is surrounded by a safety fence, and a person must open a safety door or the like provided in the safety fence in order to approach the machine. When the safety system detects that the safety door is opened by the door switch, it outputs an OFF signal to the machine to stop the machine. Here, the time from when the safety door is opened and the door switch is turned off to when the machine stops is called the response time. Based on this response time, the distance from the machine to the safety door (safety distance) is determined. That is, the size of the safety fence is determined according to the response time.

The safety controller of the safety system has an execution engine that repeatedly executes a safety program set by the user in scan cycles, and converts safety input signals from one or more safety input devices into safety output signals (ON signal and OFF signal) and outputs it. The scan cycle is calculated during the input refresh period, which is the timing at which the safety input signal is captured, the program execution period, during which the output value is calculated according to the input value of the safety input signal captured during the input refresh period and the safety program, and the program execution period. and an output refresh period for outputting a safety output signal from each output terminal according to the determined output value, which is one of the factors that affect the response time of the safety controller. In general, the shorter the scan cycle of a safety controller, the higher its performance. As a result, the response time of a safety controller generally varies depending on the safety program processing capacity and the number of connected units.

However, as a result of process changes and assessments, safety input devices and units are added, and safety programs are increased, which increases the response time and extends the safety distance. There was a risk that it would be necessary to review the position and review the installation position of the safety fence.

SUMMARY OF THE INVENTION Accordingly, an object of the present invention is to provide a safety controller with a fast and constant response time.

The present invention, for example,
A safety controller having a main module that executes a safety program and an expansion module connected to the main module,
The main module is
receiving means for receiving an input value from the expansion module for each period slot, which is a repetition period of a fixed length;
an execution engine that iteratively executes the safety program for each of the period slots, using the safety program in the i+1 period slot following the i period slot in which the input value was received; an execution engine that computes output values according to
output means for outputting a safety output signal corresponding to the output value to a safety output device;
monitoring means for monitoring the receiving means and the execution engine;
The monitoring means determines whether or not the reception of the input value by the receiving means has been completed in the i-th period slot, or the calculation of the output value by the execution engine has not been completed in the i+1-th period slot. A safety controller forcibly sets the safety output signal to stop the operation of the safety output device when the

According to the present invention, it is possible to provide a period slot in which a period for receiving an input value and a period for executing a safety program are sequentially executed in parallel, thereby making the response time fast and constant.

Diagram explaining the safety controller Diagram explaining the main module and extension modules Diagram explaining the signal path Diagram explaining duration slots Diagram explaining MCU functions Diagram explaining MCU functions Flowchart explaining the monitoring process Diagram explaining function blocks Flowchart showing program creation processing Flowchart showing processing related to communication errors Diagram for explaining the relationship between the number of connected extension modules and remote I/O units and the response time Sequence diagram explaining the transmission procedure Diagram explaining the message format

Embodiments are described in detail below with reference to the accompanying drawings. It should be noted that the following embodiments do not limit the invention according to the claims, and not all combinations of features described in the embodiments are essential to the invention. Two or more of the features described in the embodiments may be combined arbitrarily. Identical or similar configurations are given the same reference numerals, and duplicate descriptions are omitted.

(safety controller)
FIG. 1 shows the overall system. In this example, the safety controller 1 has a main module 3 and expansion modules 4a, 4b. The main module 3 executes a safety program transferred from the PC 2 that functions as a creation support device that assists the user in creating a safety program. The main module 3 has a display device 5a, an operation section 6a, a communication connector 7a, an IO connector 10a, and the like. The PC 2 has a display device 5b and an operation section 6b. The PC 2, which functions as a creation support device, sets module configuration information indicating connection relationships between modules and allocation information of devices connected to each terminal of each module, in addition to the safety program, according to user input. as module configuration information and device allocation information setting information. The communication connector 7a of the main module 3 may be a connector for USB or wired LAN. A communication cable from the PC 2 is connected to the communication connector 7a. The wired LAN may be industrial Ethernet. LAN is an abbreviation for local area network. A safety input device 11a such as an emergency stop switch and a safety input device 11b such as a light curtain are connected to the input terminals of the IO connector 10a. The safety input devices 11a and 11b are installed, for example, at the entrance of a safety fence installed so as to surround a machine that becomes a hazard. At this time, when the safety input device 11b detects a person trying to enter the safety fence unexpectedly, the safety controller 1 outputs an OFF signal to the machine to stop the machine. A control signal for shutting off the power source of a machine such as a robot arm is input to the output terminal of the IO connector 10a. A power cutoff device called a contactor is generally used to cut off the power source. A safety controller such as the main module 3 outputs a control signal to the contactor to control whether to supply or cut off power to the machine. The main module 3 performs arithmetic processing according to the safety program on the input value input from the safety input device 11a to obtain an output value, which the power source 12 outputs. For example, when an emergency stop switch, which is a kind of safety input device 11a, is pushed down, the main module 3 changes the output value from ON (operational state in which the power source can be operated) to OFF (stopped state in which the power source cannot be operated). do. As a result, the power source 12 is stopped. In this specification, "OFF" means that the hazard is brought to a safe state by stopping the hazard or reducing the danger of the hazard (e.g., by slowing down the movement speed of the robot). The OFF signal means a signal indicating OFF. In some cases, the IO connector 10a provided on the main module 3 alone cannot connect all safety input devices and power sources. In such a case, the expansion modules 4a, 4b are connected to the main module 3. FIG. The extension modules 4a and 4b have IO connectors 10b and 10c, respectively, and can be connected to the safety input device 11b, the power source 12, and the like. The expansion modules 4a, 4b and the main module 3 exchange input signals (input values) and output signals (output values) by communicating with each other via an internal bus. That is, the main module 3 applies the safety program to the input signal (input value) acquired from the safety input device 11a connected to itself and the safety input devices 11a connected to the extension modules 4a and 4b, thereby outputting the output signal ( output value). Furthermore, the main module 3 outputs the output signal generated according to the safety program to the power source 12 connected to itself or to the power source 12 connected to the expansion modules 4a and 4b. A remote I/O unit 8 is connected to the main module 3 via a remote bus. The remote I/O unit 8 communicates with the main module 3 to transmit the input signal of the safety input device 11d connected to the remote I/O unit 8 to the main module 3, and output a signal to the power source 12 connected to the .

(main module and expansion module hardware)
As shown in FIG. 2, the controller 20a of the main module 3 has two MCUs 23a, 24a and a memory 25a. The MCU (microcontroller unit) is duplicated to improve reliability. The MCUs 23a and 24a each execute the same safety program held in the memory 25a. The MCUs 23a and 24a receive the duplicated input signal of the safety input device 11 and/or the input signal (input value) sent from the expansion module 4 via the bus IF 26a and the safety program via the safety input IF 21a. Based on this, each output signal is generated and output to the safety output IF 22 a and/or the extension module 4 . For example, if both MCUs 23a and 24a output ON signals, the safety output IF 22a outputs ON signals as duplicated output signals from two terminals assigned to safety output signals. Also, if both MCUs 23a and 24a output OFF signals, the OFF signals are output as duplicated output signals from the two terminals assigned to the safety output signals. On the other hand, when one of the MCUs 23a and 24a outputs an ON signal and the other outputs an OFF signal, the MCUs 23a and 24a monitor each other. It determines and forcibly outputs an OFF signal. If the ON signal and the OFF signal are output as duplicated output signals from the two terminals assigned to the safety output signals in a mismatched state, the device connected to the subsequent stage will cause a failure in the safety controller. It judges that it has been done, and forcibly performs OFF processing. Thus, the controller 20a communicates with the expansion module 4 via the bus IF 26a to receive input signals and transmit output signals. The communication IF 27a communicates with other devices via the communication connector 7a.

Examples of safety input devices include safety laser scanners and light curtains. Safety input devices generally meet safety standards, and the outputs of safety input devices are duplicated. When the duplicated signals do not match for a certain period of time or longer, the safety controller or the sensor itself can detect that the sensor has failed, and can forcibly turn it off.

The controller 20b of the expansion module 4a has two MCUs 23b, 24b and a memory 25b. The MCU (microcontroller unit) is duplicated to improve reliability. The MCUs 23b and 24b each execute the control program with the same content held in the memory 25b. Upon receiving an input signal from the safety input device 11 via the safety input IF 21b, the controller 20b transmits an input signal (input value) to the main module 3 via the bus IF 26b. Upon receiving an output signal (output value) from the main module 3 via the bus IF 26b, the controller 20b outputs it to the power source 12 or the like via the safety output IF 22b. For example, if both MCUs 23b and 24b output ON signals, the safety output IF 22b outputs ON signals as duplicated output signals from the two terminals assigned to the safety output signals. Also, if both the MCUs 23b and 24b are outputting OFF signals, the OFF signals are output as duplicated output signals from the two terminals assigned to the safety output signals. On the other hand, when one of the MCUs 23b and 24b outputs an ON signal and the other outputs an OFF signal, the MCUs 23b and 24b monitor each other. It determines and forcibly outputs an OFF signal. If the ON signal and the OFF signal are output as duplicated output signals from the two terminals assigned to the safety output signals in a mismatched state, the device connected to the subsequent stage will cause a failure in the safety controller. It judges that it has been done, and forcibly performs OFF processing.

The controller 20c of the expansion module 4b has two MCUs 23c, 24c and a memory 25c. The MCU (microcontroller unit) is duplicated to improve reliability. The MCUs 23c and 24c each execute control programs held in the memory 25c. When the controller 20c receives the input signal of the safety input device 11 via the safety input IF 21c, it transmits it to the main module 3 via the bus IF 26c. When the controller 20c receives an output signal from the main module 3 via the bus IF 26c, it outputs it to the power source 12 or the like via the safety output IF 22c.

(response time)
In the safety controller 1 , the safety input device 11 and safety output device can be connected to the main module 3 , and the safety input device 11 and safety output device can be connected to the extension module 4 . The safety output device may be the power source 12 itself, or may be a safety contactor or a safety relay that cuts off the power supplied to the power source 12 . The safety input device 11 receives a safety input signal (ON) indicating that the safety input device itself is in a normal state and that the area monitored by the safety input device is normal, and a safety input signal (ON) indicating that the safety input device itself is not in a normal state. outputs a safety input signal (OFF) indicating that the monitored area cannot be confirmed to be normal. A safety output device supplies power to a machine to which a safety input signal (ON) is input, and cuts off the power supply to a machine to which a safety input signal (OFF) is input.

The safety input signal from the safety input device 11 connected to the main module 3 and the safety input signal from the safety input device 11 connected to the expansion module 4 are processed by the safety program running in the main module 3 respectively. be. The main module 3 also outputs safety output signals according to the safety program to the safety output device connected to the main module 3 and the safety output device connected to the extension module 4, respectively. Therefore, the response time differs depending on which safety output device uses the safety input signal of which safety input device.

FIG. 3 is a diagram for explaining response time. Here, four signal paths P1 to P4 are mainly illustrated. A signal path P1 is indicated by a two-dot chain line. Signal path P2 is indicated by a dashed line. Signal path P3 is shown in solid lines. A signal path P4 is indicated by a dashed line.

The signal path P1 is the simplest path, and outputs a safety output signal calculated based on the safety input signal of the safety input device 11a connected to the main module 3 to the power source 12a connected to the main module 3. .

The signal path P2 outputs a safety output signal calculated based on the safety input signal of the safety input device 11a connected to the main module 3 to the power source 12b connected to the expansion module 4a. In this case, the safety output signal is converted into communication data and transmitted from the bus IF 26a to the bus IF 26b. A cyclic redundancy check code (CRC) is added to the communication data, and the extension module 4a discards the communication data when a communication error is detected using the CRC. The communication data transmitted at new timing by the main module 3 is checked for a communication error using the CRC (retry). As a result of confirming the communication error, the extension module 4a adopts the communication data as communication data when it determines that the communication data is normal, and discards the communication data when detecting the communication error. In other words, the retry is for reducing erroneous OFF due to temporary communication failure such as noise. On the other hand, when an abnormality such as disconnection of a communication line or failure of a communication circuit occurs, normal communication data cannot be obtained even after repeated retries. In other words, the retry is for distinguishing between a temporary communication failure such as noise and the occurrence of an abnormality related to communication. That's what it means. In short, if the retry period is lengthened, erroneous OFF due to temporary communication failure is reduced and productivity is improved.

The signal path P3 outputs to the power source 12a connected to the main module 3 a safety output signal calculated based on the safety input signal of the safety input device 11b connected to the extension module 4a. In this example, the safety input signal of the safety input device 11b is converted into communication data and transmitted from the bus IF 26b to the bus IF 26a. As with the signal path P2, the signal path P3 may have a longer response time due to communication retries. The reason why the safety input signal is always sent to the main module 3 is that the main module 3 has an execution engine that executes the safety program. Specifically, the execution engine is implemented in the MCU 23a and the MCU 24a.

The signal path P4 is the most complicated path, and the safety output signal calculated by the main module 3 based on the safety input signal of the safety input device 11b connected to the expansion module 4a is transferred to the power source connected to the expansion module 4a. 12b. The safety input signal is sent to the main module 3 and calculated according to the safety program to become a safety output signal. Since the signal path P4 must pass through the bus IF26a and the bus IF26b twice, the response time tends to be the longest.

Note that an extension module 4b may be further connected. In this case, even if the safety input signal input from the safety input device 11c becomes the safety output signal of the power source 12c, the safety input signal is converted into communication data and transmitted to the main module 3. Further, the main module 3 converts the safety output signal into communication data and transmits it to the extension module 4b, where it is converted into a safety output signal and output to the power source 12c. A safety output signal for the power source 12c may be generated based on the safety input signals from the safety input devices 11a, 11b. Also in this case, communication is executed through the bus IFs 26a, 26b, and 26c. However, safety input devices and power sources can be freely combined, and multiple safety input devices and one power source may be combined. This combination depends on the safety program written by the user.

As can be seen from FIG. 3 , the response time (response speed) may differ depending on the connection position of the safety input device 11 and the connection position of the safety output device such as the power source 12 . Although it is possible to guarantee the response time (guaranteed response time) in advance, the actual response time may exceed the guaranteed response time due to a communication error. Similarly, it is conceivable that the operation time by the safety program becomes long and the actual response time exceeds the guaranteed response time. The guaranteed response time includes the allowable number of times (or time) for communication errors and the maximum computation time allowed for the safety program. A case in which the number of communication errors exceeds the allowable number of times or the calculation time exceeds the maximum calculation time is a failure case. These are caused by things that do not occur in normal operation. Factors that cause the processing time to exceed the allowable time include, for example, failure of the main body, disconnection of communication cables, excessive noise, and the like. These are rare events, but correspond to so-called abnormal conditions such as failures. Therefore, when the actual response time exceeds the guaranteed response time, the main module 3 forcibly turns off the safety output signal. This makes it possible to handle rare events while guaranteeing response time.

(period slot)
FIG. 4 is a diagram for explaining period slots. In this embodiment, a period slot is introduced, which is a repeating period of constant length. The safety controller 1 has an execution engine 40 that repeatedly executes a safety program set by the user in a scan cycle, and from safety input signals from one or more safety input devices 11, safety output signals (output value). The scan cycle consists of an input transmission/reception period corresponding to the input refresh period, which is the timing for capturing the safety input signal, an operation period for calculating the output value according to the safety program and the input value of the safety input signal captured during the input transmission/reception period, and and an output transmission/reception period for outputting a safety output signal from each output terminal according to the output value calculated during the calculation period. The scan cycle is divided into three processes corresponding to the input transmission/reception period, the calculation period, and the output transmission/reception period, and the safety controller 1 executes each process in parallel. For example, in the case of pipeline processing, the more the processing load corresponding to each period matches, the higher the efficiency of the entire processing. The safety controller 1 associates the guaranteed period of the input transmission/reception period and the guaranteed period of the operation period with the period slots. The guaranteed period of the output transmission/reception period may also be associated with the period slot, but since the guaranteed period of the output transmission/reception period is intended for forced OFF processing, the period width may be sufficiently shorter than the period slot. Period slots are determined based on guaranteed response times. Therefore, the MCUs 23a and 24a must each complete operations according to the safety program within the period slot. In addition, the main module 3 performs input processing of input signals from the safety input device 11a connected to itself and processing of input signals (input data) from the safety input device 11b connected to the extension module 4 within the period slot. receive processing must be completed. Further, the main module 3 performs output processing of an output signal to the power source 12a connected to itself and transmission processing of an output signal (output data) to the power source 12b connected to the expansion module 4 within the period slot. must be completed.

According to FIG. 4, input signal input processing and input data transmission/reception processing are repeatedly executed in each period slot (input transmission/reception period: input period and transmission/reception period). The safety program is also repeatedly executed in each period slot (calculation period). Further, in each period slot (output transmission/reception period: output period and transmission/reception period), output signal output processing and output data transmission/reception processing are repeatedly executed.

Generalizing, the input of the input signal and the reception (transmission) of the input data are performed in the i-th period slot. The input signal is also converted into input data so that it can be operated on by the execution engine 40 .

The program operation of the output data by execution engine 40 is performed in the i+1 th period slot. Here, a program operation is applied on the input data obtained in the ith period slot to compute the output data. Furthermore, the input of the input signal and the reception (transmission) of the input data are also performed in the i+1-th period slot.

Based on the input data obtained in the i-th period slot, the output data calculated in the i+1-th period slot is transmitted to the expansion module 4 in the i+2-th period slot, and the output data is converted into an output signal for safety. Output to the output device. Alternatively, the output data is converted into an output signal in the (i+2)th period slot and output to the safety output device of the main module 3 . The program operation of the output data by the execution engine 40 is also executed in the (i+2)th period slot. This is done using the input data received in the i+1 th period slot. Furthermore, the input of the input signal and the reception (transmission) of the input data are also performed in the i+2-th period slot.

Thus, the safety input signal (input data) is obtained in the i-th period slot, the safety output signal (output data) is calculated based on the input data in the i+1-th period slot, and the safety output signal is obtained in the i+2-th period slot. (output data) is output or transmitted. Therefore, the main module 3 monitors whether input processing and reception processing are completed within each period slot. The main module 3 monitors whether the arithmetic processing is completed within each period slot. The main module 3 monitors whether output processing and transmission processing are completed within each period slot. If any processing is not completed within the period slot, the main module 3 will force the safety output signal to OFF.

The response time in the signal path P1 shown in FIG. 3 is the sum of the period width of two period slots and the response time up to the output, since it is not necessary to consider a communication failure. For example, if the duration slot is 1 millisecond, the response time in signal path P1 can be set to a constant value greater than 2 milliseconds and less than or equal to 3 milliseconds. Also, the response time in the signal path P4 shown in FIG. 3 must take communication failure into consideration, and is the sum of the period width of two period slots and the response time up to the output. For example, if the period slot is 1 millisecond, the response time on signal path P4 can be set to a constant value greater than 4 milliseconds and less than or equal to 5 milliseconds.

(MCU function of main module)
FIG. 5 shows functions realized by the MCU of the main module 3. As shown in FIG. Although only MCU 23a is shown in FIG. 5, MCU 24a has the same function. The signal processing unit 31 inputs a safety input signal from the safety input device 11a connected to the main module 3, and outputs a safety output signal to the safety output device (power source 12a) connected to the main module 3. . The input processing unit 32 converts the safety input signal from analog to digital to obtain input data (input value), and outputs the input data to the execution engine 40 . The output processing unit 33 converts the output data (output value) output from the execution engine 40 into a safety output signal and outputs the safety output signal to the safety output device.

Note that the input processing unit 32 converts an input signal input from a certain input terminal into input data based on the association between the input terminal and the input block in the safety program, and outputs the input signal to the input block associated with the input terminal. You can pass input data. Similarly, the output processing unit 33 may convert output data output from a certain output block into an output signal, and output the signal from an output terminal associated with the output block to the output terminal. In this way, the signal processing unit 31 may perform data bridging between the input/output blocks of the safety program and the input/output terminals. The input processor 32 may perform filtering to reduce noise.

The communication processing unit 36 receives input data transmitted from the extension module 4 via the bus IF 26a, and transmits output data to the extension module 4 via the bus IF 26a. The input data is data for transmitting the safety input signal output from the safety input device 11b connected to the extension module 4. FIG. The output data is data for transmitting a safety output signal output to the power source 12b, which is a safety output device connected to the expansion module 4. FIG.

The reception processing unit 37 performs error detection by CRC on the input data. If an error is detected, the reception processing unit 37 requests the expansion module 4 to resend the input data. The reception processing unit 37 passes error-free input data to the execution engine 40 . The reception processing unit 37 passes the input data to appropriate input blocks forming the safety program. The relationship between input data and input blocks is associated in advance by setting information.

The transmission processing unit 38 calculates and adds an error detection code (eg, CRC) to the output data output from the execution engine 40, and transmits it to the extension module 4 via the bus IF 26a. Upon receiving a resend request from the expansion module 4, the transmission processing unit 38 resends the output data. The transmission processing unit 38 transmits the output data output from a certain output block to the safety output device of the extension module 4 associated with the output block. The relationship between the output data and the safety output device (output terminal) is associated in advance by setting information.

The execution engine 40 generates output data from input data by executing the safety program.

The monitoring unit 41 monitors the signal processing unit 31 , the communication processing unit 36 and the execution engine 40 . The monitoring unit 41 has a determination unit 50 , a signal setting unit 60 and a warning unit 70 . The monitoring unit 41 detects a hardware failure of an MCU, monitors whether the safety output signals of two MCUs forming a pair match, and, in this embodiment, performs monitoring related to response time. to run.

In the determination unit 50, the first determination unit 51 determines whether the signal processing unit 31 and the communication processing unit 36 have obtained the input data within the period slot. The second determination unit 52 determines whether the execution of the safety program has been completed within the period slot. Execution of the safety program means computing output data from input data. The third determination unit 53 determines whether the signal processing unit 31 and the communication processing unit 36 have completed the output and transmission of the output data within the period slot.

A first setting unit 61 in the signal setting unit 60 forcibly sets the safety output signal to OFF when the input data cannot be obtained within the period slot. The second setting unit 62 forcibly sets the safety output signal to OFF when the execution of the safety program is not completed within the period slot. The third setting unit 63 forcibly sets the safety output signal to OFF when the output and transmission of the output data are not completed within the period slot.

In the warning section 70, the first warning section 71 outputs warning information to the display device 5a when the input data cannot be obtained within the period slot. The second warning unit 72 outputs warning information to the display device 5a when the execution of the safety program is not completed within the period slot. The third warning unit 73 outputs warning information to the display device 5a when the output and transmission of the output data are not completed within the period slot.

(MCU function of expansion module)
FIG. 6 shows the functions of the MCU of the extension module 4. As shown in FIG. In addition, in FIG. 6, the same reference numerals are given to functions that are common or similar to those in FIG.

The input processing unit 32 receives a safety input signal from the safety input device 11 b connected to the extension module 4 , converts it into input data, and outputs the input data to the transmission processing unit 38 . The transmission processing unit 38 performs CRC processing on the input data and transmits it to the main module 3 via the bus IF 26b.

The reception processing unit 37 receives the output data from the main module 3 via the bus IF 26b, performs a CRC check, and passes the output data to the output processing unit 33 if no error is detected. The reception processing unit 37 may restore the input data from a plurality of pieces of reception data based on the sequence numbers assigned to the reception data. The output processing unit 33 converts the output data into a safety output signal and outputs the safety output signal to the power source 12b, which is a safety output device. When an error is detected in the output data, the reception processing unit 37 requests the main module 3 to resend the output data and retries the reception of the output data. Alternatively, the reception processing unit 37 may forcibly set the output data to OFF. Such forced OFF is executed when an abnormality occurs, such as when a timeout occurs or when two MCUs output different values.

The monitoring section 41 may have a determination section 50 and a signal setting section 60 . A first determination unit 51 in the determination unit 50 monitors whether or not the input processing unit 32 and the reception processing unit 37 have acquired input data within the period slot. The third determination unit 53 determines whether or not the transmission processing unit 38 has completed the transmission of the output data within the period slot.

The first setting unit 61 forcibly sets the safety output signal to OFF when the input data cannot be obtained within the period slot. The third setting unit 63 forcibly sets the safety output signal to OFF when the transmission of the output data is not completed within the period slot.

(flowchart)
FIG. 7 is a flowchart of monitoring processing executed by the MCU 23a (MCU 24a) of the main module 3. FIG. Here, it is assumed that the execution engine 40 is executing a repeating safety program.

In S1, the MCU 23a (eg, the first determination unit 51) determines whether or not the input data has been obtained within the period slot. If the input data can be obtained within the period slot, the MCU 23a proceeds to S2. If the input data could not be obtained within the period slot, the MCU 23a proceeds to S11.

In S2, the MCU 23a (eg, the second determination unit 52) determines whether or not the calculation of the output data by the safety program has been completed within the period slot. If the calculation of the output data is completed within the period slot, the MCU 23a proceeds to S3. If the calculation of the output data has not been completed within the period slot, the MCU 23a proceeds to S11.

In S3, the MCU 23a (eg, the third determination unit 53) determines whether or not the transmission of the output data has been completed within the period slot. If the transmission of the output data is completed within the period slot, the MCU 23a proceeds to S4. If the calculation of the output data has not been completed within the period slot, the MCU 23a proceeds to S11.

In S4, the MCU 23a determines whether or not the monitoring termination condition is satisfied. The monitoring termination condition is, for example, that a monitoring termination instruction is input from the operation unit 6a. When the monitoring end condition is satisfied, the MCU 23a ends the monitoring process. If the monitoring end condition is not satisfied, the MCU 23a returns to S1.

In S11, the MCU 23a (signal setting unit 60) forcibly sets the safety output signal to OFF. As a result, safety output signals are output to the power source 12a connected to the main module 3 and the power source 12b connected to the expansion module 4, respectively. As a result, the power sources 12a and 12b are stopped. Note that the signal setting unit 60 changes the output data so that the output data means that the safety output signal is OFF.

In S12, the MCU 23a (warning unit 70) outputs warning information to the display device 5a. Here, the warning information may include a message indicating the reason for outputting the warning information and an error code. For example, the warning information may include information indicating from which safety input device the input signal failed to be obtained. The warning information may also include information indicating to which safety output device transmission of the safety output signal (output data) has failed. Furthermore, the MCU 23a (warning unit 70) may write warning information or information indicating the content of the error in the error history.

(function block)
FIG. 8 shows a UI 80 displayed on the display device 5b by the PC 2 according to the editing program. The edit button 81 is a button for instructing editing of the safety program. A simulation button 82 is a button for instructing simulation of the safety program. The list portion 83 is a display area for selectively displaying a list of function blocks 84 that can be selected by the user. The program creation area 85 has an input placement area 86 in which input type function blocks are placed, and a block placement area 87 in which operation type and output type function blocks are placed. The user selects an arbitrary function block 84 from the list portion 83 and drags and drops it to the input placement area 86 or block placement area 87 . The input placement area 86 and the block placement area 87 can be scrolled to display more function blocks.

According to FIG. 8, input blocks corresponding to the safety input devices 11 connected to the main module 3 and the expansion module 4 are arranged in the input arrangement area 86 . In FIG. 8, in the input arrangement area 86, an input block corresponding to the emergency stop switch, an input block corresponding to the reset switch, an input block corresponding to the light curtain X, and an input block corresponding to the door switch are listed. It is arranged by dragging and dropping from the section 83 .

Two AND blocks, a reset block, and an output block are arranged in the block arrangement area 87 . An output block corresponds to one of the output terminals of the IO connectors 10a-10c. An icon representing each function block includes an input terminal and an output terminal. The user completes the safety program by connecting the output terminal of a certain function block and the input terminal of another function block with the connection line 88 .

In this case, if the emergency stop button has not been pressed, the reset block will output ON (safe). The left AND block outputs ON when the light curtain is ON and the door switch is ON. The output terminal of the reset block and the output terminal of the left AND block are connected to the right AND block. Therefore, when ON is input to both input terminals of the right AND block, the right AND block outputs ON to the output block. When the emergency stop button is pushed, OFF (not safe) is input to the reset block. As a result, the output of the right AND block switches from ON to OFF, and OFF is propagated to the output block. The reset block keeps the OFF output unless the reset switch is pressed. The reset block returns the output to ON when the reset switch is pressed.

The CPU of the PC 2 creates setting information including type information and program parts of the function blocks constituting the safety program, and connection information indicating the connection relationship of each function block, and stores it in the storage device of the PC 2 . In this case, the safety program is included in the setting information. Alternatively, the CPU may create a safety program by linking program parts according to the connection information. When the user inputs a transfer instruction, the CPU transmits and writes the setting information and the safety program to the main module 3 . Configuration information may be part of the safety program.

In this way, users can easily create safety programs by combining arbitrary function blocks. Note that when the simulation button 82 is pressed, the CPU displays the simulation UI on the display device 5b.

Here, each function block of the present embodiment may be guaranteed its own arithmetic processing time. The PC 2 may limit the creation of safety programs by the user so as to satisfy the response time guaranteed by the product specifications of the safety controller 1 . For example, if the user attempts to create a safety program on the UI 80 that includes loop wiring (loop processing) or branch processing between multiple function blocks that would make the response time of the safety program undefined, the CPU will issue warning information. You may output it or prohibit such creation.

According to FIG. 8, display portions 89a and 89b for displaying the current program amount are shown. The CPU may display the current program amount on the display section 89a of the UI 80 used for creating the program. The CPU may display the ratio of the current program amount to the full capacity on the display section 89b, which is a bar graph. Full capacity corresponds to the upper limit of response time guaranteed in the product specification. Also, the CPU may output warning information when the current program amount exceeds the full capacity. Here, the program amount may be the storage size, or may be the total time of the operation times of a plurality of function blocks forming the program. As a result, it will be possible to suppress the creation of safety programs that deviate from the response time guaranteed by the product specifications.

Safety controller 1 includes at least one main module 3, but expansion module 4 is not essential. Therefore, the response time of the safety controller 1 consisting of the main module 3 and the response time of the safety controller 1 consisting of the main module 3 and the extension module 4 are different. Therefore, the product specification may list response times for each of these system configurations.

The total response time Ta of the safety controller 1 can be calculated from the following formula.
Ta = T0 + T1 + T2 + T3 + T4 + T5 (1)
T0 is the basic response time of the main module 3 (eg 4.8 ms).
T1 is the added time (eg, 1.7 milliseconds) by the destination device to which the safety input device is connected. T1 may be different between when the safety input device is connected to the main module 3 and when it is connected to the expansion module 4 .
T2 is the additional time (eg, 0.7 milliseconds) due to the input block. If the input block uses filtering or test output, T2 will vary depending on the filtering time and test output time.
T3 is the additional time (eg, 4.5 milliseconds) due to the safety program. When using a timer function such as an ON delay or an OFF delay, it is necessary to add the delay time of the timer. Also, when using a register, additional time is required. Alternatively, T3 may be an addition time resulting from the test output. The test output is, for example, outputting a test pulse to confirm that the emergency stop button can operate normally.
T4 is the addition time by the connected device to which the safety output device is connected. T4 differs between when the safety output device is connected to the main module 3 (eg 0 ms) and when it is connected to the extension module 4 (eg 2.4 ms).
T5 is the addition time due to the output block. T5 differs depending on whether the output block is a semiconductor output (eg 0 ms) or a relay output (eg 10 ms).

Equation (1) means the time from the input to the output of the safety controller, but apart from this, Ts and Tr may be considered separately. Ts is the response time of the safety input device. Ts is described in the product specification of the safety input device. Tr is the response time of the safety output device. Tr is described in the product specification of the safety output device. Ts is the time required for the safety input device to react and input the OFF signal to the main module 3 . Tr is the time required for the machine to stop safely after the OFF signal is output. These are sensor and machine dependent items. These may also be considered in the design of the safety controller system.

The user will be able to obtain the total response time Ta for the safety controller 1 that he/she is going to construct, calculate the safety distance, and appropriately arrange the safety input devices.

(action mode)
The main module 3 may have multiple operating modes. A fixed response time mode that uses a period slot based on a guaranteed response time, a noise resistant mode that increases the timeout period of communication retry, and a best effort mode that does not execute forced OFF and warning according to the response time. good too. The MCU 23 a may select one of the operation modes according to setting data stored in the memory 25 .

<Others>
(Program creation process)
FIG. 9 shows the program creation process executed by the PC2.

In S21, the CPU of PC2 accepts addition of function blocks to the program.

In S22, the CPU obtains the current program amount. As described above, the processing time is predetermined for each function block selected by the user as an addition target. For example, the CPU may obtain the total processing time for each function block included in the program as the program amount.

At S23, the CPU determines whether the current program amount is less than or equal to the specified amount corresponding to the guaranteed response time. If the program amount is equal to or less than the specified amount, the CPU proceeds to S24. In S24, the CPU permits addition of function blocks to the program, and proceeds to S25. If the program amount exceeds the specified amount, the CPU proceeds to S26. At S26, the CPU refuses to add the function block. In S27, the CPU outputs warning information. This warning information may include, for example, a message indicating that the guaranteed response time will be exceeded.

In S25, the CPU determines whether or not the creation of the program has ended. For example, when the user inputs an end instruction, the CPU determines that the creation of the program is finished, saves the program, and ends the creation process. If the creation of the program has not ended, the CPU returns to S21.

(Processing related to communication errors)
The main module 3 and the expansion module 4 respectively convert the safety input signal and the safety output signal into communication data for communication. If a communication error occurs, an erroneous safety input signal or safety output signal is transmitted. In this case, the safety output signal supplied to power source 12 should be forced OFF. The communication error detection is performed not only in the main module 3 but also in the expansion module 4, but an example performed in the main module 3 will be described below. Also, the MCUs 23 and 24 each execute the following processes, but the case of the MCU 23 will be explained.

The MCU 23 receives an input value (input data) from the expansion module 4 in S31. For example, an attempt is made to read input data from a receive buffer provided in the bus IF.

In S32, the MCU 23 determines whether the input value has been received from the expansion module 4. If the input value could not be received, if the input value was received but the communication partner of the input value is not correct, or if the CRC of the received input value does not match, the MCU 23 proceeds to S33. In S33, the MCU 23 determines whether the communication is within the period slot. If it is determined that the reception is within the period slot, the process proceeds to S39. In S39, the MCU 23 retries the reception and proceeds to S32. On the other hand, if it is determined that it is not within the period slot, the MCU 23 proceeds to S40. In S40, the MCU 23 forcibly turns off the output. If the input value can be received, the MCU 23 proceeds to S34.

In S34, the MCU 23 detects a communication error such as delay or misalignment of the input value based on the time stamp, sequence number, and the like.

In S35, the MCU 23 determines whether or not a communication error has been detected. If no communication error is detected, the MCU 23 proceeds to S36. In S36, the MCU 23 executes the program using the received input values and obtains execution results (output values). On the other hand, if a communication error is found, the MCU 23 proceeds to S37.

In S37, the MCU 23 forcibly turns off the output value (safety output signal).

The MCU 23 transmits the output value to the expansion module 3 in S38.

Although a communication error is detected based on the received data here, S37 may be executed when the number of retries exceeds the threshold.

(Pattern for fixed response time)
Although the embodiments described above are only examples, there are generally three patterns. The first pattern is a pattern in which a constant response time is guaranteed even if the program is modified, but the response time changes as the number of connected expansion modules or remote I/O units increases. In the second pattern, when the program is modified, the response time may increase according to the amount of the modified program. It is a pattern that is guaranteed to be constant. The third pattern is a pattern in which a constant response time is guaranteed even if the program is modified, and a constant response time is guaranteed even if the number of connected expansion modules or remote I/O units increases. .

The technique for guaranteeing a constant response time even if the program is modified has already been explained. The technology that guarantees a constant response time even if the number of connected expansion modules increases, monitors the time required for communication, and forcibly turns off the safety output signal when the communication time (number of retries) exceeds a threshold. can be achieved by

Furthermore, as shown in FIGS. 11(A) to 11(E), the guaranteed response time may change stepwise according to the number of expansion modules.

FIG. 11A shows the guaranteed response time (example: x milliseconds) when the main module 3 is used alone and the guaranteed response time (example: x milliseconds) when one or more extension modules 4 are connected to the main module 3. : x milliseconds) are assumed to be the same. Even if the number of expansion modules 4 is increased, the user does not need to review the safety distance because the response time does not change.

FIG. 11B shows the guaranteed response time (example: x milliseconds) when the main module 3 is used alone and the guaranteed response time (example: x milliseconds) when one or more extension modules 4 are connected to the main module 3. : y milliseconds) are different. If the number of extension modules 4 is one or more, the user does not need to review the safety distance because the response time does not change. For example, the response time is obtained by considering the additional time depending on the presence or absence of the expansion module 4 with respect to the basic response time (eg, x=4.8 milliseconds). The additional time (eg, 1.7 milliseconds) is constant as long as the number of extension modules 4 is one or more. Therefore, the response time y when one or more extension modules 4 are connected to the main module 3 is, for example, 6.5 milliseconds. At this time, the monitoring unit 41 monitors when the number of extension modules 4 connected to the main module 3 is a first number of one or more, and when the second number is one or more different from the first number. The execution engine 40 and the communication processing unit 36 (the reception processing unit 37, etc.) are monitored so that the response time of the safety controller 1 is guaranteed constant regardless of the number of units.

FIG. 11C shows the guaranteed response time (example: x milliseconds) when the main module 3 is used alone and the guaranteed response time (example: x milliseconds) when one expansion module 4 is connected to the main module 3. milliseconds), but the guaranteed response time (eg y milliseconds) is not the same when two or more extension modules 4 are connected to the main module 3. However, x<y. When the number of expansion modules 4 increases from one to two or more, the user needs to recognize that the response time will increase and review the safety distance. However, the user needs to review the safety distance only when increasing from two to three.

FIG. 11(D) The guaranteed response time when the main module 3 is used alone is x milliseconds, and the guaranteed response time when the main module 3 is connected to 1 or more and N or less expansion modules 4 is A case where the guaranteed response time is y2 milliseconds when N+1 or more and M or more expansion modules 4 are connected to the main module 3 . However, x<y1<y2. When the number of expansion modules 4 increases from 0 to 1, the user needs to recognize that the response time will increase and review the safety distance. Similarly, when the number of expansion modules 4 increases from N to N+1, the user needs to recognize the increase in response time and review the safety distance.

Here, the rule that the response time changes according to the number of expansion modules 4 has been explained, but the remote I/O unit 8 also has the same or similar response as the expansion module 4, as in the case of FIG. 11(E). A time rule may be constructed. For example, remote I/O unit 8 may be equated with expansion module 4 in terms of response time. When one or more extension modules 4 are connected to the main module 3, the monitoring unit 41 detects whether the remote I/O unit 8 is not connected to the main module 3 or when one remote I/O unit 8 is connected. The communication processing unit 36 (reception processing unit 37, etc.) may be monitored so that a constant response time is guaranteed. The reception processing section 37 is configured to receive input values from the remote I/O unit 8 . In any event, the safety output signal is forcibly turned OFF when an abnormal condition occurs that exceeds the response time.

(safety communication)
The main module 3 and expansion module 4 communicate via an internal bus (fieldbus) including a bus IF. The following errors can occur in this communication:
1) Repetition: Old messages are received repeatedly 2) Missing: Messages are deleted 3) Insertions: Another message is inserted 4) Misorder: Messages are received out of order 5) Falsification: The content of a message is rewritten 6) Delay: Communication is not completed within a specified period of time 7) Forgery: Unreliable information is received from an unauthenticated device.

On the other hand, the main module 3 and the extension module 4 identify the sender/receiver address. This is to identify both by including the source/destination address in the message and prevent the insertion of untrusted information from unregistered devices. The main module 3 and extension module 4 may use timestamps. Safety-related information is valid only for a certain period of time. Therefore, the main module 3 and the extension module 4 use time stamps to identify old safety-related information and suppress repeated transmission of these information. The time stamp is where the sender attaches the time when the message was generated as a time stamp to the message, and the receiver extracts the time stamp from the message and checks the timeliness of the message based on the time stamp. The main module 3 and extension module 4 may be assigned sequence numbers. Sequence numbers indicate the order in which messages were sent. The receiver identifies the context of the received messages based on the sequence numbers included in the messages. Based on the sequence number, it is possible to determine missing messages, insertion of irrelevant messages, and misalignment. The main module 3 and the extension module 4 may perform acknowledgment. In acknowledgment, the receiver sends the received message back to the sender and compares the message sent by the sender with the message sent back. This makes it possible to check whether the receiving side has correctly received the message. Alternatively, the sender may verify that the message was received correctly by causing the receiver to send a corresponding acknowledgment or other confirmation message. Normally, if an acknowledgment from the receiver is not obtained within an allowable time, the sender transitions to the OFF state (timeout function).

A specific transmission procedure executed by the main module 3 and the extension module 4 will be described with reference to FIGS. 12 and 13. FIG.

In S41, the main module 3 (communication processing unit) transmits a message 1301 including a data transmission command, and the extension module 4 receives it. As shown in FIG. 13, a message 1301 includes a destination (eg, extension module 4a), a source (eg, main module 3), a sequence number, a data transmission command, and an operation result (not included in the first message). , timestamp, and CRC. As Figure 13 shows, the CRC is computed from the data from the destination to the timestamp. It is assumed that this message has a reply deadline (eg, 0.1 milliseconds to 1.0 milliseconds).

In S42, the extension module 4 calculates a CRC from the data from the destination to the time stamp in the received message, and determines whether it matches the CRC added to the message. If the two CRCs do not match, at S43 the extension module 4 sends a retry request and the main module 3 resends the message.

In S44, the extension module 4 acquires the safety input signal input from the safety input device.

In S45, the extension module 4 converts the safety input signal into an input value (input data) and creates a message 1302 for data transmission. As shown in FIG. 13, message 1302 includes destination (eg, main module 3), source (eg, extension module 4a), sequence number, input value, time stamp, and CRC. As Figure 13 shows, the CRC is computed from the data from the destination to the timestamp. The sequence number of message 1302 is the sequence number included in message 1301 plus one.

At S46, the extension module 4 sends the message 1302 including the input value to the main module 3, and the main module 3 receives the message 1302. FIG. Message 1302 may include an acknowledgment that message 1301 was successfully received.

The main module 3 performs a CRC check on the message 1302 in S47. The main module 3 calculates a CRC from the data from the destination to the time stamp in the received message 1302 and determines whether it matches the CRC added to the message 1302 . If the two CRCs do not match, at S48 the main module 3 sends a retry request and the extension module 4 resends the message. Assuming that the timeout period is set to 2 milliseconds, a maximum of 8 messages can be sent and received. If no error-free message 1302 is received within the timeout period, the main module 3 forcibly turns off the safety output signal.

Note that eight messages 1302 may be sent in succession. In this case, the main module 3 may adopt the message 1302 that first passes the CRC check among the eight messages 1302 . Alternatively, the main module 3 may adopt the last message 1302 (that is, the latest data) that passed the CRC check among the eight messages 1302 . Alternatively, the main module 3 may randomly select messages 1302 that pass the CRC check among the eight messages 1302 .

In S<b>49 , the main module 3 calculates and obtains a safety output signal based on the input value (safety input signal) extracted from the message 1302 . The calculation method is defined by the user program.

In S50, the main module 3 transmits a message 1301 including the calculation result (safety output signal) to the extension module 4, and the extension module 4 receives the message 1301. FIG.

In S51, the expansion module 4 performs the above-described CRC check on the message 1301 including the calculation result (safety output signal). If the CRC does not match, the message 1301 is retried in S52. If no error-free message 1302 is received within the timeout period, expansion module 4 forces the safety output signal OFF.

In S53, the expansion module 4 converts the calculation result into a safety output signal and outputs the safety output signal to the contactor of the power source 12 or the like.

The main module 3 forcibly turns off the safety output signal only when a correct CRC is not obtained after one scan cycle (approximately 1 to 5 milliseconds) has elapsed. However, this is only an example. For example, if a CRC mismatch occurs even once, the main module 3 may forcibly turn off the safety output signal.

(sequence number)
As described above, the message sequence number is alternately updated by one by the main module 3 and the extension module 4 . For example, the main module 3 first sets the sequence number to "1" and transmits a data transmission command.
Next, the extension module 4 adds "2" to the sequence number and returns the input value. Next, the main module 3 calculates a safety output signal based on the data with the sequence number "2". Next, the main module 3 assigns "3" to the sequence number and transmits a new data transmission command with a reply deadline and an output signal based on the calculation result. The correct order of the data is maintained by repeating the update and transmission/reception of the sequence numbers in this way. For example, assume that the main module 3 sends data with a sequence number of "1" and receives data with a sequence number of "3" from the expansion module 4. FIG. In this case, it is a data sequence error, and forced OFF is executed. When the main module 3 detects a sequence error, it may display the error or discard the error data.
A sequence number is managed for each combination of the main module 3 and the extension module 4 . For example, it means that the sequence number managed by the combination of the main module 3 and the expansion module 4a and the sequence number managed by the combination of the main module 3 and the expansion module 4b are independent.

The main module 3 and extension module 4 may determine the timeliness of the data based on the timestamp. However, this assumes that the main module 3 and the extension module 4 are time-synchronized.

<Summary>
As shown in FIG. 1, the safety controller 1 is an example of a safety controller that has a main module 3 that executes a safety program and an extension module 4 connected to the main module 3 . As shown in FIG. 4, the bus IF 26a and the reception processing unit 37 function as reception means for receiving an input value from the expansion module 4 for each period slot, which is a repetition period of a certain length. Execution engine 40 is an execution engine that iteratively executes a safety program for each period slot, and in the i+1 period slot next to the i-th period slot in which the input value is received, the safety program is executed using the input value. Calculate the output value according to the program. The safety output IF 22, the output processing unit 33, and the transmission processing unit 38 function as output means for outputting a safety output signal corresponding to the output value to a safety output device. The monitoring unit 41 functions as monitoring means for monitoring the receiving means and the execution engine. The monitoring unit 41 forcibly sets a safety output signal to stop the operation of the safety output device when the reception of the input value by the receiving means is not completed in the i-th period slot. Similarly, the monitoring unit 41 forcibly sets a safety output signal that stops the operation of the safety output device when the execution engine does not complete the calculation of the output value in the i+1-th period slot. Thus, by introducing the concept of period slots into the safety controller, it is possible to guarantee or fix the response time independently of the user program and/or communication.

The period slots may be computed by MCU 23 of main module 3 . This is because the MCU 23 of the main module 3 is aware of the type of communication implemented in the main module 3, and can recognize which communication is valid from the user program or setting data.

As shown in FIG. 4, the bus IF 26a and the reception processing unit 37 are configured to receive the next input value from the extension module in parallel with the execution engine obtaining the output value in the (i+1)th period slot. may have been

As shown in FIG. 5, the first determination unit 51 may function as first determination means for determining whether an input value has been received within the i-th period slot. The first setting unit 61 may function as first setting means for forcibly setting the output value to the OFF state when the input value cannot be received within the i-th period slot.

As shown in FIG. 5, the first warning unit 71 may function as first warning means for outputting first warning information when an input value cannot be received within the i-th period slot.

As shown in FIG. 5, the second determination unit 52 may function as second determination means for determining whether or not the calculation of the output value has been completed within the (i+1)th period slot. The second setting unit 62 may function as second setting means for forcibly setting the output value to the OFF state when the calculation of the output value is not completed within the (i+1)th period slot.

As shown in FIG. 5, the second warning unit 72 may function as second warning means for outputting second warning information when the calculation of the output value is not completed within the i+1-th period slot. .

The reception processing unit 37 may be configured to retry the reception of the input value so as to successfully receive the input value.

The reception processing unit 37 may be configured to detect falsification by performing a CRC check on the input value.

The reception processing unit 37 may be configured to return an acknowledgment to the expansion module using the sequence number for the input value. Thereby, the extension module 4 can grasp which input value has been successfully transmitted based on the sequence number attached to the acknowledge. If no positive acknowledgment (Ack) is returned, or if a negative acknowledgment (Nack) is returned, the expansion module 4 may perform retransmission of the input value based on the sequence number.

The length of the period slot may be determined independently of the throughput of the security program. A period slot may be defined based on a guaranteed response time for the safety controller 1 . In this case, the user has the advantage that the safety distance is determined before creating the safety program.

As shown in FIG. 4, the transmission processing unit 38 transmits the output value obtained by the execution engine in the i+1-th period slot to the other expansion modules in the i+2-th period slot next to the i+1-th period slot. You may function as a transmission means to transmit.

As shown in FIG. 5, the third judging section 53 functions as a third judging means for judging whether or not the transmission of the output value is completed within the (i+2)th period slot. The third setting unit 63 functions as third setting means for forcibly setting the output value to the OFF state when the transmission of the output value is not completed within the (i+2)th period slot.

The main module 3 may further have a connector (eg, IO connector 10a) that connects with a safety input device. The execution engine 40 may be arranged to compute an output value for each period slot using the input values obtained via the connector and the input values received by the receiving means.

The length of the period slot may be determined to be a fixed length regardless of the number of extension modules connected to the main module 3 . In this case, the user has the advantage that the safety distance is determined before creating the safety program.

As explained using FIG. 11 , a constant response time of the safety controller may be guaranteed independently of the number of extension modules 4 connected to the main module 3 . The response time x is the first response time x when the extension module 4 is not connected to the main module 3, and the second response time x is the response time when one or more extension modules are connected to the main module 3. It may be y. Also, the response time in the case where the main module 3 is not connected to the extension module 4 is the first response time x, and the response time in the case where the main module 3 is connected to one or more extension modules 4 up to N units. may be the second response time y1. Also, the response time in the case where the main module 3 is connected to N+1 or more extension modules 4 may be the third response time y2. Also, the response time in the case where the main module 3 is not connected to the expansion module is the first response time x, and the response time in the case where the main module 3 is connected to the remote I/O unit 8 is the connection of the expansion module 4. The second response time y is independent of the number of units, and the response time in the case where the remote I/O unit 8 is not connected to the main module 3 and one or more expansion modules 4 are connected is the first response time. It may be the response time x.

The invention is not limited to the above embodiments, and various modifications and changes are possible within the scope of the invention.

Claims (17)

A safety controller having a main module that executes a safety program and an expansion module connected to the main module,
The main module is
receiving means for receiving an input value from the expansion module for each period slot, which is a repetition period of a fixed length;
an execution engine that iteratively executes the safety program for each of the period slots, using the safety program in the i+1 period slot following the i period slot in which the input value was received; an execution engine that computes output values according to
output means for outputting a safety output signal corresponding to the output value to a safety output device;
monitoring means for monitoring the receiving means and the execution engine;
The monitoring means determines whether or not the reception of the input value by the receiving means has been completed in the i-th period slot, or the calculation of the output value by the execution engine has not been completed in the i+1-th period slot. a safety controller forcibly setting the safety output signal to stop the operation of the safety output device when The receiving means is arranged to receive the next input value from the expansion module concurrently with the execution engine determining the output value in the i+1 period slot. The safety controller of Claim 1. The monitoring means
a first determination means for determining whether the input value could be received within the i-th duration slot;
3. The apparatus according to claim 1, further comprising first setting means for forcibly setting the output value to an OFF state when the input value cannot be received within the i-th duration slot. safety controller. 4. The apparatus according to any one of claims 1 to 3, further comprising first warning means for outputting first warning information if said input value is not received within said i-th duration slot. safety controller. The monitoring means
a second determination means for determining whether or not the calculation of the output value has been completed within the i+1-th period slot;
2. A second setting means for forcibly setting the output value to an OFF state when the calculation of the output value is not completed within the i+1-th period slot. 5. The safety controller according to any one of Claims 4. 6. The apparatus according to any one of claims 1 to 5, further comprising second warning means for outputting second warning information when the calculation of said output value has not been completed within said i+1-th period slot. safety controller as described in . 7. A safety controller according to any one of claims 1 to 6, wherein said receiving means is arranged to retry receiving said input value so that said input value is successfully received. 8. A safety controller according to any one of claims 1 to 7, wherein said receiving means is configured to perform tampering detection by performing a CRC check on said input value. 9. A safety controller according to any one of claims 1 to 8, wherein the receiving means is configured to acknowledge the input value to the expansion module using a sequence number. 10. The safety controller according to any one of claims 1 to 9, wherein the length of the period slot is determined independently of the throughput of the safety program. The output means transmits the output value obtained by the execution engine in the i+1-th period slot to another expansion module in the i+2-th period slot next to the i+1-th period slot. 11. A safety controller as claimed in any preceding claim, comprising: The monitoring means
a third determining means for determining whether or not the transmission of the output value has been completed within the i+2-th period slot;
12. The apparatus according to claim 11, further comprising third setting means for forcibly setting the output value to an OFF state when the transmission of the output value is not completed within the i+2th period slot. Safety controller as described. The main module is
It further has a connector that connects with a safety input device,
The execution engine is configured to compute the output value using input values obtained through the connector and the input values received by the receiving means for each period slot. 13. A safety controller according to any one of claims 1 to 12, characterized in that: 14. The length of the period slot according to any one of claims 1 to 13, characterized in that the length of the period slot is determined to be a constant length regardless of the number of extension modules connected to the main module. safety controller. A safety controller having a main module that executes a safety program and an expansion module connected to the main module,
The main module is
receiving means for receiving input values from the expansion module;
an execution engine that uses the input values to compute an output value according to the safety program;
output means for outputting a safety output signal corresponding to the output value to a safety output device;
monitoring means for monitoring the receiving means and the execution engine;
When the number of extension modules connected to the main module is a first number of one or more, and when the number is a second number of one or more different from the first number. and monitoring said receiving means and said execution engine to ensure a constant response time of said safety controller. the response time in the case where the extension module is not connected to the main module is a first response time;
16. The safety controller as claimed in claim 15, wherein the response time for a case in which one or more extension modules are connected to the main module is a second response time. the safety controller further comprises a remote I/O unit connected to the main module;
the receiving means further receives an input value from the remote I/O unit;
The monitoring means keeps the response time of the safety controller constant when the remote I/O unit connected to the main module is not connected and when one remote I/O unit is connected. 17. Safety controller according to claim 15 or 16, characterized in that it monitors the receiving means to ensure.

Images