CONTROL SYSTEM, CONTROL METHOD, AND DRIVE DEVICE

TECHNICAL FIELD

The present invention relates to a control system, a control method in a control system, and a drive device included in a control system.

BACKGROUND ART

In many manufacturing sites, the introduction of safety systems is progressing in order to use facilities and machines safely. The safety systems are used to provide safety functions conforming to international standards, and include safety components such as a safety controller, a safety sensor, a safety switch, and a safety relay.

A safety system is also required to provide the safety function to a drive device that drives a servomotor or the like for driving a facility or a machine. In a safety system, Ethernet for Control Automation Technology (EtherCAT) (registered trademark) may be employed as a network for exchanging data, and Non-Patent Literature 1 discloses some provisions regarding safety functions in the standards of the EtherCAT Technology Group (ETG) which is an organization related to EtherCAT.

CITATION LIST
Non-Patent Literature

[Non-Patent Literature 1]

Safety Drive Profile Generic Safety Drive Profile for adjustable speed electrical power drive systems that are suitable for use in safety-related application PDS(SR) Document: ETG.6100.2S(R) V1.2.0

SUMMARY OF INVENTION
Technical Problem

According to the provisions disclosed in Non-Patent Literature 1, all safety functions executed by a drive device are set in advance to be enabled as a default. More specifically, in designation information for designating enabling or disabling of the safety functions, all flags assigned to respective bits of a first byte are fixed to flags indicating enabling.

However, in the actual use, there may be cases where enabled/disabled settings of the safety functions are required to be changed depending on work details in a process, such as enabling the safety functions in one process and disabling the safety functions in another process. In such a case, a user is required to separately prepare a program for changing the enabled/disabled settings of the safety functions from the default state, which may increase an amount of work. In the programming work, since source code is required to be written, there is a risk that the user will unintentionally write erroneous setting details. In a case where a plurality of driver devices is provided in the system, the program is required to be created for all the driver devices, which causes a problem that a work amount becomes enormous. In a case where a separate program is prepared to disable the safety function, the number of programs to be executed increases, and thus there is concern that a control cycle in the system may deteriorate and the execution performance may degrade.

The present invention has been made to solve the above problems, and an objective thereof is to facilitate setting of enabling or disabling of safety functions.

Solution to Problem

According to an example of the present disclosure, there is provided a control system. The control system includes a drive device that is connected to a network, has at least one or more safety functions, and drives a motor; and a controller that manages data exchange between devices including the drive device connected to the network. The controller transmits a parameter related to setting of the drive device to the drive device via the network when connection in the network is established. The parameter includes designation information for designating enabling or disabling of each of the at least one or more safety functions. The drive device disables a specific safety function that is designated to be disabled by the designation information included in the parameter among the at least one or more safety functions.

According to this disclosure, a user designates disabling of a specific safety function by using the parameter, and can thus disable the specific safety function for the drive device when the connection in the network is established. Since the user transmits the parameter to the drive device via the network and can thus disable the specific safety function, the execution performance of the system does not degrade compared with a case where a program separately prepared to disable the safety function is executed. Consequently, it is possible to easily set enabling or disabling of a safety function.

In the above disclosure, the parameter is a safety-related application (SRA) parameter.

According to this disclosure, the user can disable a specific safety function by using the SRA parameter defined in the ETG standards.

In the above disclosure, the designation information includes information for designating enabling or disabling of each of the at least one or more safety functions by using a bit string in which bits respectively corresponding to the at least one or more safety functions are arranged.

According to this disclosure, the user can disable a specific safety function by using the bit string.

In the above disclosure, the control system includes a support device that supports setting related to the at least one or more safety functions. The support device provides a user interface for setting the designation information.

According to this disclosure, the user can disable a specific safety function by using the user interface provided by the support device.

In the above disclosure, in response to designation of disabling of the specific safety function among the at least one or more safety functions, the support device prohibits use of a variable referred to by a program related to the specific safety function.

According to this disclosure, it is possible to prevent a situation in which the user unintentionally sets the variable referred to by a program related to the disabled safety function.

In the above disclosure, the support device provides a notification of prohibition of use of the variable.

According to this disclosure, it is possible to notify the user that the variable referred to by a program related to the disabled safety function is prohibited from being used.

According to this disclosure, the control system includes a second controller that transmits a safety command related to operations of the at least one or more safety functions to the drive device. The safety command includes second designation information for designating enabling or disabling of each of the at least one or more safety functions. The drive device enables or disables each of the at least one or more safety functions on the basis of the designation information included in the parameter and the second designation information included in the safety command.

According to this disclosure, since each of the safety functions can be enabled or disabled on the basis of the designation information for designating enabling or disabling of the safety function in the parameter and the second designation information for designating enabling or disabling of the safety function in the safety command transmitted from the second controller, the user can enable or disable the safety function depending on an actual situation.

According to another example of the present disclosure, there is provided a control method in a control system. The control system includes a drive device that is connected to a network, has at least one or more safety functions, and drives a motor, and a controller that manages data exchange between devices including the drive device connected to the network. The control method includes transmitting, by the controller, a parameter including designation information for designating enabling or disabling of each of the at least one or more safety functions to the drive device via the network when connection in the network is established; and disabling, by the drive device, a specific safety function that is designated to be disabled by the designation information included in the parameter among the at least one or more safety functions.

According to still another example of the present disclosure, there is provided a drive device that is connected to a network, has at least one or more safety functions, and drives a motor. Data exchange between devices including the drive device connected to the network is managed by a controller. The drive device includes a reception part that receives, from the controller, a parameter including designation information for designating enabling or disabling of each of the at least one or more safety functions via the network when connection in the network is established; and a disabling part that disables a specific safety function that is designated to be disabled by the designation information included in the parameter among the at least one or more safety functions.

Effects of Invention

According to the present invention, it is possible to facilitate setting of enabling or disabling of safety functions.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a schematic diagram illustrating an application example of a control system according to the present embodiment.

FIG. 2 is a schematic diagram illustrating information of a first byte for designating enable/disable setting of safety functions defined in the ETG standards.

FIG. 3 is a schematic diagram illustrating a hardware configuration example of a standard controller constituting the control system according to the present embodiment.

FIG. 4 is a schematic diagram illustrating a hardware configuration example of a safety controller constituting the control system according to the present embodiment.

FIG. 5 is a schematic diagram illustrating a hardware configuration example of a safety driver and a servomotor constituting the control system according to the present embodiment.

FIG. 6 is a schematic diagram illustrating a hardware configuration example of a support device constituting the control system according to the present embodiment.

FIG. 7 is a schematic diagram illustrating an example of function sharing in the control system according to the present embodiment.

FIG. 8 is a sequence diagram illustrating an example of a process procedure related to the safety functions of the safety driver of the control system according to the present embodiment.

FIG. 9 is a diagram illustrating an example of a motion safety function provided by the control system according to the present embodiment.

FIG. 10 is a schematic diagram illustrating installation examples of standard control, safety control, and SRA parameter transfer in the control system according to the present embodiment.

FIG. 11 is a schematic diagram illustrating an example of transition in enabling or disabling of the motion safety function according to the present embodiment.

FIG. 12 is a diagram illustrating an example of a user interface for performing enable/disable setting of the motion safety function in the SRA parameter provided by the support device according to the present embodiment.

FIG. 13 is a diagram illustrating an example of a user interface for performing enable/disable setting of the motion safety function in the SRA parameter provided by the support device according to the present embodiment.

FIG. 14 is a diagram illustrating an example of a user interface for setting variables in a safety program provided by the support device according to the present embodiment.

FIG. 15 is a flowchart for describing a safety enable/disable setting process executed by the support device according to the present embodiment.

FIG. 16 is a flowchart for describing an SRA parameter reception process executed by the safety driver according to the present embodiment.

FIG. 17 is a flowchart for describing a safety command reception process executed by the safety driver according to the present embodiment.

FIG. 18 is a flowchart for describing a safety command reception process executed by a safety driver according to a modification example.

FIG. 19 is a flowchart for describing a safety command reception process executed by a safety driver according to a modification example.

FIG. 20 is a schematic diagram illustrating an example of transition in enabling or disabling of the motion safety function according to the modification example.

FIG. 21 is a flowchart for describing a safety command reception process executed by a safety driver according to a modification example.

FIG. 22 is a schematic diagram illustrating an example of transition in enabling or disabling of the motion safety function according to the modification example.

DESCRIPTION OF EMBODIMENTS

An embodiment of the present invention will be described with reference to the drawings. The same or similar portions in the drawings will be given the same reference numeral, and description thereof will not be repeated.

A. Application Example

First, an application example of the present invention will be described.

FIG. 1 is a schematic diagram illustrating an application example of a control system 1 according to the present embodiment. The control system 1 according to the present embodiment provides not only safety functions defined in, for example, IEC 61508 but also some safety functions related to a drive device, such as safe torque off (STO), safe stop 1 (SS1), safe stop 2 (SS2), and safe operation stop (SOS) defined in Non-Patent Literature 2 (“IEC 61800-5-2: 2016 Adjustable speed electrical power drive systems—Part 5-2: Safety requirements—Functional”, International Electrotechnical Commission, 2016-04-18).

With reference to FIG. 1, the control system 1 generally includes a standard controller 100, and a safety controller 200 and one or a plurality of safety drivers (safety servo drivers) 300 connected to the standard controller 100 via a field network 2. Each of the safety drivers 300 drives a servomotor 400 electrically connected thereto. The servomotor 400 is only an example, and any type of motor may be used. An entity of the safety driver 300 may be a servo driver, and may be a general-purpose inverter device. In the following description, the safety driver 300 will be described as an example of a “drive device”.

The standard controller 100 corresponds to a “controller” and executes standard control (standard control 150 that will be described later) on control targets including the servomotor 400 according to a standard control program (a standard control program 1104 that will be described later) that is created in advance. Typically, the standard controller 100 executes control calculation in a cyclic manner in accordance with input signals from one or a plurality of sensors (not illustrated) to calculate commands for an actuator such as the servomotor 400 in a cyclic manner.

The safety controller 200 transmits a safety command related to an operation of a safety function (a safety function 250 that will be described later) to the safety driver 300 according to a safety program (a safety program 2104 that will be described later). The safety controller 200 executes monitoring and control calculation for realizing the safety function 250 for a control target in a cyclic manner separately from the standard controller 100.

The safety controller 200 may receive an input signal from any safety device 240 and/or may output a command to any safety device 240. The safety program 2104 is created in advance by a user by using a development environment provided by a support device 500 that is communicatively connected to the safety controller 200, and is transferred to the safety controller 200.

The safety driver 300 supplies power to the servomotor 400 in response to a command from the standard controller 100 to drive the servomotor 400. The safety driver 300 calculates a rotation position, a rotation speed, a rotation acceleration, and a generated torque of the servomotor 400 in a cyclic manner on the basis of a feedback signal or the like from the servomotor 400.

The safety driver 300 executes a predetermined safety function 250 (a motion safety function 360 that will be described later) related to driving of the servomotor 400 in response to a safety command from the safety controller 200. More specifically, the safety driver 300 provides state information necessary for the safety function 250 to the safety controller 200, and executes a motion safety program (a motion safety program 3204 that will be described later) corresponding to the required safety function 250 to adjust or interrupt power supplied to the servomotor 400.

The servomotor 400 has a motor (a three-phase AC motor 402) that is rotated by receiving power from the safety driver 300, and outputs a detection signal as a feedback signal from an encoder (an encoder 404 that will be described later) coupled to a rotation shaft of the motor to the safety driver 300.

The support device 500 supports development on the standard controller 100 side and development on the safety controller 200 side. More specifically, the support device 500 supports development of a standard control program (the standard control program 1104 that will be described later) executed by the standard controller 100, setting related to the standard control 150, and the like as the development on the standard controller 100 side. The support device 500 supports development of a safety program (the safety program 2104 that will be described later) executed by the safety controller 200, setting related to the safety function 250, and the like as the development on the safety controller 200 side. The support device 500 combines one or more pieces of instruction information with each other to provide development environments (a program creation/editing tool, a parser, a compiler, and the like) for generating a program to a user.

In the present specification, “device” is a general term for devices that can perform data communication with other devices via any network such as the field network 2. In the control system 1 according to the present embodiment, the “device” includes the standard controller 100, the safety controller 200, and the safety driver 300.

In the present specification, the terms “standard control” and “safety control” are used in contrast. “Standard control” is a general term for processes for controlling a control target according to a predefined requirement specification. On the other hand, “safety control” is a general term for processes for preventing human safety from being threatened by facilities or machines. The “safety control” is designed to satisfy the requirements for realizing the safety functions defined in IEC 61508 and the like.

In the present specification, safety functions specific to the drive device (safety driver 300) are collectively referred to as a “motion safety function” or simply a “safety function”. Typically, the “function” includes the safety functions related to the drive device defined in Non-Patent Literature 2 described above. For example, the “function” includes control for monitoring a position or a speed of a control shaft to secure safety.

In the present specification, “process data” is a general term for data used in at least either the standard control or the safety control. Specifically, the “process data” includes input information that is acquired from a control target, output information that is output to the control target, internal information that is used for control calculation in each device, and the like.

The input information includes, for example, an ON/OFF signal (digital input) detected by a photoelectric sensor or the like, a physical signal (analog input) detected by a temperature sensor or the like, and a pulse signal (pulse input) generated by a pulse encoder or the like. The output information includes, for example, ON/OFF (digital output) for driving a relay or the like, a speed command (analog output) for giving an instruction for a rotation speed or the like of a servomotor, and a displacement command (pulse output) for giving an instruction for a movement amount or the like of a step motor. The internal information includes, for example, a state information determined through control calculation in which any process data is input.

In the field network 2 of the control system 1, process data communication is performed, and a communication frame 600 is circulated in a cyclic manner (for example, every several to several tens of msec) among devices with the standard controller 100 as a communication master. A cycle in which the communication frame 600 is transferred will be referred to as a process data communication cycle. In the present embodiment, EtherCAT is used as an example of a protocol for the field network 2 via which the communication frame 600 is transferred in a cyclic manner.

A data region is allocated to each device in the communication frame 600. When the communication frame 600 transferred in a cyclic manner is received, each device writes the current value of preset data into a data region allocated to the device in the received communication frame 600. The communication frame 600 in which the current value has been written is sent to the device in the next stage. The current value of data written by each device can be referred to by other devices.

Since each device writes the current value of the present data into the communication frame 600, the communication frame 600 that is circulated through the field network 2 and returned to the communication master (standard controller 100) includes the latest value collected by each device.

In the present embodiment, a logical connection 4 is formed between the safety controller 200 and each safety driver 300 by using the process data communication. The logical connection 4 is used to exchange data for realizing the safety function 250.

As described above, in a case where EtherCAT is used as a protocol for the field network 2, the logical connection 4 may be formed by using a protocol called FailSafe over EtherCAT (FSoE).

More specifically, a dedicated data region for storing commands exchanged to form the logical connection 4 is allocated to the communication frame 600. The logical connection 4 is formed by exchanging commands between the devices by using the dedicated data region.

As illustrated in FIG. 1, each safety driver 300 stores a safety status 70 for managing enabling or disabling of the motion safety function 360. The motion safety function 360 realized by the safety driver 300 includes safe torque off (STO), safe stop 1 (SS1), safe stop 2 (SS2), safe operation stop (SOS), safe speed range (SSR), safe direction positive (SDIp), and safe direction negative (SDIn). Designation information for designating enabling or disabling of each motion safety function 360 is disposed in a region provided for each bit included in the safety status 70. Error acknowledge (Error Ack) is a function for canceling an error when an error occurs, and is enabled at all times.

Each safety driver 300 has only the motion safety function 360 that is determined in advance. For example, the specific safety driver 300 does not have SSR and has the other functions such as STO, SS1, SS2, SOS, SDIp, and SDIn among the motion safety functions 360 illustrated in FIG. 1. This is only an example, and the remaining safety drivers 300 also have only the motion safety functions 360 that are determined in advance.

The safety driver 300 enables or disables each motion safety function 360 according to the designation information included in the safety status 70. The “designation information” may be any information as long as the information is used to designate enabling or disabling of each of the motion safety functions 360. In the present embodiment, the designation information designates enabling or disabling with a flag represented by “0” or “1”. More specifically, when the flag is “0”, the motion safety function 360 is enabled, and, when the flag is “1”, the motion safety function 360 is disabled.

Flags are fixed such that all of the motion safety functions 360 are enabled during starting (that is, as a default), and details thereof cannot be changed by a user. In other words, all of the motion safety functions 360 are fixed to be enabled as a default. This is required in the provisions disclosed in Non-Patent Literature 1 described above.

Here, with reference to FIG. 2, enabling/disabling setting of the security functions in the safety status 70 defined in the ETG standards will be described. FIG. 2 is a schematic diagram illustrating information of a first byte for designating enable/disable setting of safety functions defined in the ETG standards.

As illustrated in FIG. 2, Non-Patent Literature 1 discloses information of a first byte for designating enable/disable setting of safety function setting. Specifically, control words 700 related to the motion safety functions 360 disclosed in Non-Patent Literature 1 include a bit field 702, a name field 704, and a description field 706. The respective bits such as a zeroth bit to a seventh bit included in the first byte are disposed in the bit field 702. An abbreviated name of the motion safety function 360 correlated with each bit is displayed in the name field 704. An official name of each motion safety function 360 and an operating state associated with the flag are displayed in the description field 706.

In the present embodiment, the flags are fixed to “0” indicating enabling in a default state with respect to all of the motion safety functions 360. Each motion safety function 360 is required to be set to the flag of “0” as a default.

In the first byte in which enable/disable setting of the safety function as illustrated in FIG. 2 is designated, the flag in each bit from the zeroth bit to the seventh bit is fixed to “0” as a default, and the default state cannot be changed by the user. Although not illustrated, the default state can be changed by the user in a second byte.

“Enabling” of the safety function refers to that a function for performing safety control is in an operating state. For example, STO, SS1, SS2, SOS, and SSR are “active” when the flag is “0”. This indicates that the functions for performing safety control are in an operating state. SDIp and SDIn are “disabled” when the flag is “0”. This indicates that the motor is prohibited from operating in a positive direction or a negative direction, that is, the functions for performing safety control are in an operating state.

On the other hand, “disabling” of the safety function refers to that the functions for performing safety control is in a non-operating state. For example, STO, SS1, SS2, SOS, and SSR are “deactivated” when the flag is “1”. This indicates that the functions for performing safety control are in a non-operating state. SDIp and SDIn are “enabled” when the flag is “1”. This indicates that the motor is permitted to operate in the positive direction or the negative direction, that is, the functions for performing safety control are in a non-operating state.

With reference to FIG. 1 again, in each safety driver 300, the flags corresponding to all of the motion safety functions 360 are set to “0” as a default regardless of whether or not the motion safety functions 360 is installed. Thus, regarding the installed motion safety function 360, the default setting is fixed to enabling, so that the function is enabled. In a case where there is the uninstalled motion safety function 360, regarding the uninstalled motion safety function 360, even if a flag is set to enabling, the motion safety function 360 is not executed.

As described above, in each safety driver 300, the default setting is fixed to enabling with respect to all of the motion safety functions 360 regardless of whether or not the motion safety function 360 is installed. However, in actual use, it may be necessary to change the enabled/disabled settings of the safety functions according to work details in the process, such as enabling or disabling the motion safety functions 360.

As a method of changing enabling or disabling of the specific motion safety function 360 afterward, it is conceivable that a safety command from the safety controller 200 includes designation information for enabling or disabling the specific motion safety function 360. For example, in the present embodiment, after the logical connection 4 is established, the safety command can be transmitted to the safety driver 300 from the safety controller 200. When designation information for enabling or disabling the specific motion safety function 360 is included in the safety command, it is possible to change enabling or disabling of the specific motion safety function 360 afterward.

However, in this case, a user is required to create the safety program 2104 by using a tool such as the support device 500 in order to change the enabled/disabled settings of the specific motion safety function 360 from the default state. Thus, a situation in which a work amount increases may occur. Therefore, if the user frequently creates the safety program 2104, the efficiency will be reduced. Since the user writes the source code in the programmable work, there is a risk that the user will unintentionally write erroneous setting contents. In a case where a plurality of safety drivers 300 is provided in the control system 1, the safety program 2104 is required to be created for all the safety drivers 300, which causes a problem that a work amount becomes enormous.

Therefore, in the control system 1 according to the present embodiment, as another method of changing enable/disable setting of the motion safety function 360 from a default state, an SRA parameter 60 is used. The SRA parameter is defined in the ETG standards as disclosed in Non-Patent Literature 3 (EtherCAT Protocol Enhancements, Amendments to ETG.5100 FSoE Specification, Document: ETG.5120 S(R)V1.1.0″, EtherCAT Technology Group, 2017-07-14). The SRA parameter 60 is an example of a “parameter” related to setting of the safety driver 300.

The SRA parameter 60 is transferred from the standard controller 100 that manages data exchange between devices in the field network 2 with respect to a slave (in the present embodiment, the safety driver 300) of FSoE. Specifically, after connection in the field network 2 is established, the standard controller 100 causes the SRA parameter 60 to be included in an initial command, and thus transmits the SRA parameter 60 to the safety driver 300. The safety driver 300 executes the motion safety function 360 while referring to the SRA parameter 60 when the motion safety program 3204 is executed.

The SRA parameter 60 includes designation information for designating enabling or disabling of each of one or more motion safety functions 360. The “designation information” may be any information as long as the information is information for designating enabling or disabling of each of the motion safety functions 360. In the present embodiment, in the designation information, enabling or disabling of each of the motion safety functions 360 is designated by a flag indicated by “0” or “1” by using a bit string in which bits respectively corresponding to the motion safety functions 360 are arranged. The user can set a flag in the designation information by using a tool such as the support device 500 and can thus change enabling or disabling of the specific motion safety function 360 from a default state.

For example, as illustrated in FIG. 1, the flags of all of the motion safety functions 360 are fixed to “0” as a default. Here, when it is desired to disable SS2, SOS, and SDIp for the motion safety functions 360 of the specific safety driver 300, the user may designate setting of a flag corresponding to each of SS2, SOS, and SDIp to “1” (disabled state) as designation information in the SRA parameter 60. In above-described way, the user sets the designation information in the SRA parameter 60, and can thus change afterward enabled/disabled settings of the motion safety function 360 defined as a default.

As described above, the user designates disabling of a specific motion safety function by using the SRA parameter 60, and can thus change the specific motion safety function from an enabled state as a default to a disabled state for the safety driver 300 when connection in the field network 2 is established. Since the user transmits the SRA parameter 60 to the safety driver 300 via the field network 2 and thus the specific motion safety function 360 can be enabled or disabled, the execution performance of the control system 1 does not degrade compared with a case where a program separately prepared to change enabled/disabled settings of the motion safety function 360 as a default is executed. A control cycle of the safety controller 200 does not deteriorate due to an increase in the number of programs for performing enable/disable setting of the motion safety function 360.

B. Configuration Example of Device Included in Control System 1

Next, a configuration example of the device included in the control system 1 will be described.

(b1: Standard Controller 100)

FIG. 3 is a schematic diagram illustrating a hardware configuration example of the standard controller 100 constituting the control system 1 according to the present embodiment. With reference to FIG. 3, the standard controller 100 includes a processor 102, a main memory 104, a storage 110, a higher-level network controller 106, a field network controller 108, a Universal Serial Bus (USB) controller 120, a memory card interface 112, and a local bus controller 116. These components are connected to each other via a processor bus 118.

The processor 102 generally corresponds to a calculation processing part executing control calculation related to the standard control 150, and is configured with a central processing unit (CPU) or a graphics processing unit (GPU). Specifically, the processor 102 reads programs (for example, a system program 1102 and the standard control program 1104) stored in the storage 110, loads the programs to the main memory 104, and executes the programs to realize control calculation related to a control target (for example, the safety driver 300 or the servomotor 400) and various processes that will be described later.

The main memory 104 is configured with a volatile storage device such as a dynamic random access memory (DRAM) or a static random access memory (SRAM). The storage 110 is configured with a nonvolatile storage device such as a solid state drive (SSD) or a hard disk drive (HDD).

The storage 110 stores not only the system program 1102 for realizing fundamental functions but also the standard control program 1104 that is created in accordance with a control target. The storage 110 stores setting information 1106 for setting a variable or the like that will be described later. The storage 110 stores the SRA parameter 60 created by the support device 500. The SRA parameter 60 is transmitted to the safety driver 300 that is a slave via the field network 2 with the standard controller 100 as a master.

The higher-level network controller 106 exchanges data with any information processing device via a higher-level network.

The field network controller 108 exchanges data with any devices including the safety controller 200 and the safety driver 300 via the field network 2. In the control system 1 illustrated in FIG. 1, the field network controller 108 of the standard controller 100 functions as a communication master of the field network 2.

The USB controller 120 exchanges data with the support device 500 or the like via USB connection.

The memory card interface 112 accepts a memory card 114 that is an example of an attachable and detachable recording medium. The memory card interface 112 can record data on the memory card 114 or read the various types of data (a log, trace data, or the like) from the memory card 114.

The local bus controller 116 exchanges data with any unit connected to the standard controller 100 via a local bus.

FIG. 3 illustrates the configuration example in which the necessary functions are provided by the processor 102 executing the programs, but some or all of the provided functions may be installed by using a dedicated hardware circuit (for example, an application specific integrated circuit (ASIC) or a field programmable gate array (FPGA)). Alternatively, main parts of the standard controller 100 may be realized by using hardware (for example, an industrial PC based on a general-purpose PC) conforming to a general-purpose architecture. In this case, a virtualization technique may be used to execute a plurality of operating systems (OSs) having different uses in parallel and also to execute necessary applications on each OS. A configuration in which functions of a display device, a support device, or the like are integrated into the standard controller 100 may be used.

(b2: Safety Controller 200)

FIG. 4 is a schematic diagram illustrating a hardware configuration example of the safety controller 200 constituting the control system 1 according to the present embodiment. With reference to FIG. 4, the safety controller 200 includes a processor 202, a main memory 204, a storage 210, a field network controller 208, a USB controller 220, and a safety local bus controller 216. These components are connected to each other via a processor bus 218.

The processor 202 generally corresponds to a calculation processing part executing control calculation related to the safety control, and is configured with a CPU or a GPU. Specifically, the processor 202 reads programs (for example, a system program 2102 and the safety program 2104) stored in the storage 210, loads the programs to the main memory 204, and executes the programs to realize control calculation for providing the necessary safety function 250 and various processes that will be described later.

Particularly, the safety controller 200 executes the safety program 2104, and thus outputs a safety command including designation information for designating enabling or disabling of the motion safety function 360 of the safety driver 300 to the safety driver 300. The designation information included in the safety status 70 of the safety driver 300 may be updated on the basis of the designation information included in the safety command.

The main memory 204 is configured with a volatile storage device such as a DRAM or an SRAM. The storage 210 is configured with a nonvolatile storage device such as an SSD or an HDD.

The storage 210 stores not only the system program 2102 for realizing fundamental functions but also the safety program 2104 that is created in accordance with the required safety function 250. The storage 210 stores setting information 2106 for setting a variable or the like.

The field network controller 208 exchanges data with any devices including the standard controller 100 and the safety driver 300 via the field network 2. In the control system 1 illustrated in FIG. 4, the field network controller 208 of the safety controller 200 functions as a communication slave of the field network 2.

The USB controller 220 exchanges data with an information processing device such as the support device 500 via USB connection.

The safety local bus controller 216 exchanges data with any safety unit connected to the safety controller 200 via a safety local bus. FIG. 4 illustrates a safety I/O unit 230 as an example of the safety unit.

The safety I/O unit 230 exchanges input and output signals with any safety device 240. More specifically, the safety I/O unit 230 receives an input signal from the safety device 240 such as a safety sensor or a safety switch. Alternatively, the safety I/O unit 230 outputs a command to the safety device 240 such as a safety relay.

FIG. 4 illustrates the configuration example in which the necessary functions are provided by the processor 202 executing the programs, but some or all of the provided functions may be installed by using a dedicated hardware circuit (for example, an ASIC or an FPGA). Alternatively, main parts of the safety controller 200 may be realized by using hardware (for example, an industrial PC based on a general-purpose PC) conforming to a general-purpose architecture.

(b3: Safety Driver 300 and Servomotor 400)

FIG. 5 is a schematic diagram illustrating a hardware configuration example of the safety driver 300 and the servomotor 400 constituting the control system 1 according to the present embodiment. With reference to FIG. 5, the safety driver 300 includes a field network controller 302, a control part 310, a drive circuit 330, and a feedback reception circuit 332.

The field network controller 302 exchanges data with any devices including the standard controller 100 and the safety controller 200 via the field network 2. In the present embodiment, the field network controller 302 functions as a “reception part” that receives an initial command including the SRA parameter 60 from the standard controller 100. In the control system 1 illustrated in FIG. 5, the field network controller 302 of the safety driver 300 functions as a communication slave of the field network 2.

The control part 310 executes a calculation process required to operate the safety driver 300. As an example, the control part 310 includes processors 312 and 314, a main memory 316, and a storage 320.

The processor 312 generally corresponds to a calculation processing part executing control calculation for driving the servomotor 400. The processor 314 generally corresponds to a calculation processing part executing control calculation for providing the safety function 250 related to the servomotor 400. In the present embodiment, the processor 314 functions as a “disabling part” that disables the specific motion safety function 360 in response to the SRA parameter 60 or the safety command. Both of the processors 312 and 314 are configured with CPUs and the like.

The main memory 316 is configured with a volatile storage device such as a DRAM or an SRAM. The storage 320 is configured with a nonvolatile storage device such as an SSD or an HDD.

The storage 320 stores a servo control program 3202 for realizing servo control 350 that will be described later, a motion safety program 3204 for realizing the motion safety function 360 that will be described later, and setting information 3206 for setting a variable or the like that is open to other devices. The safety status 70 for managing enable/disable setting of the motion safety function 360 is stored in the setting information 3206.

FIG. 5 exemplifies a configuration in which the two processors 312 and 314 execute control calculation for different purposes to improve reliability, but the present invention is not limited thereto, and any configuration may be employed as long as the configuration can realize the required safety function 250. For example, in a case where a single processor includes a plurality of cores, control calculation corresponding to each of the processors 312 and 314 may be executed. FIG. 5 illustrates the configuration example in which the necessary functions are provided by the processors 312 and 314 executing the programs, but some or all of the provided functions may be installed by using a dedicated hardware circuit (for example, an ASIC or an FPGA).

The drive circuit 330 includes a converter circuit, an inverter circuit, and the like, generates power with designated voltage, current, and phase in response to a command from the control part 310, and supplies the power to the servomotor 400.

The feedback reception circuit 332 receives a feedback signal from the servomotor 400, and outputs the reception result to the control part 310.

The servomotor 400 typically includes a three-phase AC motor 402 and an encoder 404 provided at a rotation shaft of the three-phase AC motor 402.

The three-phase AC motor 402 is an actuator that receives power supplied from the safety driver 300 and generates torque. FIG. 5 illustrates the three-phase AC motor as an example, but the present invention is not limited thereto, and a DC motor may be used, and a single-phase AC motor or a multi-phase AC motor may be used. An actuator that generates torque along a straight line, such as a linear servo, may be used.

The encoder 404 outputs a feedback signal (typically, a pulse signal corresponding to a rotation speed) corresponding to the rotation speed of the three-phase AC motor 402.

(b4: Support Device 500)

FIG. 6 is a schematic diagram illustrating a hardware configuration example of the support device 500 constituting the control system 1 according to the present embodiment. The support device 500 is implemented by using hardware (for example, a general-purpose PC) conforming to a general-purpose architecture as an example.

With reference to FIG. 6, the support device 500 includes a processor 502, a main memory 504, an input part 506, an output part 508, a storage 510, an optical drive 512, and a USB controller 520. These components are connected to each other via a processor bus 518.

The processor 502 is configured with a CPU or a GPU, reads programs (for example, an OS 5102 and a support program 5104) stored in the storage 510, loads the programs to the main memory 504, and executes the programs to perform various processes that will be described later. In other words, the processor 502 has a function of a computer executing the support program 5104.

The main memory 504 is configured with a volatile storage device such as a DRAM or an SRAM. The storage 510 is configured with a nonvolatile storage device such as an HDD or an SSD.

The storage 510 stores not only the OS 5102 for realizing fundamental functions but also the support program 5104 for providing functions of the support device 500. In other words, the support program 5104 is executed by a computer connected to the control system 1 to implement the support device 50 according to the present embodiment.

The storage 510 stores project data 5106 that is created by the user in a development environment that is provided by executing the support program 5104.

In the present embodiment, the support device 500 provides a development environment in which setting on each device included in the control system 1 and creation of a program executed by each device can be integrally performed. The project data 5106 includes data generated by using such an integrated development environment. Typically, the project data 5106 includes a standard control source program 5108, standard controller setting information 5110, a safety source program 5117, safety controller setting information 5114, and safety driver setting information 5116. The SRA parameter 60 created by the user is stored in the safety driver setting information 5116.

The standard control source program 5108 is converted into object codes that are then transmitted to the standard controller 100 to be stored in the standard control program 1104 (refer to FIG. 3). The standard control source program 5108 may be transmitted to the standard controller 100 without being converted into object codes. Similarly, the standard controller setting information 5110 is also transmitted to the standard controller 100 to be stored in the setting information 1106 (refer to FIG. 3).

The safety source program 5117 is converted into object codes that are then transmitted to the safety controller 200 to be stored in the safety program 2104 (refer to FIG. 4). The safety source program 5117 may be transmitted to the safety controller 200 without being converted into object codes. Similarly, the safety controller setting information 5114 is also transmitted to the safety controller 200 to be stored in the setting information 2106 (refer to FIG. 4).

The safety driver setting information 5116 including the SRA parameter 60 is transmitted to the safety driver 300 and is stored as the setting information 3206 (refer to FIG. 5). The designation information included in the safety status 70 stored in the setting information 3206 may be updated on the basis of the designation information included in the SRA parameter 60.

The input part 506 is configured with a keyboard or a mouse and receives a user operation. The output part 508 is configured with a display, various indicators, a printer, and the like, and outputs a processing result or the like from the processor 502.

The USB controller 520 exchanges data with the standard controller 100 or the like through USB connection.

The support device 500 has the optical drive 512, and a program is read from a recording medium 514 (for example, an optical recording medium such as a digital versatile disc (DVD)) that stores computer-readable programs in a non-transitory manner and is installed in the storage 510 or the like.

The support program 5104 or the like executed by the support device 500 may be installed via the computer-readable recording medium 514, or may be downloaded from a server device or the like on the network to be installed. The functions provided by the support device 500 according to the present embodiment may be realized in a form of using some modules provided by the OS.

FIG. 6 illustrates the configuration example in which the necessary functions of the support device 500 are provided by the processor 502 executing the programs, but some or all of the provided functions may be installed by using a dedicated hardware circuit (for example, an ASIC or an FPGA).

During an operation of the control system 1, the support device 500 may be detached from the standard controller 100.

C. Function Sharing in Control System 1

Next, an example of function sharing in the control system 1 will be described. FIG. 7 is a schematic diagram illustrating an example of function sharing in the control system 1 according to the present embodiment.

With reference to FIG. 7, the safety driver 300 executes the servo control 350 in relation to the standard control 150 executed by the standard controller 100. The standard control 150 includes a process of cyclically calculating commands for driving the servomotor 400 according to a user program that is set in a control target in advance. The servo control 350 includes control for driving the servomotor 400 in response to commands that are cyclically calculated through the standard control 150 and a process of outputting a state value indicating an operation state of the servomotor 400. The servo control 350 is performed by the processor 312 (refer to FIG. 5) of the safety driver 300.

On the other hand, the safety driver 300 provides the motion safety function 360 in correspondence to the safety function 250 provided by the safety controller 200. The motion safety function 360 is realized by the processor 314 (refer to FIG. 5) of the safety driver 300.

When a predefined condition is established, the safety function 250 enables the predefined safety function 250 on the basis of a state value stored in the standard control 150 executed by the standard controller 100, a state value indicated by a signal from the safety device 240, a state value stored in the safety driver 300, and the like.

The process of enabling the predefined safety function 250 includes, for example, output of a safety command for the safety driver 300 or output of a safety command for the safety device 240 (for example, a safety relay related to the supply of power to a specific device is turned off).

The safety driver 300 executes the motion safety program 3204 to realize the designated motion safety function 360 in response to a safety command from the safety controller 200. The motion safety function 360 that can be executed is defined in advance in each safety driver 300. Depending on the type of the designated motion safety function 360, a process of intervening in the control of the servomotor 400 based on the servo control 350 to interrupt the supply of power to the servomotor 400, or a process of monitoring whether or not a state value of the control of the servomotor 400 based on the servo control 350 is within a predefined restriction range is executed. The motion safety program 3204 enables or disables each motion safety function 360 in accordance with enable/disable setting of a safety function designated by designation information included in the safety status 70.

FIG. 8 is a sequence diagram illustrating an example of a process procedure related to the safety functions 250 of the safety driver 300 of the control system 1 according to the present embodiment. With reference to FIG. 8, a command is cyclically calculated through the standard control 150 of the standard controller 100 and is output to the safety driver 300 (servo control 350) (sequence SQ2). The servo control 350 of the safety driver 300 drives the servomotor 400 in response to the command from the standard control 150 (sequence SQ4).

When a safety event from the safety device 240 (for example, a safety sensor) occurs at a certain timing (sequence SQ6), the safety controller 200 outputs a safety command to the safety driver 300 (motion safety function 360) (sequence SQ8). The motion safety function 360 of the safety driver 300 enables the designated safety function 250 in response to the safety command (sequence SQ10).

In response to enabling of the safety function 250, a command corresponding to the enabled safety function 250 is calculated and output from the standard control 150 of the standard controller 100 (sequence SQ12). On the other hand, the safety driver 300 (motion safety function 360) monitors whether or not an operation state of the servomotor 400 is within a predefined restriction range. When it is determined that the operation state of the servomotor 400 is not within the predefined restriction range, or a predefined stoppage time comes, the safety driver 300 (motion safety function 360) interrupts the supply of power to the servomotor 400 (sequence SQ14).

As described above, the safety driver 300 can drive the servomotor 400 in response to a command from the standard controller 100 (standard control 150), and can also realize the motion safety function 360 for the safety controller 200 (safety function 250) in response to a command for enabling the safety function 250.

D. Motion Safety Function 360 of Control System 1

Next, an example of the motion safety function 360 provided by the control system 1 will be described.

FIG. 9 is a diagram illustrating an example of the motion safety function 360 provided by the control system 1 according to the present embodiment. FIG. 9(A) illustrates an example of a behavior of the servomotor 400 corresponding to STO, and FIG. 9(B) illustrates an example of a behavior of the servomotor 400 corresponding to SS1.

With reference to FIG. 9(A), when a safety command (STO) is output at time point t1 in a state in which the servomotor 400 is being operated at a certain rotation speed, the safety driver 300 interrupts the supply of power to the servomotor 400 to make torque generated by the servomotor 400 zero. As a result, the servomotor 400 is rotated by the inertia and is then stopped. In a case where the servomotor 400 is provided with a brake, the servomotor 400 may be immediately stopped.

With reference to FIG. 9(B), when a safety command (SS1) is output at time point t1 in a state in which the servomotor 400 is being operated at a certain rotation speed, the safety driver 300 reduces the rotation speed at a predefined acceleration. In this case, the safety driver 300 may perform power recovery (that is, regeneration) from the servomotor 400. When the rotation speed of the servomotor 400 becomes zero at time point t2, the safety driver 300 interrupts the supply of power to the servomotor 400 to make torque generated by the servomotor 400 zero. After time point t2, the same state as the state corresponding to STO illustrated in FIG. 9(A) is brought.

Of STO illustrated in FIG. 9(A) and SS1 illustrated in FIG. 9(B), a safety function that causes more safe stoppage is selected as appropriate in accordance with characteristics or the like of a facility that is mechanically connected to the servomotor 400.

Non-Patent Literature 1 described above defines not only the motion safety functions illustrated in FIGS. 9(A) and 9(B) but also a plurality of motion safety functions. Settings for defining a behavior of the servomotor 400 are necessary to realize each motion safety function.

E. Installation Examples of Standard Control, Safety Control, and SRA Parameter Transfer

As described above, in the control system 1 according to the present embodiment, safety communication can be performed through data communication and the logical connection 4. Next, installation examples of standard control, safety control, and transfer of the SRA parameter 60 using each type of communication will be described.

FIG. 10 is a schematic diagram illustrating installation examples of standard control, safety control, and SRA parameter transfer in the control system 1 according to the present embodiment. For convenience of description, FIG. 10 illustrates an example of the control system 1 including the single safety driver 300 in addition to the standard controller 100, the safety controller 200, and the support device 500.

As illustrated in FIG. 10, the standard controller 100 includes a data communication layer 170 and an I/O management module 172 as principal functional constituents. The safety controller 200 includes a data communication layer 270, an I/O management module 272, a logical connection layer 276, and a safety function state management engine 278 as principal functional constituents. The safety driver 300 includes a data communication layer 370, a logical connection layer 376, and a motion safety function state management engine 378, a servo control execution engine 352, and a motion safety function execution engine 362 as principal functional constituents.

The data communication layer 170, the data communication layer 270, and the data communication layer 370 are used to transfer the communication frame 600 on the field network 2.

The logical connection layer 276 of the safety controller 200 and the logical connection layer 376 of the safety driver 300 exchange safety communication frames 630. In other words, the logical connection layer 276 and the logical connection layer 376 exchange commands and data by using the safety communication frame 630 included in the communication frame 600 according to a protocol (FSoE in the present embodiment) for establishing the logical connection 4. The safety controller 200 includes an establishment module 277 for establishing the logical connection 4 with the safety driver 300 via the logical connection layer 276.

In the standard controller 100, the I/O management module 172 exchanges signals with a control target to update process data 174. The standard control program 1104 executed in the standard controller 100 executes control calculation by referring to the process data 174, and updates the process data 174 as an execution result of the control calculation.

In the safety controller 200, the I/O management module 272 exchanges signals with the safety device 240 to update process data 274.

The safety program 2104 executed in the safety controller 200 executes control calculation by referring to the process data 274 and the safety function state management engine 278, and updates the process data 274 or outputs an internal command to the safety function state management engine 278 on the basis of an execution result of the control calculation.

The safety function state management engine 278 generates a safety command for enabling or disabling the specific motion safety function 360 for the specific safety driver 300 in accordance with the execution result of the control calculation performed by the safety program 2104. The logical connection layer 276 exchanges necessary commands and data with the logical connection layer 376 of the target safety driver 300 by using the safety communication frames 630 in response to the command from the safety function state management engine 278.

In the safety driver 300, the servo control execution engine 352 executes control calculation related to servo control by referring to process data 374 and information regarding a feedback signal acquired via the feedback reception circuit 332. The servo control execution engine 352 updates the process data 374 and outputs an internal command to the drive circuit 330 on the basis of an execution result of the control calculation. The drive circuit 330 drives the servomotor 400 in response to the command from the servo control execution engine 352.

The motion safety function state management engine 378 manages a state of the motion safety function 360 in response to a safety command from the safety controller 200 or the SRA parameter 60 from the standard controller 100. The safety status 70 is stored in the motion safety function state management engine 378. The motion safety function state management engine 378 outputs an internal command to the motion safety function execution engine 362 according to designation information included in the safety status 70.

In the motion safety function execution engine 362, the motion safety program 3204 is executed to realize the designated motion safety function 360.

The logical connection layer 376 exchanges necessary commands and data with the logical connection layer 276 of the safety controller 200 by using the safety communication frames 630 in response to a command from the motion safety function state management engine 378.

The support device 500 includes a data communication layer 533 and a parameter manager 532 as principal functional constituents. The data communication layer 533 exchanges data with each device including the standard controller 100. The parameter manager 532 sets the SRA parameter 60 in response to the user's operation that is received by an operation reception part 530 via the input part 506. Specifically, the SRA parameter 60 is set, and thus enable/disable setting of the safety function is performed. The SRA parameter 60 is transferred to the target safety driver 300 via the field network 2.

F. Example of Enabling or Disabling of Motion Safety Function

FIG. 11 is a schematic diagram illustrating an example of transition in enabling or disabling of the motion safety function 360 according to the present embodiment.

As described above, in the safety driver 300, the flags corresponding to all of the motion safety functions 360 are set to “0” as a default regardless of whether or not the motion safety functions 360 is installed. In other words, the flags of all bits included in the safety status 70 are set to “0” as a default.

When a user sets the flag of the second bit corresponding to SS2 to “1” in order to disable SS2, the flag of the third bit corresponding to SOS to “1” in order to disable SOS, and the flag of the fifth bit corresponding to SDIp to “1” in order to enable SDIp, in the designation information included in the SRA parameter 60, the designation information included in the safety status 70 is updated according to the designation information in the SRA parameter 60 included in the initial command. More specifically, the designation information included in the safety status 70 is overwritten to be the same as the designation information included in the SRA parameter 60.

Thereafter, when the user creates the safety program 2104 such that the flag of the second bit corresponding to SS2 is set to “0” in order to enable SS2 again, and the flag of the first bit corresponding to SS1 is set to “1” in order to disable SS1, the designation information included in the safety status 70 is updated according to a safety command. More specifically, in the designation information included in the safety status 70, a flag corresponding to SS2, that is, the flag of the second bit is changed to “0”, and a flag corresponding to SS1, that is, the flag of the first bit is changed to “1”.

As described above, in the control system 1 according to the present embodiment, after connection in the field network 2 is established, setting of enabling or disabling of the specific motion safety function 360 can be changed from a default state by using the SRA parameter 60 or the safety command.

G. User Interface Related to Motion Safety Function 360

Next, an example of a user interface related to the motion safety function 360 provided by the support device 500 will be described.

FIGS. 12 and 13 are diagrams illustrating examples of user interfaces for setting enabling or disabling of the motion safety function 360 in the SRA parameter 60 provided by the support device 500 according to the present embodiment. FIG. 14 is a diagram illustrating an example of a user interface for setting a variable in the safety program 2104 provided by the support device 500 according to the present embodiment. The user may execute the support program 5104 in the support device 500 to display screens related to user interfaces as illustrated in FIGS. 13 to 15.

As illustrated in FIG. 12, a multiview explorer field 610 is provided on the left of a screen related to a user interface 601. The multiview explorer field 610 includes a switching switch 612 for designating a development target program. In this example, “new_SafetyCPU0” corresponding to the safety program 2104 is designated in the switching switch 612.

The multiview explorer field 610 includes a configurations and setup switch 614 for setting a constituent connected to a network in the control system 1. A lower-level layer developed by the configurations and setup switch 614 includes an SRA parameter icon 616 for developing the SRA parameter 60 and an I/O map icon 618 for mapping a variable referred to by the safety program 2104. The “variable” includes data and a container or a storage region in which the data is stored. For example, the variable referred to by the safety program 2104 is correlated with a state value of the servomotor 400 or the like, and each motion safety function 360 is realized according to the state value correlated with the variable.

The SRA parameter icon 616 is provided in each of one or a plurality of safety drivers 300 connected to the control system 1, and, in this example, the SRA parameter icon 616 corresponding to the safety driver 300 of Node10 is selected.

A screen 620 for setting the SRA parameter 60 is displayed at the center of the screen related to the user interface 601. The screen 620 includes a number field 622 and a flag field 624.

In the number field 622, numbers are shown for the respective motion safety functions 360 in order from the first bit in the same order as the designation information included in the safety status 70. In this example, since the motion safety function 360 of SSR in the fourth bit is not installed, all information corresponding to the fourth bit is “Reserved”.

The flag field 624 is provided with a check box that can be checked by the user. In the designation information included in the SRA parameter 60, the check box of the flag field 624 is checked such that the flag is set to “0”, and the check box of the flag field 624 is unchecked such that the flag is set to “1”. In above-described way, the user can easily perform enable/disable setting of the motion safety function 360 in the SRA parameter 60 by checking or unchecking the check box of the flag field 624.

With respect to enable/disable setting of the motion safety function 360, the user can change the default state in the second byte of the safety status 70, and, as illustrated in FIG. 12, the user can easily perform enable/disable setting in the second byte by using the SRA parameter 60.

In the example illustrated in FIG. 12, SS2, SOS, and SDIp are unchecked in the check box of the flag field 624. Thus, In the safety command, the flags corresponding to SS2, SOS, and SDIp are designated as “1” in the SRA parameter 60.

As illustrated in FIG. 13, when the specific motion safety function 360 is disabled in the check box of the flag field 624, the screen is switched to a screen related to a user interface 602, and the screen is disabled, and a notification that the variable correlated with the disabled specific motion safety function 360 has been canceled is provided in an output window 670 located at the lower part of the screen.

As illustrated in FIG. 14, when the I/O map icon 618 is selected, the screen is switched to a screen related to a user interface 603. A screen 650 for mapping a variable to each motion safety function 360 is displayed at the center of the screen related to the user interface 603. The screen 650 includes a port field 652, a variable field 654, and a variable comment field 656.

Each motion safety function 360 installed in the selected safety driver 300 (Node 10 in this example) is shown in the port field 652. A variable correlated with each motion safety function 360 is shown in the variable field 654. A comment to the variable correlated with each motion safety function 360 is shown in the variable comment field 656.

Here, as illustrated in FIG. 13, when the specific motion safety function 360 is disabled in the check box of the flag field 624, the variable correlated with the disabled specific motion safety function 360 is canceled. Thus, the variable field 654 and the variable comment field 656 become blank in the screen related to the user interface 603 illustrated in FIG. 14. For example, in this example, since SS2 and SOS are disabled in the check boxes of the flag field 624, and the variables are canceled, the variable field 654 and the variable comment field 656 corresponding to SS2 and SOS become blank.

As described above, in response to designation of disabling of the specific motion safety function 360, the support device 500 prohibits the use of the variable referred to by the safety program 2104 related to the specific motion safety function 360. Consequently, it is possible to prevent a situation in which the user unintentionally sets a variable referred to by the safety program 2104 related to the disabled motion safety function 360.

H. Safety Enable/Disable Setting Process

Next, a safety enable/disable setting process executed by the support device 500 will be described. FIG. 15 is a flowchart for describing a safety enable/disable setting process executed by the support device 500 according to the present embodiment.

As illustrated in FIG. 15, the support device 500 determines whether or display of a setting screen for the SRA parameter 60 has been received (S502). In a case where a setting screen for the SRA parameter 60 has not been received (NO in S502), the support device 500 finishes the present process.

On the other hand, in a case where a setting screen for the SRA parameter 60 has been received (YES in S502), the support device 500 whether or not there is support for safety function enable/disable setting (S504). In a case where there is no support for safety function enable/disable setting (NO in S504), the support device 500 displays the setting screen for the SRA parameter 60 in a mode in which the safety function enable/disable setting is not possible (S506). For example, the support device 500 makes the details of the check box of the flag field 624 uneditable in the screen related to the user interface 601 illustrated in FIG. 12. Thereafter, the support device 500 finishes the present process.

On the other hand, in a case where there is support for safety function enable/disable setting (YES in S504), the support device 500 displays the setting screen for the SRA parameter 60 in a mode in which the safety function enable/disable setting is possible (S508). For example, the support device 500 makes the details of the check box of the flag field 624 editable in the screen related to the user interface 601 illustrated in FIG. 12.

Next, the support device 500 determines whether or not safety function enable/disable setting has been received (S510). Specifically, the support device 500 whether the check box of the flag field 624 has been checked or unchecked by a user in the screen related to the user interface 601 illustrated in FIG. 12. In a case where safety function enable/disable setting has not been received (NO in S510), the support device 500 repeatedly performs the process in S510 until enable/disable setting is received.

On the other hand, in a case where safety function enable/disable setting has been received (YES in S510), the support device 500 reflects the safety function enable/disable setting in the SRA parameter 60 (S512). The support device 500 determines whether or not a variable has been mapped to the motion safety function 360 set to be disabled (S514). In a case where a variable has not been mapped to the motion safety function 360 set to be disabled (NO in S514), the support device 500 finishes the present process.

On the other hand, in a case where a variable has been mapped to the motion safety function 360 set to be disabled (YES in S514), the support device 500 cancels the variable corresponding to the motion safety function 360 set to be disabled (S516), and performs a notification of cancelation (S518). For example, the support device 500 provides a notification that the variable correlated with the disabled specific motion safety function 360 has been canceled in the output window 670 illustrated in FIG. 13.

The support device 500 prohibits mapping of a variable to the motion safety function 360 set to be disabled (S520), and finishes the present process.

The support device 500 can notify the user that a variable referred to by the safety program 2104 related to the disabled motion safety function 360 is prohibited from being used.

I. SRA Parameter Reception Process

Next, an SRA parameter reception process executed by the safety driver 300 will be described. FIG. 16 is a flowchart for describing an SRA parameter reception process executed by the safety driver 300 according to the present embodiment. The safety driver 300 executes an SRA parameter reception process illustrated in FIG. 16 when the initial command is received from the standard controller 100.

As illustrated in FIG. 16, the safety driver 300 determines whether or not the SRA parameter 60 has been received (S302). In other words, the safety driver 300 determines whether or not the SRA parameter 60 is included in the initial command received from the standard controller 100. In a case where the SRA parameter 60 has not been received (NO in S302), the safety driver 300 maintains enable/disable setting of all of the motion safety functions 360 according to the designation information in the safety status 70 in a default state (S304). In other words, all of the motion safety functions 360 are enabled. Thereafter, the safety driver 300 finishes the present process.

On the other hand, in a case where the SRA parameter 60 has been received (YES in S302), the safety driver 300 performs enable/disable setting of the specific motion safety function 360 according to the designation information in the SRA parameter 60 (S308). For example, as illustrated in FIG. 11, in a case where the SRA parameter 60 including the designation information indicating that SS2 and SOS are disabled and SDIp is enabled has been received, the safety driver 300 disables SS2 and SOS and enables SDIp in the designation information in the safety status 70. Thereafter, the safety driver 300 finishes the present process.

As described above, the safety driver 300 can change enabled/disabled settings of the specific motion safety function 360 from the default state according to the SRA parameter 60.

J. Safety Command Reception Process

Next, a safety command reception process executed by the safety driver 300 will be described. FIG. 17 is a flowchart for describing a safety command reception process executed by the safety driver 300 according to the present embodiment. The safety driver 300 executes a safety command reception process illustrated in FIG. 17 after connection in the field network 2 is established and the logical connection 4 is established.

As illustrated in FIG. 17, the safety driver 300 determines whether or not a safety command has been received from the safety controller 200 (S322). In a case where a safety command has not been received (NO in S322), the safety driver 300 finishes the present process.

On the other hand, in a case where a safety command has been received (YES in S322), the safety driver 300 determines whether or not enable/disable setting of the motion safety function 360 is included in the safety command (S324). In a case where enable/disable setting of the motion safety function 360 is not included in the safety command (NO in S324), the safety driver 300 finishes the present process.

On the other hand, in a case where enable/disable setting of the motion safety function 360 is included in the safety command (YES in S324), the safety driver 300 performs enable/disable setting of the specific motion safety function 360 according to designation information included in the safety command (S326). For example, as illustrated in FIG. 11, in a case where the safety command including designation information indicating that SS2 is enabled and SS1 is disabled has been received, the safety driver 300 also enables SS2 and disables SS1 in the designation information included in the safety status 70. Thereafter, the safety driver 300 finishes the present process.

As described above, the safety driver 300 performs enable/disable setting of the motion safety function 360 in response to a safety command that is received after the logical connection 4 is established, prior to enable/disable setting based on the SRA parameter 60 executed when the initial command is received. The safety driver 300 updates the designation information in the safety status 70 according to the latest enable/disable setting at all times even when the SRA parameter 60 is received or a safety command is received afterward. Consequently, the user can realize the motion safety function 360 according to the latest enable/disable setting regardless of either the SRA parameter 60 or the safety command.

K. Modification Examples

In the above-described embodiment, the user realizes the motion safety function 360 according to the latest enable/disable setting performed by the user regardless of either the SRA parameter 60 or the safety command, but the present invention is not limited thereto.

(k1: Enable/Disable Setting Using Prioritized SRA Parameter 60)

For example, as illustrated in FIG. 18, the motion safety function 360 may be realized by preferentially referring to the SRA parameter 60 over the safety command. FIG. 18 is a flowchart for describing a safety command reception process executed by a safety driver 300a according to a modification example. The safety driver 300a executes a safety command reception process illustrated in FIG. 18 after connection in the field network 2 is established and the logical connection 4 is established.

As illustrated in FIG. 18, the safety driver 300a determines whether or not a safety command has been received from the safety controller 200 (S342). In a case where a safety command has not been received (NO in S342), the safety driver 300 finishes the present process.

On the other hand, in a case where a safety command has been received (YES in S342), the safety driver 300a determines whether or not enable/disable setting of the motion safety function 360 is included in the safety command (S344). In a case where enable/disable setting of the motion safety function 360 is not included in the safety command (NO in S344), the safety driver 300a finishes the present process.

On the other hand, in a case where enable/disable setting of the motion safety function 360 is included in the safety command (YES in S344), the safety driver 300a determines whether or not enable/disable setting of the specific motion safety function 360 has been performed according to designation information in the SRA parameter 60 that is received when the initial command is received (S346).

In a case where enable/disable setting of the motion safety function 360 has not been performed yet according to the designation information in the SRA parameter 60 (NO in S346), the safety driver 300a performs enable/disable setting of the specific motion safety function 360 according to the designation information in the safety command (S348).

On the other hand, in a case where enable/disable setting of the motion safety function 360 has already been performed according to the designation information in the SRA parameter 60 (YES in S346), the safety driver 300a prioritizes the SRA parameter 60 and maintains enable/disable setting of all of the motion safety functions 360 according to the designation information in the SRA parameter 60 (S350). After S348 or S350, the safety driver 300a finishes the present process.

As described above, in the modification example as illustrated in FIG. 18, the safety driver 300a performs enable/disable setting of the motion safety function 360 according to the SRA parameter 60 received together with the initial command in preference to the safety command received after the logical connection 4 is established. Consequently, even if the user unintentionally writes a source code with erroneous setting details, the erroneous setting details are not reflected in enable/disable setting of the motion safety function 360.

(k2: Enable/Disable Setting Using AND of SRA Parameter 60 and Safety Command)

For example, as illustrated in FIGS. 19 and 20, the motion safety function 360 may be realized on the basis of an AND calculation result of a flag of designation information included in the SRA parameter 60 and a flag of designation information included in a safety command. FIG. 19 is a flowchart for describing a safety command reception process executed by a safety driver 300b according to a modification example. The safety driver 300b executes a safety command reception process illustrated in FIG. 19 after connection in the field network 2 is established and the logical connection 4 is established. FIG. 20 is a schematic diagram illustrating an example of transition in enabling or disabling of the motion safety function 360 according to the modification example.

As illustrated in FIG. 19, the safety driver 300b determines whether or not a safety command has been received from the safety controller 200 (S362). In a case where a safety command has not been received (NO in S362), the safety driver 300b finishes the present process.

On the other hand, in a case where a safety command has been received (YES in S362), the safety driver 300b determines whether or not enable/disable setting of the motion safety function 360 is included in the safety command (S364). In a case where enable/disable setting of the motion safety function 360 is not included in the safety command (NO in S364), the safety driver 300b finishes the present process.

On the other hand, in a case where enable/disable setting of the motion safety function 360 is included in the safety command (YES in S364), the safety driver 300b performs AND calculation between, for the specific motion safety function 360, enable/disable setting that has been designated and enable/disable setting designated by the designation information in the received safety command, and determines whether or not the AND calculation result is “0” (S366). For example, in a case where enable/disable setting of the motion safety function 360 has been already performed according to designation information in the SRA parameter 60, the safety driver 300b determines whether or not an AND calculation result between enable/disable setting designated by the SRA parameter 60 and enable/disable setting designated by the designation information in the received safety command is “0”.

In a case where the AND calculation result is not “0” (NO in S366), the safety driver 300b sets a flag of the designation information in the safety status 70 corresponding to the specific motion safety function 360 that is a calculation target to “1” (S368). For example, as illustrated in FIG. 20, in a case where the flag of SOS has been set to “1” by using the SRA parameter 60, and the flag of SOS is “1” in designation information 80 in the safety command, an AND calculation result is “1”. In this case, the safety driver 300b sets the flag of SOS in the designation information in the safety status 70 to “1”.

On the other hand, in a case where the AND calculation result is “0” (YES in S366), the safety driver 300b sets the flag of the designation information in the safety status 70 corresponding to the specific motion safety function 360 that is a calculation target to “0” (S370). For example, as illustrated in FIG. 20, in a case where the flag of SS2 has been set to “1” by using the SRA parameter 60, and the flag of SS2 is “0” in the designation information 80 in the safety command, an AND calculation result is “0”. In this case, the safety driver 300b sets the flag of SS2 in the designation information in the safety status 70 to “0”.

After S368 or S370, the safety driver 300b determines whether or not calculation has been completed for all of the motion safety functions 360 (S372). In a case where calculation has not been completed for all of the motion safety functions 360 (NO in S372), the safety driver 300b repeatedly performs the process in S366. On the other hand, in a case where calculation has been completed for all of the motion safety functions 360 (YES in S372), the safety driver 300b finishes the present process.

As described above, in the modification example illustrated in FIGS. 19 and 20, the safety driver 300b performs enable/disable setting of the motion safety function 360 on the basis of an AND calculation result of a flag of designation information included in the SRA parameter 60 and a flag of designation information included in a safety command. Consequently, the user can enable or disable the motion safety function 360 according to an actual situation by taking into consideration both the SRA parameter 60 and the safety command.

(k3: Enable/Disable Setting Using OR of SRA Parameter 60 and Safety Command)

For example, as illustrated in FIGS. 21 and 22, the motion safety function 360 may be realized on the basis of an OR calculation result of a flag of designation information included in the SRA parameter 60 and a flag of designation information included in a safety command. FIG. 21 is a flowchart for describing a safety command reception process executed by a safety driver 300c according to a modification example. The safety driver 300c executes a safety command reception process illustrated in FIG. 21 after connection in the field network 2 is established and the logical connection 4 is established. FIG. 22 is a schematic diagram illustrating an example of transition in enabling or disabling of the motion safety function 360 according to the modification example.

As illustrated in FIG. 21, the safety driver 300c determines whether or not a safety command has been received from the safety controller 200 (S382). In a case where a safety command has not been received (NO in S382), the safety driver 300c finishes the present process.

On the other hand, in a case where a safety command has been received (YES in S382), the safety driver 300c determines whether or not enable/disable setting of the motion safety function 360 is included in the safety command (S384). In a case where enable/disable setting of the motion safety function 360 is not included in the safety command (NO in S384), the safety driver 300c finishes the present process.

On the other hand, in a case where enable/disable setting of the motion safety function 360 is included in the safety command (YES in S384), the safety driver 300c performs OR calculation between, for the specific motion safety function 360, enable/disable setting that has been designated and enable/disable setting designated by the designation information in the received safety command, and determines whether or not the OR calculation result is “0” (S386). For example, in a case where enable/disable setting of the motion safety function 360 has been already performed according to designation information in the SRA parameter 60, the safety driver 300c determines whether or not an OR calculation result between enable/disable setting designated by the SRA parameter 60 and enable/disable setting designated by the designation information in the received safety command is “0”.

In a case where the OR calculation result is not “0” (NO in S386), the safety driver 300c sets a flag of the designation information in the safety status 70 corresponding to the specific motion safety function 360 that is a calculation target to “1” (S388). For example, as illustrated in FIG. 22, in a case where the flag of SS2 has been set to “1” by using the SRA parameter 60, and the flag of SS2 is “0” in the designation information 80 in the safety command, an OR calculation result is “1”. In this case, the safety driver 300c sets the flag of SS2 in the designation information in the safety status 70 to “1”.

On the other hand, in a case where the OR calculation result is “0” (YES in S386), the safety driver 300c sets the flag of the designation information in the safety status 70 corresponding to the specific motion safety function 360 that is a calculation target to “0” (S390). For example, as illustrated in FIG. 22, in a case where the flag of STO has been set to “0” by using the SRA parameter 60, and the flag of STO is “0” in the designation information 80 in the safety command, an OR calculation result is “0”. In this case, the safety driver 300c sets the flag of STO in the designation information in the safety status 70 to “0”.

After S388 or S390, the safety driver 300c determines whether or not calculation has been completed for all of the motion safety functions 360 (S392). In a case where calculation has not been completed for all of the motion safety functions 360 (NO in S392), the safety driver 300c repeatedly performs the process in S386. On the other hand, in a case where calculation has been completed for all of the motion safety functions 360 (YES in S392), the safety driver 300c finishes the present process.

As described above, in the modification example illustrated in FIGS. 21 and 22, the safety driver 300c performs enable/disable setting of the motion safety function 360 on the basis of an OR calculation result of a flag of designation information included in the SRA parameter 60 and a flag of designation information included in a safety command. Consequently, the user can enable or disable the motion safety function 360 according to an actual situation by taking into consideration both the SRA parameter 60 and the safety command.

L. Appendix

The present embodiment described above includes the following technical concept.

[Configuration 1]

A control system (1) including:

a drive device (300) that is connected to a network (2), has at least one or more safety functions, and drives a motor (400); and

a controller (100) that manages data exchange between devices including the drive device connected to the network,

in which the controller transmits a parameter (60) related to setting of the drive device to the drive device via the network when connection in the network is established,

in which the parameter includes designation information for designating enabling or disabling of each of the at least one or more safety functions, and

in which the drive device disables a specific safety function that is designated to be disabled by the designation information included in the parameter among the at least one or more safety functions.

[Configuration 2]

The control system according to Configuration 1,

in which the parameter is a safety-related application (SRA) parameter.

[Configuration 3]

The control system according to Configuration 1 or 2,

in which the designation information includes information for designating enabling or disabling of each of the at least one or more safety functions by using a bit string in which bits respectively corresponding to the at least one or more safety functions are arranged.

[Configuration 4]

The control system according to any one of Configurations 1 to 3, including:

a support device (500) that supports setting related to the at least one or more safety functions,

in which the support device provides a user interface (600) for setting the designation information.

[Configuration 5]

The control system according to Configuration 4,

in which, in response to designation of disabling of the specific safety function among the at least one or more safety functions, the support device prohibits use of a variable referred to by a program (2104) related to the specific safety function.

[Configuration 6]

The control system according to Configuration 5,

in which the support device provides a notification of prohibition of use of the variable.

[Configuration 7]

The control system according to any one of Configurations 1 to 6, including:

a second controller (200) that transmits a safety command related to operations of the at least one or more safety functions to the drive device,

in which the safety command includes second designation information for designating enabling or disabling of each of the at least one or more safety functions, and

in which the drive device enables or disables each of the at least one or more safety functions on the basis of the designation information included in the parameter and the second designation information included in the safety command.

[Configuration 8]

A control method in a control system (1), the control system (1) including a drive device (300) that is connected to a network (2), has at least one or more safety functions, and drives a motor (400), and a controller (100) that manages data exchange between devices including the drive device connected to the network, the control method including:

transmitting, by the controller, a parameter (60) including designation information for designating enabling or disabling of each of the at least one or more safety functions to the drive device via the network when connection in the network is established; and disabling, by the drive device, a specific safety function that is designated to be disabled by the designation information included in the parameter among the at least one or more safety functions.

[Configuration 9]

A drive device (300) that is connected to a network (2), has at least one or more safety functions, and drives a motor (400), in which data exchange between devices including the drive device connected to the network is managed by a controller (100), the drive device (300) including:

a reception part (302) that receives, from the controller, a parameter (60) including designation information for designating enabling or disabling of each of the at least one or more safety functions via the network when connection in the network is established; and

a disabling part (314) that disables a specific safety function that is designated to be disabled by the designation information included in the parameter among the at least one or more safety functions.

M. Advantages

In the control system 1 according to the present embodiment, a user designates the specific motion safety function 360 to be disabled by using the SRA parameter 60, and can thus disable the specific motion safety function 360 for the safety driver 300 when connection in the field network 2 is established. Since the user transmits the SRA parameter 60 to the safety driver 300 via the field network 2 and can thus disable the specific motion safety function 360, the execution performance of the control system 1 does not degrade compared with a case where a program separately prepared to disable the motion safety function 360 is executed.

It should be considered that the embodiments disclosed this time are exemplary in all respects and not limited. The scope of the present invention is shown by the claims, not the above description, and is intended to include all modifications within the meaning and the scope equivalent to the claims.

REFERENCE SIGNS LIST

- 1 Control system
- 2 Field network
- 4 Logical connection
- 60 SRA parameter
- 70 Safety status
- 80 Designation information
- 100 Standard controller
- 102, 202, 312, 314, 502 Processor
- 104, 204, 316, 504 Main memory
- 106 Higher-level network controller
- 108, 208, 302 Field network controller
- 110, 210, 320, 510 Storage
- 112 Memory card interface
- 114 Memory card
- 116 Local bus controller
- 118, 218, 518 Processor bus
- 120, 220, 520 USB controller
- 150 Standard control
- 170, 270, 370, 533 Data communication layer
- 172, 272 Management module
- 174, 274, 374 Process data
- 200 Safety controller
- 216 Safety local bus controller
- 230 Safety I/O unit
- 240 Safety device
- 250 Safety function
- 276, 376 Logical connection layer
- 277 Establishment module
- 278 Safety function state management engine
- 300, 300a, 300b, 300c Safety driver
- 310 Control part
- 330 Drive circuit
- 332 Feedback reception circuit
- 350 Servo control
- 352 Servo control execution engine
- 360 Motion safety function
- 362 Motion safety function execution engine
- 378 Motion safety function state management engine
- 400 Servomotor
- 402 Three-phase AC motor
- 404 Encoder
- 500 Support device
- 506 Input part
- 508 Output part
- 512 Optical drive
- 514 Recording medium
- 530 Operation reception part
- 532 Parameter manager
- 600 Communication frame
- 601, 602, 603 User interface
- 610 Multiview explorer field
- 612 Switching switch
- 614 Setting switch
- 616 Parameter icon
- 618 I/O map icon
- 620, 650 Screen
- 622 Number field
- 624 Flag field
- 630 Safety communication frame
- 652 Port field
- 654 Variable field
- 656 Variable comment field
- 670 Output window
- 700 Control word
- 702 Bit field
- 704 Name field
- 706 Description field
- 1102, 2102 System program
- 1104 Standard control program
- 1106, 2106, 3206 Setting information
- 2104 Safety program
- 3202 Servo control program
- 3204 Motion safety program
- 5104 Support program
- 5106 Project data
- 5108 Standard control source program
- 5110 Standard controller setting information
- 5114 Safety controller setting information
- 5116 Safety driver setting information
- 5117 Safety source program

CONTROL SYSTEM, CONTROL METHOD, AND DRIVE DEVICE

Information

Publication Number

Date Filed

Date Published

Inventors

Original Assignees

CPC

International Classifications

Abstract

Description

Claims

Priority Claims (1)

PCT Information