The present invention relates to a programmable controller, and more particularly to a programmable controller having self-diagnosis unit for self-diagnosing whether or not a RAM is normal by inspecting sequentially a plurality of memory areas to which the address is individually allocated in the sequenced inspection units.
In a technical field of FA (factory automation), a programmable controller (hereafter referred to as a “PLC”) is used to control various kinds of devices. The PLC is applied to various kinds of unitary industrial machines, such as machine tools, automatic assembling machines and automatic welding machines. Herein, the PLC is constituted of a computer having a CPU, a ROM and a RAM. And some PLCs have a self-diagnosis function of performing the self-diagnosis as to whether there is any breakdown inside the PLC to secure enough reliability for the PLC itself to operate normally. The above-mentioned self-diagnosis is performed at an appropriate time after the power is turned on in the PLC. The self-diagnosis performed in preparation before the PLC starts the usual operation immediately after the power is turned on is hereafter referred to as an “initial self-diagnosis”, and the self-diagnosis repeatedly performed at appropriate times during the usual operation of the PLC is hereinafter referred to as a “normal self-diagnosis”.
The self-diagnosis mainly involves inspecting whether or not the RAM is normal. Generally, as the self-diagnosis, two or more memory areas to which the address is individually allocated are inspected sequentially in the sequence of the address. Referring to
First of all, the data stored in all the memory areas to be inspected from the first address to the nth address is stored in a stack as the backup. Next, it is checked whether or not the data for inspection is correctly written into the memory area in the first address, and the data of the memory areas in other addresses from the second address to the nth address are unchanged by comparing the data of the memory areas in other addresses with the backed up data. Thereby, it is possible to inspect whether the memory area in the first address is not opened (ruptured), and the memory area in the first address is not shorted (short-circuited) with other memory areas.
Such inspection of the memory area is sequentially performed for each memory area in the second address and beyond in the sequence of the address. Herein, for the inspection of the memory area in the second address and beyond, it is unnecessary to compare the memory area where the inspection is already completed, such as the memory area in the first address, with the backed up data, because it is checked not to be short-circuited with other memory areas. Therefore, the memory area where the inspection is already completed is saved.
All the memory areas to be inspected are repeatedly inspected by n times in total, and upon completing the inspection of the memory area in the last nth address, the inspection of all the memory areas to be inspected is completed, that is, the self-diagnosis of one cycle is ended.
In the conventional PLC, the self-diagnosis of one cycle is performed as an initial self-diagnosis immediately after turning on the power, or as a normal self-diagnosis during the normal operation. Herein, though in the initial self-diagnosis, the self-diagnosis of one cycle is performed continuously through a series of processings, the PLC during the normal operation can not secure a sufficient spare time for performing the self-diagnosis of one cycle continuously through a series of processings, because a process for controlling various devices is always performed. Hence, for the normal self-diagnosis, the self-diagnosis of one cycle is not performed continuously through a series of processings, but subdivided, using the spare time allotted to the self-diagnosis. In the conventional PLC, though it is natural that in the initial self-diagnosis the inspection is started from the memory area in the top address, the inspection is started from the memory area in the top address in the normal self-diagnosis at the first time after the power is turned on.
The above-mentioned background art is the general matter, and the present applicant knows no documents having a description of specifying this background art at the time of application.
In the above self-diagnosis, it takes a long time to finish the self-diagnosis of one cycle, because all the memory areas to be inspected are repeatedly inspected sequentially in the sequence of the address. Hence, the conventional PLC had the following problems, when the initial self-diagnosis and the normal self-diagnosis are noted individually. First of all, noting the initial self-diagnosis, it takes a time of about 15 to 30 seconds to perform the initial self-diagnosis in the conventional PLC, for example. Hence, the conventional PLC had the problem that the start-up after turning on the power is slow, and it cannot be operated at once after turning on the power.
Since the PLC has the normal self-diagnosis, it is simply considered to make the start-up faster by omitting the initial self-diagnosis. However, even though the normal self-diagnosis is performed, this normal self-diagnosis is performed employing the spare time during operation, whereby it takes a long time to finish the self-diagnosis of one cycle. For instance, to finish the normal self-diagnosis of one cycle, it is required to operate the PLC continuously without turning off the power over a long time of about 20 to 30 minutes. Herein, if an event that the power is turned off before” the normal self-diagnosis of one cycle is ended occurs repeatedly due to some factors, the memory area where the inspection is not completed by the normal self-diagnosis will always exist, remarkably decreasing the reliability of the PLC. Therefore, the initial self-diagnosis cannot be omitted.
In particular, when the PLC is adopted as the PLC for fail safe, or a so-called “safety PLC”, that controls various kinds of devices to the safety side, such as stopping or operating various kinds of devices of control object to the safety side upon an input signal from an input device for safety such as an emergency stop button, a human body detection sensor, or a detector for detecting the disconnection of signal line, the higher reliability is demanded. In such safety PLC, it is not suitable that the initial self-diagnosis is omitted.
Considering the normal self-diagnosis, if the event that the power is turned off before the normal self-diagnosis of one cycle is ended occurs repeatedly, the memory area where the inspection is not completed by the normal self-diagnosis will always exist. Therefore, the conventional PLC could not ensure enough reliability according to the normal self-diagnosis process.
Also, since it takes a long time to finish the normal self-diagnosis of one cycle, the normal self-diagnosis of one cycle is not always ended, when the operation is stopped by turning off the power of the PLC. Therefore, as the power of the PLC is repeatedly turned on/off over a long time use, the number of inspections for the memory area with the later sequence of inspection is remarkably smaller than the memory area with the earlier sequence of inspection. Hence, the conventional PLC had the problem that there are variations in the inspection frequency between the individual memory areas, and the uniform reliability cannot be achieved.
The present invention has been achieved in the light of the above-mentioned problems, and it is an object of the invention to provide a PLC in which noting the initial self-diagnosis, the time required to perform the initial self-diagnosis is shortened, whereby the start-up after turning on the power is made faster, while noting the normal self-diagnosis, enough reliability is ensured, and uniform reliability is achieved for individual memory areas to be inspected.
In order to accomplish the above object, the present invention provides a programmable controller having self-diagnosis unit for self-diagnosing whether or not a RAM is normal by inspecting sequentially a plurality of memory areas to which the address is individually allocated in the sequenced inspection units, the self-diagnosis unit characterized by comprising a data storage unit for storing data pertaining to an inspection unit for which the inspection is completed, and an inspection start unit for starting the inspection from the next inspection unit of the inspection unit for which the inspection is already completed at the time before the power is turned on, when performing a self-diagnosis that occurs after the power is turned on, based on the data stored in the data storage unit.
Herein, the self-diagnosis performed by the self-diagnosis unit may be the initial self-diagnosis, or the normal self-diagnosis. Also, the data stored in the data storage unit may be the data pertaining to the inspection unit for which the inspection is completed, to enable the inspection start unit to start the inspection from the next inspection unit of the inspection unit for which the inspection is already completed, in other words, the data for specifying the inspection unit to start in the self-diagnosis at the next time. Hence, such data may be the data indicating the inspection unit for which the inspection is completed, the data indicating the next inspection unit of the inspection unit for which the inspection is completed, and the data of appropriate substance, for example.
In the PLC of the above configuration, if the power is turned off and then turned on again, the self-diagnosis starts the inspection from the next inspection unit of the inspection unit for which the inspection is already completed before the power is turned off at the previous time. In other words, the self-diagnosis after the power is turned on is continued from the self-diagnosis before the power is turned off at the previous time. Therefore, in a case where the self-diagnosis is the initial self-diagnosis, the inspection is completed for all the inspection units sequenced from the first inspection unit to the last inspection unit by repeatedly turning on and off the power, whereby it is unnecessary to inspect all the memory areas to be inspected through one initial self-diagnosis. Therefore, the inspection subject through one initial self-diagnosis may be a part of the memory areas. And by doing so, the time required for the initial self-diagnosis is shortened, and the start-up after turning on the power is made faster.
On the other hand, in a case where the self-diagnosis is the normal self-diagnosis, the inspection is continued from the next inspection unit of the inspection unit for which the inspection is completed before the power is turned off at the previous time, every time the power is turned on, even if the power is repeatedly turned off in a short time at the stage before the normal self-diagnosis of one cycle is ended, whereby the inspection for the inspection unit with later sequence is securely performed along with the passage of the total time for which the power is turned on. Hence, this normal self-diagnosis ensures the enough reliability for the PLC. Also, the initial self-diagnosis may be omitted, because the normal self-diagnosis ensures the enough reliability for the PLC. And the start-up of the PLC after the power is turned on is made remarkably faster by omitting the initial self-diagnosis.
Also, the inspection is continued from the next inspection unit of the inspection unit for which the inspection is completed after the power is turned on again, even if the power is turned off at the stage where the normal self-diagnosis of one cycle is not ended, whereby there is no variation in the number of inspections between the inspection unit with earlier sequence and the inspection unit with later sequence. Hence, the uniform reliability for individual memory areas to be inspected is achieved.
In this manner, with the PLC of the above configuration, noting the initial self-diagnosis, the time required for the initial self-diagnosis is shortened, whereby the start-up after turning on the power is made faster. On the other hand, noting the normal self-diagnosis, the enough reliability is securely achieved. And the uniform reliability for individual memory areas to be inspected is achieved.
In the programmable controller of the invention, the self-diagnosis unit may be initial self-diagnosis unit for performing an initial self-diagnosis immediately after the power is turned on, the initial self-diagnosis unit performs the self-diagnosis for one inspection unit every time the power is turned on, where the memory area groups into which all the memory areas to be inspected are subdivided are the inspection units.
In the PLC of the above configuration, in the initial self-diagnosis, since the initial self-diagnosis for one memory area group that is one inspection unit is performed, the time required for the initial self-diagnosis is shorter than inspecting all the memory areas to be inspected. Hence, in the PLC of the above configuration, the start-up after turning on the power is securely made faster.
Also, in one initial self-diagnosis, the self-diagnosis is made for only a part of all the memory areas to be inspected, a plurality of inspection units are sequentially self-diagnosed individually through the initial self-diagnosis <′>, every time the power is repeatedly turned on, whereby all the inspection units are self-diagnosed through the initial self-diagnosis. Hence, there is no inspection unit that is not self-diagnosed, and the reliability is not crippled.
The programmable controller of the invention may further comprise, in addition to the initial self-diagnosis unit, a normal self-diagnosis unit for self-diagnosing whether or not the RAM is normal by inspecting sequentially all the memory areas to be inspected from the first memory area to the last memory area in the sequence in which the address is allocated, while the programmable controller itself is normally operating.
In the PLC of the above configuration, the normal self-diagnosis is performed in addition to the initial self-diagnosis, the reliability is further increased. This normal self-diagnosis may start the inspection from the memory area in the top address at any time, as conventionally, or start the inspection from the memory area in the next address of the memory area for which the inspection is completed at the previous time after the power is turned off and then turned on again.
In the programmable controller of the invention, all the memory areas to be inspected may be divided into two memory area groups.
In the PLC of the above configuration, since the inspection unit is the memory area group in which all the memory areas are divided into two, the execution of the inspection is assured for all the memory areas to be inspected with the initial self-diagnosis when the power is turned on at the first time and the initial self-diagnosis when the power is turned on at the second time. That is, all the memory areas to be inspected are inspected because the power is turned on twice. Hence, even though the power is turned off due to some factors, if the power is thereafter turned on, all the memory areas to be inspected are completely inspected through the initial self-diagnosis after turning on the power, together with the initial self-diagnosis at the previous time, whereby the reliability is precisely secured.
In the programmable controller of the invention, the self-diagnosis unit may be normal self-diagnosis unit for performing the normal self-diagnosis while the programmable controller itself is operating, and the normal self-diagnosis unit may make the self-diagnosis for individual memory areas to which the address is allocated as the inspection units.
In the PLC of the above configuration, the self-diagnosis is performed as the normal self-diagnosis, and the normal self-diagnosis performed after the power is turned on starts the inspection from the memory area in the next address, continued from the memory area for which the inspection is already completed when the power is turned off at the previous time. Therefore, even if the power is repeatedly turned off in a short time at the stage before the normal self-diagnosis of one cycle is ended, the inspection for the inspection unit with later sequence of the address is securely performed along with the total time for which the power is turned on. Hence, this normal self-diagnosis can attain the sufficient reliability of the PLC.
Also, there is no variation in the number of inspections between the memory area with earlier sequence of the address and the memory area with later sequence.
The programmable controller of the invention may further comprise an emergency self-diagnosis unit for inspecting sequentially all the memory areas to be inspected from the first memory area to the last memory area in the sequence in which the address is allocated, immediately after the power is turned on, when the inspection unit to start the inspection can not be specified by the inspection start unit.
The state where the inspection unit to start the inspection can not be specified by the inspection start unit is an abnormal state, such as a state where all are reset to the initial state, state where the data stored in the data storage unit is lost, or state where the inspection start unit can not perform the processing based on this data the data stored in the data storage unit. In such abnormal state, all the memory areas to be inspected are sequentially inspected from the first memory area to the last memory area in the sequence in which the address is allocated in the PLC of the above configuration by the emergency self-diagnosis unit, immediately after the power is turned on. That is, the initial self-diagnosis is performed for all the memory areas, as conventionally. Hence, the reliability of the PLC is further increased.
In the accompanying drawings:
One embodiment of a PLC according to the present invention will be described below in detail with reference to the drawings.
The apparatus has a safety PLC 50, which is connected to an input device for safety 20 such as an emergency stop button, a human body detection sensor, or a detector for detecting the disconnection of a signal line, and the output device 30. This safety PLC 50 controls the output device 30 to the safety side, such as stopping the operation of the output device 30 by turning off the power of the output device 30, or activating the output device 30 to the side without causing danger, if a signal is inputted from the input device for safety 20, and implements a so-called “fail safe”. And the PLC according to the embodiment of the invention is employed as the safety PLC 50. Besides the safety PLC 50, the PLC according to the embodiment of the invention may be employed as the PLC for controlling the normal operation of the output device 30, like the PLC 40.
The safety PLC 50 will be described below in detail. The safety PLC 50, like the conventional PLC, is constituted of a computer comprising a CPU, a ROM and a RAM, and has a self-diagnosis function of self-diagnosing whether or not there is any failure in the RAM. Also, the safety PLC 50 of the embodiment performs the self-diagnoses, including an initial self-diagnosis made in preparation before starting the normal operation immediately after turning on the power, a normal self-diagnosis repeatedly performed at appropriate times during the normal operation, and an emergency self-diagnosis made at the emergency time such as when data stored inside is lost or the process based on data is not normally performed. As shown in
The normal self-diagnosis performed by the normal self-diagnosis unit 70 and the emergency self-diagnosis performed by the emergency self-diagnosis unit 80 are identical to those of the conventional self-diagnoses, in which the memory areas to be inspected are inspected sequentially from the memory area in the first address to the memory area in the last address in the sequence of the address, supposing that the memory areas to which the address is allocated are individual inspection units, but the initial self-diagnosis unit 60 performs the self-diagnosis differently from the conventional self-diagnosis.
The initial self-diagnosis unit 60 will be described below in detail. The initial self-diagnosis unit 60 performs the initial self-diagnosis for one inspection unit, every time the power is turned on, where the memory area groups into which all the memory areas to be inspected are subdivided are the inspection units. Also, the initial self-diagnosis unit 60 comprises data storage unit 61 and inspection start unit 62, as shown in
In the embodiment, all the memory areas to be inspected from the memory area in the first address to the memory area in the nth address are divided into two memory areas of the first memory area group and the second memory area group, as shown in
Therefore, immediately after the power is turned on, the safety PLC 50 of the embodiment performs the initial self-diagnosis for the next memory area group of the memory area group of one set that is one inspection unit for which the inspection is completed (made) immediately after the power is turned on at the previous time. For example, if the initial self-diagnosis for the first memory area group is made at the previous time when the power is turned on, the initial self-diagnosis is performed for the second memory area group at the next time when the power is turned on. Herein, in performing the initial self-diagnosis for the memory area group of one set, the memory areas to which the address is allocated are inspected sequentially in the sequence of the address by the almost same method as conventionally performed.
Although all the memory areas are divided into two in the embodiment, the memory areas may be divided into three or more. In this case, it is preferable that the memory areas are divided so that the memory area groups may be even. Because the time required to make the initial self-diagnosis every time of turning on the power can be constant.
Although in the embodiment the normal self-diagnosis of one cycle is repeatedly performed by the normal self-diagnosis unit 70 during the normal operation, as conventionally performed, this normal self-diagnosis unit 70 may perform the normal self-diagnosis by inspecting sequentially the memory areas to be inspected in the sequence of the address, where the memory areas to which the address is allocated are the inspection units, in which the normal self-diagnosis unit 70 may comprise data storage unit 71 for storing data pertaining to the inspection unit for which the inspection is completed, and inspection start unit 72 for starting the inspection from the next inspection unit of the inspection unit for which the inspection is already completed at the time before turning on the power, in performing the self-diagnosis made after turning on the power, based on the data stored in the data storage unit 71, as shown in parentheses in
In this manner, even if the power is turned off, before the inspection for all the memory areas to be inspected is completed, in other words, the normal self-diagnosis of one cycle is completed, it is possible to start the inspection from the memory area in the next address of the memory area <′> for which the inspection is already completed, without duplicately inspecting the memory area for which the inspection is already completed before turning off the power at the previous time, in performing the first normal self-diagnosis during the normal operation after turning on the power on at the next time. For example, in the case where the memory areas from the first address to the nth address are inspected, even if the power is turned off when the inspection is completed from the memory area in the first address to the memory area in the xth address (see the oblique line part in the figure shown in
When the inspection unit to start the inspection by the inspection start unit 62, 72 can not be specified in a state where the data stored in the data storage unit 61, 71 is lost, or a state where the self-diagnosis is not started from the next inspection unit by the inspection start unit 62, 72 even if the data is stored, there is possibility that the safety PLC 50 is abnormal. Thus, in such a case, all the memory areas to be inspected are sequentially inspected from the first memory area to the last memory area in the sequence in which the address is allocated by the emergency self-diagnosis unit 80, immediately after the power is turned on. That is, the emergency self-diagnosis having the same substance as the conventional initial self-diagnosis is performed. Thereby, when there is a failure inside the safety PLC 50, the failure is detected, preventing nonconformity that the normal operation is started with the possibility of the abnormal condition.
Referring to a flowchart of
First of all, immediately after turning on the power (at the timing of performing the first normal self-diagnosis during operation), it is determined at step S1O whether or not the inspection unit to start can be specified. Herein, the inspection unit is the memory area group (memory area), and if the inspection unit to start can be specified by the inspection start unit 62 (72), based on the data stored in the data storage unit 61 (71), that is, if the answer is “YES” at step S1O, the procedure goes to step S20 to perform the initial self-diagnosis (normal self-diagnosis process) to start the inspection from this inspection unit. Thereafter, the procedure goes to step S40.
On the other hand, if it is determined that the inspection unit can not be specified, that is, if the answer is “NO” at step S1O, the procedure goes to step S30 to perform the emergency self-diagnosis. Thereafter, the procedure goes to step S40.
At step S40, the data pertaining to the inspection unit for which the inspection is completed is stored in the data storage unit 61 (71), and the procedure is ended. Herein, the data storage unit 61 (71) may store the data itself indicating the inspection unit for which the inspection is completed, or the data indicating the inspection unit to start the inspection at the next time. Also, the data stored after the emergency self-diagnosis is performed is the data pertaining to the inspection unit to which the memory area in the last address belongs.
The timing of storing the data in the data storage unit 71 in the normal self-diagnosis may occur every time the inspection for individual inspection units is completed. However, in this case, since a process for storing the data is needed every time the inspection is completed, it takes a longer time to perform the normal self-diagnosis of one cycle while the safety PLC 50 is operating. Hence, power interruption detecting means for detecting that the power is turned off is provided separately, and after it is detected that the power is turned off by this power interruption detecting means, the data pertaining to the inspection unit for which the inspection is already completed is preferably stored, employing a back-up power source.
As described above, with the invention, noting the initial self-diagnosis, the time required for the initial self-diagnosis is shortened, whereby it is possible to provide the PLC in which the start-up after turning on the power is made faster. On the other hand, noting the normal self-diagnosis, the enough reliability is securely achieved, whereby it is possible to provide the PLC in which the uniform reliability for individual memory areas to be inspected is achieved.
The present invention relates to a technique for detecting a communication error between safety control devices which ensure safety of an object to be controlled.
Conventionally, control apparatuses, such as programmable controllers (PLCs), have been employed in factory automation (FA) for controlling mechanical devices. In recent years, such a control apparatus is desired to have a safety function of stopping a mechanical device when an anomaly occurs, to thus ensure safety. Hence, safety control devices equipped with such a safety function have been proposed (see, e.g., JP-A-2002-358106).
In FA, a plurality of control apparatuses are connected by way of communication lines and form a network system, to thus perform simultaneous control of a plurality of mechanical devices. Hence, a communication error which arises between safety control devices must be detected accurately for enhancing the reliability of the safety function.
Meanwhile, among safety control devices forming a network system as described above, communication is carried out with use of frames in accordance with, e.g., the high-level data link control (HDLC) protocol. During the course of communication, a communication error is detected by a parity check or by a cyclic redundancy check (CRC), and corrected.
The related-art parity check or the CRC can detect presence/absence of a bit error in a frame/however, the number of bits with errors cannot be detected. Accordingly, the number of bit errors which have occurred in a predetermined period of time cannot be determined accurately. This causes a bottleneck in enhancing the reliability of the safety function.
The present invention has been conceived in view of the above problem, and aims at providing a safety control device whose safety function is highly reliable, as well as a safety control system.
The invention also aims at providing a method for detecting a communication error which can enhance reliability of a safety function provided by a safety control device.
The invention defined in claim 1 is a safety control device for ensuring safety of an object to be controlled, including: a communication unit which is used for communication with another safety control device and uses a frame including a test bit string having correlation with a base bit string; and a detection unit which compares the test bit string included in the frame having been received from another safety control device with the base bit string, thereby determining the number of bit errors in the frame. In the invention, the test bit string has correlation with the base bit string. Accordingly, when the test bit string included in a frame having been received from another safety control device is compared with the base bit string in consideration of the correlation, the number of bit errors in the received frame can be determined accurately. Hence, since communication errors are detected accurately, reliability of a safety function for ensuring safety of an object to be controlled can be enhanced.
According to the invention defined in claims 2 and 4, at least a portion of the test bit string is a copied bit string of the base bit string. Accordingly, the number of bit errors can be determined easily by means of merely performing bit comparison between the base bit string and the copied bit string of the test bit string included in the received frame. Hence, a time required for comparing the test bit string with the base bit string for determining the number of bit errors is reduced.
When an error due to a stack out, in which a certain bit is fixed to “0” or “1,” has arisen in a copied bit string of a test bit string included in a received frame, detection of the bit error itself through bit comparison between the copied bit string and a base bit string sometimes fails.
According to the invention defined in claims 3 and 4, at least a portion of the test bit string is a reversed bit string of the base bit string. Therefore, even when an error due to a stack out has occurred in the bit string of the reversed bit string of the test portion included in the received frame, the error can be detected without fail by means of bit comparison between a re-reversed bit string—which is a re-inversion of the reversed bit string—with the base bit string. Therefore, the number of bit errors can be accurately determined.
Even when a bit error has occurred in a test bit string in a received frame, there may be a case where no change arises in the correlation between the test bit string and a base bit string. In this case, detecting the bit error through comparison between the test bit string and the base bit string becomes impossible.
According to the invention defined in claim 5, the base bit string and the test string vary with time while maintaining mutual correlation. Accordingly, even when detection of a bit error has failed at a certain point in time, the bit error can be detected by means of comparison between a base bit string and a test bit string, each of which has varied with time after the failure. Therefore, accuracy in determination of the number of bit errors can be enhanced.
According to the invention defined in claim 6, the frame includes the base bit string and the test bit string. Accordingly, the base bit string can be used in common among safety control devices which carry out communication, irrespective of time-varying changes in the base bit string. In addition, in such a case where an additional safety control device is to be connected to a system which is configured such that a plurality of safety control devices are connected together, a base bit string which is common to all the safety control devices can be embodied.
The invention defined in claim 7 further includes counting unit for incrementing a count value every configured cycle. The base bit string indicates the count value of the counting unit. Accordingly, the base bit string varies every configured cycle, whereby the test bit string having correlation with the base bit string also varies every configured cycle. Hence, comparison between the base bit string and the test bit string, which vary with time while maintaining mutual correlation, can be attained by means of a comparatively simple method.
The invention defined in claim 8 further includes storage unit for storing an accumulated value of the number of bit errors detected by the detection unit. Accordingly, the number of bit errors having occurred within, e.g., a predetermined period of time, can be determined accurately.
The inventions defined in claims 9 and 10 further include safety-ensuring unit which performs, when the accumulated value of the number of bit errors within a set period of time exceeds an allowable value, control for ensuring safety of the object to be controlled. Accordingly, when bit errors occur in a number exceeding the allowable value, safety of the object to be controlled can be ensured instantaneously, whereby the reliability of the safety function can be ensured. The invention defined in claim 11 is a safety control system configured such that a plurality of safety control devices defined in any one of claims 1 to 10 are connected by way of communication lines. Accordingly, effects of the safety control device defined in any one of claims 1 to 10 constituting the safety control system can be yielded.
The invention defined in claim 12 is a method by means of which a safety control device for ensuring safety of an object to be controlled detects an error in communication with another safety control device, including: a receiving step of receiving, from another safety control device, a frame including a test bit string having correlation with a base bit string; and a detection step of comparing with the base bit string the test bit string included in the frame having been received in the receiving step, thereby determining the number of bit errors in the frame. In the invention, the test bit string has correlation with the base bit string. Accordingly, when the test bit string included in the frame having been received from another safety control device is compared with the base bit string in consideration of the correlation, the number of bit errors in the received frame can be determined accurately. Hence, since a communication error is detected accurately, the reliability of a safety function for ensuring safety of an object to be controlled can be enhanced.
The invention defined in claim 13 is a method for detecting a communication error among a plurality of safety control devices for ensuring safety of an object to be controlled, including: a generation step of, in a first safety control device, generating a frame so that the frame includes a test bit string having correlation with a base bit string; a transmission step of transmitting to a second safety control device the frame generated by the first safety control device; and a detection step of, in the second safety control device, comparing with the base bit string the test bit string included in the frame having been received from the first safety control device, thereby determining the number of bit errors in the frame. In the invention, the test bit string has correlation with the base bit string. Accordingly, when, in the second safety control device, the test bit string included in the frame having been received from the first safety control device is compared with the base bit string in consideration of the correlation, the number of bit errors in the received frame can be determined accurately. Hence, since a communication error is detected accurately, the safety function for ensuring safety of an object to be controlled can be provided more reliably.
Meanwhile, in the inventions defined in claims 1 to 13, the term “bit string” is to be understood as encompassing data of one bit in addition to data whose bit length is two or larger.
In addition, the invention defined in claim 13 may be practiced such that at least one of a plurality of safety control devices is selected as the first safety control device, and at least another one of the same is selected as the second safety control device. In this case, the apparatuses selected as the first safety control device and as the second safety control device may be sequentially replaced with lapse of time.
In the accompanying drawings:
Hereinbelow, an embodiment of the present invention will be described by reference to the drawings.
In the safety control system 1, the safety control device denoted with reference numeral 10 functions as a master device, and the remaining safety control devices denoted with reference numerals 11 and 12 function as slave devices. An input device 3, such as an emergency button or a safety sensor, and an output device 4, such as a motor or a robot, are connected to each of the safety control devices 10 to 12 by way of communication lines 5. By means of cooperative operation of the respective safety control devices 10 to 12, the safety control system 1 controls the respective output devices 4 on the basis of input data supplied from the respective input devices 3, thereby ensuring safety of the respective output devices 4.
As shown in
As shown in
The MPU 22 is connected to the input/output module 30 by way of the bus module 40. The MPU 22, which has ROM 27, executes a program stored in the ROM 27, thereby controlling the HDLC controller 24 and the input/output module 30. In particular, the ROM 27 in the safety control device 10 stores a sequence program written in a ladder language. The MPU 22 of the safety control device 10 executes the sequence program, thereby controlling the entire safety control system 1. More specifically, the safety control device 10 can be considered a programmable controller (PLC); and the safety control system 1 including the same can be said to be a PLC system. In the RAM 23, a variety of data—such as a count value and the number of bit errors—exchanged between the MPU 22 and the HDLC controller 24, and between the MPU 22 and the input/output module 30 are stored sequentially.
The interface 25 has an output connector 28 and an input connector 29. The output connector 28 is connected, by way of a communication line 2, to one of the other two safety control devices other than that on which the output connector 28 is disposed. The input connector 29 is connected to the other one of the safety control devices by way of another communication line 2.
The HDLC controller 24 generates a frame in conformance with the HDLC protocol, and transmits the thus-generated frame to a safety control device-connected to the output connector 28. The HDLC controller 24 analyze and processes, among frames received from a safety control device connected with the input connector 29, a frame which includes a portion indicating the safety control device on which the HDLC controller 24 is disposed as the destination of the frame. By means of utilizing a result of this analysis, the HDLC controller 24 processes a communication error. In addition, the HDLC controller 24 transmits to the safety control device connected with the output connector 28, among the received frames, a frame which includes, as the destination of the frame, a safety control device other than the safety control device equipped with the HDLC controller 24.
The input/output module 30 is connected to the input device 3 and the output device 4 by way of the communication lines 5. Upon receipt of a command from the MPU 22 connected by way of the bus module 40, the input/output module 30 supplies to the MPU 22 data pertaining to the input device 3. Upon receipt of a command from the MPU 22, the input/output module 30 powers-on/powers-off the output device 4.
In the safety control system 1 configured as above, the MPU 22 of the safety control device 10 manages communication of the entire safety control system 1 in accordance with the sequence program of the ROM 27. Under this management, the respective safety control devices 10 to 12 carry out communication with use of frames, in a predetermined order per cycle.
Heretofore, an overview of the safety control system 1 has been described.
Hereinbelow, features of the safety control system 1 will be described in more detail.
First, a frame for use in communication among the respective safety control devices 10 to 12 will be described in detail.
As schematically shown in
The flag sequence F is a bit string of one byte, and defined as “01111110” in the HDLC protocol. The destination address portion DA is a bit string of one byte indicating an address of a safety control device serving as the destination of the frame. The source address portion SA is a bit string of one byte indicating an address of a safety control device serving as the source of the frame. The frame-type portion FT is a bit string of two bytes indicating a frame type defined by a combination of: a command description for the destination of the frame, a serial number of the frame, information pertaining to occurrence of a serial failure, and the like. The bit length portion L is a bit string of two bytes indicating a total bit length of the information portion I and the test portion T.
The information portion I is a bit string of one byte or larger which indicates a plurality of control data sets to be supplied to the destination of the frame. In the present embodiment, the last one byte of the information portion I is a base bit string B which indicates, among control data sets to be supplied to the destination of the frame, a count value stored in the RAM 23 of the source of the frame. The test portion T is a test bit string of two bytes, and includes a copied bit string C, which is a copy of the base bit string B/ and a reversed bit string R, which is an inversion of the base bit string B. The frame check sequence FCS is a bit string of two bytes indicating data for the CRC.
Next, generation of a frame by the HDLC controller 24 of one of the safety control devices 10 to 12 will be described.
Upon receipt of a command from the MPU 22, the HDLC controller 24 in the safety control device 10, 11, or 12 executes frame-generation processing. More specifically, the HDLC controller 24 generates the destination address portion DA, the source address portion SA, and the frame-type portion FT so as to respectively indicate a destination address, a source address, and a frame type supplied from the MPU 22.
In addition, the HDLC controller 24 generates the base bit string B so that the base bit string B indicates a count value of the RAM 23 at a start time of processing. The thus-generated base bit string B is merged with a bit string indicating control data supplied from the MPU 22, thereby generating the information portion I. Simultaneously, the HDLC controller 24 generates the copied bit string C, which is a copy of the base bit string B, and the reversed bit string R, which is an inversion of the base bit string B, thereby generating the test portion T constituted of the bit strings C and R. Furthermore, the HDLC controller 24 generates the bit length portion L from the thus-generated information portion I and the test portion T.
Still furthermore, the HDLC 24 generates the frame check sequence FCS from the thus-generated respective portions DA, SA, FT, I, T, and L.
Next, analysis of a frame by the HDLC controller 24 of each of the safety control devices 10 to 12 will be described.
Upon receipt of a frame to be analyzed, the HDLC controller 24 in the corresponding one of the safety control device 10 to 12 executes frame-analysis processing. More specifically, the HDLC controller 24 extracts a frame type from the frame-type portion FT of the frame to be analyzed, and supplies the thus-extracted frame type to the MPU 22. In addition, the HDLC controller 24 extracts data for the CRC from the frame check sequence FCS of the frame to be analyzed, and executes the CRC by utilization of the thus-extracted data.
Furthermore, the HDLC controller 24 extracts the copied bit string C and the reversed bit string R from the test portion T of the frame to be analyzed, and supplies the MPU 22 with the thus-extracted bit strings C and R. Simultaneously, the HDLC controller 24 extracts the base bit string B from the information portion I of the frame to be analyzed, and supplies the MPU 22 with the thus-extracted base bit string B.
Next, a method for processing a communication error executed by the safety control devices 10 to 12 will be described by reference to a flowchart shown in
In each of the safety control device 10 to 12, when the bit strings C, R, and B are supplied from the HDLC controller 24, the MPU 22 executes processing of a communication error. More specifically, the MPU 22 performs bit comparison between the copied bit string C and the base bit string B, sequentially from the highest order bit or from the lowest order bit. Simultaneously, the MPU 22 performs bit comparison between a re-reversed bit string R′, which is a re-inversion of the reversed bit string R, and the base bit string B, sequentially from the highest order bit or from the lowest order bit (step S1). When, consequently, a bit which fails to match at least one of the bit strings C and R′ is detected in the reference bit B (step S2), the MPU 22 stores the cumulative number of the thus-detected bits in the RAM 23 as the number of bit errors (step S3). This storage of the number of bit errors into the RAM 23 is performed in such a manner as to add the number of error bits onto the number of bit errors having been stored in advance. Meanwhile, the MPU 22 also has a function of updating the number of bit errors stored in the RAM 23 every set period of time. Accordingly, the number of bit errors stored in the RAM 23 is an accumulated value within the set period of time. As described above, the MPU 22 monitors the number of bit errors stored in the RAM 23. When the accumulated value of the number of bit errors in the set time; that is, a bit error rate, exceeds an allowable value (step S4), the MPU 22 determines that a serious failure has occurred (step S5 and S9).
When the MPU 22 of the safety control device 10 determines that a serious failure has occurred (step S5), the MPU 22 powers off the output device 4 connected to the input/output module 30 of the same safety control device 10 (step S[beta]). In conjunction therewith, the MPU 22 of the safety control device 10 causes the HDLC controller 24 to generate and transmit frames including the frame-type portion FT which indicates a frame type commanding power-off of the output devices 4, and the destination address portion DA whose destination addresses are the safety control devices 11 and 12 (step S6). Consequently, in each of the safety control devices 11 and 12 which has received the frame, the command to power-off the output device 4 is extracted from the frame-type portion FT and supplied to the MPU 22 in accordance with an analysis performed by the HDLC controller 24 (step S7). The MPU 22 powers-off the output device 4 connected to the input/output module 30 (step S8).
When the MPU 22 determines that a serious failure has occurred in the safety control device 11 or 12 (step S9), the MPU 22 causes the HDLC controller 24 to generate and transmit a frame including the frame-type portion FT which indicates a frame type indicating occurrence of the serious failure, and the destination address portion DA whose destination address is the safety control device 10 (step S10). Consequently, in the safety control device 10 which has received the frame, data pertaining to occurrence of the serious failure is extracted from the frame-type portion FT and supplied to the MPU 22 in accordance with analysis performed by the HDLC controller 24 (step S1). The same processing as in the case where the MPU 22 has determined that a serious failure has occurred is executed (steps S6 to 8). Therefore, all the output devices 4 connected to the input/output modules 30 of the respective safety control devices 10 to 12 are powered-off.
As described above, the HDLC controllers 24 of the respective safety control devices 10 to 12 correspond to communication unit; the MPUs 22 of the same correspond to detection unit and safety-ensuring unit; and pieces of RAM 23 and the MPUs 22 correspond to storage unit.
Next, storage of a count value in the RAM 23 of each the safety control devices 10 to 12 will be described.
In the safety control device 10, the MPU 22 increments a count value of the RAM 23 every time the MPU 22 starts one communication cycle.
In each of the safety control devices 11 and 12, the HDLC controller 24 performs analysis of the information portion I of the frame to be analyzed having been received from the safety control device 10 as described above, thereby extracting the base bit string B. The MPU 22 stores in the RAM 23 a count value indicated by the thus-extracted base bit string B. Accordingly, count values to be stored in the pieces of RAM 23 of the safety control devices 11 and 12 are basically those having been incremented every configured cycle.
Thus, the MPUs 22 of the respective safety control devices 10 to 12 correspond to counting unit. The process of steps S1-5 and S9 corresponds to a method for detecting an error according to the present invention.
The above-described safety control system 1 uses a frame including the test portion T formed from the copied bit string C of the base bit string B, and the reversed bit string R of the base bit string B during the course of communication among the respective safety control devices 10 to 12. Accordingly, each of the safety control devices 10 to 12 performs bit comparison between the copied bit string C of the test portion T of a received frame and the base bit string B, thereby attaining immediate determination of the number of bit errors having occurred in the frame. In addition, even when a bit error due to a stack out has occurred in the bit string C of the test portion T of the received frame, to thus hinder detection of the number of errors by means of bit comparison between the copied bit string C and the base bit string B, determination of the number of bit errors can be attained by means of performing bit comparison between the re-reversed bit string R′ of the reversed bit string R and the base bit string B. As described above, each of the safety control devices 10 to 12 compares the respective bit strings C and R of the test portion T included in a received frame in accordance with correlation with respect to the base bit string B, thereby attaining accurate detection of the number of bit errors included in the frame.
Furthermore, each of the safety control devices 10 to 12 of the safety control system 1 generates a base bit string B of the frame so that the reference bit B indicates a count value to be incremented every configured cycle. Therefore, the base bit string B varies with time; and accordingly, the test portion T generated from the copied bit string C of the base bit string B, and the reversed bit string R of the base bit string B also vary with time while maintaining correlation with the base bit string B. Hence, in such a case where, in spite of occurrence of a bit error in the bit strings C and R of the test portion T in the received frame, at a certain point in time, correlation between the bit string C and the base bit string B, or that between the bit string R and the base bit string B, does not exhibit any change, whereby error detection is prevented, the error can be detected by means of comparing a base bit string B which has subsequently varied with time, and respective bit strings C and R which have also varied with time. In other words, accuracy in determination of the number of bit errors is enhanced.
Furthermore, according to the safety control system 1, when any one of the safety control devices 10 to 12 determines occurrence of such a serious failure that the accumulated value of the number of bit errors in a set period of time exceeds an allowable value, all the output devices 4 connected to the respective safety control devices 10 to 12 are powered-off. Accordingly, safety of all the output devices 4 to be controlled is secured instantaneously.
As described above, according to the safety control system 1, accuracy in determination of the number of bit errors which represents communication errors is improved; and, furthermore, safety of all the output devices 4 can be secured instantaneously by utilization of the result of the detection. Hence, high reliability of safety function can be ensured.
Moreover, a frame including the base bit string B, in addition to the test portion T, is utilized in communication among the respective safety control devices 10 to 12 of the safety control system 1. Accordingly, the base bit string B which varies with time as described above can be used in common by all the safety control devices 10 to 12. In addition, in such a case where another safety control device of similar configuration with the safety control device 11 or 12 is to be additionally connected to the safety control system 1 shown in
Hithertofore, an embodiment of the present invention has been described; however, the present invention should not be understood to be limited to the embodiment. For instance, in the above-described embodiment, the single input device 3 and the single output device 4 are connected to each of the safety control devices 10 to 12 respectively. However, the number of input devices and output devices to be connected to the safety control device can be set arbitrarily.
In addition, in the embodiment, of the safety control devices 10 to 12, only the safety control device 10 functioning as a master device is configured as a PLC. However, the safety control device functioning as a slave device may also be configured as a PLC.
Furthermore, in the above-mentioned embodiment, the communication module 20 and the input/output module 30 of each of the safety control devices 10 to 12 are configured as separate modules connected by way of the bus module 40. However, such a communication module and an input/output module may be configured as a single module.
Still furthermore, in the embodiment, the test portion T serving as a test bit string is formed from a copied bit string C of the base bit string B, and the reversed bit string R of the base bit string B. For instance, however, the test portion T may be formed from only one of the copied bit string C and the reversed bit string R. Alternatively, the test portion T may be configured such that the test portion T is formed from only the copied bit string C at a certain point in time, and the same is formed from only the reversed bit string R at another point in time. Even when a bit string which constitutes the test portion T is formed so as to vary with lapse of time, the test portion T can be embodied by means of a comparatively easy method.
As described above, according to the invention, there is provided a safety control device whose safety function is highly reliable, as well as a safety control system. The invention also provides a method for detecting a communication error which can enhance reliability of a safety function provided by a safety control device.
Number | Date | Country | Kind |
---|---|---|---|
P.2004-221736 | Jul 2004 | JP | national |
This application contains subject matter related to Japanese and International applications JP2004-221736, JP2004-222101, PCT/JP2005/013888 and PCT/JP2005/013889, the entire contents of which being incorporated herein by reference in their entirety. Priority applications PCT/JP2005/013889 and JP2004-221736 were filed on Jul. 22, 2005 and Jul. 29, 2004 respectively.
Number | Date | Country | |
---|---|---|---|
Parent | PCT/JP2005/013889 | Jul 2005 | US |
Child | 11668242 | Jan 2007 | US |