This application is a National Stage application of PCT/JP02/06243, filed Jun. 21, 2002, which claims priority from Japanese patent application 2001-190419, filed Jun. 22, 2001. The entire contents of each of the aforementioned applications are incorporated herein by reference.
The present invention relates to a safe network system, safe slaves, and a communication method.
A programmable controller (hereinafter referred to as PLC) used in factory automation (hereinafter referred to as FA) performs its control function by entering ON/OFF information from input devices such as switches and sensors; executing logical calculation along a sequence program (also referred to as a user program) written in ladder language; and outputting ON/OFF information signals to output devices such as relays, valves, and actuators in accordance with the obtained calculation results.
In some cases, the input and output devices are directly connected with the PLC, and in other cases, these devices are connected via a network. In a network system established with this network, the ON/OFF information is transmitted and received via the network. In this case, information is exchanged by a master-slave system where the PLC is the master and the devices are slaves.
On the other hand, a fail-safe system has been recently introduced into the control by a PLC. In this fail-safe system the network has a safety function therein, not to mention the PLC and devices. The term “safety function” indicates the function of verifying safety and performing an output. A safe system indicates that if the network system causes a dangerous condition, for example, an emergency shutdown switch is pushed or a light curtain or another sensor detects entry of a person (part of the body), fail-safe works and the system is shifted to the safe side to stop the operation. In other words, the system allows an output and machine operation only when the safety function verifies safety. If safety is not verified, the machines come to a stop.
Some facility systems are equipped with production robots, pressure press machines and cutting machines, which are operated by men. In such a workplace there is a risk of dangerous accidents, such as the arm of a production robot touching a man's body, the pressure of a pressure press machine being applied on a part of a man's body, or the blade of a cutting machine touching a man's body. In an attempt to prevent such accidents, if there is a dangerous condition, the facility system brings the operation of the facility to a standstill (stops the operations of the production robots, pressure press machines and cutting machines). In some cases these machines are not brought to a full stop, but their operations are slowed down enough not to cause a danger to a person by reducing the moving speed of the arm of the production robot or decreasing the pressure of the pressure press machine. Thus, the safe system performs control that keeps the facility system out of a dangerous condition.
In the network system equipped with the aforementioned safety function (safe network system), it is necessary to fix a maximum response time elapsed between the occurrence of an abnormal or dangerous condition and the execution of a safety operation (stopping of the operation of a device, for example). To be more specific, as is well known, in the case where information is transmitted by the master-slave system, as shown in
According to the specific procedure of data transmission and reception between the safe PLC and the safe slaves, the safe PLC makes a request to one of the safe slaves connected with the safe network, and the safe slave that received the request sends back safety information. For example, when there are three safe slaves ① to ③, the safe PLC can make a request to the safe slaves ①, ②, and ③ in this order to collect safety information from the three safe slaves in the same order.
Since the sequence of sending back a safety response from the safe slaves is fixed in one communication cycle, the safety response from the safe slave ① is transmitted comparatively quickly to the safe PLC, whereas the safety response from the safe slave ③, which is the last in one communication cycle, is transmitted late.
As the number of slaves (nodes) to be connected increases, the time for one communication cycle gets longer. The result is that the aforementioned maximum response time becomes longer. Consequently, in the same communication cycle, the data to be received first and the data to be received last have a larger time difference. Hence, when a safe system is designed, the maximum response time must always be taken into consideration.
On the other hand, when a danger (a failure or a dangerous factor) has actually been detected, it is ideal to perform safe control (output interruption) as soon as possible. To be more specific, when the safe system is designed by taking the maximum response time into consideration, if information about an abnormality (danger) can be reported early in one communication cycle, the time elapsed between the report and the maximum response time becomes longer (safe margin becomes larger), so as to carry out the safety function more securely and to make fail-safe work with a sufficient amount of time, thereby shifting the system to the safe side and stopping the operation.
However, the communication inside the network is under the control of the PLC side which is the master, so it has been impossible for the conventional system to make the slave which has detected a danger transmit safety information early in one communication cycle. In other words, the PLC cannot know there is a slave in an abnormal (dangerous) condition until it receives safety information (the presence of a danger) from all the slaves. Therefore, all it can do is to acquire safety information from the slaves in turn in accordance with the predetermined rule (the sequence of node addresses, for example).
This invention has an object of providing a safe network system, safe slaves, and a communication method which can inform the master (controller) and other devices of the occurrence of an abnormality (a danger) detected by a safe slave or the like as soon as possible.
The safe network system of the present invention is composed of a safe controller and safe slaves which are connected with each other via a safe network. The safe controller has the function of transmitting a request for safety information by broadcast message to the safe slaves. The safe slaves are each provided with a safety information transmission function for transmitting safety information indicative of whether it is in a safe condition or not, and a changing means for changing the priority of a transmission frame which carries the safety information. The changing means is designed so as to set the priority higher when the safe slave is not in a safe condition than when it is in a safe condition.
The term “set the priority high” means that the priority becomes higher when the slave is in a dangerous condition than in a safe condition. To be more specific, it is possible to raise the priority when the safe slave is not in a safe condition by using the safe condition as the reference, or to lower the priority when the safe slave is in the safe condition by using an unsafe condition as the reference. In the latter case, the priority becomes higher when the safe slave is not in a safe condition, making it possible to transmit its safety information earlier than the safety information of the other safe slaves as will be described below.
The safe slave of the present invention is a safe slave to be connected with a safe network system which is composed of a safe controller and safe slaves connected with each other via a safe network, and is provided with a safety information transmission function for transmitting safety information indicative of whether the safe slave is in a safe condition or not; and a changing means for changing the priority of a transmission frame which carries the safety information, the changing means setting the priority higher when the safe slave is not in the safe condition than when the safe slave is in the safe condition.
The communication method of the present invention is a communication method in a safe network system composed of a safe controller and safe slaves which are connected with each other via a safe network. The safe controller provides the safe slaves connected with the safe network a transmission request for safety information by broadcast message at a prescribed timing. Then, the safe slave that received the transmission request transmits safety information indicative of whether or not the safe slave is in a safe condition as a response to the transmission request. In this case, the priority is changed according to the contents of the safety information to be transmitted.
The safety information is information for the fail-safe control of the system. One example of the safety information is information indicative of whether a safety device connected to the safe slave is in a safe condition or not (whether or not the emergency shutdown button has been pushed, whether or not entry of a man into a dangerous zone has been detected, or the like). Another example is information indicative of whether the safe slave or the safety device itself is in a safe condition or not (whether the safe slave has a failure or abnormality, or whether the safety device has a failure or abnormality, or the like). Yet another example is information indicative of whether the network is in the safe condition or not (whether or not there is an error in the network communication due to noise or there is a communication abnormality due to network interruption).
The term “safety function” indicates a so-called fail-safe function, which is a system to produce an output and to operate the machine provided that the system is in a safe condition. When the system is not in the safe condition, the output is stopped. When an abnormality occurs in the control of the controller or there is a communication abnormality, the control is shut down and the operation of the controller is stopped so as to keep the devices for output and the control devices in a safe condition.
This control shutdown is required, for example, in the following dangerous conditions: when the CPU and other processing parts of the controller are doubled in number and a disagreement between them has been detected; when the network has an abnormality due to some reason; when the emergency shutdown switch of the machine system has been pushed; and when entry of a man (or part of the body) into the dangerous region has been detected by a multi-optical axis photoelectric sensor such as a light curtain. In these cases, the safety function secures the safe operation of the machine system which is the control target; brings the operation into a stop under the safe condition in addition to this operation; or makes fail-safe work so that the operation of the machine system is forcibly stopped in the safe condition.
In this invention, when the safe slave transmits safety information (safe/abnormal (dangerous) or the like) in response to the request from the safe controller, the priority is set according to the contents of the safety information. Therefore, the transmission frame indicative of the occurrence of an abnormality (danger) is assigned a higher priority and is transmitted to the safe controller earlier than the other transmission frames indicative of safety information (safety) of the other safe slaves. In short, the safety information with the higher priority is transmitted early in one communication cycle. Hence, when the safe slave or another device has detected an abnormality (danger), it can be reported to the master (safe controller) as soon as possible.
Thus, the present invention has a feature that in the transmission of transmission frames of the same kind such as a safety response, the priority is changed with changing external factors such as the detection of an abnormality (danger). A system (communication protocol) for transmitting a transmission frame with a higher priority earlier than the other transmission frames provided with priority information can be realized by various kinds of conventional algorithms.
The safe controller of the present invention, as will be described in the embodiment, includes not only PLC (master), but also a configuration tool, a monitoring tool, a monitor device and the like, which are connected with the safe network.
a) shows a diagram of an example of the data configuration of the transmission frame, and
a) and 7(b) show a diagram explaining the effects.
a) and 8(b) show a diagram explaining the effects.
The present invention will be described in detail as follows with reference to the appended drawings.
All the devices composing this safe network system have a safety function (fail-safe) contained therein. This safety function verifies safety and produces an output (control). In a dangerous condition, fail-safe works to shift the system to the safe side, thereby stopping the operation. To be more specific, the safe system enables fail-safe to work so as to shift the system to the safe side, thereby stopping the operation when the network system is put in a dangerous condition, such as when the emergency shutdown switch of the machine system has been pushed or when a light curtain or another sensor has detected entry of a man (or part of the body) into the dangerous region. In other words, the safe system produces an output and operates the machines only when the safety function verifies safety. Therefore, if safety is not verified, the machines come to a stop.
Next, of these safety functions, the transmission and reception of information which is the main part of the present invention will be described as follows. The safe PLC1 has a communication facility built therein so as to perform the exchange of information with the safe slaves 2 by the master-slave system. Basically in the same manner as the conventional system, the safe PLC1 makes a request to one of the safe slaves 2 via the safe network 3, and the safe slave 2 that received the request sends back safety information as a safety response.
In the present invention, the request from the safe PLC1 is a broadcast message, and the safe slaves 2 connected with the safe network 3 can respond to the safe PLC1 at the same time (it goes without saying that the safe PLC1 actually receives the safety response from one safe slave 2 at a time). To be more specific, the system is provided with the function of performing the operation shown in the flowchart of
When the power is turned on, the safe PLC1 makes a transmission request by a broadcast message to the safe slaves at the prescribed timing (ST1, ST2). Later, the safe PLC1 waits for a response to come from the slaves until the timeout of the reception time (ST3, ST4). The timeout of the reception time occurs when the time which is set as one communication cycle time has elapsed after a transmission is requested.
As will be described later, when responses from all target slaves have not been received before the timeout of the reception time, it is concluded that there has been an abnormality on the network, so the flow jumps to step 7 to stop the communication process and to interrupt the output (ST8). In short, a fail-safe process in the ordinary abnormality time is executed. In the example of this flowchart, it is designed that communication stops immediately when there is a safe slave that fails to give a response. Alternatively, by allowing a margin of one cycle, a safe slave that fails to give a response two times in succession may be regarded as an abnormality, and the communication is then stopped.
On the other hand, when there is a response from a safe slave (Yes in the branch determination of Step 4), the flow goes to step 5 to determine whether the contents of the safety response (received safety information) indicate a safe condition or not. When there is an abnormality (danger), the flow goes to step 7 to stop the communication and to execute an output interruption process in the same manner as when the timeout of the reception time is received (ST7, ST8).
When the received contents indicate a safe condition, it is determined whether the responses from the target slaves, that is, all the safe slaves 2 connected with the safe network 3 have been received or not (ST6). Needless to say, for this determination, the process of storing the numbers of the safe slaves from which safety responses have been received is performed. When there is a safe slave from which a safety response has not been received, the flow goes back to step 3 to wait for the reception of a next safe slave. When responses have been received from all the safe slaves, the communication cycle this time is complete, and the flow goes back to step 2 where transmission is requested to the safe slaves by broadcast message for the next communication cycle. Hereafter the aforementioned processes are repeated.
On the other hand, the safe slave 2 transmits a transmission frame (safety response) equipped with a priority of transmission, and is provided with a changing function for changing the priority of the transmission frame. This changing function makes a safety response in a safe condition which is the normal condition have a low priority of transmission, and raises the priority of transmission only when the safe slave 2 (the safety device connected to it) has detected the presence of a danger.
According to the communication protocol, as will be described later, a transmission frame with a high priority can be transmitted on the safe network 3 ahead of others so as to reach the safe PLC1 quickly. The result is a reduction in the response time when the presence of a danger has been detected.
The safe slave 2 has an internal structure shown in
It is possible that the safe slave 2 itself can be the safety device, and in that case the safety device interface 22 becomes a safety device part for detecting whether it is safe or not. The aforementioned configuration and theory of operation of the safe slave 2 are not explained in detail here because they are the same as conventional devices.
In the present invention, the safe slave 2 has a priority-of-transmission control part 26 which provides the transmission frame carrying safety information with priority information. The priority-of-transmission control part 26 sets an abnormality flag on detecting the presence of an abnormality (danger) from the IO information of the safety device interface 22. The detection of a danger includes the cases that the emergency shutdown button has been pushed or entry of a man into a dangerous area has been detected.
The MPU 23 generates and outputs a transmission frame with a raised priority when the abnormality flag is on. The processing function of the MPU 23 in the present invention is shown in the flowchart of
Thus, in the present embodiment, the priority assigned to the same kind of transmission frames indicating safety response (safety information) is changed based on the presence or absence of an abnormality resulting from external reasons such as the pushing of the emergency shutdown button or the detection of entry of a man into a dangerous area, or the presence or absence of an abnormality resulting from internal reasons such as a failure or an abnormality of the safe slave itself and the safety device.
The following is a description about how a transmission frame with a high priority is transmitted earlier than the other transmission frames to the safe PLC1 as the master by outputting a transmission frame containing the priority information. First, as shown in
The address part stores a receiver's address and a transmitter's address. The data part stores safety information. The safety information includes the distinction between safety and an abnormality (danger), or the contents of an abnormality, if any. When the contents of such an abnormality are spontaneously transmitted from the safe slave, it is preferable to transmit it in the fourth place.
On the other hand, the transmission and reception of data on the safe network 3 by the network interface 21 and communication protocol are based on CAN (Controller Area Network). As is well known, in CAN, priorities are managed by the data link layer, and when the data on the communication line are wired ORed, and data “1” and data “0” are overlapped, data “0” appear on the line.
Assume that three safe slaves concurrently transmit the data shown in
In this case, each safe slave 2 transmits its transmission frame (safety information) and monitors the data on the line to determine whether the data on the line agree with the data that it has transmitted. When these data do not agree, the safe slave determines that it is not authorized for transmission this time and stops the transmission of the subsequent data. For example, in
When the transmission from the safe slave ① is thus complete, no communication is carried out on the line, so the safe slaves ② and ③ which have not finished data transmission restart the transmission of data (the safe slave which has finished the transmission of a safety response does not perform transmission until the next request arrives). In this retransmission, too, according to the same principle as described above, one of the safe slaves completes data transmission, making it possible that the safety response from this safe slave is received by the safe PLC.
Through the repetition of such processes, all the safe slaves 2 can transmit safety responses within one communication cycle. As for the sequence of communication, if all the safe slaves have the same priority of transmission, the leading two bits are the same and the receiver's address is also identical; however, the transmitters' addresses are different. Therefore, the transmission of safety responses by the nodes is performed in descending order of transmitters' addresses.
On the other hand, when a safe slave 2 suffers an abnormality (danger) and the priority information becomes “00”, the other safe slaves 2 in the safe condition have transmission frames whose priority information is “01”, so these safe slaves in the safe condition do not transmit the third and the subsequent bits of data because the second bit of the priority information is different from the data on the line. As a result, the safety response from the safe slave 2 in the abnormal condition can be transmitted to the safe PLC1 ahead of others.
Therefore, when the safe slaves are all in the safe condition, as shown in
On the other hand, when a danger has been detected (the occurrence of an abnormality) from the safe slave ③, in the conventional case, the sequence of transmission is ①, ②, and ③ as shown in
In this manner, the response of the safe slave from which a danger has been detected is transmitted ahead of others, so in the safety interruption part (safety monitor or master), the data from the safe slave from which a danger has been detected can be received ahead of others, thereby speeding up the safety operation. As a result, in the condition where the safe system is working properly, the effective response time of the system to be operated inherently when a dangerous factor has been detected is speeded up.
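The arbitration and its effect on detection time described above, as an added example that is not code from the patent: a C simulation of dominant-0 bitwise arbitration over a frame header made of 2 priority bits, a 4-bit receiver address and a 4-bit transmitter address, followed by the master stopping on the first abnormal response. The master address 0, slave addresses 1 to 3, the header packing and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define PRIO_ABNORMAL 0x0u /* "00": danger detected, wins arbitration */
#define PRIO_SAFE     0x1u /* "01": normal safety response */
#define ADDR_BITS     4    /* 4-bit addresses: at most 16 safe slaves */
#define ARB_BITS      (2 + 2 * ADDR_BITS)
#define MAX_SLAVES    16

typedef struct {
    uint8_t addr;  /* transmitter address (assumed unique per slave) */
    int abnormal;  /* abnormality flag set from the safety device I/O */
} slave_t;

/* Header sent MSB first: priority(2) | receiver(4) | transmitter(4).
 * use_priority = 0 models the conventional case (priority never raised). */
static uint16_t arb_field(const slave_t *s, uint8_t master, int use_priority)
{
    unsigned prio = (use_priority && s->abnormal) ? PRIO_ABNORMAL : PRIO_SAFE;
    return (uint16_t)((prio << (2 * ADDR_BITS)) |
                      ((unsigned)(master & 0xFu) << ADDR_BITS) |
                      (s->addr & 0xFu));
}

/* One arbitration round. Every pending node drives its header bit by bit;
 * the line carries 0 whenever any node sends 0. A node that reads back a
 * level different from the bit it sent stops transmitting.
 * Returns the index of the node that completes its frame, or -1. */
static int arbitrate(const uint16_t *field, const int *pending, int n)
{
    int active[MAX_SLAVES];
    for (int i = 0; i < n; i++) active[i] = pending[i];
    for (int bit = ARB_BITS - 1; bit >= 0; bit--) {
        unsigned bus = 1u;
        for (int i = 0; i < n; i++)
            if (active[i]) bus &= (field[i] >> bit) & 1u;
        for (int i = 0; i < n; i++)
            if (active[i] && ((field[i] >> bit) & 1u) != bus) active[i] = 0;
    }
    for (int i = 0; i < n; i++)
        if (active[i]) return i;
    return -1;
}

/* One communication cycle after the broadcast request. Losers retry once
 * the line is idle. The master records each response and stops on the
 * first abnormal one. Returns the 1-based frame slot in which the danger
 * reached the master, or 0 if every slave reported a safe condition. */
static int run_cycle(const slave_t *slaves, int n, uint8_t master,
                     int use_priority, uint8_t *order, int *received)
{
    uint16_t field[MAX_SLAVES];
    int pending[MAX_SLAVES];
    *received = 0;
    if (n > MAX_SLAVES) n = MAX_SLAVES;
    for (int i = 0; i < n; i++) {
        field[i] = arb_field(&slaves[i], master, use_priority);
        pending[i] = 1;
    }
    for (int slot = 1; slot <= n; slot++) {
        int w = arbitrate(field, pending, n);
        if (w < 0) break;
        pending[w] = 0;
        order[(*received)++] = slaves[w].addr;
        if (slaves[w].abnormal) return slot; /* output interruption */
    }
    return 0;
}

int main(void)
{
    /* Constructed scenario: slave 3 has detected a danger. */
    slave_t s[3] = { {1, 0}, {2, 0}, {3, 1} };
    uint8_t order[MAX_SLAVES];
    int got;
    int fixed = run_cycle(s, 3, 0, 0, order, &got);
    int raised = run_cycle(s, 3, 0, 1, order, &got);
    printf("fixed priority: danger seen in slot %d\n", fixed);
    printf("raised priority: danger seen in slot %d\n", raised);
    return 0;
}
```
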
As for the relation between the transmission frame shown in
Since the address part is composed of 4 bits (in the case where it corresponds to 16 safe slaves at the maximum),
Therefore, the case with the transmission frames shown in
As shown in
Although the safe controller explained in the aforementioned embodiment is a PLC (master), the safe controller of the present invention is not restricted to this and contains a device for collecting and monitoring information such as a configuration tool or a monitoring device.
The aforementioned embodiment shows an example where the slaves exchange I/O information with the master unit, and exchange the I/O information with the controller (PLC) via the master unit. The master unit and the slaves are in the master-slave relation where the appropriate slave sends back a response to the request from the master. However, the slave referred to in the present invention is not restricted to those that perform master-slave communication. In short, although it is referred to as the slave, it can use an arbitrary communication system. In this aspect, strictly speaking, the slave of the present invention includes a different concept from the slave generally defined.
The request from the safe controller is based on the command that the slave has received via the safe network, and that is generated outside the slave. Some examples of such a request are, in addition to an information request command from the master to the slave as explained in the embodiment, an information request command from the monitoring device (monitoring tool) to the slave, an information request command from a configurator (configuration tool), and a command which is transmitted from a tool via the PLC or the master.
According to the present invention, when there is an abnormality (when a danger has been detected), safety information is transmitted by a transmission frame having a raised priority, so that when a safe slave or another device has detected an abnormality (danger), the abnormality can be reported to the safe controller as soon as possible.
Number | Date | Country | Kind |
---|---|---|---|
2001-190419 | Jun 2001 | JP | national |
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/JP02/06243 | 6/21/2002 | WO | 00 | 6/7/2004 |
Publishing Document | Publishing Date | Country | Kind |
---|---|---|---|
WO03/001307 | 1/3/2003 | WO | A |
Number | Date | Country |
---|---|---|
20040210323 A1 | Oct 2004 | US |