BEST MODE FOR CARRYING OUT THE INVENTION

[0042] This invention is explained in detail with reference to the accompanying drawings. Specifically, FIG. 2 shows an example of a safety network system according to this invention. As shown in FIG. 2 , a safety PLC 1 and a plurality of safety slave units 2 are connected to each other through a safety network 3 . Each safety slave unit 2 is connected with an emergency stop switch and other various safety devices 4 such as various input devices and output devices. The safety PLC 1 is configured of a plurality of units including a CPU unit 1 a , a master unit (communication unit) 1 b and an I/O unit 1 c connected to each other.

[0043] Further, a personal computer 5 is connectable as a tool to the CPU unit 1 a and the master unit 1 b of the safety PLC 1 and the safety network 3 . This personal computer 5 , through the safety PLC 1 , collects and manages the information on the safety slave units 2 and the safety devices 4 connected thereto.

[0044] All of the various devices making up this safety network system have a built-in safety (fail-safe) function. The safety function is for confirming the safety and produces an (control) output. Once a hazardous situation arrives, the fail-safe function is activated and the system turns to safety side to halt the operation. Specifically, the safety system is such that when the emergency stop switch is depressed, a sensor such as a light curtain detects the intrusion of a person (a part of human body) or otherwise a hazardous situation of the network system arrives, the fail-safe function works and the system turns to safety side to halt the operation. In other words, this system allows an output to be produced and a machine to operate only in the case where safety is stored by the safety functions. Unless safety cannot be confirmed, therefore, the machine stops.

[0045] Next, of these safety functions, the transmission and receiving of information constituting the essential feature of the invention is explained. The master unit 1 b has a built-in communication function and is adapted to transmit and receive information to and from the safety slave units 2 by the master-slave method. The basic operation is similar to that of the prior art, and as shown in FIG. 1 ( a ), in compliance with the request from the safety PLC 1 (master unit 1 b ), a given safety slave unit 2 that has received the particular request returns the safety information as a safety response. The request is issued to the slave units 2 in the order of (1)→(2)→(3), and the safety information are collected from all the three safety slave units 2 in one communication cycle. This communication cycle is repeatedly executed.

[0046] The master unit 1 b for controlling the communication has an internal structure as shown in FIG. 3 . Specifically, the master unit 1 b has a MPU 10 for reading the program stored in a system ROM 11 and executing a predetermined process appropriately using the memory area of a system RAM 12 . Further, the master unit 1 b has a communication interface 13 connected to the safety network 3 to transmit and receive the data to and from a predetermined safety slave unit 2 . Furthermore, the master unit 1 b has an unsafety information storage unit 14 for storing the unsafety information sent from the safety slave units 2 . Specifically, also according to this embodiment, as in the prior art, the unsafety information is sent from each safety slave unit 2 , and store d by relating it to the addresses of the safety slave units. The unsafety information of the safety slave units stored in the unsafety information storage unit 14 are extracted periodically or in compliance with a read instruction of the personal computer (tool) 5 .

[0047] Naturally, this master unit 1 b also corresponds to the safety network system and has various built-in safety functions. Specifically, though not shown, two MPUs 10 are provided and caused to execute the same program at the same time, and only in the case where the two results are coincident, the output is determined as correct and processed. Other safety functions are of course provided in correspondence with the safety network system.

[0048] As an example of the program executed by the MPU 10 of the master unit 1 b , the MPU 10 issues a request to a predetermined slave unit 2 , and receiving a response to the request, executes a predetermined process in accordance with the contents of the response received. The MPU 10 of course also executes the process of transmitting the information to a predetermined slave unit 2 in compliance with an instruction from the CPU unit 1 a.

[0049] The internal structure of the safety slave unit 2 is shown in FIG. 4 . As shown in this drawing, the safety slave unit 2 includes a communication interface 21 connected to the safety network 3 for transmitting and receiving the data to and from the safety PLC 1 (master unit 1 b ), an input/output interface 22 for transmitting and receiving the data to and from the safety devices 4 connected to the safety slave units 2 , and a MPU 23 for reading the program stored in the system ROM 24 and executing a predetermined process by appropriately using the memory area of the system RAM 25 . The MPU 23 , in compliance with the request to oneself received through the communication interface 21 , executes the process of returning the information (the safety information, etc.) acquired from the safety devices 4 through the input/output interface 22 , to the master unit 1 b through the communication interface 21 and the safety network 3 .

[0050] Further, the MPU 23 has the function of self-diagnosis and monitoring the operating conditions (the turn-on time, the number of times turned on/off, etc.) of the safety devices 4 , and executes the process of storing in the unsafety information storage memory 26 the unsafety information such as the diagnosis result and the operating conditions acquired by activating the various functions. The unsafety information stored in the unsafety information storage memory 26 are also returned in compliance with the request of the master unit 1 b and transmitted to the master unit 1 b.

[0051] Specifically, the request from the master unit 1 b is of two types including the safety information request and the unsafety information request, and the safety slave units 2 return the required type of information as a response. Actually, a request is issued with a sequence No. which is incremented by one each time of transmission, and according to the value of this sequence No., each safety slave unit determines whether a given request concerns the safety information or the unsafety information.

[0052] According to this embodiment, the master unit 1 b has an unsafety information request control unit 15 for arbitrarily setting the timing of collecting the unsafety information from each safety slave unit 2 to execute the required process. Specifically, the unsafety information request control unit 15 , which includes a timer or a counter, sends a trigger signal to the MPU 10 upon each lapse of a predetermined length of time or for each predetermined number of communication cycles. The MPU 10 normally issues a request for acquiring the safety information, and upon receipt of a trigger signal, issues a request to acquire the unsafety information in the next one cycle. By doing so, the unsafety information can be collected in cycles set by the user. This is of course possible even while the system is in operation. The processing function of the MPU 10 with regard to the output of this request is described in detail later.

[0053] The safety slave unit 2 , on the other hand, returns the safety information or the unsafety information in compliance with the request from the master unit 1 b , as described above. In the process, the safety slave unit 2 further executes the process described below. Specifically, in the case where the safety information is requested, the safety information currently available is returned as it is. In the case where the unsafety information is requested, on the other hand, it is first determined whet her the particular safety slave unit 2 is in a safe state or not, and in the case where it is in a safe state, the unsafety information is returned, while in the case where the safety slave unit 2 is not in a safe state (hazardous, or abnormal), the safety information is transmitted. The safety information as used in this case is indicative of a “fault notice”.

[0054] By doing so, in the case where the unsafety information arrives, the safe state of the safety slave unit 2 that has sent the particular unsafety information is guaranteed. Therefore, the master unit 1 b , upon receipt of a response of unsafety information from the safety slave unit 2 in compliance with the unsafety information request, determines that a safe state prevails, and thus can collect the unsafety information as originally intended without the need of the fail-safe process such as emergency stop. In the case where the safety slave unit 2 is not in a safe state, on the other hand, the safety information (fault notice) is sent even in the case where the request of the unsafety information is issued, and therefore a predetermined security process is executed. In this way, the time requiring one communication cycle is guaranteed as a response time in case of a fault.

[0055] As an example, assume that, as shown in FIG. 5 , a normal safety information request is given in the (N−1)th communication cycle while an unsafety information request is issued in the Nth communication cycle. In the case where each safety slave unit 2 is in a safe state, as shown in FIG. 5 ( a ), the type of information requested is returned from each safety slave unit. In the case where a fault occurs after the safety slave unit ( 2 ) returns the safety response in the (N-1)th communication cycle, on the other hand, the safety slave unit ( 2 ) sends a safety response in the next Nth communication cycle. Therefore, the time t from the fault occurrence to the output of the safety response is shorter than the time TO of one communication cycle.

[0056] To realize the above-mentioned process, it is necessary to discriminate whether the information received on the part of the master unit 1 b is the safety information or the unsafety information. According to this embodiment, as shown in FIG. 6 , an identification bit is added to discriminate the safety information and the unsafety information from each other as information stored in the transmission frame. As a result, the master unit 1 b can determine whether the received transmission frame is the safety information or the unsafety information by checking the value of the identification bit.

[0057] Next, an explanation is given about the processing steps executed in the MPU 10 of the safety PLC 1 (master unit 1 b ) and the MPU 23 of the safety slave units 2 for conducting a series of the data communication described above. The MPU 10 of the master unit 1 b has the function of executing the steps of the flowcharts shown in FIGS. 7 to 9 . Assume that there are three safety slave units ( 1 ) to (3) as shown in FIG. 1 , and the unsafety information is updated at intervals in terms of communication cycles and acquired at the rate of one of three communication cycles.

[0058] Once power is switched on, the arrival of the setting input for the unsafety information update period from the user is awaited (ST 1 , ST 2 ). Upon setting of the unsafety information update period (each three communication cycles in this embodiment), the sequence No. 3 is set to unsafety (ST 3 ), and the sequence No. 3 of the slave units (( 1 ) to ( 3 )) is set to request the unsafety information (ST 4 , ST 5 ). According to this embodiment, the update period is set by the unsafety information request control unit 15 .

[0059] In the case where the update timing is once every N times, the conversion to unsafety in step 3 is of course is to set the sequence No. “N” to unsafety. Also, according to this embodiment, the unsafety information is collected in the same communication cycle (the third communication cycle in this embodiment) for all the safety slave units. Alternatively, however, the cycle can be set for each safety slave unit, so that the unsafety information may be collected in different communication cycles. Further, the update period can be varied from one slave unit to another.

[0060] Upon completion of each process described above, the safety network system is actually activated to perform a predetermined control operation. Specifically, the value n of the sequence No. is first set to 1 (ST 6 ) and a request is transmitted to the safety slave unit ( 1 ) (ST 7 ). This request is accompanied by the sequence No. Thus, the first request after power is thrown in is the sequence No. “1”.

[0061] The response from the safety slave unit ( 1 ) is awaited, and upon receipt of the transmission frame from the safety slave unit ( 1 ), the identification bit is analyzed to determine whether th e value is “0” or not (ST 8 ). In the case where the identification bit is not “0”, i.e. it is “1”, the safety information has been transmitted. This data section is analyzed and the safety information of the safety slave unit ( 1 ) is received (ST 9 ). It is then determined whether the safety state is “safe” or not (ST 10 ), and in the case of “safe”, a request with the sequence No. is transmitted to the safety slave unit ( 2 ).

[0062] In the case where the branching decision in step 8 is “Yes”, that is to say, the identification bit is 0 , the information that has been sent is the unsafety information. Therefore, the process jumps to step 11 and the unsafety information for the safety slave unit ( 1 ) is received (step ST 11 ). Also, the current safety state of the safety slave unit ( 1 ) is estimated as safe (ST 12 ). After that, the process proceeds to step 13 for outputting a request to the slave unit ( 2 ).

[0063] A similar process is executed for the safety slave unit ( 2 ) (ST 13 to ST 18 ), and then for the safety slave unit ( 3 ) (ST 19 to ST 24 ). As a result, the safety information or the unsafety information can be collected in one communication cycle.

[0064] Once the information are acquired from the three safety slave units ( 1 ) to ( 3 ), it is determined whether n is 3 or more (ST 25 ), and in the case where n is less than 3, n is incremented by 1 (ST 26 ), while in the case where n is not less than 3, n is set to 1 (ST 27 ). After that, the process returns to step 7 , and the next communication cycle is executed. After that, the process of steps 7 to 28 is repeatedly executed.

[0065] In the case where the determination as to safety in steps 10 , 16 and 22 is “No”, i.e. the received safety information is “not safe”, the process jumps to step 28 , where the safety output is shut off to halt the operation (ST 28 , ST 29 ). By the way, the specific process in steps 28 , 29 is similar to the process for the fault notice (hazardous) in the conventional safety network system, and therefore is not described in detail.

[0066] On the other hand, the operation of the MPU 23 of each safety slave unit is shown in FIG. 10 . Specifically, after power is thrown in, the sequence No. for transmitting the unsafety information sent from the master unit 1 b is acquired and set. In this case, the sequence No. “3” is set as the timing of transmitting the unsafety information (ST 30 , ST 31 ).

[0067] Next, a request from the master unit 1 b is awaited (ST 32 ), and upon receipt of the request, it is determined whether a safe state now prevails or not (ST 33 ). In the case where no safe state prevails “hazardous” is transmitted as the safety information (ST 34 ). In the case where a safe state prevails, on the other hand, the sequence No. added to the request is checked, and in the case where the sequence No. is “3”, the unsafety information is transmitted, while in the case of other than 3, the safety information (safe) is transmitted (ST 35 , ST 36 , ST 37 ). After that, the process of steps 32 to 37 is repeatedly executed.

[0068] The process described above, as viewed from the operation of one safety slave unit, is shown in FIG. 11 . Specifically, the requests sent from the master unit 1 b have added thereto the sequence Nos. 1 to 3 sequentially repeated in such an order as “1→2→3 →1 . . . ”. Upon receipt of the request of the sequence No. “3”, the unsafety information is returned. As a result, as shown in FIG. 11 ( a ), assuming that a safety slave unit is in a safe state, the master unit receives the unsafety information of the particular safety slave unit at the rate of once every three times, and therefore can confirm the safety by receiving the particular unsafety information.

[0069] Also, as shown in FIG. 11 ( b ), in the case where the safety is ended when the sequence No. is “3”, the safety response is given without sending the unsafety information. Thus, the master unit cannot receive the unsafety information but is informed of a hazardous situation from the safety response, and therefore executes a predetermined safety process such as a halt process. By the way, though not shown, in the case where the safety ends with the request of the sequence No. 1 or 2, the safety response (fault notice) is sent as usual, so that a predetermined safety process is executed based on the particular safety response.

[0070] In the embodiment described above, the unsafety information is acquired at the rate of once every N times. However, this invention is not limited to such a rate but the unsafety information can be acquired at regular time intervals. In this case, the sequence No. for transmitting the unsafety information is not determined as described above, but a flag is attached or otherwise to discriminate the normal safety information request and the unsafety information request from each other on the part of the safety slave unit. The unsafety information request control unit 15 has a timer, and each time a set time passes, sends a trigger signal to the MPU 10 . The MPU 10 , which normally issues a safety information request, issues an unsafety information request upon receipt of the trigger signal.

[0071] Also, in the case where the unsafety information is collected by the number of the communication cycles, assume that the master unit issues both the safety information request and the unsafety information request as in the aforementioned case. The unsafety information request control unit 15 may have a counter, and counts the number of times the request is issued. Once a predetermined number of times is reached, a trigger signal is output, and the MPU 10 that has received the trigger signal may output an unsafety information request.

[0072] In the example described above, the timing of acquiring the unsafety information is controlled by the master unit. This invention is not limited to such a configuration, but the acquisition timing may alternatively be controlled on the part of the safety slave unit. In such a case, as shown in FIG. 4 , the safety slave unit 2 is equipped with an unsafety information transmission control unit 28 . This unsafety information transmission control unit 28 includes a timer or a counter and applies a trigger signal for unsafety information transmission to the MPU 23 at a preset timing (after predetermined time or predetermined communication sessions) of updating the unsafety information.

[0073] The MPU 23 , at the request of the master unit 1 b , normally gives a safety response and returns the safety information (safe/hazardous). Upon receipt of a trigger signal, on the other hand, the MPU 23 checks the present safety state in response to a request, and in the case where a safe state prevails, sends the unsafety information. In the case where no safe state prevails (abnormal or hazardous), however, the safety response is returned even when a trigger signal is received. By the way, in order that the master unit may be informed which of the safety information and the unsafety information is transmitted, the MPU 23 attaches a recognition bit in the transmission frame as shown in FIG. 6 also in the case under consideration, and sets it to “0” or “1”.

[0074] The master unit 1 b , on the other hand, transmits a request to the safety slave units sequentially in predetermined communication cycles and waits for a response from a corresponding safety slave unit. Upon receipt of the transmission frame from a safety slave unit, the master unit 1 b confirms the recognition bit and discriminates the safety information and the unsafety information from each other. In the case where the unsafety information is involved, the acquired unsafety information is stored in the unsafety information storage unit 14 , while at the same time recognizing the safety. In the case where the received information is the safety information, on the other hand, the contents thereof are acquired, and in the case where no safe state prevails, a predetermined security process is executed.

[0075] A timing chart for data transmission and receipt between the master unit and the slave units for the above-mentioned operation is shown in FIG. 12 . In the shown case, every safety slave unit is in a safe state, and therefore the respective unsafety information is transmitted at the timing of transmitting the unsafety information. The master unit that has received this unsafety information acquires the unsafety information on the one hand and can confirm the safety at the same time. In the case where no safe state prevails at the timing of transmitting this unsafety information, the safety response is returned. Also, in view of the fact that the transmission timing is managed by each safety slave unit, as shown, the unsafety information is not necessarily sent from all the safety slave units in the same communication cycle, as shown.

[0076] Furthermore, the embodiment described above concerns the master-slave method in which a desired slave unit returns a response to a request from a master unit. Specifically, the right to determine which of the safety information and the unsafety information is to be transmitted may be granted to either the master unit or the safety slave unit, as described already. In any way, the timing of transmission from each slave unit is derived from an external t rigger such as a request of the master unit. The slave unit as it is called in this invention, however, is not limited to the one included in the master-slave communication. Specifically, in spite of the naming “slave”, an arbitrary communication method can be used. In this respect, strictly speaking, the slave unit according to the invention is considered to be different in concept with the generally defined slave. In other words, the slave unit as it is called in this invention can operate on an arbitrary communication protocol for actual transmission and receiving process as long as it has the function of transmitting while switching the safety information and the unsafety information at appropriate timing. Especially, the destination of the unsafety information to be transmitted according to the invention is not confined to the master unit or the controller, but may be other devices than the local node, i.e. other nodes such as the configurator (configuration tool), the monitoring devices or other slave units connected to a network.

[0077] The communication method can also be appropriately selected in accordance with the other party of transmission. The trigger for transmission is of course not limited to an external request such as from the master unit, for example, but the transmission may be based on an internal trigger (internal timer, an event generated when meeting predetermined conditions, etc.).

[0078] The “internal trigger” is based on the result of executing a predetermined process by a slave unit itself and generated in the particular slave unit. One example of an internal trigger is the fact that the unsafety information (the status information of the input/output unit, etc.) acquired by the slave unit develops into a preset status. Specifically, a n internal trigger may be generated in the case where the turn-on time of the input/output devices exceeds 5000 hours or the number of times operated exceeds ten thousands. An internal trigger signal may also be generated periodically upon each lapse of a predetermined time or at a predetermined time point as counted by an internal clock.

[0079] In the case where an internal trigger is generated when a preset status is attained, the frequent transmission of the unsafety information can be suppressed and the safety information can be transmitted in normal communication by appropriately setting the particular status. Thus, the required unsafety information can be transmitted efficiently by transmitting the unsafety information with the internal trigger generated at regular time intervals or when the life of the input/output devices is about to expire, in accordance with the operating conditions of the input/output devices. Specifically, the number of times operated and the turn-on time are not very important information and allowed to change by several times or several minutes from the preceding data. By suppressing the transmission of these information not so important, the safety information and the unsafety information can be transmitted efficiently.

[0080] An example of a time chart for transmitting the information from the safety slave unit based on this internal trigger is shown in FIG. 13 . Specifically, each transmission device (safety slave unit) has an internal timer and generates an internal trigger at intervals of the transmission timer. In response to this internal timer, each safety slave unit outputs the safety information or the unsafety information to a predetermined destination. By setting this destination in advance, the information can be transmitted toward a master unit, other slave units or other nodes connected to the network.

[0081] Each safety slave unit transmits the information based on its own internal timer. In the case where any other slave unit is already transmitting the information, however, the slave unit trying to transmit the information stops the transmission. In the case where an attempt to transmit the information at the same time leads to a conflict on the network, the safety slave unit of higher priority order (smaller node number) continues the communication. As a result, the information can be transmitted from the safety slave units sequentially in a predetermined order in one communication cycle. By setting the transmission timer appropriately, the information can be subsequently repeatedly transmitted smoothly in the same order.

[0082] An example of the function of the MPU of the safety slave unit which executes the above-mentioned transmission process is shown in the flowchart of FIG. 14 . This function basically corresponds to the processing flow shown in FIG. 10 . Specifically, power is switched on first of all, and the unsafety information transmission sequence No. is set (ST 41 ). In this example, the transmission sequence No. is set to “3” for all the safety slave units. This numerical value, however, is arbitrary and can of course be varied from one safety slave unit to another.

[0083] Upon complete setting, the generation of the transmission conditions, i.e. the internal trigger is awaited (ST 42 ). Once the internal trigger is generated, it is determined whether a safe state prevails now or not (ST 43 ), and in the case where no safe state prevails, the safety information (hazardous) is transmitted (ST 44 ). In the case where a safe state prevails, on the other hand, the sequence No. is checked (ST 45 ), and if it is less than 3, the safety information (safe) is transmitted, while at the same time incrementing N representing the sequence No. by 1 (ST 46 , ST 47 ). Then, the process returns to step 42 to wait for the arrival of the next transmission conditions. In the case where the sequence No. is 3 or more, on the other hand, it indicates the unsafety information transmission timing, and therefore the unsafety information is transmitted (ST 48 ). After that, N is set to 1 (ST 49 ), followed by re turning to step 42 to wait for the arrival of the next transmission conditions.

[0084] The threshold value for determination in step 45 is set to “3” because the sequence No. for transmitting the unsafety information is set to “3” in step 41 . In the case where the setting is not 3 in step 41 , the criterion in step 45 is also changed accordingly.

[0085] Also, which of the safety information and the unsafety information is currently transmitted is determined by the identification bit ( FIG. 15 ) set in the transmission frame. The safety slave unit, therefore, sets the identification bit in accordance with one of the safety information and the unsafety information for transmission.

[0086] The device receiving the information from the safety slave unit has the function of executing the process of the flowchart shown in FIG. 16 . Specifically, after power is switched on first, the arrival of a frame sent from the safety slave unit is awaited (ST 51 ). Upon receipt of the frame, it is determined whether the frame is normally received or not, and in the case of abnormal receipt (“No” in step 52 ), the process such as stopping the output is executed by the safety output means (ST 57 ). In the case of normal receipt, on the other hand, the identification bit is checked. In the case where the identification bit is zero, it indicates that the received data is the unsafety information, and therefore the process of receiving the unsafety information is executed (ST 54 ). Specifically, the acquired unsafety information is stored in a predetermined area, the contents of the information are analyzed, or the processing is executed in accordance with the result of analysis. After that, the process returns to step 51 to wait for the arrival of the next frame.

[0087] In the case where the identification bit is 1 , on the other hand, the safety information is involved, and therefore the safety information receiving process is executed (ST 55 ) and it is determined whether the contents of the notice are safe or not (ST 56 ). In the case where the contents of the notice is safe, the process returns to step 51 to wait for the arrival of the next frame. In the case where the contents of the notice is hazardous and not safe, on the other hand, the process of halting the output or other process for safe output is executed (ST 57 ). By the way, the processing after receiving the safety information or the unsafety information is similar to the corresponding processing in the embodiments described above, and therefore is not explained in detail.

[0088] With regard to the identification bit, the foregoing description deals with a case in which the safety information and the unsafety information are indicated by one bit of “1” and “0”, respectively. This invention, however, is not limited to this, but another information may be added. Specifically, in the case of unsafety information, the specific information stored in the data unit include various information such as the accumulated time of conduction or operation, the number of times operated, etc. of the input/output devices connected to the slave units, and in the case where only a numerical value is transmitted, the information associated with the particular numerical value may not be recognized. In such a case, the identification code for specifying the type of the unsafety information may be added in accordance with the contents of the data section. Further, a plurality of I/O terminals are provided. In an assumed case where eight I/O terminals are involved, for example, an 8-bit identification code is prepared so that a bit for identifying the safety information and the unsafety information is set for each I/O terminal. Also, in the case where all the eight I/O terminals transmit the unsafety information or the safety information, all the eight bits constitute the same identification bit. In such a case, the eight bits can be represented by one bit. As a result, the transmission data can be compressed and transmitted within a short length of time. In this case, however, a flag is required to discriminate an uncompressed identification code from a compressed identification code.

INDUSTRIAL APPLICABILITY

[0089] As described above, according to this invention, the unsafety information is transmitted on condition that a safe state prevails. Even in the case where the information other than the safety information (safety signal) is transmitted or received through a network while the system is in operation, therefore, the original response time of the safety information is not delayed.