1. Technical Field
The present invention relates to a control system that controls the drive of a load, and particularly to a control system that secures the safety of mechanical equipment.
2. Related Art
Conventionally, in order to establish work safety at a production site, a safety circuit is constructed that supplies electric power to a load (such as a motor) serving as a power source for mechanical equipment in a state in which safety is secured. Generally, the conventional safety circuit includes a safety instrument such as a relay unit and a safety controller.
For example, Japanese Unexamined Patent Publication No. 2005-157665 describes a relay unit and a safety controller as the safety instrument. According to Japanese Unexamined Patent Publication No. 2005-157665, the relay unit operates as follows. The relay unit has a function of monitoring the state of a safety circuit based on an input signal from a safety switch such as an emergency stop switch or a safety area sensor such as a safety door switch, and a function of securely cutting off the power supply of mechanical equipment when trouble occurs. The relay unit further has a function of not restarting the mechanical equipment unless the cause of the trouble is removed.
The safety controller disclosed in Japanese Unexamined Patent Publication No. 2005-157665 is configured as follows. The safety controller includes first and second CPUs (Central Processing Units) that control a safety output to a safety output control target such as a magnet contactor based on a safety input from an input instrument such as the safety door switch. The safety controller provides a semiconductor output as the safety output. An extension unit that outputs a relay output to the safety output control target according to the safety output can be connected to the safety controller, and the safety controller can detect an abnormality of the extension unit.
FIG. 12 is a view illustrating a configuration example of a conventional safety circuit. Referring to FIG. 12, a control system 200 supplies driving power from a three-phase AC power supply (AC power supply 101) to a motor 102 that is a load, and cuts off the supply of the driving power. For example, the motor 102 is used to drive various mechanical installations in a factory.
The control system 200 includes a door switch 111 that is an input device, a relay unit 116, and contactors 121 and 122.
The door switch 111 detects that a mechanical guard or cover is closed. A manipulation key 115 attached to a door 114 is inserted into and pulled out of the door switch 111. The door switch 111 thereby detects the opening and closing of the door 114.
Contactors 121 and 122 are inserted in and connected to a power-supply line 103 that is the feeding pathway between the AC power supply 101 and the motor 102. The relay unit 116 turns the contactor 121 on and off based on a signal from the door switch 111.
The relay unit 116 has a function of monitoring the contactors 121 and 122. For example, when the relay unit 116 detects an abnormality of the contactor 121, the relay unit 116 turns off the contactor 122. The motor 102 is therefore stopped because the supply of electric power to the motor 102 is cut off.
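The FIG. 12 behaviour described above, together with the restart-inhibit function of the relay unit, as an added example that is not part of the original publication: a per-scan model in C of the relay unit 116 logic. The feedback input for contactor 121, the rule that a mismatch between command and feedback counts as the abnormality, and the door-open condition for releasing the latch are assumptions; the type and function names are illustrative.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added illustration; names and the feedback input are assumptions. */
typedef struct {
    bool k121_cmd;  /* coil command to contactor 121 */
    bool k122_cmd;  /* coil command to contactor 122 */
    bool fault;     /* latched abnormality of contactor 121 */
} relay_unit;

/* One scan of the relay unit.
 * door_closed: door switch 111 reports the door 114 closed.
 * k121_fb:     assumed auxiliary-contact feedback, true when 121 is closed. */
void relay_scan(relay_unit *r, bool door_closed, bool k121_fb)
{
    if (k121_fb != r->k121_cmd) {
        /* Feedback disagrees with the command issued on the previous scan
         * (e.g. welded or stuck contact): latch the abnormality. */
        r->fault = true;
    } else if (r->fault && !door_closed) {
        /* Cause removed (121 reads open again) and the door has been
         * opened (assumed reset condition): release the restart lockout. */
        r->fault = false;
    }
    r->k121_cmd = door_closed && !r->fault; /* follows door switch 111 */
    r->k122_cmd = !r->fault;                /* second cut-off path */
}

/* Contactors 121 and 122 are in series in power-supply line 103. */
bool motor_powered(bool k121_closed, bool k122_closed)
{
    return k121_closed && k122_closed;
}

int main(void)
{
    relay_unit r = { false, false, false };
    relay_scan(&r, true, false);   /* door closed: 121 and 122 commanded on */
    relay_scan(&r, true, true);    /* running */
    relay_scan(&r, false, true);   /* door opened, 121 commanded off */
    relay_scan(&r, false, true);   /* 121 still closed: welded contact */
    printf("fault=%d k122=%d motor=%d\n", r.fault, r.k122_cmd,
           motor_powered(true, r.k122_cmd));
    return 0;
}
```

In this model the motor stays powered for one scan after the door opens on a welded contactor 121, which is the interval the monitoring function needs to detect the mismatch and drop contactor 122.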
The safety instrument disclosed in Japanese Unexamined Patent Publication No. 2005-157665 has a function of checking whether the input instrument and the output instrument are normal. This is because a safety circuit compatible with category 2 of ISO 13849-1 is to be constructed.
Conventionally, in discussing safety protection as a measure to reduce machine risk, the evaluation of the extent of the risk and the performance criterion of the safety system according to that evaluation are generally expressed by the “category” of European Standard EN 954-1 or of International Standard ISO 13849-1, which is based on European Standard EN 954-1. The “category” means an architecture (structure) of a safety control system, and the “category” is based on a so-called definitive technology of electric mechanism components, which is typified by the accumulated contact technology of a switch or a relay.
FIG. 13 is a view explaining the categories defined by ISO 13849-1. Referring to FIG. 13, five categories, “B”, “1”, “2”, “3”, and “4”, are defined in ISO 13849-1. The achievement level of the performance criterion rises as the category progresses from “B” to “4”.
In the revised edition of ISO 13849-1, five indexes “a” to “e” called “PL (Performance Level)” are defined to evaluate the safety control system. In the PL, the concepts of “reliability” and “quality” are incorporated into the conventional concept of “category”, so that Mean Time To dangerous Failure (MTTFd), Average Diagnostic Coverage (DCavg), and Common Cause Failure (CCF) are evaluated. The PL allows the safety control system to be evaluated quantitatively in line with its actual usage.
The formal name of the revised edition of ISO 13849-1 is “ISO 13849-1 (Second edition 2006-11-01) Safety of machinery safety-related parts of control systems, Part 1: General principles for design”. Hereinafter, the revised edition of ISO 13849-1 is occasionally referred to as “ISO 13849-1:2006”. The old edition and the revised edition of ISO 13849-1 are collectively referred to as “ISO 13849-1” unless particularly distinguished from each other.
In ISO 13849-1:2006, the requirements of the safety control system in each category are identical to those of the old edition. However, the features of each safety control system are schematized in an easy-to-understand manner, with a focus on three portions: an I (input instrument), an L (logic operation instrument), and an O (output instrument).
FIG. 14 is a block diagram for explaining the requirements of the safety control system required for each category, which are expressed by ISO 13849-1:2006.
Referring to FIG. 14, the structure compatible with the category B and category 1 is realized by the I, L, and O. For example, the structure compatible with the category 2 can be realized by adding a TE (checking instrument) to the I, L, and O. For example, the structure compatible with the category 2 can also be realized by the I, O, and TE. An OTE is a function of performing an operation based on an output of the TE. For example, the OTE may be a function included in the O (output instrument) or a function of an instrument that is different from the I, L, and O.
The structure compatible with the categories 3 and 4 is realized by duplicating the I, L, and O. The category 4 has the same structure as the category 3, but differs from the category 3 in that higher detection capability is required.
As illustrated in FIG. 14, checking whether the input instrument and the output instrument are normal is included in the requirements of the category 2. Because the safety instrument such as the relay unit and the safety controller has the checking function, the safety instrument is compatible with the category 2 of ISO 13849-1.
Although not illustrated in FIG. 12, a general-purpose PLC (Programmable Logic Controller), for example, performs general control in the control system. The general-purpose PLC is not involved in the safety-related control. This is because the control system is not compatible with the safety standard (category 2 of ISO 13849-1) when the general-purpose PLC performs the safety-related control.
FIG. 15 is a graph for explaining the method for evaluating a performance level defined by ISO 13849-1:2006. Referring to FIG. 15, four parameters including category (indicated by “Cat” in FIG. 15), MTTFd, DCavg, and CCF are used to evaluate the PL.
As illustrated in FIG. 15, the performance level “c”, for example, can be achieved by plural combinations of parameters. In other words, the desired performance level can be achieved by a proper combination of the four parameters. Accordingly, it is said that ISO 13849-1:2006 gives a greater degree of freedom in constructing the safety system than ISO 13849-1:1999, which is the old edition.
Thus, ISO 13849-1 is the standard for the safety-related control. However, specific implementation means for satisfying the requirements are not defined by ISO 13849-1. Therefore, it is difficult to divide the functions defined by ISO 13849-1 into the functions that should be realized by the safety instrument and the functions that can be realized by a general control instrument (such as the general-purpose PLC). Accordingly, as described in Japanese Unexamined Patent Publication No. 2005-157665 and FIG. 12, the functions defined by the category 2 of ISO 13849-1 are conventionally realized by the dedicated safety instrument.
However, a product that has received third-party certification is generally used as the safety instrument or the safety component. That is, because the dedicated safety instrument is a special product that is different from a general-purpose product, the price of the dedicated safety instrument tends to be high.
On the other hand, as illustrated in FIG. 15, it is believed that ISO 13849-1:2006 increases the degree of freedom in constructing the safety system. However, according to the conventional technique, the safety system is constructed by the use of the dedicated safety instrument. Therefore, not only is the cost of constructing the safety system increased, but the configuration of the safety system is also restricted.