A programmable controller (hereinafter called “PLC”) used in FA (Factory Automation) performs control by acquiring ON/OFF information from input devices such as switches and sensors connected to the PLC, executing a logic operation in accordance with a sequence program (user program) written in a ladder language, and, on the basis of the operation result, outputting ON/OFF information to a relay output connected to the PLC or a drive/stop signal to output devices such as valves and actuators. This control is executed by repeating so-called “cyclic processing”.
The PLC is connected to the input devices and the output devices through the terminals of the PLC and the terminals of I/O units in some cases, and through a network in other cases. In a network system built up through such a network, the ON/OFF information described above is exchanged through the network. The information is generally transferred by a master-slave system in which the PLC side is the master and the device side is the slave. This master-slave system is also referred to as a “remote I/O system”, and uses a communication master unit provided in the PLC and a communication slave unit connected to the communication master unit through a network line. A plurality of input devices or a plurality of output devices is connected to the terminals of the communication slave unit. Communication between the master and the slave is performed in a predetermined cycle by serial communication. In the data transfer, the master issues a data request to the slave. On receiving this request, the slave converts the ON/OFF information (I/O information) of each input or output device connected to it into a serial signal and returns it. In other words, the master controls the right to communicate on the network, and the slave transfers data to the network only as that control allows. Incidentally, communication between the master and the slave may be conducted either synchronously or asynchronously with the cyclic processing of the PLC. The information exchange between a CPU of the PLC and the master may be conducted by either the I/O refresh processing of the PLC or its peripheral processing. A plurality of slaves can also be connected to one master so that they communicate with one another.
On the other hand, in recent years PLC control has also come to be applied where a high level of safety is required, such as in robot machines, press machines, cutting machines, and the like. In robot control, for example, PLC control is gradually being introduced into systems called a “safety system” and a “safety net system” so that a robot arm does not come into contact with a human body and cause injury because of an abnormal operation or a failure of the control system. In such a case, the safety system or the safety net system is constituted by the PLC as an element of the control system, each device or apparatus itself and a network incorporating a safety function. Here, the term “safety function” means the function of confirming safety and then producing an output. The term “safety system” means a system that, for example, duplicates the CPU and other processing portions and, as a fail-safe operation, reliably brings the machine system into a safe condition or forcibly stops the machine system in a safe condition in any of the following cases: when a processing portion judges that an abnormality exists by detecting a mismatch between the CPU and the other processing portions; when an abnormality (a failure of normal communication) occurs in the network for any reason; when the operation enters a danger state because an emergency stop switch of the machine system is pushed; or when a multi-axis photoelectric sensor detects a danger condition because a person (or a part of the body) enters a light curtain. In other words, the safety system outputs the signal and operates the machine only when the safety function has confirmed safety. Therefore, when safety is not confirmed, the machine stops.
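The fail-safe behaviour described above can be modelled as a per-cycle decision, shown here as an added example that is not part of the original text: the output is driven only when every check confirms safety. The `Scan` fields, the 50 ms `COMM_TIMEOUT_MS` limit and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

COMM_TIMEOUT_MS = 50  # assumed limit on the age of the last valid slave reply


@dataclass(frozen=True)
class Scan:
    """Inputs seen in one PLC cycle (constructed model, not from the page)."""
    cpu_a_request: bool        # output requested by the first processing portion
    cpu_b_request: bool        # same result computed by the redundant portion
    reply_age_ms: int          # time since the slave last answered the master
    estop_pressed: bool = False
    curtain_interrupted: bool = False


def safety_output(scan: Scan) -> tuple[bool, str]:
    """Return (output_on, reason). The output is ON only when safety is confirmed."""
    if scan.cpu_a_request != scan.cpu_b_request:
        return False, "cpu_mismatch"      # redundant results disagree
    if scan.reply_age_ms > COMM_TIMEOUT_MS:
        return False, "comm_timeout"      # normal communication has failed
    if scan.estop_pressed:
        return False, "emergency_stop"
    if scan.curtain_interrupted:
        return False, "light_curtain"
    if not scan.cpu_a_request:
        return False, "not_requested"     # nothing asked for; stay OFF
    return True, "safe"


def run_cycles(scans):
    """Evaluate each cycle in order, as the cyclic processing would."""
    return [safety_output(s) for s in scans]


# Constructed sample: normal run, lost replies, CPU disagreement,
# person in the light curtain, emergency stop, no output requested.
SAMPLE = [
    Scan(True, True, 10),
    Scan(True, True, 120),
    Scan(True, False, 10),
    Scan(True, True, 10, curtain_interrupted=True),
    Scan(True, True, 10, estop_pressed=True),
    Scan(False, False, 10),
]

if __name__ == "__main__":
    for i, (on, reason) in enumerate(run_cycles(SAMPLE)):
        print(f"cycle {i}: output={'ON' if on else 'OFF'} ({reason})")
```

Every failure path returns OFF, so a device that cannot report its state is treated the same as one that reports danger.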
To build up the safety system or safety network system having the safety function described above, it has been necessary that all devices connected to the network (the PLC, the slaves, the devices connected to the slaves, etc.) have the safety function. This is because, when even one device not having the safety function is included in the system, the fail-safe function does not operate in the control involving that device or in the data communication with that device, so that the safety function of the overall system cannot be guaranteed.
In control by the PLC, the overall system does not always require the safety function, but the safety system must be used when even a part of the system needs the safety function to be guaranteed. In consequence, devices that do not have the safety function cannot be included in the system. As a result, the safety PLC and the safety devices are used even for portions that do not originally need the safety function. Because devices having the safety function are more expensive than ordinary devices, the cost of the overall system becomes higher.
When an attempt is made to later add, in part, devices having the safety function and a safety PLC to an environment in which the network system is built on a conventional PLC not having the safety function, or to allow devices having the safety function to coexist with conventional existing facilities, the attempt does not succeed. In other words, the existing portions not having the safety function and the portions having the safety function must be isolated completely, and they cannot coexist in the same environment. It is of course possible to discard the existing facilities and install a new safety network system, but a large number of replacement steps will be necessary.
On the other hand, in view of the explanation given above, there is a desire to constitute a safety network for only those portions that require the safety function. However, because the safety system and the non-safety system must be isolated as described above, data exchange between the two systems becomes difficult. Further, because the network systems of the safety system and the non-safety system are arranged independently and in parallel, two kinds of setting/management tools become necessary and each must be used for its own system, so that operation becomes complicated.
In view of the problems described above, the invention aims at accomplishing a controller in which a safety system and a non-safety system coexist satisfactorily, and at providing a safety unit, a controller system, a connection method of controllers, a control method of the controller system and a monitor method of the controller system in which those portions that can be handled as common processing between the safety system and the non-safety system are shared, while the safety function of the safety system is guaranteed.