This invention relates to a risk evaluation support device and a program product, as well as a method of controlling a risk evaluation support device for a safety network.
As is well known, a network system connecting a programmable controller (PLC) and slaves through a network such as a device network is used for a factory automation (FA) system. Each slave is provided with a plurality of I/O units, and sensors, relays and apparatus of various other kinds are connected to these I/O units, such that sensing data detected by input devices (such as switches and sensors) connected to a slave, for example, are taken in by the PLC through the network. The PLC analyzes the obtained sensing data and transmits control commands to the output devices (such as relays, valves and actuators) to be operated on the basis of these sensing results.
At factories such as production plants where such a factory automation system is actually installed, it is also becoming common practice to improve the environmental conditions of the work site and to reduce the risks to the workers. A safe, accident-free workplace environment means that productivity is not lost through system stoppages caused by accidents, and this eventually leads to improved production efficiency.
In order to reduce the risk to the workers in this way, attempts are being made to identify the danger sources of control systems, to carry out risk evaluations (considering, for example, the frequency of approach to a danger source and the magnitude of injury in the case of contact) and to implement countermeasures. Many of these countermeasures are realized by introducing safety devices for a safety network system supplied by vendors when constructing a factory automation system.
In the above, safety devices mean devices for forming a safety (failsafe) system, that is, devices that operate a (safety) failsafe function when the network system enters a dangerous condition, for example when an emergency stop button has been pressed or a sensor such as a light curtain has detected the entry of a person (or a body part), such that the system operates in a safe manner or stops its operations.
For carrying out such a safety operation, the positional relationship (or separation distance) between the machine equipment controlled by the related output device and the input device becomes an important factor.
FIG. 1 shows a robot as an example of machine equipment controlled by an output device, where its range of operation constitutes a danger area 1. In this situation, a pair consisting of a light transmitter 2a and a light receiver 2b is installed as an input device in front of this danger area 1. It will be assumed that walls, etc. are set up such that a worker 3 must pass between this light transmitter 2a and the light receiver 2b in order to enter the danger area 1.
This means that the worker 3 will necessarily cross the optical axis 4 of the light transmitted from the light transmitter 2a before reaching the danger area 1. When the light receiver 2b becomes unable to receive light from the light transmitter 2a, the safety system concludes that the worker 3 has passed and switches off a warning signal. (The warning signal remains switched on under a safe condition and is switched off at the time of a danger.) The detection signal is eventually transmitted to the output device through the network, and the output device stops the operations of the machine equipment functioning within the danger area 1.
In other words, there is a certain time lag from the moment when the light receiver 2b detects the worker 3 passing until the machine equipment is actually stopped. This time lag necessarily includes at least the sum of the internal processing times of the input device and the output device and the communication times of the various data on the network.
Thus, if the aforementioned total time is shorter than the time required for the worker 3 to reach the danger area 1 after passing between the light transmitter 2a and the light receiver 2b (the walking distance divided by the walking speed), the machine equipment can be stopped before the worker 3 reaches the danger area 1. When the system is designed, therefore, this is taken into consideration: the internal processing times of the input and output devices are made shorter, or the walking distance (from the position of detection by the input device to the danger area 1) is made longer, such that the system (machine equipment) can be dependably stopped at the time of an abnormality.
If the distance between the position of detection by the input device and the danger area 1 that is necessary for carrying out a safety operation is defined as the minimum safety distance S, this may be obtained as S = K × T, where K is the walking speed (such as 1 m/sec) and T is the time required for stopping the operations (or the response time of the network), or as S = K × T + C, where C is an additional distance.
The network response time depends on the system configuration. In the case of a system configured such that the detection signal from the input device is transmitted first to the PLC and the result of processing by this PLC is transmitted next to the output device, the system response time is given as the response time of the input device, plus the communication cycle time, plus the internal processing time of the controller, plus the communication cycle time again, plus the response time of the output device.
Prior art systems of this type had problems of the following kinds.
For example, when an actual safety system is to be built using a network, the delay time related to the communication and the processing times of the input and output devices must be reflected in the safety distance, as explained above. It is not a simple task, however, to identify the devices that form the network system related to the machine equipment and to obtain the internal processing time of each of them, that is, of the input device, the PLC and the output device. As a result, the safety distance may be calculated from a generic value that is not necessarily close to the true value.
Even if a safety distance could be obtained for a real system, this does not mean that the system is 100% safe; a residual risk necessarily remains, because the behavior at the time of a defect must be taken into consideration and there are faulty operations due to adverse setting conditions. Moreover, if the response time becomes longer because of changes caused by the elapse of time, the required minimum safety distance S becomes longer accordingly, and the risk increases if nothing is changed from the initial setting.
It has been difficult, however, to grasp and evaluate such a residual risk accurately in numerical terms. In other words, conventional methods of evaluation depended mainly on investigations of accident records or interviews with victims, and hence the data were not reliable.
Risk reevaluations were being carried out for reasons of security maintenance and management, but since evaluations are difficult to make unless visible events, such as an accident that has actually occurred, are investigated, it was not possible to consider the invisible increase in risk during the time elapsed until the reevaluation, to make it visible, or to establish a preventive countermeasure against such a risk.
Thus, if an accident occurs, the system may be investigated again on that basis, devices may be exchanged, or a safety distance may be corrected, but it was not possible to take any measures against an increased risk before the occurrence of an accident so as to prevent the accident from actually occurring.