1. Technical Field
The present invention relates to a safety controller for handling an input device (emergency stop switch, light curtain etc.) adapted to a predetermined safety standard and an output device (safety contactor, safety relay etc.) adapted to a predetermined safety standard, in particular, to a safety controller (hereinafter referred to as “safety master”) incorporating a user program for realizing an interlock function among a plurality of equipment including the input/output device adapted to a predetermined safety standard.
2. Related Art
A manufacturing system for automobiles, semiconductors, and the like is generally configured by coupling a few pieces of equipment. Various safety measures are applied to each piece of equipment, and an interlock is adopted among the equipment, so that safety measures are implemented for the entire manufacturing system.
FIGS. 12A and 12B are explanatory views of one example of an entire manufacturing system in which safety measures are applied to each piece of equipment and to the manufacturing system as a whole. As shown in FIG. 12A, the entire manufacturing system in this example is configured by n pieces of equipment D1 to Dn.
Each equipment D1 to Dn includes an input device (emergency stop switch is illustrated in the example) IN1 to INn adapted to a predetermined safety standard, and an output device (contactor is illustrated in the example) OUT1 to OUTn adapted to a predetermined safety standard.
Each equipment D1 to Dn further includes a safety controller or a safety remote I/O terminal C1 to Cn functioning as a “safety slave” to manage the input devices IN1 to INn and the output devices OUT1 to OUTn.
Such safety controllers or safety remote I/O terminals C1 to Cn are communicable with a safety controller C0 functioning as a “safety master” by way of a safety field network (not shown).
The terms “safety master” and “safety slave” refer to a master-servant relationship in the processes of acquiring a status signal related to the interlock and outputting an operation instruction signal according to the present invention, and differ from the relationship of “master” and “slave” in a general field network.
A status signal indicating whether the relevant equipment is in a “safe state” or in an “unsafe state” is transmitted at a predetermined timing to the safety controller (i.e., “safety master”) C0 from each safety controller (i.e., “safety slave”) C1 to Cn and the like of each equipment D1 to Dn. In this case, the content of the status signal is defined to be ON (“1”) when in the “safe state”, and OFF (“0”) when in the “unsafe state”.
If one of the equipment D1 to Dn does not exist, then, among the status signals received on the safety controller C0 side, the content of the status signal corresponding to the equipment that does not exist is defined to be OFF (“0”), which corresponds to the “unsafe state”.
An operation instruction signal, instructing whether the relevant equipment is to be in an “operation state” or in a “stopped state” in which the power supply is cut off, is transmitted at a predetermined timing from the safety controller C0 to each safety controller or each safety remote I/O terminal C1 to Cn.
In this case, the content of the operation instruction signal is defined to be ON (“1”) for the “operation state instruction” and OFF (“0”) for the “stopped state instruction”.
A user memory (not shown) in the safety controller C0 stores a safety control user program including an interlock function. The user program realizing the interlock function may be represented as a logic symbol diagram, for example as a multi-input logical product circuit AND having the status signal received from each equipment as the inputs and the operation instruction signal to each equipment as the output, as shown in FIG. 12B.
According to such a configuration, if all of the plurality of equipment D1 to Dn configuring the manufacturing system exist, and each of such equipment is in a predetermined “safe state”, the contents of the status signals of the equipment D1 to Dn received on the side of the safety controller C0 all become ON (“1”), and thus the output of the multi-input logical product circuit AND configuring the interlock function becomes ON (“1”).
Then, the content of the operation instruction signal received on each equipment side all becomes ON (“1”), whereby all pieces of the equipment D1 to Dn can be in the “operation state”, thereby enabling the operation of the entire manufacturing system.
In the operation state of the manufacturing system, if the “unsafe state” is found in one of the equipment D1 to Dn, the content of the status signal transmitted to the safety controller C0 conducting the interlock control from the safety controller etc. of the equipment in the “unsafe state” becomes OFF (“0”) indicating the “unsafe state”, and thus the output of the multi-input logical product circuit AND configuring the interlock function incorporated in the user program becomes OFF (“0”).
The content of the operation instruction signal received on each equipment side then all becomes OFF (“0”), whereby all pieces of equipment D1 to Dn are in the “stopped state”, and the entire manufacturing system is in the stopped state in which the power supply is cut off.
In a state where one of the equipment D1 to Dn configuring the manufacturing system is missing (“absent”), or where a communication failure, power disconnection, or the like has occurred in one of the equipment D1 to Dn, a “not participating in communication” state is realized. In this state, the content of the status signal of the equipment that is absent or in which the communication failure, power disconnection, or the like occurred, as seen from the safety controller C0 conducting the interlock control, becomes OFF (“0”), which corresponds to the “unsafe state”, whereby the output of the multi-input logical product circuit AND configuring the interlock function incorporated in the user program becomes OFF (“0”).
Then, similar to when one of the equipment D1 to Dn is in the “unsafe state”, the content of the operation instruction signal received on each equipment side all becomes OFF (“0”), whereby all pieces of equipment D1 to Dn are in the “stopped state”, and the entire manufacturing system is in the stopped state where the power supply is cut off.
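The interlock cycle described above, as an added C illustration that is not part of the original document: the safety master maps absent or silent equipment to OFF before taking the multi-input AND, then fans the same operation instruction out to every equipment. The names (`slave_report`, `master_cycle`, `run_scenario`) and the report-age limit `STALE_MS` used to detect “not participating in communication” are assumptions; the text does not say how C0 detects that state.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define N_EQUIP  4      /* constructed system: D1..D4 */
#define STALE_MS 100u   /* assumed limit on the age of a status report */

typedef struct {
    bool     present;     /* equipment exists in the system */
    bool     status_on;   /* last status received: ON = safe, OFF = unsafe */
    uint32_t last_rx_ms;  /* arrival time of that status signal */
} slave_report;

/* Status as seen from C0: absent or silent equipment reads OFF ("0"). */
static bool effective_status(const slave_report *r, uint32_t now_ms) {
    if (!r->present)
        return false;                       /* equipment does not exist */
    if ((uint32_t)(now_ms - r->last_rx_ms) > STALE_MS)
        return false;                       /* not participating in communication */
    return r->status_on;
}

/* One master cycle: multi-input AND, same instruction fanned out to all. */
bool master_cycle(const slave_report *in, bool *op_instr, size_t n, uint32_t now_ms) {
    bool run = (n > 0);                     /* no inputs never permits operation */
    for (size_t i = 0; i < n; i++)
        run = run && effective_status(&in[i], now_ms);
    for (size_t i = 0; i < n; i++)
        op_instr[i] = run;                  /* ON = operate, OFF = stop */
    return run;
}

enum fault { FAULT_NONE, FAULT_D2_UNSAFE, FAULT_D3_SILENT, FAULT_D4_ABSENT };

/* Constructed sample at t = 1000 ms; returns how many equipment are told to run. */
int run_scenario(enum fault f) {
    slave_report r[N_EQUIP];
    bool op[N_EQUIP];
    int running = 0;
    for (size_t i = 0; i < N_EQUIP; i++)
        r[i] = (slave_report){ true, true, 990 };   /* present, safe, fresh */
    if (f == FAULT_D2_UNSAFE) r[1].status_on = false;   /* e.g. emergency stop pressed */
    if (f == FAULT_D3_SILENT) r[2].last_rx_ms = 500;    /* last report is 500 ms old */
    if (f == FAULT_D4_ABSENT) r[3].present = false;     /* equipment removed */
    master_cycle(r, op, N_EQUIP, 1000);
    for (size_t i = 0; i < N_EQUIP; i++)
        running += op[i];
    return running;
}

int main(void) { return run_scenario(FAULT_NONE) == N_EQUIP ? 0 : 1; }
```

In every fault scenario all four equipment receive the stop instruction, which is the whole-line stop on a single absent or unsafe equipment that the text describes.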