A programmable controller (hereinafter referred to as PLC) used in factory automation (hereinafter referred to as FA) performs its control function by entering ON/OFF information from input devices such as switches and sensors; executing logical calculation along a sequence program (also referred to as a user program) written in latter language; and outputting ON/OFF information signals to output devices such as relays, valves, and actuators in accordance with the obtained calculation results.
In some cases, the input and output devices are directly connected with the PLC, and in other cases, these devices are connected via a network. In a network system established with this network, the ON/OFF information are transmitted and received via the network. In this case, information is exchanged by a master-slave system where the PLC is the master and the devices are slaves.
On the other hand, a fail-safe system has been recently introduced into the control by a PLC. In this fail-safe system the network have a safety function therein, not to mention the PLC and devices. The term “safety function” indicates the function of verifying safety and performing an output. A safe system indicates that if the network system causes a dangerous condition, for example, an emergency shutdown switch is pushed or a light curtain or another sensor detects entry of a person (part of the body), fail-safe works and the system is shifted to the safe side to stop the operation. In other words, the system allows an output and machine operation only when the safety function verifies safety. If safety is not verified, the machines come to a stop.
Some of facility systems are equipped with production robots, pressure press machines and cutting machines, which are operated by men. In such a workplace there is a fear of dangerous accidents, such as the arm of a production robot touches a man's body, the pressure of a pressure press machine is applied on a part of a man's body, or the blade of a cutting machine touches a man's body. In an attempt to prevent such accidents, if there is a dangerous condition, the facility system brings the operation of the facility into a standstill (stops the operations of the production robots, pressure press machines and cutting machines). In some cases these machines are not brought to a full stop, but their operations are slowed down enough not to cause a danger to a person by reducing the moving speed of the arm of the production robot or decreasing the pressure of the pressure press machine. Thus, the safe system controls keeping the facility system out of a dangerous condition.
In the network system equipped with the aforementioned safety function (safe network system), it is necessary to fix a maximum response time elapsed between the occurrence of an abnormal or dangerous condition and the execution of a safety operation (stopping of the operation of a device, for example). To be more specific, as is well known, in the case where information is transmitted by the master-slave system, as shown in FIG. 1(a), when there is a request from the master, the slaves in turn send back a safety response. In this example, the network system has three slaves. The ON/OFF information to be treated in this case is I/O information for safe control, which indicates to be normal (safe)/abnormal (dangerous). As the maximum response time, the time required for one communication cycle is secured.
According to the specific procedure of data transmission and reception between the safe PLC and the safe slaves, the safe PLC makes a request to one of the safe slaves connected with the safe network, and the safe slave received the request sends back safety information. For example, when there are three safe slaves {circle around (1)} to {circle around (3)}, the safe PLC can make a request to the safe slaves {circle around (1)}, {circle around (2)}, and {circle around (3)} in this order to collect safety information from the three safe slaves in the same order.
Since the sequence of sending back a safety response from the safe slaves is fixed in one communication cycle, the safety response from the safe slave {circle around (1)} is transmitted comparatively quickly to the safe PLC, whereas the safety response from the safe slave {circle around (3)}, which is the last in one communication cycle, is transmitted late.
As the number of slaves (nodes) to be connected increases, the time for one communication cycle gets longer. The result is that the aforementioned maximum response time becomes longer. Consequently, in the same communication cycle, the data to be received first and the data to be received last have a larger time difference. Hence, when a safe system is designed, the maximum response time must always be taken into consideration.
On the other hand, when a danger (a failure or a dangerous factor) has actually been detected, it is ideal to perform safe control (output interruption) as soon as possible. To be more specific, when the safe system is designed by taking the maximum response time into consideration, if information about an abnormality (danger) can be reported early in one communication cycle, the time elapsed between the report and the maximum response time becomes longer (safe margin becomes larger), so as to carry out the safety function more securely and to make fail-safe work with a sufficient amount of time, thereby shifting the system to the safe side and stopping the operation.
However, the communication inside the network is under the control of the PLC side which is the master, so it has been impossible for the conventional system to make the slave which has detected a danger transmit safety information early in one communication cycle. In other words, the PLC cannot know there is a slave in an abnormal (dangerous) condition until it receives safety information (the presence of a danger) from all the slaves. Therefore, all it can do is to acquire safety information from the slaves in turn in accordance with the predetermined rule (the sequence of node addresses, for example).
This invention has an object of providing a safe network system, safe slaves, and a communication method which can inform the master (controller) and other devices of the occurrence of an abnormality (a danger) detected by a safe slave or the like as soon as possible.