1. Field of the Invention
The present invention relates to a safety controller mounted in a service robot, transportation equipment, and the like to ensure functional safety, and particularly to a safety controller using a computer system.
2. Description of Related Art
Service robots are required to ensure functional safety by constantly monitoring a safety state using an external sensor and a self-diagnosis device and by executing appropriate safety control logic upon detecting some risk.
IEC 61508 has been established as an international standard for functional safety of the service robots described above as well as systems which operate on an electrical principle, such as transportation equipment. In IEC 61508, a system provided to ensure functional safety is called a safety-related system. IEC 61508 defines various techniques for constructing the safety-related system using hardware, such as a microprocessor and a PLC (Programmable Logic Controller), and a computer program (software). The use of techniques defined in IEC 61508 makes it possible to construct the safety-related system using a computer system.
Meanwhile, in recent years, the throughput of programmable electronic devices, such as a microprocessor, has been improved. Accordingly, various application programs are executed in parallel on a computer system by using a multitask OS (Operating System), thereby enabling integration of computer systems which are mounted in equipment, such as a service robot and a vehicle, for various purposes.
International Patent Publication No. WO 2012/104901, for example, discloses a technique for causing an application program related to ensuring of functional safety (hereinafter, referred to as “safety-related application”) and another application program (hereinafter, referred to as “non-safety-related application”) to run on a computer system by allocating the application programs to separate time partitions.
International Patent Publication No. WO 2012/104901 also discloses a technique in which a carrier interrupt is generated in synchronization with a cycle of a carrier signal for use in PWM control of an actuator to be controlled, and time partitions are switched upon generation of the interrupt. This enables control in synchronization with a control cycle of a control target.
Furthermore, International Patent Publication No. WO 2012/104901 discloses a technique in which a plurality of carrier signals with shifted phases is generated by a plurality of transmitters, to thereby shorten the interval of generating carrier interrupts and obtain a finer resolution of time partitions (time interval for switching time partitions). This leads to a reduction in delay of controlling the control target.
As described above, according to the technique disclosed in International Patent Publication No. WO 2012/104901, a plurality of carrier signals with shifted phases causes multiple carrier interrupts, which trigger switching of time partitions, to be generated, thereby shortening the time interval of switching time partitions and speeding up the control in synchronization with the control cycle of the control target. However, the applicant of the present invention has found the following problems inherent in the technique.
First, description is made assuming that an operation is performed as illustrated in FIG. 12 of the present application during a normal operation. FIG. 12 shows an example in which two carrier signals having the same cycle and phases shifted from each other by a half cycle are output from two transmitters. Accordingly, in this case, the carrier interrupt which is generated every one cycle of one carrier signal (illustrated as “carrier interrupt 1”) and the carrier interrupt which is generated every one cycle of the other carrier signal (illustrated as “carrier interrupt 2”) are generated alternately at regular intervals.
On the other hand, FIG. 13 of the present application illustrates a first case which poses a problem. FIG. 13 shows an example in which a failure occurs in one or both of the transmitters and the output timing of one or both of the carrier signals is shifted. In such a case, the generation timing of each of “carrier interrupt 1” and “carrier interrupt 2” is also shifted, so that the carrier interrupts are not generated at regular intervals. In this case, time partitions are not switched at regular intervals. This causes a problem that the lengths of the time partitions are set at non-regular intervals and processing related to control of the control target is not carried out as scheduled. For example, it is impossible to execute all scheduled processing within a shortened time partition.
Next, FIG. 14 of the present application illustrates a second case which poses a problem. FIG. 14 shows an example in which a failure occurs in one of the transmitters and one of the carrier signals is not output. In this case, one of the carrier interrupts, i.e., “carrier interrupt 2”, is not generated, and only “carrier interrupt 1” is generated, at an interval twice as long as the expected interval. In this case, the interval of switching time partitions is doubled. This causes a problem that the length of each time partition is doubled and processing related to control of the control target is not carried out as scheduled. For example, the processing ends up being executed behind schedule.
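The following Python simulation is an added illustration, not part of the patent text: it reproduces the interrupt timelines of FIG. 12 (normal), FIG. 13 (one carrier signal shifted) and FIG. 14 (one carrier signal missing), merges the two interrupt trains as the partition-switching trigger, and checks each resulting time-partition length against the expected half cycle. The function names, the numeric period, the delay value and the tolerance are assumptions chosen for the demonstration.

```python
from itertools import chain


def carrier_interrupts(period, phase, count, delay=0.0, missing=False):
    """Timestamps of the carrier interrupt raised once per cycle of one carrier
    signal. `delay` models a transmitter whose output timing is shifted (FIG. 13);
    `missing` models a transmitter that outputs no carrier signal (FIG. 14)."""
    if missing:
        return []
    return [phase + delay + period * k for k in range(count)]


def partition_switch_intervals(*interrupt_trains):
    """Every carrier interrupt from any transmitter switches the time partition,
    so the merged, time-ordered interrupt train defines the partition lengths."""
    times = sorted(chain.from_iterable(interrupt_trains))
    return [later - earlier for earlier, later in zip(times, times[1:])]


def check_partition_lengths(intervals, expected, tolerance):
    """Indices of time partitions whose length deviates from the scheduled length,
    i.e. partitions in which scheduled processing is shortened or delayed."""
    return [i for i, length in enumerate(intervals)
            if abs(length - expected) > tolerance]


def scenario(period=1.0, count=4, delay2=0.0, missing2=False):
    """Two carriers with the same cycle and a half-cycle phase shift (constructed
    values). Returns the partition lengths and the indices of irregular ones."""
    ci1 = carrier_interrupts(period, 0.0, count)
    ci2 = carrier_interrupts(period, period / 2, count, delay2, missing2)
    intervals = partition_switch_intervals(ci1, ci2)
    irregular = check_partition_lengths(intervals, period / 2, 1e-9)
    return intervals, irregular


if __name__ == "__main__":
    for name, kwargs in [("FIG. 12 normal", {}),
                         ("FIG. 13 shifted", {"delay2": 0.2}),
                         ("FIG. 14 missing", {"missing2": True})]:
        lengths, bad = scenario(**kwargs)
        print(name, [round(x, 3) for x in lengths], "irregular:", bad)
```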
The use of one carrier interrupt generation source (a transmitter and a carrier interrupt generation circuit) eliminates the difference between the output states of two carrier signals as described above and prevents the occurrence of a deviation in the timing of generating carrier interrupts due to the difference. However, the time interval of switching time partitions cannot be shortened, which results in deterioration of the high-speed control in synchronization with the control cycle of the control target.
The present invention has been made based on the above findings, and it is an object of the present invention to provide a safety controller and a safety control method which are capable of further improving the safety while maintaining the high-speed control of the control target.