1. Field of the Invention
The present invention relates to a high-reliability safety relay system suited for use, for example, to drive a target load only if a plurality of input conditions concerning safety check, etc., all hold.
2. Description of the Related Art
Safety apparatus are used in many fields where safety measures are necessary. For example, machine tools, pressing machines, robots, packing machines, elevators, and the like are used at manufacturing locations, and various safety measures are necessary to protect workers from such machines and apparatus. For example, when an anomaly occurs, power supply to the machine is cut off, thereby stopping the mechanical operation to secure the safety of workers. To construct such a system, a safety relay apparatus is used.
The safety relay apparatus opens and closes electrical contacts to control energization. Some safety relay apparatus, for example, contain a plurality of relays each with a forcible guide and also include a self-holding function, duplexing of relay contacts, a back check function based on relay NC contacts, a heterostructure, and the like. A relay with a forcible guide is a relay of the type in which, when one normally open (NO) contact is welded, a different normally closed (NC) contact is open in the coil non-excitation state, and when one normally closed contact is welded, a different normally open contact is open in the coil excitation state (for example, JP-A-11-162317). The self-holding function is intended to keep the system from restarting when safety information is entered, for example by operating an emergency stop switch, and the state is then restored (reset). The duplexing of relay contacts is also called redundancy: because contacts are provided in parallel, if one contact is welded, the function can still be provided by another contact provided in parallel. The back check function based on relay NC contacts detects a failure, such as contact welding, of a relay or a contactor by checking the contact state. The heterostructure (diversity structure) combines different types of members so that, even if trouble such as a bug occurs in a specific member, trouble peculiar to that type does not occur in the other members at the same time, and the function can therefore be provided by another member.
In recent years, the number of countries and regions in which safety measure standards are a legal requirement has increased, and demand has grown particularly for safety relay apparatus or systems whose specifications comply with such standards. Safety standards such as ISO, IEC, EN, and JIS are defined according to the targets and regions they cover. In particular, demands for machine safety have been heightened by the “guidelines for comprehensive safety standard of machines” notified by the Ministry of Health, Labour and Welfare in June 2001, by ISO12100, and by the schedule for incorporating ISO12100 into JIS. For example, to receive certification of category 4, the highest safety level based on EN954-1, a European standard concerning machine safety, a redundant structure, a heterostructure, continual self-inspection of data for maintenance of circuitry or parts, and the like are required.
FIG. 9 shows a configuration example of a system for stopping a machine with one safety component to secure safety. The safety component is an element for sending a command for cutting off power supply to any desired machine upon reception of specific operation to secure safety of workers. For example, it corresponds to output of an emergency stop button for the worker to stop the operation of a drive motor for a tooling change, teaching, or adjustment of a machine, output of a safety door switch for detecting a safety door being released to allow the worker to enter the work area of a machine, output of a light curtain for optically detecting the worker approaching a dangerous area, or the like. A safety component 1 is used with a safety output unit 2 for implementing a safety relay apparatus in combination to make up a safety circuit. A safety component switch 3 of normally closed break type is connected to the safety circuit shown in FIG. 9. When the safety circuit is closed, the safety output unit 2 determines that the state is normal, and closes a relay 4 for maintaining power supply to the connected machine. On the other hand, if the safety circuit is opened as the safety component switch 3 is operated manually by the worker or the user or is operated according to output of a sensor, etc., the safety output unit 2 determines that the state is unsafe, and releases the relay 4 for cutting off power supply to the connected machine to stop the operation thereof.
To provide the system with redundancy, a dual-redundant safety circuit made up of two safety circuits is formed as shown in FIG. 9, and when the safety component switch 3 is operated, both safety circuits are opened. Accordingly, if one of the safety circuits becomes defective or fails due to contact welding, etc., the other safety circuit still functions, so that the machine can be stopped. Further, self-inspection is performed, whereby an anomaly such as contact welding can be detected and the accumulation of failures can be prevented. The system also adopts a heterostructure to prevent the same defect from occurring in both circuits at the same time.
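The relay behaviour described above (forcible guide, self-holding, back check on the NC contacts, two redundant channels) can be modelled as follows. This is an added illustration, not part of the patent text; the class names, the separate start input, and the rule that the load is powered only while both relays' NO contacts are closed are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class ForciblyGuidedRelay:
    coil: bool = False        # True while the coil is excited
    no_welded: bool = False   # injected fault: NO contact welded shut

    @property
    def no_closed(self) -> bool:
        return self.coil or self.no_welded

    @property
    def nc_closed(self) -> bool:
        # Forcible guide: the NC contact cannot close while the NO contact
        # is closed, whether by coil excitation or by welding.
        return not self.coil and not self.no_welded


class SafetyOutputUnit:
    """Hypothetical two-relay output unit fed by a dual-channel safety input."""

    def __init__(self) -> None:
        self.k1 = ForciblyGuidedRelay()
        self.k2 = ForciblyGuidedRelay()

    @property
    def load_powered(self) -> bool:
        # Assumption: the load needs both NO contacts closed.
        return self.k1.no_closed and self.k2.no_closed

    def update(self, ch1_closed: bool, ch2_closed: bool, start: bool = False) -> bool:
        if not (ch1_closed and ch2_closed):
            # Either safety circuit open: release both relays.
            self.k1.coil = self.k2.coil = False
        elif start and self.k1.nc_closed and self.k2.nc_closed:
            # Back check passed: both relays are verifiably released.
            self.k1.coil = self.k2.coil = True
        # Otherwise keep the present state (self-holding: no automatic restart).
        return self.load_powered


def run_scenario() -> list:
    """Constructed sequence: start, K1 welds, e-stop, release, restart attempt."""
    unit = SafetyOutputUnit()
    log = [unit.update(True, True), unit.update(True, True, start=True)]
    unit.k1.no_welded = True                       # fault while running
    log.append(unit.update(False, False))          # e-stop: K2 still cuts power
    log.append(unit.update(True, True))            # e-stop released: stays off
    log.append(unit.update(True, True, start=True))  # back check blocks restart
    return log
```

The welded contact does not prevent the stop, because the second relay still opens, and it is caught at the next start attempt because the NC contact of the welded relay never closes.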
To make the apparatus or system compliant with the various standards described above, including EN954-1, it is necessary to duplex the circuitry for handling safety information and to provide a self-check function, and the circuit design generally becomes complicated. On the other hand, even if the system is configured so that the safety state can be checked by duplexing the circuitry, etc., the cause, location, etc., of an accident cannot be detected or determined when the system goes down unless some further measure is taken. Since the cause of the accident needs to be removed to recover the system, it is desirable that the cause and the location of the accident can be detected so that the system can be recovered early. Thus, a circuit for outputting or displaying various pieces of information for facilitating safety check and danger detection may be added to an input unit to which a safety component is connected or to a safety output unit to which a safety relay is connected. For example, detailed information concerning safety information, such as the state of the safety component and error information, can be added so that trouble, etc., can be determined easily.
However, if such detailed information concerning safety information is used as safety input, the circuit for handling the information also requires duplexing, self-check, and similar facilities for safety, and the circuitry becomes still more complicated; this is a problem. If a design change occurs in the system, the safety system must be designed again to respond to the change, and the job is extremely intricate. Construction of a system that satisfies the conditions for receiving standard certification is urgently required, particularly under the present circumstances in which great importance tends to be placed on certification under the various safety standards, as the safety standards become legal requirements and demands for safety measures have grown in recent years.