1. Field of the Invention
The present invention relates to an input device of a safety unit, suitable as an input means of a safety unit such as a safety controller or a remote safety terminal.
2. Description of the Related Art
A variety of safety controllers have been developed as awareness of work safety has grown. A safety controller secures high reliability by incorporating a self-diagnostic function for safety in addition to the logic operation function and I/O control function found in a general programmable controller (PLC). If an abnormality is detected as a result of the self-diagnosis, the safety controller compulsorily controls to the safe side so as to prevent its own control from leading to danger. More specifically, safety as mentioned here includes conformance to a specified safety standard. The standards include, for example, IEC61508, the EN standard and the like. IEC61508 (the International Electrotechnical Commission standard concerning functional safety of programmable electronic systems) defines a probability of dangerous failure per hour (probability of failure per hour) and classifies the safety integrity level (SIL) into four stages depending on this probability. The EN standard evaluates the seriousness of the risk of a machine and obligates risk reduction measures, and EN954-1 stipulates five safety categories. The safety controller of the present invention meets any one of these safety standards.
A safety control system in which a safety controller 2 and a safety slave 1 are connected by a network 3, as shown in FIG. 11, has long been well known. The safety slave 1 secures high reliability by incorporating a self-diagnostic function for both input and output in addition to the same functions as a slave in an ordinary PLC. The safety controller 2 has a communication master function for communicating with the safety slave 1 through the network and is sometimes called a safety master. The safety slave 1 is sometimes called a remote safety terminal and has a network communication function (a slave function controlled by the master) that works with the communication master function of the safety controller 2. The safety slave has a connection terminal, to which at least one of an input device, such as a switch that outputs an ON/OFF signal, and an output device, which is the output destination of a control signal, is connected. (FIG. 11 shows an input device as an example, with an emergency stop switch SW connected, but a light curtain, door switch, two-hand switch and the like can also be connected. The output device is not shown; output devices include a safety relay, a contactor and the like.) These input devices and output devices meet the safety standards. The safety slave generates control data based on a signal input from a connected safety application device and transmits the generated control data to the safety controller through the network. The safety slave also receives control data from the safety controller by communicating with the safety controller through the network.
Then, the safety controller 2 receives, through network communication, the input signal of an input device as input from the safety slave 1, executes a logical operation on the ON/OFF state of the input signal according to a previously stored logic program, and outputs an output signal based on the result of the logical operation to the safety slave 1 through network communication. The safety slave outputs the output signal to an output device. By executing this series of operations repeatedly, the safety controller controls the entire system. The communication cycle between the safety controller 2 and the safety slave 1 may be synchronous with the repetitive execution cycle of the safety controller or may be asynchronous. The output device is connected to an operating robot, processing machine, cutting tool or the like; when the safety relay of the output device or a contact point of the contactor is ON, the operating robot is actuated, and when the contact point is OFF, the operating robot is stopped. The safety controller controls the operating robot or the like as a control object by controlling ON/OFF of the output device. That is, if the safety controller 2, while controlling a control object (not shown) via the safety slave through communication, is notified that the emergency stop switch SW has been operated properly, it turns OFF the output device, or compulsorily controls the status to the safe side, so as to take the necessary safety measure immediately and prevent the control object from taking a dangerous action.
Further, if the safety controller, while controlling a control object (not shown), receives a diagnostic result indicating that the emergency stop switch SW or another input device (not shown) has an error, it turns OFF the output device, or compulsorily controls the status to the safe side, to stop the operation of the control object, regardless of whether the emergency stop switch SW is operated or the input device is turned ON/OFF, so as to take the necessary safety measure immediately and prevent the control object from taking a dangerous action.
In the master/slave type safety control system shown in FIG. 11, in which the safety controller is the communication master station and the safety slave is a communication slave station, if the self-diagnostic function of the safety slave 1 produces a diagnostic result indicating that an input terminal, to which a safety application switch (SW) meeting the safety standard is connected, has an error, one of several countermeasures is selectively adopted on the safety slave side in order to secure the safety of operation on the safety master side.
A first countermeasure on the safety slave side is to compulsorily set the value of the control data (input data whose safety is ensured) that corresponds to the terminal and is to be transmitted to the safety master 2 to OFF (“LOW”), and to transmit OFF (“LOW”) to the safety controller 2. A second countermeasure is to block erroneous control data from being transmitted to the safety controller by shutting down communication through the network.
According to the first countermeasure, if the safety slave 1 side diagnoses that the safety application switch (SW) has an error, the value of the control data corresponding to the safety application switch (SW) is compulsorily set to the OFF (“LOW”) status in the same way as when the safety application switch is pressed. Consequently, the safety controller 2 side receiving the control data can take the necessary safety measure immediately.
However, according to the first countermeasure, when the value of the control data is in the OFF (“LOW”) status, the safety master 2 side cannot determine whether it is OFF (“LOW”) because the safety application switch (SW) was actually pressed or because it was compulsorily set to that status after the diagnostic result indicated that an error exists. The safety master side receiving the control data therefore cannot take a sufficiently appropriate countermeasure, and restoring the system afterwards takes time and labor. The reason is that, even when the system is stopped because the emergency stop switch SW was pressed properly, it cannot be automatically determined whether the system stopped because the emergency stop switch was pressed properly or because of a trouble. It is thus impossible to discriminate whether nothing but releasing the emergency stop switch is required or whether it is necessary to check for an error, so a check becomes necessary every time and system restoration takes time each time the system stops.
According to the second countermeasure, the safety slave 1 side shuts down communication. Because no data is received on the safety master side, the value of the control data corresponding to the safety application switch (SW) on the safety master 2 side is compulsorily set to the OFF (“LOW”) status in the same way as when the safety application switch is pressed, so the safety controller 2 side can immediately take the necessary safety measure for the system.
However, the second countermeasure has the problem that the reason cannot be investigated until the error history is read out after the system has stopped, so system restoration work takes time. The reason is that it is impossible to automatically determine whether the system stopped because the emergency stop switch SW was pressed properly or because the system is in trouble. It is thus impossible to discriminate whether nothing but releasing the emergency stop switch is required or whether it is necessary to remove the cause of an error in the network, so a check becomes necessary every time and system restoration takes time each time the system stops.
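The ambiguity described for both countermeasures can be reproduced with a small model of one input terminal. This is an added example, not code from the patent or from any product: the type and function names, the six-cycle run and the event at cycle 3 are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added illustration: every name here is hypothetical, not from the patent. */
#define CYCLES 6
typedef enum { EV_NONE, EV_SWITCH_PRESSED, EV_TERMINAL_FAULT } event_t;
typedef enum { CM_FORCE_OFF = 1, CM_SHUT_COMM = 2 } countermeasure_t;
typedef struct { bool sent; bool input_on; } frame_t; /* sent=false: nothing on the wire */

/* Safety slave: control data for one input terminal in one communication cycle. */
frame_t slave_cycle(bool pressed, bool fault, countermeasure_t cm) {
    frame_t f = { true, !pressed };       /* a pressed switch reads OFF ("LOW") */
    if (fault) {
        if (cm == CM_FORCE_OFF) f.input_on = false; /* first countermeasure */
        else f.sent = false;              /* second: shut down communication */
    }
    return f;
}

/* Safety master: value its logic program sees; missing data is forced to OFF. */
bool master_input(frame_t f) { return f.sent ? f.input_on : false; }

/* Per-cycle output state as '1'/'0'; the event starts at cycle `at`. */
void run_scenario(event_t ev, countermeasure_t cm, int at, char trace[CYCLES + 1]) {
    for (int c = 0; c < CYCLES; c++) {
        bool active = ev != EV_NONE && c >= at;
        frame_t f = slave_cycle(active && ev == EV_SWITCH_PRESSED,
                                active && ev == EV_TERMINAL_FAULT, cm);
        trace[c] = master_input(f) ? '1' : '0'; /* output ON only while input ON */
    }
    trace[CYCLES] = '\0';
}

/* True when the master-side traces of two events cannot be told apart. */
bool indistinguishable(event_t a, event_t b, countermeasure_t cm) {
    char ta[CYCLES + 1], tb[CYCLES + 1];
    run_scenario(a, cm, 3, ta);
    run_scenario(b, cm, 3, tb);
    return strcmp(ta, tb) == 0;
}

int main(void) {
    for (int cm = CM_FORCE_OFF; cm <= CM_SHUT_COMM; cm++)
        printf("countermeasure %d: press vs. fault indistinguishable = %d\n", cm,
               indistinguishable(EV_SWITCH_PRESSED, EV_TERMINAL_FAULT, (countermeasure_t)cm));
    return 0;
}
```

Under either countermeasure the value seen by the master's logic program follows the same trace for a proper press and for a terminal fault, which is why the cause of the stop has to be checked by hand during restoration.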