WO2024038747A1 - Processing device - Google Patents

Publication number
WO2024038747A1
Authority
WO
WIPO (PCT)
Prior art keywords
program
output
processing device
cpu
execution
Prior art date
Application number
PCT/JP2023/027446
Other languages
French (fr)
Japanese (ja)
Inventor
靖啓 衣笠
康之 田中
Original Assignee
パナソニックIpマネジメント株式会社
Priority date
Filing date
Publication date
Application filed by パナソニックIpマネジメント株式会社
Priority to CN202380013311.9A (patent CN117980885A)
Publication of WO2024038747A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/60 Software deployment
    • G06F8/65 Updates

Definitions

  • the present disclosure relates to a processing device that executes a program.
  • the processing device disclosed in Patent Document 1 includes an execution unit that executes a program, and a storage unit that stores a boot program, a copy program, and a control program.
  • a processing device such as that disclosed in Patent Document 1 may be installed in equipment or systems that have safety functions. In such a case, if all programs executed by the execution unit are made to comply with predetermined functional safety standards, the number of steps and costs for program development will increase.
  • the present disclosure has been made in view of these points, and its purpose is to reduce the man-hours and cost of program development while ensuring the safety of equipment and systems in which the processing device is installed.
  • to achieve the above object, the present disclosure provides a processing device including an execution program storage unit that stores a first program and a second program that starts the first program, and an execution unit that executes the first and second programs.
  • the processing device further includes an output unit that outputs a processing result of the execution unit, and a watchdog timer that resets the output of the output unit when a period in which a predetermined signal is not received exceeds a predetermined period.
  • the second program causes the execution unit to execute an output opening operation of transmitting the predetermined signal to the watchdog timer at a predetermined period, and an output cutoff operation of stopping the output opening operation before starting the first program.
  • when the first program is executed, the output of the output unit is reset by the watchdog timer, so even if the processing device goes out of control due to execution of the first program, the output of the output unit is not affected and the safety of the equipment or system in which the processing device is installed is not compromised. Therefore, the first program does not have to conform to a predetermined functional safety standard in order to ensure the safety of the equipment or system in which the processing device is installed, so the man-hours and cost of program development can be reduced.
  • FIG. 1 is a block diagram showing the configuration of a robot system.
  • FIG. 2 is a block diagram showing the configuration of the robot control system.
  • FIG. 3 is a block diagram showing the configuration of a duplex processing device according to an embodiment of the present disclosure.
  • FIG. 4 is a flowchart showing the operation of each processing section of the duplex processing device when the power is turned on.
  • FIG. 1 shows the configuration of a robot system 1.
  • This robot system 1 includes a plurality of robots 11, a plurality of area sensors 12, a plurality of lamps 13, a plurality of robot control systems 14, and a safety PLC (programmable logic controller) 17.
  • each robot 11 has nine motors 111 and nine encoders 112 that respectively detect and output the position of the rotation axis of the corresponding motor 111.
  • illustration of some motors 111 and encoders 112 is omitted.
  • Each robot 11 is a six-axis robot having six rotary joints; six of the nine motors 111 are motors that rotate the rotary joints, and three motors 111 are motors for external axes (not shown).
  • Each area sensor 12 is provided for each robot 11.
  • the area sensor 12 outputs a detection result indicating whether or not a person is within the working range of the robot 11.
  • Each lamp 13 is also provided for each robot 11.
  • Each robot control system 14 is also provided for each robot 11.
  • Each robot control system 14 includes a teach pendant 15 and a robot controller 16.
  • the teach pendant 15 includes an input section 151, an operation input board 152, and a TP side communication board 153.
  • the input unit 151 receives an input operation by a user and outputs an operation signal according to the input operation.
  • the operation input board 152 generates operation input information based on the operation signal output by the input unit 151, and transmits it using the communication method specified in IEC61784-3.
  • the TP side communication board 153 receives the operation input information transmitted by the operation input board 152, and transmits it to the robot controller 16 via the communication medium M.
  • the robot controller 16 includes a sensor input board 161, a monitoring board 162, a notification board 163, a main control board 164, a motor control section 165, and nine amplifiers 166.
  • the sensor input board 161 generates sensor input information indicating the detection results output by the external area sensor 12. Further, the sensor input board 161 receives an on/off signal indicating whether to turn on/off the lamp 13 from the notification board 163, and causes the lamp 13 to blink based on the on/off signal.
  • the monitoring board 162 generates and outputs, based on the outputs of the nine corresponding encoders 112, monitoring information indicating whether or not the safety conditions are satisfied, namely that the positions (angles) of the rotation axes of the nine motors 111 that rotate the rotary joints are within the safety range and that the speeds of the rotation axes of the nine motors 111 are below the speed limit.
  • the monitoring board 162 also refers to a notification signal (described later) output by the notification board 163, and outputs a stop signal to the amplifier 166 if the notification signal is at a low level.
  • the notification board 163 can execute a reception process of receiving operation input information, sensor input information, and monitoring information, and a notification signal output process of generating a notification signal regarding the robot 11 based on this information and outputting it to the outside. Specifically, for example, the notification board 163 sets the notification signal to low level when the safety conditions are not satisfied, when a person is within the working range of the robot 11, when an input operation to stop the robot 11 has been performed, or when a request to stop the robot 11 is received from the safety PLC 17. On the other hand, when the safety conditions are satisfied, no person is within the working range of the robot 11, no input operation to stop the robot 11 has been performed, and no request to stop the robot 11 has been received from the safety PLC 17, the notification board 163 sets the notification signal to high level.
  • the main control board 164 transmits the operation input information transmitted from the TP side communication board 153 to the notification board 163.
  • the motor control unit 165 controls the nine motors 111 by controlling the nine amplifiers 166.
  • the amplifier 166 stops the motor 111 when the monitoring board 162 outputs a stop signal.
  • the amplifier 166 can rotate the motor 111 under the control of the motor control unit 165 when the monitoring board 162 does not output a stop signal.
  • Transmission and reception of signals (information) between the operation input board 152 and the notification board 163 is performed using a communication method defined in IEC61784-3 (black channel communication protocol).
  • the TP side communication board 153, the main control board 164, and the wiring connecting both boards 153 and 164 constitute a so-called black channel.
  • Transmission and reception of signals (information) between the monitoring board 162 and the notification board 163 and between the sensor input board 161 and the notification board 163 are also performed using a communication method defined in IEC61784-3.
  • when the notification board 163 outputs a low-level notification signal, the safety PLC 17 requests, for example, the robot control systems 14 corresponding to all the robots 11 to stop the robots 11. This stop request may, if necessary, be made only to the robot control systems 14 corresponding to some of the robots 11. A device other than the safety PLC 17 may have the function of requesting the robot 11 to stop based on the notification signal.
  • the operation input board 152, the sensor input board 161, the monitoring board 162, and the notification board 163 are each equipped with the duplex processing device 200 shown in FIG. 3.
  • the duplex processing device 200 includes first and second processing sections 200a and 200b.
  • the first processing unit 200a includes a first execution program storage unit 201a, a first CPU (Central Processing Unit) 203a as an execution unit, a first output unit 204a, and a first watchdog timer (WDT) 205a.
  • the second processing unit 200b includes a second execution program storage unit 201b, a second CPU 203b as an execution unit, a second output unit 204b, and a second watchdog timer (WDT) 205b.
  • the first and second execution program storage units 201a and 201b each store a boot program as a second program, a control program, and a rewriting program as a first program.
  • the boot program and the control program conform to functional safety standards such as IEC61508, and the rewriting program does not conform to functional safety standards.
  • the boot program is executed by the corresponding CPUs 203a and 203b when the power is turned on.
  • the boot program determines whether there is an abnormality in the control program using a method such as a sum check, and if there is an abnormality, starts a rewriting program, and if there is no abnormality, starts the control program.
  • the boot program and the control program cause the corresponding CPUs 203a and 203b to always execute an output opening operation that transmits the predetermined signal to the corresponding watchdog timer 205a and 205b at a predetermined period.
  • the boot program causes the corresponding CPUs 203a and 203b to execute an output cutoff operation that stops the output opening operation before starting the rewrite program.
  • the rewriting program receives a new program from the main control board 164, and executes a rewriting process of rewriting the control program stored in the corresponding execution program storage unit 201a, 201b to the received new program by the corresponding CPU 203a, 203b.
  • the first CPU 203a executes the boot program, control program, and rewrite program stored in the first execution program storage unit 201a, and obtains processing results.
  • the second CPU 203b executes the boot program, control program, and rewrite program stored in the second execution program storage unit 201b, and obtains processing results.
  • the first and second CPUs 203a, 203b each determine whether the calculated value obtained by executing the program matches the calculated value output by the other CPU 203a, 203b.
  • the calculated value may be, for example, a processing result output to the corresponding output unit 204a, 204b, or may be a calculated value obtained in the calculation process up to obtaining the processing result. If the calculated value obtained by the CPU 203a, 203b matches the calculated value obtained by the other CPU 203a, 203b, the first and second CPUs 203a, 203b synchronize and continue processing; if they do not match, the robot 11 is stopped.
  • the first CPU 203a stops outputting when notified of an abnormality from the second watchdog timer 205b.
  • the second CPU 203b stops outputting when notified of an abnormality from the first watchdog timer 205a.
  • the first output unit 204a outputs the processing result of the first CPU 203a.
  • the second output unit 204b outputs the processing result of the second CPU 203b.
  • the first watchdog timer 205a resets the output of the first output unit 204a and notifies the second CPU 203b of the abnormality.
  • the second watchdog timer 205b resets the output of the second output section 204b and notifies the first CPU 203a of the abnormality.
  • in the operation input board 152, the first and second CPUs 203a and 203b obtain operation input information as a processing result.
  • in the sensor input board 161, the first and second CPUs 203a and 203b acquire sensor input information as a processing result.
  • in the monitoring board 162, the first and second CPUs 203a and 203b obtain monitoring information as a processing result.
  • in the notification board 163, the first and second CPUs 203a and 203b obtain notification signals as processing results.
  • FIG. 4 shows the operation of each processing section 200a, 200b of the duplex processing device 200 when the power is turned on.
  • the first CPU 203a reads the boot program from the first execution program storage unit 201a and starts executing it. When the first CPU 203a starts executing the boot program, it starts an output opening operation of transmitting the predetermined signal to the first watchdog timer 205a at a predetermined period.
  • the first CPU 203a determines whether there is an abnormality in the control program. The presence or absence of an abnormality is checked using a method such as a sum check.
  • if the first CPU 203a determines that there is no abnormality, it starts executing the control program in (S13), whereas if it determines that there is an abnormality, it proceeds to the process of (S14).
  • the first CPU 203a executes an output cutoff operation to stop the output opening operation. That is, the first CPU 203a stops transmitting the predetermined signal to the first watchdog timer 205a. Thereafter, when the period in which the predetermined signal is not received exceeds a predetermined period, in (S15), the first watchdog timer 205a resets the output of the first output section 204a and also notifies the second CPU 203b of the abnormality, thereby stopping the output of the second CPU 203b.
  • the first CPU 203a then waits for notification of the abnormality from the second watchdog timer 205b. Thereafter, the first CPU 203a receives the abnormality notification from the second watchdog timer 205b, confirms that the output of the second CPU 203b has stopped, and proceeds to the process of (S16). In (S16), the first CPU 203a executes the rewriting program. That is, the first CPU 203a receives a new program from the main control board 164, and executes a rewriting process to rewrite the control program stored in the first execution program storage unit 201a with the received new program. This completes the operation at power-on.
  • the second processing unit 200b also performs the same operations as the first processing unit 200a in parallel and in synchronization with the operations of the first processing unit 200a.
  • the outputs of the first and second output units 204a and 204b are reset, so even if execution of the rewriting program causes the first and second CPUs 203a and 203b to go out of control, the outputs of the first and second output sections 204a and 204b are not affected, and the safety of the entire robot system 1 can be ensured.
  • the rewriting program does not have to conform to functional safety standards, and an existing program can be used as the rewriting program. Therefore, the number of man-hours and costs for developing the program executed by the duplex processing device 200 can be reduced.
  • the first and second CPUs 203a and 203b make the determination in (S12), and do not execute the control program if the control program is not normal. Therefore, even if the control programs stored in the first and second execution program storage units 201a and 201b become abnormal due to execution of the rewriting program, the safety of the robot system 1 can be ensured.
  • the present invention was applied to the duplex processing device 200 provided in the robot system 1, but it may be applied to processing devices provided in other devices.
  • the processing device of the present disclosure can reduce the man-hours and cost of program development while ensuring the safety of equipment and systems in which the processing device is installed, and is useful as a processing device that executes programs.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Quality & Reliability (AREA)
  • Numerical Control (AREA)
  • Debugging And Monitoring (AREA)

Abstract

A duplicated processing device 200 provided with a first CPU 203a for executing first and second programs is provided with a first output unit 204a for outputting a processing result of the first CPU 203a, and a first watchdog timer 205a for resetting the output of the first output unit 204a if a period in which a prescribed signal is not received exceeds a prescribed period. The second program is configured to cause the first CPU 203a to execute an output opening operation for transmitting the prescribed signal to the first watchdog timer 205a with a prescribed period, and an output interrupting operation for suspending the output opening operation before the first program is launched.

Description

Processing device
The present disclosure relates to a processing device that executes a program.
The processing device disclosed in Patent Document 1 includes an execution unit that executes a program, and a storage unit that stores a boot program, a copy program, and a control program.
Japanese Patent Application Publication No. 2003-122590
A processing device such as that disclosed in Patent Document 1 may be installed in equipment or systems that have safety functions. In such a case, if all programs executed by the execution unit are made to comply with predetermined functional safety standards, the man-hours and cost of program development increase.
On the other hand, if the execution unit is made to execute a program that does not comply with predetermined functional safety standards, there is a risk that the processing device will run out of control, output to the outside will become abnormal, and the safety of the equipment and system can no longer be ensured.
The present disclosure has been made in view of these points, and its purpose is to reduce the man-hours and cost of program development while ensuring the safety of equipment and systems in which the processing device is installed.
In order to achieve the above object, the present disclosure provides a processing device including an execution program storage unit that stores a first program and a second program that starts the first program, and an execution unit that executes the first and second programs, the processing device further including an output unit that outputs a processing result of the execution unit, and a watchdog timer that resets the output of the output unit when a period in which a predetermined signal is not received exceeds a predetermined period, wherein the second program causes the execution unit to execute an output opening operation of transmitting the predetermined signal to the watchdog timer at a predetermined period, and an output cutoff operation of stopping the output opening operation before starting the first program.
As a result, when the first program is executed, the output of the output unit is reset by the watchdog timer, so even if the processing device goes out of control due to execution of the first program, the output of the output unit is not affected and the safety of the equipment or system in which the processing device is installed is not compromised. Therefore, the first program does not have to conform to a predetermined functional safety standard in order to ensure the safety of the equipment or system in which the processing device is installed, so the man-hours and cost of program development can be reduced.
According to the present disclosure, it is possible to reduce the man-hours and cost of program development while ensuring the safety of equipment and systems in which the processing device is installed.
FIG. 1 is a block diagram showing the configuration of a robot system.
FIG. 2 is a block diagram showing the configuration of the robot control system.
FIG. 3 is a block diagram showing the configuration of a duplex processing device according to an embodiment of the present disclosure.
FIG. 4 is a flowchart showing the operation of each processing section of the duplex processing device when the power is turned on.
Hereinafter, embodiments of the present disclosure will be described in detail based on the drawings. The following description of preferred embodiments is merely exemplary in nature and is in no way intended to limit the invention, its applications, or its uses.
FIG. 1 shows the configuration of a robot system 1. This robot system 1 includes a plurality of robots 11, a plurality of area sensors 12, a plurality of lamps 13, a plurality of robot control systems 14, and a safety PLC (programmable logic controller) 17.
As shown in FIG. 2, each robot 11 has nine motors 111 and nine encoders 112 that respectively detect and output the position of the rotation axis of the corresponding motor 111. In FIG. 2, illustration of some motors 111 and encoders 112 is omitted. Each robot 11 is a six-axis robot having six rotary joints; six of the nine motors 111 are motors that rotate the rotary joints, and three motors 111 are motors for external axes (not shown).
Each area sensor 12 is provided for each robot 11. The area sensor 12 outputs a detection result indicating whether or not a person is within the working range of the robot 11.
Each lamp 13 is also provided for each robot 11.
Each robot control system 14 is also provided for each robot 11. Each robot control system 14 includes a teach pendant 15 and a robot controller 16.
The teach pendant 15 includes an input section 151, an operation input board 152, and a TP side communication board 153.
The input unit 151 receives an input operation by a user and outputs an operation signal according to the input operation.
The operation input board 152 generates operation input information based on the operation signal output by the input unit 151, and transmits it using the communication method specified in IEC61784-3.
The TP side communication board 153 receives the operation input information transmitted by the operation input board 152, and transmits it to the robot controller 16 via the communication medium M.
The robot controller 16 includes a sensor input board 161, a monitoring board 162, a notification board 163, a main control board 164, a motor control section 165, and nine amplifiers 166.
The sensor input board 161 generates sensor input information indicating the detection results output by the external area sensor 12. Further, the sensor input board 161 receives an on/off signal indicating whether to turn on/off the lamp 13 from the notification board 163, and causes the lamp 13 to blink based on the on/off signal.
The monitoring board 162 generates and outputs, based on the outputs of the nine corresponding encoders 112, monitoring information indicating whether or not the safety conditions are satisfied, namely that the positions (angles) of the rotation axes of the nine motors 111 that rotate the rotary joints are within the safety range and that the speeds of the rotation axes of the nine motors 111 are below the speed limit. The monitoring board 162 also refers to a notification signal (described later) output by the notification board 163, and outputs a stop signal to the amplifier 166 if the notification signal is at a low level.
The notification board 163 can execute a reception process of receiving operation input information, sensor input information, and monitoring information, and a notification signal output process of generating a notification signal regarding the robot 11 based on this information and outputting it to the outside. Specifically, for example, the notification board 163 sets the notification signal to low level when the safety conditions are not satisfied, when a person is within the working range of the robot 11, when an input operation to stop the robot 11 has been performed, or when a request to stop the robot 11 is received from the safety PLC 17. On the other hand, when the safety conditions are satisfied, no person is within the working range of the robot 11, no input operation to stop the robot 11 has been performed, and no request to stop the robot 11 has been received from the safety PLC 17, the notification board 163 sets the notification signal to high level.
The main control board 164 transmits the operation input information transmitted from the TP side communication board 153 to the notification board 163.
The motor control unit 165 controls the nine motors 111 by controlling the nine amplifiers 166.
The amplifier 166 stops the motor 111 when the monitoring board 162 outputs a stop signal. The amplifier 166 can rotate the motor 111 under the control of the motor control unit 165 when the monitoring board 162 does not output a stop signal.
Transmission and reception of signals (information) between the operation input board 152 and the notification board 163 is performed using a communication method defined in IEC61784-3 (black channel communication protocol). The TP side communication board 153, the main control board 164, and the wiring connecting both boards 153 and 164 constitute a so-called black channel. Transmission and reception of signals (information) between the monitoring board 162 and the notification board 163 and between the sensor input board 161 and the notification board 163 are also performed using a communication method defined in IEC61784-3.
When the notification board 163 outputs a low-level notification signal, the safety PLC 17 requests, for example, the robot control systems 14 corresponding to all the robots 11 to stop the robots 11. This stop request may, if necessary, be made only to the robot control systems 14 corresponding to some of the robots 11. A device other than the safety PLC 17 may have the function of requesting the robot 11 to stop based on the notification signal.
 操作入力用基板152、センサ入力用基板161、監視用基板162、及び通知用基板163は、それぞれ、図3に示す二重化処理装置200を搭載している。二重化処理装置200は、第1及び第2の処理部200a,200bを備えている。 The operation input board 152, the sensor input board 161, the monitoring board 162, and the notification board 163 are each equipped with the duplex processing device 200 shown in FIG. 3. The duplex processing device 200 includes first and second processing sections 200a and 200b.
The first processing unit 200a includes a first execution program storage unit 201a, a first CPU (Central Processing Unit) 203a as an execution unit, a first output unit 204a, and a first watchdog timer (WDT) 205a.
The second processing unit 200b includes a second execution program storage unit 201b, a second CPU 203b as an execution unit, a second output unit 204b, and a second watchdog timer (WDT) 205b.
The first and second execution program storage units 201a and 201b each store a boot program as a second program, a control program, and a rewriting program as a first program. The boot program and the control program conform to functional safety standards such as IEC61508; the rewriting program does not conform to functional safety standards. The boot program is executed by the corresponding CPU 203a, 203b when the power is turned on. The boot program determines whether there is an abnormality in the control program using a method such as a sum check, starts the rewriting program if there is an abnormality, and starts the control program if there is none. The boot program and the control program cause the corresponding CPU 203a, 203b to constantly execute an output opening operation that transmits the predetermined signal to the corresponding watchdog timer 205a, 205b at a predetermined period. However, the boot program causes the corresponding CPU 203a, 203b to execute an output cutoff operation, which stops the output opening operation, before starting the rewriting program. The rewriting program causes the corresponding CPU 203a, 203b to execute a rewriting process that receives a new program from the main control board 164 and rewrites the control program stored in the corresponding execution program storage unit 201a, 201b with the received new program.
The first CPU 203a executes the boot program, control program, and rewriting program stored in the first execution program storage unit 201a, and obtains processing results.
The second CPU 203b executes the boot program, control program, and rewriting program stored in the second execution program storage unit 201b, and obtains processing results.
The first and second CPUs 203a, 203b each determine whether the calculated value obtained by executing the program matches the calculated value output by the other CPU 203a, 203b. The calculated value may be, for example, a processing result output to the corresponding output unit 204a, 204b, or a value obtained in the course of the calculation leading up to the processing result. If the calculated value obtained by one CPU 203a, 203b matches the calculated value obtained by the other CPU 203a, 203b, the first and second CPUs 203a, 203b continue processing in synchronization; if they do not match, the CPUs stop the robot 11.
Furthermore, the first CPU 203a stops its output when notified of an abnormality by the second watchdog timer 205b.
Likewise, the second CPU 203b stops its output when notified of an abnormality by the first watchdog timer 205a.
The first output unit 204a outputs the processing result of the first CPU 203a.
The second output unit 204b outputs the processing result of the second CPU 203b.
When the period during which the predetermined signal is not received exceeds a predetermined period, the first watchdog timer 205a resets the output of the first output unit 204a and notifies the second CPU 203b of the abnormality.
When the period during which the predetermined signal is not received exceeds a predetermined period, the second watchdog timer 205b resets the output of the second output unit 204b and notifies the first CPU 203a of the abnormality.
For example, on the operation input board 152, the first and second CPUs 203a and 203b obtain operation input information as the processing result. On the sensor input board 161, the first and second CPUs 203a and 203b obtain sensor input information as the processing result. On the monitoring board 162, the first and second CPUs 203a and 203b obtain monitoring information as the processing result. On the notification board 163, the first and second CPUs 203a and 203b obtain the notification signal as the processing result.
FIG. 4 shows the operation of each processing unit 200a, 200b of the duplex processing device 200 when the power is turned on.
When the duplex processing device 200 configured as described above is powered on, in the first processing unit 200a, in (S11), the first CPU 203a reads the boot program from the first execution program storage unit 201a and starts executing it. Once it has started executing the boot program, the first CPU 203a starts the output opening operation of transmitting the predetermined signal to the first watchdog timer 205a at a predetermined period. Next, in (S12), the first CPU 203a determines whether there is an abnormality in the control program. The presence or absence of an abnormality is checked using a method such as a sum check. If the first CPU 203a determines that there is no abnormality, it starts executing the control program in (S13); if it determines that there is an abnormality, it proceeds to (S14). In (S14), the first CPU 203a executes the output cutoff operation, which stops the output opening operation. That is, the first CPU 203a stops transmitting the predetermined signal to the first watchdog timer 205a. Thereafter, when the period during which the predetermined signal is not received exceeds the predetermined period, in (S15), the first watchdog timer 205a resets the output of the first output unit 204a and notifies the second CPU 203b of the abnormality, thereby stopping the output of the second CPU 203b. The first CPU 203a then waits to be notified of an abnormality by the second watchdog timer 205b. When the first CPU 203a receives the abnormality notification from the second watchdog timer 205b, it confirms that the output of the second CPU 203b has stopped and proceeds to (S16). In (S16), the first CPU 203a executes the rewriting program. That is, the first CPU 203a receives a new program from the main control board 164 and executes the rewriting process of rewriting the control program stored in the first execution program storage unit 201a with the received new program. This completes the operation at power-on.
The second processing unit 200b performs the same operations as the first processing unit 200a, in parallel and in synchronization with the operations of the first processing unit 200a.
While the first and second CPUs 203a and 203b are executing the rewriting program, the outputs of the first and second output units 204a and 204b are held in reset. Therefore, even if the first and second CPUs 203a and 203b run out of control as a result of executing the rewriting program, the outputs of the first and second output units 204a and 204b are not affected, and the safety of the entire robot system 1 can be ensured. As a result, the rewriting program does not have to conform to functional safety standards in order to ensure the safety of the entire robot system 1, and an existing program can be reused as the rewriting program. The man-hours and cost of developing the programs executed by the duplex processing device 200 can therefore be reduced.
Furthermore, the first and second CPUs 203a and 203b make the determination in (S12) and do not execute the control program if it is not normal. Therefore, even if execution of the rewriting program leaves the control programs stored in the first and second execution program storage units 201a and 201b in an abnormal state, the safety of the robot system 1 can be ensured.
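The power-on sequence (S11) to (S16) described above can be modelled as a small C simulation. This is an added example, not code from the patent: the tick-based timeout, the 8-byte image with a trailing additive checksum, the simplification that both channels take the same branch, and all identifiers are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WDT_TIMEOUT_TICKS 3 /* assumed value for the "predetermined period" */
#define IMG_LEN 8           /* assumed image size; last byte is the checksum */

typedef enum { STARTED_CONTROL, RAN_REWRITE, REWRITE_REFUSED } boot_result_t;

typedef struct channel {
    uint8_t store[IMG_LEN];  /* execution program storage unit 201a/201b */
    unsigned silent_ticks;   /* watchdog timer 205a/205b */
    bool kicking;            /* output opening operation in progress */
    bool output_enabled;     /* output unit 204a/204b */
    bool peer_fault;         /* abnormality notified by the other channel's WDT */
    struct channel *peer;
} channel_t;

/* S12: additive sum check over the stored control program. */
static bool image_ok(const uint8_t *img) {
    uint8_t sum = 0;
    for (size_t i = 0; i + 1 < IMG_LEN; i++) sum += img[i];
    return sum == img[IMG_LEN - 1];
}

/* One watchdog tick: on timeout, reset own output and notify the other CPU. */
static void wdt_tick(channel_t *c) {
    if (c->kicking) { c->silent_ticks = 0; return; }
    if (++c->silent_ticks > WDT_TIMEOUT_TICKS) {
        c->output_enabled = false;
        c->peer->peer_fault = true;
    }
}

/* Power-on sequence S11..S16 for both channels running in lockstep. */
boot_result_t power_on(channel_t *a, channel_t *b, const uint8_t *new_img) {
    channel_t *ch[2] = { a, b };
    a->peer = b; b->peer = a;
    for (int i = 0; i < 2; i++) {                  /* S11: start kicking the WDT */
        ch[i]->kicking = ch[i]->output_enabled = true;
        ch[i]->peer_fault = false; ch[i]->silent_ticks = 0;
    }
    if (image_ok(a->store) && image_ok(b->store))  /* S12 */
        return STARTED_CONTROL;                    /* S13 */
    a->kicking = b->kicking = false;               /* S14: output cutoff */
    while (!(a->peer_fault && b->peer_fault)) {    /* S15: wait for both WDTs */
        wdt_tick(a); wdt_tick(b);
    }
    if (a->output_enabled || b->output_enabled)    /* never rewrite with live outputs */
        return REWRITE_REFUSED;
    memcpy(a->store, new_img, IMG_LEN);            /* S16: rewriting process */
    memcpy(b->store, new_img, IMG_LEN);
    return RAN_REWRITE;
}
```

The property worth checking in a real design is the one the final guard encodes: the non-compliant rewriting code is reached only after both outputs have been reset by hardware, not merely after the boot program has asked for it.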
Note that in the above embodiment, the present invention was applied to the duplex processing device 200 provided in the robot system 1, but it may also be applied to processing devices provided in other equipment.
The processing device of the present disclosure can reduce the man-hours and cost of program development while ensuring the safety of the equipment or system in which the processing device is installed, and is useful as a processing device that executes programs.
200 Duplex processing device
201a First execution program storage unit
201b Second execution program storage unit
203a First CPU (execution unit)
203b Second CPU (execution unit)
204a First output unit
204b Second output unit
205a First watchdog timer
205b Second watchdog timer

Claims (3)

  1. A processing device comprising:
     an execution program storage unit that stores a first program and a second program that starts the first program; and
     an execution unit that executes the first and second programs,
     the processing device further comprising:
     an output unit that outputs a processing result of the execution unit; and
     a watchdog timer that resets the output of the output unit when a period during which a predetermined signal is not received exceeds a predetermined period,
     wherein the second program causes the execution unit to execute an output opening operation that transmits the predetermined signal to the watchdog timer at a predetermined period, and an output cutoff operation that stops the output opening operation before the first program is started.
  2. The processing device according to claim 1,
     wherein the first program causes the execution unit to execute a rewriting process of rewriting a program stored in the execution program storage unit with a new program.
  3. The processing device according to claim 2,
     wherein the second program is a boot program executed by the execution unit when power is turned on.
PCT/JP2023/027446 2022-08-19 2023-07-26 Processing device WO2024038747A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202380013311.9A CN117980885A (en) 2022-08-19 2023-07-26 Processing device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2022131321 2022-08-19
JP2022-131321 2022-08-19

Publications (1)

Publication Number Publication Date
WO2024038747A1 true WO2024038747A1 (en) 2024-02-22

Family

ID=89941517

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2023/027446 WO2024038747A1 (en) 2022-08-19 2023-07-26 Processing device

Country Status (2)

Country Link
CN (1) CN117980885A (en)
WO (1) WO2024038747A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2010186220A (en) * 2009-02-10 2010-08-26 Nisca Corp Apparatus and method for monitoring microprocessor
JP2013029939A (en) * 2011-07-27 2013-02-07 Kyocera Document Solutions Inc Control device
JP2016218864A (en) * 2015-05-22 2016-12-22 日本精工株式会社 Reset method for processor, reset program for processor, electronic control device having microcontroller loaded with program, motor driving system having electronic control device, and machine tool having motor driving system

Also Published As

Publication number Publication date
CN117980885A (en) 2024-05-03

Similar Documents

Publication Publication Date Title
JP2010003081A (en) Arithmetic processing unit multiplexing control system
JP2019128638A (en) Duplex control system
WO2024038747A1 (en) Processing device
KR20190029977A (en) A control system for device and process for operationg the control system
KR102030461B1 (en) Multi-Processors error detection system and method thereof
JP6149393B2 (en) Communication coupler, information processing apparatus, control method, and program
US10083138B2 (en) Controller, bus circuit, control method, and recording medium
US11526137B2 (en) Operation verification program, operation synchronization method, and error detection apparatus
JP3233274B2 (en) Microcomputer program reboot method and program reboot device
CN109070348B (en) System and method for controlling a robot
WO2024075556A1 (en) Processor and control system comprising same
JP5575086B2 (en) Electronic control unit
JP2024016475A (en) Processor for notification, and control system provided with the same
JPS63224446A (en) Communication system
KR20190136997A (en) Facilities monitoring system and communication method for facilities monitoring system
WO2024070540A1 (en) Control system
KR102262090B1 (en) Apparatus and method for duplexing input of plc
WO2021065185A1 (en) Motor control device, and motor control system
JPH02281343A (en) Cpu operation monitor system
JP2004070393A (en) Remote shutdown method
KR20170106797A (en) Plc module and plc system for firmware multiple download and method for firmware multiple download using the same
JP6540142B2 (en) Baseboard Management Controller, Information Processing System, and Baseboard Management Controller Processing Execution Method
JP4214974B2 (en) Communication data block transmission method
JP2738788B2 (en) Data communication device
JP2004341995A (en) Remote control device

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 202380013311.9

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23854782

Country of ref document: EP

Kind code of ref document: A1