Method of operating a conveyor arrangement
The method enhances conveyor arrangement reliability by using zone controllers with integrity checks for interzone messages, addressing the issue of incorrect or malicious communications to prevent operational errors and ensure secure, efficient operation.
Patent Information
- Authority / Receiving Office
- WO · WO
- Patent Type
- Applications
- Current Assignee / Owner
- INTERROLL HLDG
- Filing Date
- 2025-12-19
- Publication Date
- 2026-06-25
AI Technical Summary
Conveyor arrangements are prone to malfunctions due to the transmission of incorrect or malicious messages, which can lead to operational errors and inefficiencies, especially under varying loads or faulty device data conditions.
Implementing a method that includes zone controllers with integrity checks for interzone messages, using verification details generated based on a predefined policy, to ensure only authentic messages are processed, thereby enhancing communication security and reliability.
The method improves the reliability and efficiency of conveyor arrangements by preventing erroneous message processing and reducing the risk of malfunctions, ensuring secure and timely local zone control operations.
Smart Images

Figure EP2025088353_25062026_PF_FP_ABST
Abstract
Description
[0001] Method of operating a conveyor arrangement
[0002] Technical field
[0003] The invention refers to a method of operating a conveyor arrangement and a zone controller adapted to control a conveyor zone within a conveyor arrangement.
[0004] Background of the invention
[0005] Conveyor arrangements of the generic type are disclosed in US 2004 / 186615 A1 , WO 2025 / 002878 A1 (published after the priority date of the present application), WO 2024 / 149872 A1 , WO 2023 / 117521 A1 , and WO 2023 / 247237 A1.
[0006] In such a conveyor arrangement comprising a plurality of separate conveyor zone, the operation depends on signals issued from a large plurality of devices. In particular signals of presence sensor in a first conveyor zone have a significant influence on the operation of second, neighboring conveyor zones. A risk is, that messages containing wrong information may led to significant malfunctions of the conveyor arrangement.
[0007] CA 3 073 549 C discloses a method for secure data communication in which messages are encoded by converting N-bit input segments into N-bit output segments using a 2AN-by-2AN one-to-one mapping (permutation matrix). The context of this disclosure is cryptographic protection of data streams against brute-force attacks and quantum computing threats, primarily in general-purpose communication networks and loT environments. While such encoding techniques increase complexity for unauthorized decryption, they do not inherently prevent the transmission of falsified or maliciously generated messages. An encoded message can still be fabricated and injected into a communication channel, and the encoding process itself does not contribute to reliably verifying the sender’s identity or the operational authenticity of the message.
[0008] Summary of the invention
[0009] It is the object of the present invention to avoid malfunctions within a conveyor arrangement, in particular to enable a reliable operation of a conveyor arrangement so that local zone control operations are made reliably and on time, even under varying loads, congestion, or faulty received device data, while minimizing shutdowns and misrouting. The invention comprises a method, a zone controller and a conveyor arrangement according to the main claims; embodiments are subject of the subclaims and the description.
[0010] In an embodiment, a method of operating a conveyor arrangement includes multiple conveyor zones arranged sequentially. Each conveyor zone is adapted to convey an object from an inlet
[0011] - 1 -
[0012] 20251219 24040PWO text.docx to an outlet. The method involves multiple zone controllers, each controlling one or more conveyor zones. Optionally, a central controller is provided, which provides control commands to the zone controllers. A first data connection links the zone controllers and optionally the central controller. Multiple device controllers control field devices such as actuators and sensors within the conveyor zones. Each device controller connected to exactly one zone controller forms with said zone controller a zone control group. A sending zone controller sends an interzone message to a receiving zone controller. A device controller issues device information and thereby sending it to the zone controller of the same zone control group. The sending zone controller generates the interzone message based on the device information. The receiving zone controller performs an integrity check of the received interzone message.
[0013] This method improves the reliability and efficiency of the conveyor arrangement.
[0014] In an embodiment, during the integrity check, it is verified that the received interzone message originates from a verified sending zone controller. This verification process enhances the security and integrity of the communication between zone controllers, preventing erroneous messages.
[0015] In an embodiment, the integrity check is performed with the help of verification details contained in the received interzone message. Using verification details ensures that only authentic messages are processed, reducing the risk of errors and improving system reliability.
[0016] In an embodiment, the sending zone controller adds a verification detail to the interzone message, which is intended to be used by the receiving zone controller for performing the integrity check. Adding verification details to messages further strengthens the security and authenticity of the communication between zone controllers.
[0017] In an embodiment, the verification detail is separate from a sender and / or recipient identification contained in the interzone message.
[0018] The term verification detail in particular refers to a data element generated by the sending zone controller according to a predefined generation policy. This element may be appended to each interzone message and serves exclusively for integrity verification by the receiving zone controller. The verification detail may be distinct from sender identification and recipient identification and does not include operational instructions or object-related data. Its sole purpose may be to enable the receiving zone controller to authenticate the origin and integrity of the message using a verification database, thereby preventing acceptance of falsified or malicious messages.
[0019] - 2 -
[0020] 20251219 24040PWO text.docx In an embodiment, an inventive zone controller is adapted to control a conveyor zone within a conveyor arrangement includes a central processing unit, at least one memory, a first communication section to communicate with other zone controllers, and a second communication section to communicate with device controllers within the conveyor zone. The zone controller is adapted to perform an integrity check of an interzone message received by the zone controller, based on verification details contained in the interzone message.
[0021] This design ensures robust and secure communication within the conveyor arrangement, enhancing overall system performance and reliability.
[0022] In an embodiment, the zone controller comprises a message integrity check section performing the integrity check. Having a dedicated section for integrity checks improves the efficiency and accuracy of message verification, contributing to the system's security.
[0023] In an embodiment, the integrity check section comprises a check unit and a verification database. The check unit performs the integrity check based on verification information stored in the verification database. This structure allows for efficient and reliable verification of messages, ensuring that only valid communications are processed.
[0024] In an embodiment, the zone controller includes a verification detail generator that generates a verification detail. The zone controller adds the generated verification detail to an interzone message sent by the conveyor zone to another conveyor zone. Generating and adding verification details to messages enhances the security and authenticity of communications within the conveyor arrangement.
[0025] In an embodiment, the verification detail generator comprises a generation unit and a policy database. The generation unit generates the verification detail based on a detail generation policy stored in the policy database. Using a policy-based approach for generating verification details ensures consistency and security in message verification.
[0026] In an embodiment, the zone controller is adapted to control a conveyor zone within a conveyor arrangement. The conveyor arrangement includes multiple conveyor zones arranged sequentially, each adapted to convey an object from an inlet to an outlet. Multiple zone controllers control the operation of the conveyor zones. A central controller provides control commands to the zone controllers. A first data connection links the zone controllers and the central controller. Multiple device controllers control field devices such as actuators and sensors within the conveyor zones. Each device controller is connected to exactly one zone controller, forming a zone control group. A sending zone controller sends an interzone message to a receiving zone controller. An issuing device controller issues device information
[0027] - 3 -
[0028] 20251219 24040PWO text.docx and thereby sends it to the zone controller of the same zone control group. The sending zone controller generates the interzone message based on the device information.
[0029] In an embodiment, a conveyor arrangement includes multiple conveyor zones arranged sequentially, each adapted to convey an object from an inlet to an outlet. The arrangement includes multiple zone controllers as described above or which are adapted to control the operation of the conveyor zones as described above a central controller providing control commands to the zone controllers, a first data connection linking the zone controllers and the central controller, and multiple device controllers controlling field devices such as actuators and sensors within the conveyor zones. Each device controller is connected to exactly one zone controller, forming a zone control group. A sending zone controller sends an interzone message to a receiving zone controller. An issuing device controller issues device information and sends it to the zone controller of the same zone control group. The sending zone controller generates the interzone message based on the device information.
[0030] The advantages or further embodiments and features of subclaims, relating the method are also applicable to the claimed controller and vice versa.
[0031] Brief description of the drawings
[0032] An example embodiment of the invention is described in more detail with the help of the figures; herein show fig. 1 a conveyor zone in perspective view having a first embodiment light barrier; fig. 2 a basic conveyor arrangement; fig. 3 a schematic representation of the controls structure within an inventive conveyor arrangement in a first situation; fig. 4 a schematic representation of the controls structure within the inventive conveyor arrangement in a second situation; fig. 5 a schematic representation of a zone controller of the control structure within the inventive conveyor arrangement; fig. 6 a schematic representation of a interzone message communicated within the inventive conveyor arrangement.
[0033] Detailed description of the invention
[0034] Figure 1 shows an exemplary conveyor zone 2, comprising several conveyor rollers 3 which are driven together. For this purpose, one of the conveyor rollers 3 is designed as a motor- driven conveyor roller 3M, in particular a motorized roller 3M. The motor-driven conveyor roller 3M is driven in particular by a three-phase motor arranged in the motorized conveyor roller
[0035] - 4 -
[0036] 20251219 24040PWO text.docx 3M. Via one or more drive connectors 3C, e.g. a drive belt, the conveyor rollers 3 of a conveyor zone 2 are drive-connected to each other and are jointly driven by the motor-driven conveyor roller 3M. An object 9 is linearly conveyed from an inlet I to an outlet O along a conveying direction d.
[0037] By means of a presence sensor 5, the presence of a conveyed object 9 arranged within the conveyor zone 2 can be determined. The presence sensor 5 thereby generates a sensor signal S5, which is connected via a signal line (not shown) to a local zone controller 12 presented further below. In the present embodiment the presence sensor 5 is a light barrier. Other detection technologies are applicable as well.
[0038] The conveyor rollers 3 and the presence sensor 5 are attached to a common support frame 6. The conveyor rollers 3 of several conveyor zones 2 can be attached to a common support frame 6.
[0039] The motor-driven conveyor rollers 3M are each controlled by at least one or a plurality of local zone controllers 12. A single zone controller 12 can control the motor-driven conveyor rollers 3M of several conveyor zones 2. A plurality of local zone controllers 12 are arranged in a conveyor arrangement 1 (figure 2), which communicate with each other via a data connection 18.
[0040] Figure 2 shows a basic conveyor arrangement 1 , where conveyor zones 2a... e as described previously are used. A plurality of zone controllers 12 control the operation of the conveyor zones 2. A central controller 11 (e.g. programmable logic control) may be provided to control the overall operation of the conveyor arrangement 1.
[0041] Scanners (not shown), such as QR code scanners or barcode scanners, may be arranged along at least some of the conveyor zones 2 and provide identification data relating to objects 9 passing the scanner in the conveyor zones 2. The central controller 11 has access to an object database (not shown), which provides destination data based on the identification of the objects 9. Based on the acquired data the central controller 11 provides operation instructions to a local zone controller 12, on how to handle the object 9, i.e. to which of a plurality of outlets O said object 9 is to be conveyed. To change the direction of an object a zone can be equipped with a transfer device 4 comprising a transfer controller 14. Such a transfer device is shown in EP 3222 564 B1 (in this document and figure the transfer device is marked with the reference sign “20”)
[0042] For the proper operation it is not required that each conveyor zone is equipped with an own scanner for identifying the object located in each conveyor zone. As a consequence, some
[0043] - 5 -
[0044] 20251219 24040PWO text.docx conveyor zones, usually one of the most upstream zones, are provided merely with a scanner. In contrast thereto, in an embodiment all or nearly all of the conveyor zones 2 may be equipped with a presence sensor
[0045] In an alternative embodiment, as described in European patent application 22 180 381.0, the central controller 11 is an object data broker, to which the local zone controllers 12 are also connected. The data broker provides destination data related to the identified objects 9 and the zone controllers 12 are adapted to control operation of the zones based on the provided destination data. For the purpose of the present invention the provision of a PLC is not required.
[0046] In particular the local zone controllers 12 control the motor-driven conveyor rollers 3M in such a way that the successively approaching conveyed objects 9 do not collide with each other. The control takes place in such a way that essentially only one conveyed object 9 is present per conveyor zone 2. However, slight overlaps may occur. For example, an upstream conveyed object 9b located on an upstream conveyor zone 2c may already enter a downstream conveyor zone 2d even though the downstream conveyed object 9a has not yet left this downstream conveyor zone 2d completely.
[0047] Alternatively, the position of the objects within the zones are accurately tracked by considering the conveying speed, so that also more than one object can be located with in one zone. In this case, the gaps between two objects are controlled, to avoid that the objects do not collide with each other (see-non published European patent application EP24208395.4).
[0048] In the example of figure 2, the presence sensor 5 located within zone 2d (see arrow P1) provides timing information, which is relevant for determining a time, when an object will arrive at the transfer device 4 the downstream conveyor zone 2e (see arrow P2).
[0049] The presence sensor 5 has a sensor controller 15, which is in data contact with one the zone controllers 12. The motorized roller 3M has a motor controller 13, which is in data contact with one the zone controllers 12. The transfer device 4 has a transfer controller 14, which is in data contact with one of the other zone controllers 12.
[0050] The conveyor zones 2 each are controlled by a local zone controller 12 as shown in figure 1 or 2, in particular wherein one local zone controller 12 may be adapted to control the operation of more than one conveyor zone 2.
[0051] Figure 3 shows a control network 10 which is used to control a conveyor arrangement in main similar to the arrangement as shown in figure 2. Reference is made to the description above.
[0052] - 6 -
[0053] 20251219 24040PWO text.docx The plurality of zone controllers 12 are connected to each other and to the central controller 11 by means of a first data bus 18.
[0054] The different zone controllers 12 are connected to individual device controller 13, 14, 15, such as
[0055] - a roller controller 13 of a roller 3,
[0056] - a transfer controller 14 of a transfer device 4,
[0057] - a sensor controller 15 of a presence sensor 5 or any other kind of sensor, such as a identification scanner (not shown),
[0058] - any other actuating device.
[0059] The zone controller 12 may be connected to each of the device controller 13, 14, 15 by means of a second data bus 19, as shown in figure 3 for the first and second zone controller 12a. 12b.
[0060] Via the first data bus 18, also a detachable maintenance computer 17 for maintenance of the zone controller 12 may be connected from time to time to the zone controller 12 via a connector 18C in the first data bus 18.
[0061] Alternatively the zone controller 12 is connected to the device controller by a direct digital or analogous direct connection. As an example the zone controller 12c and 12d each are connected to the presences sensor controllers 15 by means of a direct sensor data line 15L. As another example the zone controller 12d is connected to the motor controllers 13 by means of a direct motor control line 13L.
[0062] Each zone controller 12a..d forms with the device controllers 13, 14, 15 a zone control group C1..C4. In particular the zone controller 12 of the zone control group form the connection between device controllers 13, 14, 15 of said zone control group and the first data bus 18.
[0063] So each zone control group C1..C4 necessarily comprises exactly one zone controller 12 and at least one, in particular a plurality of, device controller 13, 14, 15 connected to the zone controller 12. The device controller 13, 14, 15 of a certain zone control group are not connected to a zone controller 12 of another zone control group than the certain zone control group.
[0064] As described previously with reference to figure 2 there may be a first situation, where the second zone controller 12b of the second zone control group C2 is controlling the operation of the transfer device 4. The transfer controller 14 of said transfer device 4 is part of the second zone control group C2. Thereby the second zone controller 12b sends out a command to the transfer controller 14 within the same second zone control group C2. For controlling the operation of the respective transfer device 4, the second zone controller 12 requires an
[0065] - 7 -
[0066] 20251219 24040PWO text.docx information from the upstream zones, in particular a timing information. In this particular example, the required information comprises a timing information, from which the second zone controller can determine the time, when the object will enter the zones controlled by the second zone control group C2 from the zone controlled by the first zone control group C2.
[0067] This timing information is based on a first device information 11 issued by an upstream sensor controller 15 marked with arrow P1 in figure 3. This first device information may comprise a time when an object has passed the respective presence sensor. The sensor controller 15, which is issuing this first device information 11. This sensor controller 15 is part of the other first zone control group C1.
[0068] Since there is no direct data connection between the second zone controller 12b of the second zone control group C1 and the sensor controller 15 of the first zone control group C1 , the zone 12 controller of different zone control groups C1..C4 are adapted to exchange interzone messages M between each other to provide data between each other.
[0069] It is to be noted, that the first information may be nothing more than a sensor ON I sensor OFF signal. This signal usually does not provide a reliable information, when an object will enter a certain zone. The zone controller may also include a further information about a travel speed, which originates from a motor controller 13 (see arrow P1a) in figure 3.
[0070] In the present example the first zone controller 12a of the first zone control group C1 sends a first interzone message M1 to the second zone controller 12b of the second zone control group C2 containing the timing information, which is based on the first device information 11 issued by the sensor controller 15 indicated with arrow P1 in figure 3. Based on the first interzone message M1 the second zone controller 12b can determine the point in time, when an object is entering the conveyor zones controlled by the second zone control group C2 and in particular the area of the transfer device 4, which is controlled by said transfer controller 14 within the second zone control group C2.
[0071] In a second situation a second object is to be conveyed from a conveyor zone of the second zone control group C2 (arrow P2 points to the motor controller 13 controlling the motor of this zone) into a downstream conveyor zone. Arrow P3 points to the motor controller 13 controlling the motor of this downstream zone, which is already located within the third zone control group C3.
[0072] In this second situation, a third object (blocking object) is blocking the most upstream conveyor zone controlled by the third zone control group C3. In said second situation a sensor controller 15 (see arrow P3 in figure 3) of this most upstream conveyor zone within the third zone control
[0073] - 8 -
[0074] 20251219 24040PWO text.docx group C3 issues a permanent “occupied” signal as a second information 12. In this situation this sensor controller 15 is considered as an example for an issuing device controller according to the claims.
[0075] The third zone controller 12c of the third zone control group C2 sends a second message M2 to the second zone controller 12b of the second zone control group C2, containing an information, that the most upstream zone within the third zone control group C3 is not in a condition to receive any further objects from the zone upstream of said zone (within the second zone control group C2). As a consequence, the second zone controller 12b instructs the motor controller 15 marked with arrow P2 to stop the connected drive motor. As a consequence the second object is prevented to be conveyed by into the next conveyor zone.
[0076] The above two situations depict, that zone controllers 12 within a certain zone control group (e.g. zone control group C2) requires data from a separate zone control group (e.g. zone control group C1 or C3), which is based on an information 11, I2, issued by a issuing device controller 13, 14, 15 of said separate zone control group (e.g. zone control group C1 or C3).
[0077] The message M1 , M2 exchanged from a sending zone controller 12a, 12c to a receiving zone controller 12b, where the sending zone controller 12a, 12c and the receiving zone controller 12b belongs to separate zone control groups, via the first bus connection 18 are called interzone messages M1 , M2.
[0078] In general and according to the present disclosure, an interzone messages M1, M2 comprise information which is based on information provided by an issuing device controller 13, 14, 15, which belongs to same zone control group as the sending zone controller 12b.
[0079] As described above the interzone messages based on information issued by an issuing device controller, is crucial for the proper operation of the conveyor arrangement.
[0080] As can be apparent from, the information transported by said interzone message can cause significant malfunction to the operation of the conveyor arrangement, in case that a certain zone controller follows an information contained in a message which is not intended for this certain zone controller.
[0081] Figure 4 shows another situation where a malicious attacker 8 is trying disturb the proper operation of the conveying arrangement. Here the malicious attacker continuously sends out fake messages M2F over the first bus connection 18, which comprise in main the same content as the second interzone message M2, as described in the situation of figure 3.
[0082] - 9 -
[0083] 20251219 24040PWO text.docx Now the second zone controller 12b gets permanently a notification by said second fake message M2F, which message falsely states that the first conveyor zone within the third zone control group C3 is not in a condition to receive a further object. By continuously sending this second fake message F2M, the malicious attacker 8 can shut down the proper operation of conveyor arrangement since no object can pass the transition between the most downstream zone of the second zone control group and the first zone of the third zone control group C3.
[0084] It is apparent, that there are numerous other possibilities how faked interzone messages can significantly disturb the proper operation. As another example, just small deviations in the timing information can lead to the result, that the transfer 4 is not working properly and objects are conveyed on wrong paths leading to incorrect destinations.
[0085] The invention proposes a possibility to reduce the risk of malfunctions within the conveyor arrangement of figure 3 which may be based on incorrectly delivered interzone messages.
[0086] Figure 5 shows a zone controller 12 of the conveyor arrangement 10 of figures 3 and 4 in more detail. The zone controller 12 has central processing unit (CPU) 12, a RAM and a boot section. A first communication section 128 is communication interface to the first data bus 18, where a bus connecting cable can be plugged into first communication socket 128S. A second communication section 129 is a communication interface 129 to all the device controllers of the same zone control group attached to the zone controller, where connecting cables can be plugged into second communication socket 129S to connect said device controllers.
[0087] An internal bus 120 connects the CPU 121, the RAM 122, the permanent memory 123 and the communication sections 128, 129 with each other.
[0088] The interzone message M1, M2 as well as a fake interzone message F2M are communicated via the first data bus 18 and are received by the first communication section 128. Details of the content of an interzone message are shown in figure 6. The exemplary interzone message comprises
[0089] - a sender identification Ms, indicating the sending zone controller;
[0090] - a recipient identification Mr, indicating the zone controller, for which the information is intended to receive;
[0091] - a message body, containing the main information in view of the conveying operation;
[0092] - a verification detail, the purpose of which is described below.
[0093] For assessing the integrity of a message M1 , M2 or for separating the first and second interzone message M1, M2 from a fake message M2F, the zone controller 12 comprises a message integrity check section 127. When the first communication section 128 receives an
[0094] - IQ -
[0095] 20251219 24040PWO text.docx interzone message M1, M2, the first communication section 128 sends a verification request to the message integrity check section 127. The message integrity check section 127 checks the integrity of said interzone message and provides a positive or a negative check result to the first communication section 128. Only in case of a positive check result, the received interzone message is further processed, so that the content is communicated via the internal bus 120 to the CPU and the memories, otherwise the message is deleted or no or not further processed. In an embodiment, a report can be issued for the case, that a non-verified message has been identified; now measures against a malicious attacker can be initiated. In another embodiment any other section of the zone controller may communicate with the integrity check section 127.
[0096] As an example the message integrity check section 127 uses thereby the verification detail Md of the interzone message M2 to be checked. It is to be noted, that the verification detail Md is separate to the simple sender identification Ms and / or the recipient identification Mr of said interzone message. For performing the integrity check, the message integrity check section has a check unit 127A and a verification database 127B. The check unit 127A receives the verification details Md attached in said interzone message from said first communication section 128 and compares the verification details Md with a verification information Mi of a positive list stored within in the verification database 127B.
[0097] The zone controller 12 as a sending zone controller comprises a verification detail generator 126. When the first communication section 128 intends to send a new interzone message M, the first communication section 128 requests verification details Md from the verification detail generator 126 and subsequently adds that verification details Md provided by said verification detail generator 126 to the interzone message M to be sent. For generating the verification details, the verification detail generator 126 has a generation unit 126A and a policy database 126B. The generation unit 126a generates the verification detail Md based on a detail generation policy Mp stored in said policy database 126B.
[0098] The verification detail generator 126 can be made integral with the integrity check section 127.
[0099] The only gate to access the verification database 127B is the check unit 127A. The only gate to access the policy database 126B is the generation unit 126A.
[0100] To avoid any misuse and attacks, the check unit 127A and the generation unit 126A have merely a limited scope of functionalities, and can merely send out very limited responses based on queries from the first communication section 128. Accordingly, the message integrity check section 127 and the verification detail generator 126 are designed in a manner that it is not possible to get direct data access to the content of databases 127B, 126B from outside of the message integrity check section 127 and the verification detail generator 126. As a
[0101] - 11 -
[0102] 20251219 24040PWO text.docx consequence, it is not possible for a malicious attacker 8 to access (write and / or read access) to the content of the verification database 127B for the matter of stealing or amending the identifier information (see crossed-out line X2 in figure 5) or the generation policy Mp (see crossed-out line X1 in figure 5) . Accordingly, the attack fails due to lack of access. In contrary case, where the attacker would have access to the verification information Mi within the verification database 127B or the details generation policy Mp within the policy database 126B, the attacker 8 could add respective verification details Md to his fake message M2F, making it impossible for the first communication section 128 to detect the fake character of the fake message M2F.
[0103] - 12 -
[0104] 20251219 24040PWO text.docx List of reference signs
[0105] 1 conveyor arrangement
[0106] 2 conveyor zone
[0107] 3 conveyor roller
[0108] 3M motor-driven conveyor roller
[0109] 3C drive connector
[0110] 4 transfer device
[0111] 5 presence sensor
[0112] 6 support frame
[0113] 7 identification scanner (e.g. barcode reader)
[0114] 8 malicious attacker
[0115] 9 object to be conveyed
[0116] 10 control arrangement
[0117] 11 central controller
[0118] 12 zone controller
[0119] 13 motor controller
[0120] 13L motor control line
[0121] 14 transfer controller
[0122] 15 sensor controller
[0123] 15L sensor data line
[0124] 17 maintenance computer, detachable
[0125] 18 first data bus
[0126] 18C connector in first data bus line
[0127] 19 second data bus
[0128] C1..C4 zone control group
[0129] M1 ,2 interzone message
[0130] Ms sender identification in interzone message
[0131] Mr recipient identification in interzone message
[0132] Md verification details in interzone message
[0133] Mi verification information in verification database
[0134] Mp detail generation policy in policy database
[0135] Mb message body in interzone message
[0136] 11,2 device information
[0137] 120 internal bus
[0138] 121 CPU
[0139] - 13 -
[0140] 20251219 24040PWO text.docx 122 RAM
[0141] 123 permanent memory
[0142] 126 verification detail generator
[0143] 126A generation unit
[0144] 126B policy database
[0145] 127 message integrity check section
[0146] 127A check unit
[0147] 127B verification database
[0148] 128 first communication section
[0149] 128S first communication socket
[0150] 129 second communication section
[0151] 129S second communication socket d conveying direction
[0152] S5 sensor signal (of presence sensor)
[0153] - 14 -
[0154] 20251219 24040PWO text.docx
Claims
Claims1. Method of operating a conveyor arrangement (1), the conveyor arrangement comprising,- a plurality of conveyor zones (2) arranged one behind the other, each conveyor zone (2) is adapted to convey an object (9) from an inlet (I) of said conveyor zone (2) to an outlet (O) of said conveyor zone (2),- a plurality of zone controllers (12) each adapted to control the operation of one or more of said conveyor zones (2);- in particular a central controller (11), adapted to provide control commands to the zone controller (12);- a first data connection (18), connecting the zone controllers (12), and in particular the central controller (11), with each other;- a plurality of device controllers (13, 14, 15) each adapted to control at least one or a plurality of field devices such as actuators (3, 4) and / or sensors (5) within said conveyor zones (2), each of the device controllers (13, 14, 15) are connected to a, in particular exactly one, zone controller (12), wherein the device controller (13, 14, 15) attached to one of said zone controller (12) form together with said zone controller (12) a zone control group (C1...C4); wherein one of said zone controller (12) is a sending zone controller (12a, 12c) , which sends an interzone message (M1, M2) to a receiving zone controller (12b) of the plurality of zone controller (12); wherein one of said device controllers (13, 14, 15) is an issuing device controller (13, 14, 15), which issues a device information (11 , I2) and sends said device information (11 , I2) to the zone controller (12) of the same zone control group (C2..C4); wherein the sending zone controller (12a, c) generates the interzone message (M1, M2) based on said device information (11 , I2) issued by the issuing device controller of the same zone control group (C1..C4) of said sending zone controller (12a, c); characterized in that the receiving zone controller (12b) performs an integrity check of the received interzone message (M1, M2).- 15 -20251219 24040PWO text.docx2. Method according to the preceding claim, wherein during the integrity check, it is verified, that the received interzone message (M1, M2) originates from a verified sending zone controller (12a,c).
3. Method according to any of the preceding claims, wherein the integrity check is performed with the help of verification detail (Md), which is contained the received interzone message (M1, M2).
4. Method according to any of the preceding claims, wherein the sending zone controller (12a, c) adds a verification detail (Md) to the interzone message (M1 , M2), which is intended to be used by the receiving zone controller (12b) for performing the integrity check.
5. Method according to claim 3 or 4, wherein the verification detail (Md) is separate to a sender and / or recipient identification (Ms, Mr) contained in the interzone message (M1 , M2).
6. Zone controller (12) adapted to control a conveyor zone within a conveyor arrangement (1), the zone controller comprising:- a central processing unit (121)- at least one memory (122, 123), in particular a RAM and / or a permanent memory (123)- a first communication section (128) adapted to communicate with other zone controllers;- a second communication section adapted to communicate with a device controller (13, 14, 15) of a field device (3, 4, 5) within the conveyor zone controlled by said zone controller (12); wherein the zone controller (12) is adapted to perform an integrity check of an interzone message (M1 , M2) received by said zone controller (12), in particular based on verification detail contained in said interzone message (M1 , M2).
7. Zone controller (12) according to the preceding claim, wherein the zone controller (12) comprises a message integrity check section (127) performing said integrity check.- 16 -20251219 24040PWO text.docx8. Zone controller (12) according to the preceding claim, the integrity check section (127) comprises a check unit (127A) and a verification database (127B), wherein the check unit (127A) is adapted to perform said integrity check based on verification information (Mi) stored in said verification database (127B).
9. Zone controller (12) according to any of claims 6 to 8, wherein the zone controller (12) comprises a verification detail generator (126) generating a verification detail (Md) and the zone controller (12) is adapted to add said generated verification detail (Md) to an interzone message, sent by the conveyor zone to another conveyor zone (2).10 Zone controller (12) according to the preceding claim, wherein the verification detail generator (126) comprises a generation unit (126A) and a policy database (126B); wherein the generation unit (126A) is adapted to generate said verification detail (Md) based on a detail generation policy (Mp) stored in said policy database (126B).
11. Zone controller (12) according to any of claims 6 to 10, wherein the zone controller is adapted to control a conveyor zone within a conveyor arrangement (1), wherein the conveyor arrangement comprises- a plurality of conveyor zones (2) arranged one behind the other, each conveyor zone (2) is adapted to convey an object (9) from an inlet (I) of said conveyor zone (2) to an outlet (O) of said conveyor zone (2),- a plurality of said zone controllers (12) each adapted to control the operation of one or more of said conveyor zones (2);- in particular a central controller (11), adapted to provide control commands to the zone controller (12);- a first data connection (18), connecting the zone controllers (12), and in particular the central controller (11), with each other;- a plurality of device controllers (13, 14, 15) each adapted to control at least one or a plurality of field devices such as actuators (3, 4) and / or sensors (5) within said conveyor zones (2), each of the device controllers (13, 14, 15) are connected to a, in particular exactly one, zone controller (12), wherein the device controller (13, 14, 15) attached to a zone controller (12) form together with said zone controller (12) a zone control group (C1...C4);- 17 -20251219 24040PWO text.docxwherein one of said zone controller (12) is a sending zone controller (12a, 12c), which is adapted to send an interzone message (M1 , M2) to a receiving zone controller (12b) of the plurality of zone controller (12); wherein one of said device controller (13, 14, 15) is an issuing device controller (13, 14, 15), which is adapted to issue a device information (11 , I2) and sends said device information (11 , I2) to the zone controller (12) of the same zone control group (C2..C4); wherein the sending zone controller (12a,c) is adapted to generate the interzone message (M1 , M2) based on said device information (11 , I2) issued by the issuing device controller of the same zone control group (C1 ..C4) of said sending zone controller (12a,c).
12. Conveyor arrangement (1), comprising- a plurality of conveyor zones (2) arranged one behind the other, each conveyor zone (2) is adapted to convey an object (9) from an inlet (I) of said conveyor zone (2) to an outlet (O) of said conveyor zone (2),- a plurality of zone controllers (12) according to any of claims 6 to 11 or a plurality of zone controllers (12) adapted to control the method according to any of claims 1 to 5);- in particular a central controller (11), adapted to provide control commands to the zone controller (12);- a first data connection (18), connecting the zone controllers (12), and in particular the central controller (11), with each other;- a plurality of device controllers (13, 14, 15) each adapted to control at least one or a plurality of field devices such as actuators (3, 4) and / or sensors (5) within said conveyor zones (2), each of the device controllers (13, 14, 15) are connected to a, in particular exactly one, zone controller (12), wherein the device controller (13, 14, 15) attached to a zone controller (12) form together with said zone controller (12) a zone control group (C1... C4); wherein one of said zone controller (12) is a sending zone controller (12a, 12c), which is adapted to send an interzone message (M1 , M2) to a receiving zone controller (12b) of the plurality of zone controller (12);- 18 -20251219 24040PWO text.docxwherein one of said device controller (13, 14, 15) is an issuing device controller (13, 14, 15), which is adapted to issue a device information (11 , I2) and sends said device information (11 , I2) to the zone controller (12) of the same zone control group (C2..C4); wherein the sending zone controller (12a,c) is adapted to generate the interzone message (M1 , M2) based on said device information (11 , I2) issued from the issuing device controller of the same zone control group (C1 ..C4) of said sending zone controller (12a,c).- 19 -20251219 24040PWO text.docx