As is known, a process is referred to in safety engineering as safety-critical if a fault in it can result in a non-negligible danger, so that it must be guaranteed that a safe state will be assumed in this case.
In current safety engineering, safety relays, secure controllers and small safety controllers are principally used.
Safety relays are understood to be electromechanical or electronic components that perform complete ready-made safety functions, which can optionally be parameterized by means of switches or wiring. Secure inputs and outputs are directly wired to the safety relay.
Small safety controllers are understood to be electromechanical or electronic components that can perform various safety functions by simple auxiliary means, e.g., an interface that is programmable to a limited extent, or switch combinations. Ready-made safety functions are simply linked to the small controllers. The number of inputs and outputs can be increased to a limited extent, and flexibly if desired, by expansion components. Sometimes network access is also offered.
Safety controllers, on the other hand, offer the advantages of a flexible control system with network connection, high performance, and a flexibly programmable interface, and conform to the IEC 61131 standard, for example.
Secure or safety-oriented devices and components are fundamentally devices and components that are secure, due to suitable measures, with respect to the data to be processed and/or transmitted by them. This can be accomplished, for instance, by a redundant design of the processing or transmitting structure, by adding a checksum to the data to be transmitted and/or by other measures conventionally known to those in the art.
Data processing and transmitting systems that connect decentralized input/output devices and controllers are used in current machines and systems. The networks that are used for transporting safety-relevant data are supported by secure network protocols. The signal flow that is used follows a centralized safety architecture: safety-relevant input data, generally acquired by sensors, is processed into secure input signals, transported to the secure controller, further processed there by a secure application, and the result is then transported to the corresponding actuators.
Two tendencies have for a long time been noticeable in automation technology. The first is the decentralization of the control function, and the second is the integration of the safety technology into the control and network technology.
With decentralization, the controlling function is being shifted more and more into the output level. For example, the control function is being integrated, to a limited extent, into drive units. Strong interdependencies in the application process are produced by the integration of safety technology into controllers and networks. These interdependencies lead to more complex project engineering and programming of the systems.
In order to counteract this situation, quite different mechanisms are sometimes used, for example: combining secure and nonsecure control on a common controller; secure and nonsecure control on separate controllers; local approval with decentralized secure units; or a decentralized safety controller with associated secure inputs and outputs in a network.
The disadvantageous aspects in combining secure and nonsecure control on a central platform, or in decentralized control technology as well, are the mutual functional dependencies, which in some cases can again be safety-critical. Additional disadvantages are performance losses and availability problems, and the safety technology must come from the same manufacturer as the standard controllers.
A control system for controlling safety-critical processes is known from DE 19928517. It comprises a first control unit for controlling safety-critical processes that is linked via I/O channels to the safety-critical process, a signal unit, a fieldbus via which the first control unit and the signal unit are connected, and a bus master for controlling the communication on the fieldbus. The first control unit and the signal unit have safety-related devices and are thus secure units, in order to guarantee failsafe communication, and the fieldbus provides circulating telegram traffic between the individual units connected to it. In order to guarantee failsafe communication between the units participating in the safety-critical process and, at the same time, to allow the use of standard components as the bus master, it was proposed in the above-mentioned patent that the bus master be connected to the fieldbus separately from the first control unit and the signal unit, and that the first control unit be arranged upstream of the signal unit relative to the circulation direction of the telegram traffic, the first control unit further comprising means to replace telegram data addressed to the signal unit with failsafe telegram data.
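As an added illustration of the circulating-telegram arrangement just described (example code, not from DE 19928517 or any product), the following toy model places a secure control unit upstream of the signal unit on a ring fieldbus fed by a non-secure bus master. The control unit substitutes failsafe data for telegrams addressed to the signal unit when its safety application demands it or when the telegram's checksum fails; the signal unit independently falls back to the safe state on a corrupt or stale telegram. All names, addresses and the CRC-32 checksum are assumptions of this example.

```python
import zlib
from dataclasses import dataclass

SIGNAL_UNIT_ADDR = 0x02   # constructed address of the signal unit
FAILSAFE_OUTPUTS = 0x00   # constructed: all actuator outputs de-energised


@dataclass
class Telegram:
    dst: int       # address of the unit the telegram is addressed to
    seq: int       # sequence number, lets the receiver detect stale/repeated frames
    payload: int   # one byte of output commands for the addressed unit
    crc: int       # checksum protecting dst, seq and payload

    @staticmethod
    def build(dst, seq, payload):
        return Telegram(dst, seq, payload, zlib.crc32(bytes([dst, seq, payload])))

    def valid(self):
        return self.crc == zlib.crc32(bytes([self.dst, self.seq, self.payload]))


class ControlUnit:
    """Secure unit arranged upstream of the signal unit in circulation direction."""
    def __init__(self):
        self.emergency_stop = False   # state of the secure application

    def forward(self, t):
        if t.dst != SIGNAL_UNIT_ADDR:
            return t                  # not for the signal unit: pass through unchanged
        if self.emergency_stop or not t.valid():
            # replace the master's data with failsafe data under a fresh checksum
            return Telegram.build(t.dst, t.seq, FAILSAFE_OUTPUTS)
        return t


class SignalUnit:
    """Secure output unit: applies commands only from valid, fresh telegrams."""
    def __init__(self):
        self.outputs = FAILSAFE_OUTPUTS
        self.last_seq = -1

    def receive(self, t):
        if t.dst != SIGNAL_UNIT_ADDR:
            return
        if not t.valid() or t.seq <= self.last_seq:
            self.outputs = FAILSAFE_OUTPUTS   # corrupt or stale: take the safe state
        else:
            self.outputs = t.payload
            self.last_seq = t.seq


def circulate(master_telegram, control_unit, signal_unit):
    """One circulation: bus master -> control unit -> signal unit; returns the outputs."""
    signal_unit.receive(control_unit.forward(master_telegram))
    return signal_unit.outputs
```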
A considerable disadvantage of the approach proposed there, however, is that the secure control unit can in principle communicate with every single unit, but only insofar as it is aware of the network structure. Moreover, the secure control unit can only replace already existing information with secure information.