In many applications of automation and process engineering, the process control must not only control the actual working process but must also take safety aspects into account. In the control of process devices, for example actuators, a combination of process data and safety data, or of the corresponding signals, is necessary when movements of a machine part driven by an actuator that are safety-critical or dangerous to persons or to capital goods are to be controlled by the actual process control and also switched off by the safety control in an emergency or in the event of a disturbance.
Different methods for the combination of the process control with the safety control are already known.
In accordance with one method, the process control and the safety control are separate from one another: the actual working process of the process device is controlled by the process control. In the event of a fault, the safety control switches off the voltage supply of the process device independently of the process control, so that the process device coasts to a stop in an uncontrolled manner. Improved solutions exist in which actuators with so-called integrated safety are used, which have separate switching inputs for the process control on the one hand and for the safety control on the other hand.
In accordance with a further known method, the process logic and the safety logic are combined with one another in the safety control. Both the process data and the safety data are taken into account in the safety control, and only a resulting signal is communicated to the process device to be controlled. The exchange of data required between the process control and the safety control is a disadvantage of this method. In practice, field bus systems are increasingly used, so that with this known method a common communication protocol has to be implemented both in the process control and in the safety control.
A further known method proposes that the data stream from the process control to the process device be monitored by the safety control. As with the known methods described above, it is disadvantageous here that the data of the process control have to be taken into account in the safety program of the safety control. This not only increases the computational effort in the safety control, but also requires a communication relationship between the process control and the safety control.
It is furthermore problematic that the exchange of process data and safety data is frequently critical, since there is the risk, in particular due to inexperience of the user, that only non-safe input signals of the process control, which are not acquired in a safety-rated manner, are used for safety functions. For example, a configuration can accidentally be realized in which a signal corresponding to an "emergency off" is read in at a non-safe input module and, due to the data exchange in the safety control, a dangerous movement of an actuator is controlled on the basis of it. For practical application this represents an unacceptable interruption of the safety chain.
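The interruption of the safety chain just described, as an added illustration in Python that is not part of the patent and does not represent any of the cited methods. The class and signal names (Channel, SafetyController, actuator_enable), the two-contact model of a safety-rated input and the constructed input samples are assumptions of this example: a safety function is only allowed to be fed from a safety-rated input, the check is made at configuration time rather than at run time, and the resulting actuator signal is the process request gated by the safety signal.

```python
"""Added illustration (not the patent's own method): a safety function such
as an emergency stop must only be fed from a safety-rated input; a standard
process input is rejected when the configuration is built. The class and
signal names and the two-contact model are assumptions of this example."""
from dataclasses import dataclass
from enum import Enum


class Channel(Enum):
    """Origin of a digital input: standard process I/O or safety-rated I/O."""
    PROCESS = "process"   # not acquired in a safety-rated way
    SAFETY = "safety"     # safety-rated input module, modelled as two redundant contacts


@dataclass(frozen=True)
class DigitalInput:
    name: str
    channel: Channel


class SafetyChainError(Exception):
    """Raised when a safety function would be driven from a non-safe input."""


class SafetyController:
    """Evaluates the safety function independently of the process control."""

    def __init__(self, estop: DigitalInput) -> None:
        # Configuration-time check: the e-stop must come from a safety-rated channel.
        if estop.channel is not Channel.SAFETY:
            raise SafetyChainError(
                f"{estop.name!r} is a {estop.channel.value} input; "
                "safety functions must use safety-rated inputs")
        self.estop = estop

    @staticmethod
    def safety_ok(contact_a: bool, contact_b: bool) -> bool:
        """True only if both redundant contacts report 'not actuated' (closed).

        A discrepancy between the two contacts is treated as a fault and hence
        as 'not safe', so a single broken wire cannot mask an actuated e-stop.
        """
        if contact_a != contact_b:
            return False
        return contact_a


def actuator_enable(process_run: bool, safety_ok: bool) -> bool:
    """Resulting signal to the actuator: the process control may only request
    motion; the safety signal can always remove the enable."""
    return process_run and safety_ok


def demo() -> list[bool]:
    """Run a few cycles of a safety-rated configuration and return the enables."""
    ctrl = SafetyController(DigitalInput("ESTOP_1", Channel.SAFETY))
    # Constructed samples: (process wants to run, contact A, contact B)
    cycles = [(True, True, True),    # normal operation
              (True, False, False),  # e-stop pressed
              (True, True, False),   # contact discrepancy -> treated as unsafe
              (False, True, True)]   # process control itself stops the drive
    return [actuator_enable(run, ctrl.safety_ok(a, b)) for run, a, b in cycles]


def misconfigured() -> bool:
    """The accidental configuration from the text: e-stop wired to a standard
    process input. Returns True if the configuration check rejected it."""
    try:
        SafetyController(DigitalInput("ESTOP_1", Channel.PROCESS))
    except SafetyChainError:
        return True
    return False


if __name__ == "__main__":
    print(demo())           # [True, False, False, False]
    print(misconfigured())  # True
```

The point of the configuration-time check is that the mistake described in the text is caught before the machine runs, rather than being discovered when a non-safe signal fails to stop a dangerous movement; the discrepancy test on the two contacts is why a safety-rated input differs from a single standard input.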
Reference is generally made in another respect to DE 199 28 517 C2, DE 199 25 693 A1, DE 102 01 212 A1, DE 102 11 939 A1, DE 102 11 938 A1 and DE 199 22 561 A1 with respect to the prior art.