The present invention relates to a safety controller and to a method for controlling an automated installation which comprises a plurality of sensors and a plurality of actuators.
A safety controller in terms of the present invention is an appliance or an apparatus which receives input signals delivered by sensors and produces output signals therefrom by means of logic combinations and sometimes further signal or data processing steps. The output signals can then be supplied to actuators, which effect specific actions or reactions in the environment on the basis of the input signals.
A preferred area of application for safety controllers of this kind is in the field of machine safety for monitoring emergency-off pushbuttons, two-hand controllers, guard doors or light grids. Such sensors are used in order to safeguard a machine, for example, which presents a hazard to humans or material goods during operation. When the guard door is opened or when the emergency-off pushbutton is operated, a respective signal is produced which is supplied to the safety controller as an input signal. In response thereto, the safety controller then uses an actuator to shut down, for example, that part of the machine which is presenting the hazard.
In contrast to a “normal” controller, a characteristic of a safety controller is that the safety controller always ensures a safe state of the installation or machine presenting the hazard even if a malfunction occurs in it or in a device connected to it. Extremely high demands are therefore made of safety controllers in terms of their own failsafety, which results in considerable complexity for development and manufacture.
Usually, safety controllers require particular approval by competent supervisory authorities, such as by the professional associations or the TÜV in Germany, before they are used. In this case, the safety controller must observe prescribed safety standards as set down, by way of example, in the European Standard EN 954-1 or a comparable Standard, such as Standard IEC 6158 or Standard EN ISO 13849-1. In the following, a safety controller is therefore understood to mean a device or an arrangement which at least complies with safety category 3 of the cited European Standard EN 954-1.
A programmable safety controller allows the user to individually define the logic combinations and possibly further signal or data processing steps according to his needs using a piece of software, what is known as the user program. This results in a great deal of flexibility in comparison with earlier solutions, in which the logic combinations were produced by defined wiring between various safety devices. By way of example, a user program can be written using a commercially available personal computer (PC) and using appropriately set-up software programs.
The detection of malfunctions is of central importance in the field of safety control. This is because it is necessary to ensure that a controlled machine or installation is transferred to a safe state when a malfunction occurs.
Besides the actual detection of a malfunction and the triggering of appropriate countermeasures which are used to transfer the controlled machine or installation to a safe state, it is also important to provide, by way of example, the user of the controlled machine or installation or another person with information about a malfunction which is present. To this end, safety controllers and methods in the prior art use a display unit to display a diagnosis report which represents the malfunction when a malfunction occurs. In this case, the diagnosis report displayed depends solely on the malfunction which has been ascertained by an appropriate diagnosis unit. There is no provision in this context for different diagnosis reports to be displayed for one and the same malfunction. There is therefore no opportunity, in the event of a malfunction occurring, to adjust the diagnosis report to be displayed in order to match external circumstances, for example. In this connection, an external circumstance is a circumstance which is defined neither by the user program itself stored in the safety controller nor by a variable which is processed as an input variable in the user program.
The detection of a malfunction corresponds to ascertaining which of a plurality of system states for a safety controller is present at a defined instant of time.
The above considerations apply not only to the detection of malfunctions and hence to the ascertainment of system states for a safety controller, but also to the ascertainment of process states for an installation or machine to be controlled. In this case too, the safety controllers and methods from the prior art do not allow a diagnosis report to be adjusted to external circumstances once a process state has been ascertained.
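As an added illustration of the behaviour described above (this is constructed example code, not code from the patent), the following Python model holds the actuator in the safe state whenever a malfunction is detected and, unlike the prior art just described, selects the diagnosis report by an external circumstance as well as by the ascertained state. The signal names, the states, the "audience" circumstance and the report texts are all assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Constructed model; signal names, states and report wording are illustrative.
class State(Enum):
    RUN = "run"                  # process state: machine may operate
    STOP_EMERGENCY_OFF = "eoff"  # process state: emergency-off pushbutton operated
    STOP_GUARD_DOOR = "door"     # process state: guard door open
    FAULT_INPUT = "fault"        # system state: malfunction in a connected sensor

@dataclass(frozen=True)
class Inputs:
    emergency_off_ok: Optional[bool]   # True = not operated; None = no valid signal
    guard_door_closed: Optional[bool]  # True = closed;       None = no valid signal

@dataclass(frozen=True)
class Result:
    actuator_enable: bool
    state: State

def control_cycle(inp: Inputs) -> Result:
    """User-program logic plus malfunction detection for one cycle; a missing
    input signal is a malfunction and forces the safe (disabled) output first."""
    if inp.emergency_off_ok is None or inp.guard_door_closed is None:
        return Result(False, State.FAULT_INPUT)
    if not inp.emergency_off_ok:
        return Result(False, State.STOP_EMERGENCY_OFF)
    if not inp.guard_door_closed:
        return Result(False, State.STOP_GUARD_DOOR)
    return Result(True, State.RUN)

# Prior art as described above: the report depends solely on the ascertained state.
REPORTS = {
    State.RUN: "no fault",
    State.STOP_EMERGENCY_OFF: "emergency-off operated",
    State.STOP_GUARD_DOOR: "guard door open",
    State.FAULT_INPUT: "sensor signal invalid",
}

def adjusted_report(state: State, audience: str) -> str:
    """Report that also depends on an external circumstance (assumed here: who
    reads the display), which is neither a user-program variable nor an input."""
    if state is State.FAULT_INPUT and audience == "operator":
        return "machine stopped, call service"
    if state is State.FAULT_INPUT and audience == "service":
        return REPORTS[state] + " (check sensor wiring and supply)"
    return REPORTS[state]
```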
Although the known safety controllers and methods ensure reliable ascertainment of system states for a safety controller and of process states for an installation to be controlled, they are not yet optimal for the conveyance of information, i.e. for the conveyance of that information which represents the ascertained system states and process states.