The present disclosure relates to a method for safely switching off an electrical load, a corresponding system for this purpose, and an output unit in said system.
The disclosure generally relates to the field of safe automation, in particular the control and monitoring of safety-critical processes. Safety-critical processes in the sense of the present disclosure are technical sequences, relationships and/or events during which error-free operation must be ensured in order to avoid any risk to persons or material objects of value. This involves, in particular, the monitoring and control of operations which take place in an automated manner in the field of mechanical and plant engineering in order to avoid accidents. Typical examples are the protection of a pressing plant, the protection of robots operating in an automated manner or the safeguarding of a harmless state for maintenance work on a technical plant.
For such processes, the EN ISO 13839-1 and EN/IEC 62061 standards set levels which, on the one hand, specify the ability of safety-related parts of a controller to carry out a safety function under foreseeable conditions and, on the other hand, indicate the safety integrity of the safety functions assigned to the process. The former is the so-called performance level (PL) with levels from a to e, where e is the highest level. With regard to the specification of the safety integrity, safety integrity levels (SIL) 1 to 3 are specified, where SIL3 is the highest level. The present disclosure relates to safety-critical processes for which at least a performance level d and a safety integrity level 2 must be complied with.
Controllers having spatially remote input and output (I/O) units, which are connected to one another via a data transmission path, in particular via a so-called field bus, are increasingly being used for process control. Sensors for recording process data and actuators for carrying out control operations are connected to the input and output units. Typical sensors in the field of safety technology are emergency off switches, guard doors, two-hand switches, rev counters or light barrier arrangements. Typical actuators are, for example, contactors which can be used to switch off the drives of a plant being monitored. In such an arrangement, the input and output units are used substantially as spatially distributed signal sensor and signal output stations, whereas the process data are actually processed and control signals for the actuators are generated by a superordinate control unit, for example a programmable logic controller (PLC).
In order to be able to control safety-critical processes using a bus-based system, the transmission of data from the input and output units to the control unit must be made failsafe. In particular, it must be ensured that a hazardous state cannot occur in the overall plant as a result of transmitted process data being lost, repeated, corrupted, inserted or changed and/or as a result of a fault in a remote input and output unit.
DE 197 42 716 A1 discloses a system in which the transmission path is protected by virtue of so-called safety-related devices being present both in the superordinate control unit and in the remote input and output unit. This involves, for example, the redundant design of all signal receiving, signal processing and signal output paths. Safe switching off can therefore be initiated both by a superordinate control unit and by the remote units, thus making it possible to ensure failsafe switch off independently of the transmission of data. The safety function is therefore independent of the transmission technology used or the structure of the bus system. However, since the input and output units themselves undertake control functions by means of the safety-related devices, the units are complex and expensive and are not suitable for systems in which a plurality of actuators have to be safely controlled. In addition, with this approach, complete intrinsic fail-safety must be demonstrated for the remote input and output units within the scope of the approval procedures. This is accordingly complicated and expensive.
An alternative approach involves configuring the remote input and output units to be “non-failsafe” and instead implementing the data transmission path with two channels, that is to say with two separate signal paths. In this case, the superordinate control unit which has a failsafe design has the possibility of accessing the process data and carrying out the necessary error checking in two channels. The input and output units themselves may have a single-channel design in this approach, but the amount of cabling is increased since an additional separate line is needed for each I/O unit for a redundant design of the data transmission path.
Alternatively, a safe transmission with regard to machine safety can also be achieved via a single-channel data transmission path using appropriate protocols. One example of this is the SafetyBUS p standard developed by the applicant for failsafe field bus communication. SafetyBUS p is technologically based on the CAN field bus system, in which case additional mechanisms for protecting the transmission are added in layers 2 and 7 of the OSI reference model. In SafetyBUS p networks, only safety-related devices are used. In addition to safe multi-channel control, multi-channel input and output units are therefore used which redundantly process, in multiple channels at a logical level, the data received from the safe controller.
An intermediate route between the approaches described above is described by EP 1 620 768 B1, which discloses multiple transmission of the process data from the input units to a control unit via a single-channel transmission path. This diverse (multiple) transmission is intended to ensure failsafe reading at least for the input signals of the transmission path. In this case, the process data are coded with a variable, constantly changing keyword for transmission, thus giving the process data a defined dynamic behaviour which makes it possible for a superordinate control unit to redundantly evaluate the input signals. This makes it possible to dispense with a completely redundant design of the input units. However, a separate switch off path which is not routed via the field bus is still needed on the output side to ensure safe switching off independently of errors in the transmission. An additional line is therefore still required at least for output units having safe outputs.
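As an added illustration of the transmission faults listed earlier (lost, repeated, corrupted, inserted or changed process data) and of the changing-keyword idea attributed to EP 1 620 768 B1, the following constructed Python model shows how a failsafe controller can detect each fault class on a single-channel path and fall back to the safe state; the frame layout, the counter standing in for the keyword and the inverted diverse copy are assumptions of this example, not details of the present disclosure or of that patent:

```python
"""Toy model of a single-channel safe transmission path (constructed example,
not the protocol of the present disclosure or of EP 1 620 768 B1).
The controller issues a keyword that changes every cycle; the input unit returns
its process data, a diverse (inverted) copy, the keyword and a CRC. The controller
detects lost, repeated, inserted, corrupted or inconsistent frames and falls back
to the safe state (output 0 = switch off)."""
import zlib
from dataclasses import dataclass
from typing import Optional, Tuple

SAFE = 0  # de-energised output: actuator switched off

@dataclass(frozen=True)
class Frame:
    keyword: int   # keyword the unit received for this cycle (hypothetical field)
    data: int      # process value, e.g. 1 = emergency-off switch not actuated
    data_inv: int  # diverse copy: bitwise complement of data, formed separately
    crc: int       # CRC-32 over keyword, data and data_inv

def make_frame(keyword: int, data: int, data_inv: Optional[int] = None) -> Frame:
    """Frame a non-failsafe input unit would send; data_inv can be forced to model a stuck bit."""
    inv = (~data) & 0xFF if data_inv is None else data_inv
    payload = keyword.to_bytes(4, "big") + bytes([data & 0xFF, inv])
    return Frame(keyword, data & 0xFF, inv, zlib.crc32(payload))

class Controller:
    """Failsafe controller side: remembers the keyword it expects back this cycle."""
    def __init__(self) -> None:
        self.cycle = 0
        self.expected = 0

    def next_keyword(self) -> int:
        # A counter stands in for the changing keyword; the real sequence is an assumption.
        self.cycle += 1
        self.expected = (0xA5A50000 + self.cycle) & 0xFFFFFFFF
        return self.expected

    def evaluate(self, frame: Optional[Frame]) -> Tuple[str, int]:
        """Return (verdict, output). Any detected fault yields the safe state."""
        if frame is None:                           # nothing arrived within the cycle
            return "lost", SAFE
        if frame.crc != make_frame(frame.keyword, frame.data, frame.data_inv).crc:
            return "corrupted", SAFE                # bits changed on the transmission path
        if frame.keyword < self.expected:
            return "repeated", SAFE                 # replay of an earlier cycle's frame
        if frame.keyword > self.expected:
            return "inserted", SAFE                 # frame that was never requested
        if frame.data_inv != (~frame.data) & 0xFF:
            return "inconsistent", SAFE             # diverse copies disagree: fault inside the unit
        return "ok", frame.data
```

The CRC and keyword check protect against faults on the path, while the diverse copy lets the controller catch a processing fault inside the single-channel input unit itself.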
DE 199 27 635 B4 discloses another possible way of implementing the intermediate route mentioned above. In this case, an additional safety analyzer, which listens in on the flow of data between the control unit and the remote units on the transmission path and is designed to carry out safety-related functions, is inserted in order to protect a controller having remote input and output units. By listening in, the safety analyzer can simultaneously read the data acquired by a sensor and can process said data by means of an internal logic unit. For the purpose of controlling the actuators, the safety analyzer can overwrite the data messages intended for an actuator from the control unit and insert its own control data for the actuator. In this manner, the safety analyzer can control the connected actuators. However, an additional switch off path is also provided when using a safety analyzer in order to achieve a high safety category. This additional switch off path is provided by additional safe outputs which are locally arranged on the safety analyzer. The safety analyzer is therefore designed to be able to independently switch off a plant to be monitored without interchanging control data with a remote output unit for this purpose. This makes it possible to dispense with an additional switch off path routed via the output units, but the amount of cabling is not reduced, only shifted, since the local safe outputs must also be connected to the plant to be monitored via additional lines.
The previously described concept of the safety analyzer has been implemented, for example, in AS-i SAFETY AT WORK. The AS interface (abbreviated to AS-i for actuator/sensor interface) is a standard for field bus communication developed to connect actuators and sensors with the aim of reducing parallel cabling. Safety-oriented components can be incorporated in an AS-i network using AS-i SAFETY AT WORK. Safety and standard components then operate in a parallel manner on the same cable, in which case an additional safety monitor monitors the safety-oriented components. The safety monitor has two-channel enable circuits for safety-oriented switch off. Safe switch off via a remote output unit is therefore also not possible with AS-i SAFETY AT WORK without additional local safe outputs on the safety analyzer.