The present invention relates to a method and an apparatus for creating a user program for a safety controller designed to control an automated installation having a plurality of sensors and a plurality of actuators.
A safety controller in terms of the present invention is a device or an apparatus which picks up input signals provided by sensors and produces output signals therefrom by means of logic combinations and possibly further signal or data processing steps. The output signals can then be supplied to actuators which effect actions or reactions in a controlled installation depending on the input signals.
A preferred field of application for such safety controllers is the monitoring of emergency off pushbuttons, two-hand controllers, guard doors or light grids in the field of machine safety. Such sensors are used in order to safeguard a machine, for example, which presents a hazard to humans or material goods during operation. When the guard door is opened or when the emergency off pushbutton is operated, a respective signal is produced and supplied to the safety controller as an input signal. In response thereto, the safety controller uses an actuator, for example, to shut down that part of the machine which is presenting the hazard.
In contrast to a “standard” controller, a characteristic of a safety controller is that the safety controller always ensures a safe state for the installation or machine presenting the hazard, even if a malfunction occurs in the safety controller or in a device connected to it. Extremely high demands are therefore made of safety controllers in terms of their own failsafety, which results in high complexity for development and manufacture.
Usually, safety controllers require particular approval from competent supervisory authorities, such as the professional associations or what is called TÜV in Germany, before they are used. The safety controller must meet prescribed safety standards as set down, by way of example, in the European standard EN 954-1 or a comparable standard, such as the standard IEC 61508 or standard EN ISO 13849-1. In the following, a safety controller is therefore understood to mean a device or an apparatus which at least complies with safety category 3 of the European standard EN 954-1 or with a Safety Integrity Level (SIL) 2 of the cited standard IEC 61508.
A programmable safety controller provides the user with the opportunity to stipulate the logic combinations and possibly further signal or data processing steps individually according to his needs using a piece of software, namely the user program. This results in a great deal of flexibility in comparison with earlier solutions, in which logic combinations were produced by defined wiring between various safety chips. By way of example, a user program can be written using a commercially available personal computer (PC) and using appropriately set-up software programs.
In the case of installations based on the prior art, two programmable controllers are usually used: a safety controller for accomplishing the safety tasks and a standard controller for accomplishing the standard tasks. Rarely, a joint controller may be used in order to accomplish all standard and safety tasks. In both forms of implementation, the safety tasks are accomplished by failsafe processing of safety-related program variables. To this end, safety sensors—which are sensors of failsafe design—capture safety-related variables and supply them by means of safety-related control input signals to the safety controller or the joint controller. The controller uses safety-related program variables to determine values for safety-related control output signals. These control output signals are used to actuate safety actuators—which are actuators of failsafe design—to perform safety-related actions. The standard tasks are accomplished by processing non-safety-related program variables, which do not require failsafe processing. To this end, standard sensors capture non-safety-related variables, which may be called process-related variables. Non-safety-related control input signals are used to supply these variables to the standard controller or the joint controller. The controller uses the non-safety-related program variables to determine values for non-safety-related control output signals. These control output signals are used to actuate standard actuators, which then perform non-safety-related actions.
In both forms of implementation, the safety tasks require the use of expensive sensors, since these must be of failsafe design. Up to now, it has not been possible to employ inexpensive standard sensors of non-failsafe design for safety tasks, nor to use values of non-safety-related program variables for safety-related control operations.
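The signal flow described above (failsafe sensors, logic combination in the user program, safe state on any malfunction, and the prior-art rule that non-safety-related variables may not drive safety-related outputs) is illustrated by the following toy model. It is an added example, not code from the patent; the two-channel input layout, the discrepancy rule and all names are assumptions made for the illustration.

```python
# Added illustration (not from the patent): a toy model of failsafe processing of
# safety-related program variables and of the prior-art separation between
# safety-related and non-safety-related variables. Channel layout, names and the
# discrepancy rule are assumptions for the example.
from dataclasses import dataclass
from typing import Optional

SAFE = False  # safety output value that removes the hazard (actuator switched off)


@dataclass(frozen=True)
class SafetyVar:
    """A safety-related program variable, derived only from failsafe sensors."""
    value: bool


@dataclass(frozen=True)
class StandardVar:
    """A non-safety-related (process) variable from a standard sensor."""
    value: object


def read_failsafe_input(ch1: Optional[bool], ch2: Optional[bool]) -> SafetyVar:
    """Evaluate a two-channel safety sensor (e.g. redundant guard-door contacts).

    True on both channels means 'permissive' (door closed / E-stop released).
    A missing reading (wire break, stuck channel) or a discrepancy between the
    channels is treated as a malfunction and yields the safe, non-permissive value.
    """
    if ch1 is None or ch2 is None or ch1 != ch2:
        return SafetyVar(SAFE)
    return SafetyVar(ch1)


def safety_and(*inputs: SafetyVar) -> SafetyVar:
    """Logic combination that accepts safety-related variables only (prior art)."""
    for v in inputs:
        if not isinstance(v, SafetyVar):
            raise TypeError("non-safety-related variable cannot drive a safety output")
    return SafetyVar(all(v.value for v in inputs))


def user_program(estop: SafetyVar, guard: SafetyVar, speed_request: StandardVar) -> dict:
    """Compute one safety-related and one non-safety-related control output."""
    motor_enable = safety_and(estop, guard)          # drives the safety actuator
    conveyor_speed = speed_request.value             # drives a standard actuator
    return {"motor_enable": motor_enable.value, "conveyor_speed": conveyor_speed}
```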