Modern concepts of industrial automation, that is to say the control and monitoring of technical processes with the aid of software, are based on the idea of central control with a distributed sensor/actuator level. In this case, the subscribers communicate with one another and with superordinate systems via industrial local networks, also referred to as automation networks below. The control function is based on two fundamental ideas: the geographical decentralization and the hierarchical division of the control functions. In this case, the functional hierarchy divides the automation task substantially into a control level and a sensor/actuator level. The industrial local networks are usually in the form of so-called master/slave communication networks in which the master subscriber forms the control level and the slave subscribers form the sensor/actuator level.
An important requirement imposed on an automation network is fail-safety. When controlling and monitoring technical processes, it must be ensured that, when the automation network operates incorrectly, this does not result in any risk to humans and the environment. The automation network generally operates according to the so-called fail-safe principle in which the automation network changes to a safe state in the event of a fault.
In order to be able to classify the danger from an automation network, there is an obligatory requirement to carry out a risk analysis. According to the European standard EN 1050, the risk assessment has to be carried out as a sequence of logical steps, which allows the systematic investigation of danger coming from the automation network or the individual subscribers. The technical and organizational requirements imposed on the automation network for the purpose of ensuring sufficient safety are then stipulated on the basis of the risk analysis.
In the field of machine and installation safety, in particular also of programmable electronic control systems, the standards EN ISO 13849-1 and IEC/EN 62061 have become established as the international standard for carrying out a danger analysis. The standards concomitantly include all safety-relevant subscribers irrespective of the subscriber type and subdivide the safety-related performance into categories. The control structure in the automation network is then stipulated on the basis of the determined safety category in order to achieve the requirements imposed on the safety functions and to achieve a required system behavior in the event of a fault.
The standards EN ISO 13849-1 and IEC/EN 62061 specify the safety-related performance of programmable electronic control systems which is needed to reduce the risk. For the purpose of subdividing the safety-related performance, the two standards define safety integrity levels. For this purpose, all safety functions of the automation network are considered with all subscribers involved in their execution.
The standard IEC/EN 62061 specifies four safety integrity levels (SIL) SIL1 to SIL4, in which case the individual levels are defined by the permissible residual error probability for the occurrence of an error. The safety integrity level SIL1 represents the lowest requirements according to the standard. The requirements then increase from level to level up to the safety integrity level SIL4. In this case, the safety integrity level of the automation network is determined on the basis of safety-related characteristic variables of the subscribers involved in the safety functions. In addition to the knowledge of the safety-related characteristic variables of all subscribers involved in the safety function, accurate information relating to the logical linking of the subscribers in the automation network is also needed to determine the safety integrity level of the automation network. The safety integrity level is also substantially influenced by the bus architecture used in the automation network.
Since the requirements imposed on the subscribers in an automation network with respect to the safety functions often differ, automation networks are generally operated with subscribers having different SIL levels. In such a case, however, the safety integrity level of the overall system is determined by the subscriber with the lowest SIL level. The reason for this is that data traffic between subscribers having different SIL levels in an automation network results in considerable safety-related problems: if a subscriber having a low SIL level transmits data packets to a subscriber having a high SIL level, a data packet that is valid for the receiving subscriber may be generated even if a simple error occurs when the data packet is generated in the transmitting subscriber, such an error being permissible within the low SIL level of the transmitter. Although the receiver, on account of its high SIL level, detects an error in a transmitted data packet with a high degree of probability, the data traffic with the low-SIL subscriber may nevertheless mean that compliance with the high SIL level required in the receiver can no longer be ensured, since the low-SIL subscriber is able to form a data packet that is valid per se.
Furthermore, when an automation network is expanded with further safety-relevant subscribers, in particular when their SIL level differs from that of the existing subscribers, it is generally necessary to reconfigure the overall system in order to prevent the safety functions executed by the subscribers already present in the automation system from coming into conflict with the safety functions of the newly added subscribers. In this case there is, in particular, the risk that new subscribers are allocated the same addresses as existing subscribers during address allocation, which may result in misdirected data packets that are then not detected. Address allocation is complicated, in particular, when the addresses assigned to the subscribers are transmitted in the data packets only implicitly as part of safety codes generated by a data protection mechanism, and/or cannot be determined from the outside.
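The following added example (not part of the patent text, and not any specific fieldbus protocol) illustrates the address-allocation problem just described: a constructed safety code in which the destination address seeds the CRC but is never sent on the wire, so a frame delivered to a subscriber with a different address is rejected, while a newly added subscriber that was mistakenly given a duplicate address accepts the misdirected frame without any error being detected. A simple commissioning check for duplicate addresses is included; all names, addresses and the frame contents are constructed for the illustration.

```python
import zlib

# Constructed illustration of an implicit-address safety code (not a real
# fieldbus protocol): the destination address seeds the CRC but is not sent.

def safety_code(payload: bytes, address: int) -> int:
    """CRC-32 over the payload, seeded with the (implicit) destination address."""
    return zlib.crc32(payload, address & 0xFFFFFFFF)

def build_frame(payload: bytes, dst_address: int) -> bytes:
    """Sender side: payload followed by a 4-byte safety code; the address stays implicit."""
    return payload + safety_code(payload, dst_address).to_bytes(4, "big")

def check_frame(frame: bytes, own_address: int):
    """Receiver side: recompute the code with the receiver's own configured address.
    Returns the payload if the frame was addressed to this subscriber, else None."""
    payload, code = frame[:-4], int.from_bytes(frame[-4:], "big")
    return payload if safety_code(payload, own_address) == code else None

def duplicate_addresses(assignment: dict) -> dict:
    """Commissioning check: map every address used more than once to its subscribers."""
    by_addr = {}
    for name, addr in assignment.items():
        by_addr.setdefault(addr, []).append(name)
    return {a: names for a, names in by_addr.items() if len(names) > 1}

def demo() -> dict:
    # Constructed frame intended for the subscriber configured with address 7.
    frame = build_frame(b"\x01\x00\x2a", dst_address=7)
    results = {
        # Correct subscriber (address 7): code matches, frame accepted.
        "intended": check_frame(frame, 7) is not None,
        # Misdirected to a subscriber with address 9: code mismatch, frame rejected.
        "misdirected": check_frame(frame, 9) is not None,
        # Newly added subscriber also allocated address 7: misdirection goes undetected.
        "duplicate": check_frame(frame, 7) is not None,
    }
    # Address plan after expansion: the new drive collides with the existing valve.
    results["collisions"] = duplicate_addresses({"valve": 7, "estop": 9, "new_drive": 7})
    return results

if __name__ == "__main__":
    print(demo())
```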
The object of the present invention is to provide a method for operating safety control and an automation network, in which subscribers having any safety integrity level can be connected via the automation network without adversely affecting safety.