The present invention relates to an apparatus and a method for controlling an automated installation, particularly an apparatus and a method with synchronous execution of safety-relevant control tasks in an installation having controllers remote from one another.
It is known practice to equip distributed controllers in a spatially widespread installation with local clocks that are synchronized to one another. The synchronized clocks make it possible to execute control tasks at different locations in the installation largely at the same time, for example in order to cause multiple coordinated movements in an installation having multiple driven axes. By way of example, an internet publication from the German company Beckhoff entitled “EtherCAT Distributed Clocks”, downloaded on Feb. 2, 2016, describes the principle of physically distributed clocks synchronized to one another in a control system. In this system, a controller referred to as the EtherCAT master sends a special synchronization message at short intervals of time, into which synchronization message another controller having a reference clock enters its current time. The synchronization message is read by further controllers in the system, known as the EtherCAT slaves, in order to synchronize the respective local time to the reference time. In order to take into account transfer times for the synchronization message to the different controllers, what is known as an offset measurement is performed for each controller involved and an offset time is computed that is taken into account for the synchronization of the clocks.
Another method for synchronizing physically distributed clocks in an automated installation is described in an internet publication from the German company Hirschmann entitled “White Paper—Precision Clock Synchronization”, downloaded on Feb. 2, 2016, with reference to IEEE standard 1588. According to this method, a so-called master cyclically sends synchronization messages via a communication network to the connected slaves. At the same time, the master detects the time of sending of each synchronization message as accurately as possible, and it sends the detected time of sending to the connected slaves using a further message. The slaves each measure the time of arrival of these two messages as accurately as possible and can use this information to determine a correction value that is used to match the respective local clock in the slave to the time of the master. This is what is known as offset correction. In a further phase of the synchronization, the slaves measure the transfer time for a message to the master and back by sending an inquiry message and receiving a response message. Subsequently, the respective local clocks are adjusted by the individual transfer time to the master.
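The two-phase procedure just described, worked through in code as an added example (not from the Hirschmann paper or the patent text): offset correction from the Sync/Follow_Up pair, then delay measurement from the request/response pair. All timestamps are constructed integers in nanoseconds, and a symmetric path delay is assumed, as the method itself assumes.

```python
"""Two-phase clock synchronization in the IEEE 1588 style (added example).
Phase 1: master sends Sync at master time t1, slave stamps arrival t2, and
         Follow_Up carries t1 to the slave.
Phase 2: slave sends Delay_Req at slave time t3, master stamps arrival t4
         and returns it in Delay_Resp.
With symmetric one-way delay d and slave offset o (slave = master + o):
    t2 - t1 = d + o,  t4 - t3 = d - o
so  o = ((t2-t1) - (t4-t3)) / 2  and  d = ((t2-t1) + (t4-t3)) / 2.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exchange:
    t1: int  # master clock: Sync sent (delivered via Follow_Up)
    t2: int  # slave clock:  Sync received
    t3: int  # slave clock:  Delay_Req sent
    t4: int  # master clock: Delay_Req received (delivered via Delay_Resp)


def offset_and_delay(x: Exchange) -> tuple:
    """Return (slave offset, one-way path delay) in ns, both integers."""
    master_to_slave = x.t2 - x.t1  # d + o
    slave_to_master = x.t4 - x.t3  # d - o
    offset = (master_to_slave - slave_to_master) // 2
    delay = (master_to_slave + slave_to_master) // 2
    return offset, delay


def plausible(delay: int, max_delay_ns: int) -> bool:
    """A negative or implausibly large computed delay means the sample is
    corrupt or the path is asymmetric; a safety-relevant slave should not
    correct its clock from such a sample."""
    return 0 <= delay <= max_delay_ns


def simulate_exchange(t1: int, true_offset: int, path_delay: int, gap: int) -> Exchange:
    """Constructed sample: slave clock runs `true_offset` ns ahead of the
    master, every message takes `path_delay` ns, and the slave waits `gap`
    ns between receiving Sync and sending Delay_Req."""
    t2 = t1 + path_delay + true_offset       # slave stamp
    t3 = t2 + gap                            # slave stamp
    t4 = (t3 - true_offset) + path_delay     # master stamp
    return Exchange(t1, t2, t3, t4)


if __name__ == "__main__":
    x = simulate_exchange(100_000_000_000, 500_000_000, 2_000_000, 98_000_000)
    o, d = offset_and_delay(x)
    print(f"offset={o} ns delay={d} ns plausible={plausible(d, 10_000_000)}")
```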
A further method for synchronizing the timing of subscribers in a network is disclosed by DE 10 2005 032 877 A1. In contrast to the method of IEEE 1588, the initiative for the timing synchronization always comes from a message receiver in this case. DE 10 2005 032 877 A1 proposes the application of this synchronization method particularly for a network via which safety-relevant control information is interchanged, such as the transmission of information that represents the operating state of an emergency-off device, for example. Safety-relevant control functions of this kind require a defined time response in order to guarantee the reaction time between operation of an emergency-off switch and shutdown of a dangerous drive, for example.
EP 1 521 145 A1 discloses a safety controller with monitoring of the safety-relevant reaction time, which determines the physical distance at which a light barrier needs to be spaced away from a dangerous press so that the press tool can be stopped safely after the light barrier is broken and before an injury can occur. The safety controller can operate with synchronized clocks in physically distributed input/output modules, and two physically separate modules interchange messages having timestamps, so that the respective receiver module can determine the message transfer times.
U.S. Pat. No. 7,366,774 B2 and DE 10 2008 007 672 A1 disclose further apparatuses having physically distributed controllers that execute safety-relevant control tasks. These apparatuses dispense with synchronizing local clocks in view of the associated complexity. Instead, these apparatuses monitor message transfer times within the communication network, and the respective message receivers have what is known as a time expectation by which a respective current control message needs to be received in order to guarantee failsafe operation of the installation.
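A receiver-side time expectation of the kind described above, as an added example that is not taken from the cited patents: the receiver relies only on its own local clock and requires each new control message to arrive, with the next sequence number, within `expectation_ns` of the previous one; silence past that bound, a missing or repeated message, or an explicit emergency-off payload all drive it into the safe state. The message fields, the `FailsafeReceiver` class and all values are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlMsg:
    seq: int          # running counter, must increase by exactly one
    local_rx_ns: int  # receiver's own clock at arrival (no synchronization needed)
    payload: str      # constructed values: "RUN" or "ESTOP"


class FailsafeReceiver:
    """Message receiver with a time expectation. Once the safe state is
    entered it is sticky, as a failsafe design would require an explicit
    reset rather than silently resuming on the next good message."""

    def __init__(self, expectation_ns: int):
        self.expectation_ns = expectation_ns
        self.last_seq = None
        self.last_rx_ns = None
        self.safe = False

    def state(self) -> str:
        return "SAFE" if self.safe else "RUN"

    def on_message(self, m: ControlMsg) -> str:
        if not self.safe:
            # lost or replayed message: sequence does not advance by one
            stale = self.last_seq is not None and m.seq != self.last_seq + 1
            # arrival later than the time expectation permits
            late = (self.last_rx_ns is not None
                    and m.local_rx_ns - self.last_rx_ns > self.expectation_ns)
            if stale or late or m.payload == "ESTOP":
                self.safe = True
        self.last_seq, self.last_rx_ns = m.seq, m.local_rx_ns
        return self.state()

    def on_tick(self, now_ns: int) -> str:
        """Called periodically: no message at all past the expectation is
        also a fault, so the check cannot depend on a message arriving."""
        if self.last_rx_ns is not None and now_ns - self.last_rx_ns > self.expectation_ns:
            self.safe = True
        return self.state()
```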
Use of synchronous clocks in distributed controllers provides indisputable advantages as far as coordination of the timing of control tasks is concerned. However, it holds risks if safe operation of an installation (as defined in the relevant standards relating to machine safety, particularly EN 61508, EN 62061 and/or ISO 13849-1) is critically dependent on the synchronization. Failsafe synchronization of distributed clocks in a control system having safety-relevant tasks is unknown to date, which is why safety-relevant control tasks are normally not or at least not critically dependent on clock synchronization. This results in safety distances from dangerous installation parts needing to be chosen rather generously, which can be disadvantageous with respect to the costs and efficiency of an installation.