1. Field of the Invention
The invention relates to a control system for controlling safety-critical processes in general and to a control system with communication via a fieldbus specifically.
2. Description of the Related Art
For several years, fieldbus systems have been used more and more frequently in the field of automation. These fieldbus systems are connected to input/output appliances and to a superordinate control device. One example of this is the Interbus based on the EN 50254 standard.
Such fieldbus systems typically comprise a multiplicity of signal units or bus users, connected to the processes which are to be controlled, and a bus master which controls frame-based communication using “fieldbus messages” via the fieldbus.
Such fieldbus systems allow the cabling complexity to be significantly reduced, since copper lines can be saved. However, one problem is that of designing serial fieldbus systems such that they meet safety-related demands. Such safety-related functions may be, by way of example, a stop function or an emergency-off function which allows the fieldbus system to be put into a safe state.
In earlier fieldbus systems, the control signals required for this purpose are transmitted between controllers and bus users via separate lines, i.e. not via the fieldbus itself.
In other known approaches, all devices which are intended to perform safety functions are designed with an appropriate level of redundancy. In this regard, DE 40 32 033 A1 may be mentioned, for example, which discloses an electrical automation system (for a technical installation) which is of redundant design at least in part. In this system, safety-related signals are triggered in duplicate and are transmitted on at least two mutually independent signal paths to at least partially redundant users which evaluate the safety-related signals.
DE 37 06 325 C2 describes a control and data network in which safety-related devices are connected to a separate emergency-stop control line in order to be able to communicate with one another.
These known techniques have the attendant drawback that either a large number of redundant components is required or parallel single lines are needed in order to transmit the additional control signals.
The patent DE 197 42 716 C2 now discloses a control and data transmission installation in which safety-related devices can communicate with one another via the fieldbus and each output is connected via a switch to a bus interface device and directly to the safety-related device of the respective bus user and/or of a master control device.
Although this installation already has the advantage that safe control is effected using the fieldbus, the invention described below is intended to improve it further.
A further control system for controlling safety-critical processes is proposed in the patent DE 199 28 517 C2, in which a safe control unit is connected to the fieldbus. This system has drawbacks in a variety of respects, however.
Message data which are addressed to a signal unit must first be produced and must then be replaced with failsafe message data again by the safe control unit. This procedure appears inefficient.
In addition, data can be transmitted between the bus master and the safe control unit only via the active fieldbus so that the control unit can perform processing. This is considered to be disadvantageous, since this communication is possible only when the fieldbus is active.
Furthermore, transmission via the fieldbus is relatively slow, and diagnostic options are available only under very great restrictions, if at all.