Automation systems for controlling a technical process or a technical plant often require particular safety-critical process or plant components to be controlled separately from non-safety-critical components.
In DE 10 2005 009 795 A1, a microprocessor system which includes two areas is disclosed for a machine control in safety-critical applications. A first area is provided for non-safety-critical or non-safety-oriented functions, respectively, and includes a main processor, a program and data memory, an input/output unit and a bus for connecting the aforementioned components with one another. A second area is provided for safety-critical or safety-oriented functions, respectively, and includes a safety processor having its own program and data memory which is also connected to the bus.
Via a secure transmission link, programs and data are loaded into the data memory of the safety processor; its function consists in driving the plant or the process into a “safe” state in the case of a conflict, in collaboration with other safety-oriented components such as, for example, safety-oriented input/output units.
In DE 103 53 950 A1, another control system is disclosed for controlling safety-critical processes. This control system includes a field bus, a bus master for controlling the communication via the field bus and a signal unit for linking up with the safety-critical process. The bus master and the signal unit are connected to one another via the field bus. Communication of the signal unit with the bus master is provided via the field bus. Furthermore, a first control unit for controlling the safety-critical process is provided, wherein the signal unit and the first control unit have safety-related facilities for failsafe communication for controlling the safety-critical processes. The first control unit can be connected field-bus-independently to the bus master.
The safety-oriented control systems described above are not provided for use in modularly configured control systems as described, for example, in DE 10 2004 056 363 A1, or can be integrated into such systems only with additional expenditure, since, for example, communication modules, interfaces, voltage supplies and monitoring functions must be matched to the specified safety criteria. For this purpose, these components must be replaced and equipped with new software, as a result of which considerable costs arise.
It is often also difficult to separate the safety-critical functions unambiguously from the non-safety-critical functions.