The present invention relates to a method and a programming tool for creating a user program for a safety controller which is designed to control a complex system having a plurality of hardware components which represent programmable subsystems.
A safety controller in terms of the present invention is a device which receives input signals supplied by sensors and generates output signals therefrom by means of logic combinations and possibly further signal processing steps or data processing steps. The output signals can be fed to actuators which bring about actions or reactions in a controlled system as a function of the input signals. In this context, a safety controller must comply with predefined safety standards which are laid down, for example, in European Standard EN 954-1 or a comparable standard such as Standard IEC 61508 or Standard EN ISO 13849-1. In contrast to a controller for what are generally referred to as standard applications, a safety controller guarantees at least single fault safety in the sense of Category 3 or 4 of European Standard EN 954-1, or it has at least a Safety Integrity Level (SIL) of 2 according to the specified Standard IEC 61508.
A preferred field of application for such safety controllers is monitoring emergency off buttons, two-hand controllers, protective doors or light curtains in the field of machine safety. Such sensors are used to safeguard a machine or system which, during operation, poses a risk to people or material goods. When the protective door is opened or when the emergency off button is actuated, a respective signal is generated which the safety controller receives as an input signal. In a reaction thereto, the safety controller operates an actuator to switch off the part of the machine or system which poses a risk.
A programmable safety controller provides the user with the possibility of individually defining the logic operations and, if appropriate, further signal processing steps or data processing steps using software, referred to as the user program, in accordance with the requirements of said user. This results in a high degree of flexibility compared to earlier solutions in which the logic operations were generated by defined wiring between several safety switching devices. An example of a method for programming a safety controller is described in DE 101 08 962 A1.
A problem with programming a safety controller is that the user program can become very complex and unwieldy when monitoring a large machine system having a high number of safety devices. Large systems, for example cement factories, can comprise several thousand sensors. The user program to be created is itself a safety-critical element, since a fault in the user program can give rise to an uncontrolled situation and therefore to a hazardous state at the monitored machine or system.
In order to reduce the risk of faults with serious consequences in the user program as a result of human error during the programming, the method according to DE 101 08 962 A1 places a number of restrictions on the user. The user can, in particular, only access predefined, certified program modules and combine them individually. According to the method of DE 101 08 962 A1, however, the user cannot modify the individual program modules and also cannot create any independent program modules. As a result, the method from DE 101 08 962 A1 is restricted to safety controllers for relatively small and medium-sized applications. The method according to DE 101 08 962 A1 does not provide sufficient flexibility for very large systems.
Furthermore, in systems according to the prior art it is disadvantageous that safety controllers are often used in addition to largely unrestricted, programmable standard controllers. It is desirable to deal with all the standard tasks and safety tasks with a common controller. However, this would increase the complexity of the safety-related programs even further.
International Standard IEC-EN 61131 defines various methods for programming industrial controllers, partially using graphic editors. Here, graphic elements are provided in the form of what is referred to as function blocks, in accordance with the functionality of the machine or system to be controlled. In this context, any hardware component comprised in the machine or system can correspond to a graphic element which represents the functionality of the associated hardware component. The graphic elements can be connected to one another by means of logic operations. In order to reduce the complexity in such methods and devices, it is possible to use a process of forming hierarchies, i.e. the graphic elements can be assigned to the structure of the machine or system to be controlled in accordance with different hierarchy levels. When the user program is created, it is then possible to proceed on a level-by-level basis.
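As an added illustration that is not part of the patent text, the following Python model shows the two ideas discussed above working together: a user program assembled only from pre-certified function blocks (the restriction of DE 101 08 962 A1), and those blocks arranged in hierarchy levels (plant, cell, device) in the manner of the IEC 61131 graphic editors. The block names EmergencyStop, ProtectiveDoor and LightCurtain, the two-channel evaluation, the signal names and the plant layout are all assumptions made for the example; in this model a signal value of True means "safe state reported", and any channel that is missing or discrepant withholds the release, which is the fail-safe default on which single fault safety rests.

```python
"""Added example (not from the patent): a hierarchy of certified function blocks."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Signals = Dict[str, bool]   # signal name -> True means "safe state reported"


@dataclass(frozen=True)
class FunctionBlock:
    """A certified block: a name and an evaluation function mapping the
    current input signals to a release decision (True = may run)."""
    name: str
    evaluate: Callable[[Signals], bool]


def dual_channel(ch1: str, ch2: str) -> Callable[[Signals], bool]:
    """Two-channel evaluation: release only if both channels report safe.
    A discrepancy between the channels (one contact welded, one wire broken)
    or a missing signal yields no release: the fail-safe default that
    single-fault safety relies on. Assumed semantics, not from the page."""
    def check(signals: Signals) -> bool:
        return signals.get(ch1, False) and signals.get(ch2, False)
    return check


# The certified library: the only building blocks a user program may use.
# Block names and input naming are illustrative, not taken from the page.
CERTIFIED_LIBRARY: Dict[str, Callable[[str, str], FunctionBlock]] = {
    "EmergencyStop": lambda c1, c2: FunctionBlock("EmergencyStop", dual_channel(c1, c2)),
    "ProtectiveDoor": lambda c1, c2: FunctionBlock("ProtectiveDoor", dual_channel(c1, c2)),
    "LightCurtain": lambda c1, c2: FunctionBlock("LightCurtain", dual_channel(c1, c2)),
}


def instantiate(block_type: str, ch1: str, ch2: str) -> FunctionBlock:
    """Users combine certified blocks; they cannot define their own logic."""
    if block_type not in CERTIFIED_LIBRARY:
        raise ValueError(f"{block_type!r} is not a certified function block")
    return CERTIFIED_LIBRARY[block_type](ch1, ch2)


@dataclass
class Node:
    """One hierarchy level (plant, cell, device). A node's release requires
    its own blocks to release and its parent to release, so a fault at the
    plant level stops everything while a device-level fault stops only that
    device's branch."""
    name: str
    blocks: List[FunctionBlock] = field(default_factory=list)
    children: List["Node"] = field(default_factory=list)


def releases(node: Node, signals: Signals, parent_ok: bool = True) -> Dict[str, bool]:
    """Evaluate the whole hierarchy top-down; returns node name -> release."""
    ok = parent_ok and all(b.evaluate(signals) for b in node.blocks)
    result = {node.name: ok}
    for child in node.children:
        result.update(releases(child, signals, ok))
    return result


def blocking(node: Node, signals: Signals, path: str = "") -> List[str]:
    """Name every block that currently withholds its release, as 'node/Block',
    so an operator can locate the cause of a switch-off."""
    here = f"{path}/{node.name}" if path else node.name
    found = [f"{here}/{b.name}" for b in node.blocks if not b.evaluate(signals)]
    for child in node.children:
        found.extend(blocking(child, signals, here))
    return found


def build_plant() -> Node:
    """Constructed example hierarchy: plant -> press cell, conveyor cell."""
    press = Node("press", blocks=[
        instantiate("ProtectiveDoor", "press.door.ch1", "press.door.ch2"),
        instantiate("LightCurtain", "press.lc.ossd1", "press.lc.ossd2"),
    ])
    conveyor = Node("conveyor", blocks=[
        instantiate("EmergencyStop", "conv.estop.ch1", "conv.estop.ch2"),
    ])
    return Node("plant", blocks=[
        instantiate("EmergencyStop", "main.estop.ch1", "main.estop.ch2"),
    ], children=[press, conveyor])


def all_safe() -> Signals:
    """Constructed signal snapshot with every channel reporting safe."""
    names = ["press.door.ch1", "press.door.ch2", "press.lc.ossd1", "press.lc.ossd2",
             "conv.estop.ch1", "conv.estop.ch2", "main.estop.ch1", "main.estop.ch2"]
    return {n: True for n in names}


if __name__ == "__main__":
    plant = build_plant()
    sig = all_safe()
    print(releases(plant, sig))                    # every node released
    sig["press.door.ch2"] = False                  # one channel opens: discrepancy
    print(releases(plant, sig), blocking(plant, sig))
```

Two design choices carry the safety argument: the release propagates top-down, so the plant-level emergency-off block withholds the release of every cell beneath it while a protective door only stops its own cell, and every input defaults to "unsafe" when absent or discrepant, so a single wiring or contact fault can never produce a release. The two-hand controller mentioned above is left out because its simultaneity window needs a time base that this model does not have.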
The known methods and devices can contribute to increasing clarity when a user program is created for a safety controller. However, this is not yet optimal, in particular with respect to very complex applications having a large number of safety-related and non-safety-related sensors and actuators.