The present invention generally relates to a method of configuring a safe bus user when connecting it to a field bus of a safe control system, and more particularly, to a method of allocating a defined user address to the safe bus user when connecting it to the field bus.
In addition, the invention also relates to a control system for safely controlling safety-critical processes, said system comprising at least one safe bus user which is to be configured when connecting it to a field bus. The safe bus user comprises a receiver for receiving a bus message, an evaluator for evaluating the bus message, and a memory for storing a user address which is to be allocated to the bus user.
A field bus generally is a system for data communication, in which the connected bus users are linked to one another via a bus. For this reason, two bus users connected to the field bus can communicate with one another without being directly cabled to one another individually. Examples of known field buses are the so-called CAN bus, the so-called Profibus and the so-called Interbus.
The use of field buses has been well established for a relatively long time in the field of control and automation engineering. However, this does not apply to the control of safety-critical processes in which, in practice, the units involved in the controlling were individually cabled to one another until very recently. The reason for this is that the known field buses could not guarantee the fault tolerance required for controlling safety-critical processes (fault probability less than 10^-11). Although all known field buses contain measures for fault protection during the data transmission, these measures are not sufficient for guaranteeing the required fault tolerance. Furthermore, field buses are open systems to which, in principle, any units can be connected. The risk is then that a unit which has nothing at all to do with a safety-critical process to be controlled will influence the latter unintentionally.
A safety-critical process is understood to be a process in which an unacceptable risk arises for persons or material goods when a fault occurs. In the case of a safety critical process, therefore, it must be ensured with 100% reliability in the ideal case that the process is moved to a safe state when a fault occurs. In the case of a machine installation, this may mean that the installation is switched off. In the case of a chemical production process, however, switching off may cause an uncontrolled reaction in some circumstances so that it is better to run the process in an uncritical range of parameters in such a case.
Critical processes with regard to safety can also be subprocesses of larger higher-level overall processes. In the case of a hydraulic press, for example, the supply of material can be a subprocess which is not critical with regard to safety, but the starting up of the press tool can be a critical subprocess with regard to safety. Other examples of critical (sub)processes with regard to safety are the monitoring of protective gratings, protective doors or light barriers, the control of two-hand switches or the monitoring and evaluation of an emergency off switch.
The units involved in controlling a critical process with regard to safety must have safety-related facilities going beyond their actual function in order to be licensed for critical tasks with regard to safety by the relevant supervisory authorities. These facilities are mainly used for monitoring faults and functions. As a rule, the units involved are redundantly configured in order to ensure safe operation even when a fault occurs. Units having such safety-related facilities will be designated as safe in the text which follows, in distinction from “normal” units.
The units connected to the field bus will be generally called bus users in the text which follows. In the case of a control system for safely controlling critical processes with regard to safety, the bus users are normally either control units or signal units. A control unit is a bus user which has a certain intelligence for controlling a process. In technical terminology, such bus users are usually called clients. They receive data and/or signals which represent state variables of the controlled processes and, in dependence on this information, activate actuators which influence the process to be controlled. The intelligence is normally stored in the form of a variable user program in a memory of the control units. As a rule, so-called PLCs (Programmable Logic Controllers) are used as control units.
By comparison, a signal unit is a bus user which essentially provides input and output channels (I/O channels) to which, on the one hand, sensors for receiving process variables, and, on the other hand, actuators can be connected. As a rule, the signal units do not have any intelligence in the form of a variable user program. They are normally called servers in technical terminology.
In many field buses such as, for example the CAN bus, it is known to allocate an individual user address to the individual bus users. The user address is used for selectively conveying bus messages with information to be transmitted from the transmitting bus user to the receiving bus user. In configuring a control system for controlling critical processes with regard to safety, the allocation of the user addresses to the bus users is a critical procedure with regard to safety. That is because, for example, if two different signal units pick up the state data of two different protective screens and forward them to the control unit, a wrong address allocation of the two signal units can lead to the control unit not switching off the movement of a machine to be protected even though the corresponding protective screen has been opened.
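The hazard described in the preceding paragraph, as a constructed simulation added here (not code from the patent): a control unit that decides purely from the user address carried in each bus message, two signal units whose addresses have been swapped, and, as an assumption of this example rather than the patent's own method, an identity check that sends the controller to a safe state when the address-to-unit allocation does not match its commissioning data. All unit serials, screen names and addresses are made up.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BusMessage:
    source_address: int   # user address set at the signal unit (e.g. by rotary switch)
    unit_serial: str      # assumed: a fixed identity the unit reports with each message
    screen_open: bool     # state of the protective screen wired to that unit

# Commissioning data of the control unit (constructed for this example):
# which address should report which screen, which machine that screen
# guards, and which physical unit was installed under each address.
ADDRESS_TO_SCREEN = {1: "press_screen", 2: "conveyor_screen"}
SCREEN_TO_MACHINE = {"press_screen": "press", "conveyor_screen": "conveyor"}
ADDRESS_TO_SERIAL = {1: "SN-PRESS", 2: "SN-CONV"}
ALL_MACHINES = set(SCREEN_TO_MACHINE.values())

def control_unit(messages, check_identity=False):
    """Return the machines the control unit switches off. Without the
    identity check it trusts the user address alone, as the text describes."""
    if check_identity and any(ADDRESS_TO_SERIAL[m.source_address] != m.unit_serial
                              for m in messages):
        return set(ALL_MACHINES)   # allocation inconsistent: go to the safe state
    stopped = set()
    for m in messages:
        if m.screen_open:
            stopped.add(SCREEN_TO_MACHINE[ADDRESS_TO_SCREEN[m.source_address]])
    return stopped

def run_scenario(press_unit_address, conveyor_unit_address, check_identity=False):
    """The press screen is opened while the conveyor screen stays closed.
    Each signal unit only knows the address set on its own coding switch."""
    frames = [BusMessage(press_unit_address, "SN-PRESS", True),
              BusMessage(conveyor_unit_address, "SN-CONV", False)]
    return control_unit(frames, check_identity)

if __name__ == "__main__":
    print(run_scenario(1, 2))                        # {'press'}: correct allocation
    print(run_scenario(2, 1))                        # {'conveyor'}: press keeps moving
    print(run_scenario(2, 1, check_identity=True))   # both machines stopped: safe state
```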
In the case of the generic control systems hitherto known or, respectively, the corresponding methods for configuring the safe bus users, the user addresses are set directly at the bus user. For this purpose, each bus user has either a mechanical coding switch, particularly a rotary switch, or a serial programming interface. One disadvantage of this solution is that the user addresses must be set directly at the location of the individual bus user. In the case of complex process controls in the industrial field, the individual bus users connected to the field bus can be up to several hundred meters apart, however. In this case, therefore, long walking distances are required for configuring a safe control system and these make setting up and configuring awkward.
Furthermore, due to the long walking distances, it is easily possible to lose one's overview in this case which can lead to faulty address allocations. Another significant disadvantage of the known solutions is that when a defective bus user is exchanged, its user address must be known so that it can subsequently be allocated to the replacement bus user. In the case of industrial installations which are frequently operated around the clock, this means that correspondingly knowledgeable personnel must always be available in order to exchange a defective bus user. In the case where the user address is allocated to the bus user via the serial interface with the aid of a programming device, the corresponding programming device is also always required.
When allocating a user address via a programming interface, there is the additional disadvantage that the user address allocated to the bus user cannot be recognized from the outside. As a result, there is the risk that a bus user which has been previously used with a different user address is accidentally operated with its old user address when it is used in a new environment. This risk is particularly great if a bus user which has already been used is to be integrated into another control system during a maintenance operation.