This patent application claims the priority of German patent application 10 2016 110 641.0, the content of which is incorporated in full into the disclosure of the present application by reference.
In automation engineering, fieldbus systems are used to control automation processes in installations having components in a distributed arrangement. The fieldbus systems comprise a fieldbus connecting a central control unit to, in most cases, multiple input/output modules in a distributed arrangement. The sensing system of the fieldbus system is connected to inputs of the input/output modules, and the actuating system is connected to outputs of the input/output modules. In this case, the sensing system comprises all sensors that sense the state of the automation process to be controlled. The actuating system comprises all actuators that can alter the state of the process to be controlled.
The fieldbus normally comprises a data transmission medium, for example a network connection, by which data are interchanged between the control unit and the input/output modules. To control the automation process, the input/output modules use their inputs to read in input signals from the sensing system, the input signals representing the measured values captured by the sensors. The input/output modules convert the input signals into input data that are subsequently transmitted to the control unit via the fieldbus. The control unit performs a logic function on the input data in order to generate output data for controlling the automation process by the actuating system. The output data are transmitted from the control unit to the input/output modules via the fieldbus and converted by the input/output modules into output signals that are output via the outputs of the input/output modules in order to actuate the actuators.
In the case of fieldbus systems in safety-critical installations, it is frequently necessary to be able to put outputs of input/output modules into a safe state. The safe state in this case is a state in which it is ensured that the parts of the installation that are driven by the actuators cannot endanger the operating personnel or damage the installation. In most cases, the safe state is the “deenergized” or “zero voltage” or “zero current” state, in which the actuators are no longer supplied with drive power.
In the case of safety-critical installations, the control process that puts the outputs into the safe state must itself be implemented in a safe fashion. In particular, special protective measures need to ensure that the safe state is actually adopted and is not subsequently left again. Normally, the actuating system is put into the safe state by specific safety input/output modules.