The present invention relates to a safety controller for controlling an automated installation in accordance with a user program running on the safety controller, and to a method for generating a user program for such a safety controller.
A safety controller in terms of the present invention is an apparatus which picks up input signals delivered by sensors and produces output signals therefrom by virtue of logic combinations and possibly further signal or data processing steps. The output signals are typically supplied to actuators which take the output signals as a basis for prompting actions or reactions in a controlled installation.
A preferred field of application for such safety controllers is the monitoring of emergency off pushbuttons, two-hand controllers, guard door switches or light grids in the field of machine safety. Such sensors are used in order to safeguard a machine, for example, which presents a hazard to humans or material goods during operation. When a guard door is opened or when the emergency off pushbutton is operated, a respective signal is produced and supplied to the safety controller as an input signal. In response thereto, the safety controller then uses an actuator to shut down the part of the machine which is presenting the hazard.
In contrast to a “normal” controller, a characteristic of a safety controller is that the safety controller always ensures a safe state for the installations or machines presenting the hazard, even if a malfunction occurs in said safety controller or in a device connected thereto. Extremely high demands are therefore made of safety controllers in terms of their own failsafety, which results in considerable complexity for development and manufacture.
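The fail-safe principle just described (the safe state is the default and a "run" output must be positively established from the input signals, with any fault in the controller or in a connected device falling back to the safe state) can be illustrated with a small model. The following is an added example written for this page, not code from the patent or from any particular safety controller product; the dual-channel inputs, the two-hand synchronisation window of 500 ms and the self-test flag are assumptions chosen to make the logic concrete.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Output(Enum):
    RUN = "run"    # actuator enabled
    SAFE = "safe"  # actuator de-energised: the safe state


@dataclass(frozen=True)
class Inputs:
    # Redundant two-channel signals; True means "circuit closed" on that channel.
    # An emergency off pushbutton or an opened guard door opens both channels.
    estop_ch1: bool
    estop_ch2: bool
    guard_ch1: bool
    guard_ch2: bool
    # Two-hand control: both buttons and the time (ms) between the two presses.
    twohand_a: bool
    twohand_b: bool
    twohand_delta_ms: int
    # Result of the controller's own self-test (assumed flag, not from the page).
    self_test_ok: bool = True


# Assumed synchronisation window for the two-hand control (constructed value).
TWOHAND_WINDOW_MS = 500


def channel_ok(ch1: bool, ch2: bool) -> Optional[bool]:
    """Evaluate a redundant two-channel input.

    Returns True if both channels report 'closed', False if both report 'open',
    and None on a discrepancy between the channels (wiring or contact fault).
    The caller treats None exactly like an open circuit, i.e. as a demand for
    the safe state.
    """
    if ch1 == ch2:
        return ch1
    return None


def evaluate(inp: Inputs) -> Output:
    """Logic combination of the user program: RUN only when every condition
    is positively satisfied; every other case, including an internal fault,
    yields the safe state."""
    if not inp.self_test_ok:
        return Output.SAFE
    estop = channel_ok(inp.estop_ch1, inp.estop_ch2)
    guard = channel_ok(inp.guard_ch1, inp.guard_ch2)
    # "is not True" covers both an open circuit (False) and a discrepancy (None).
    if estop is not True or guard is not True:
        return Output.SAFE
    twohand = (
        inp.twohand_a
        and inp.twohand_b
        and inp.twohand_delta_ms <= TWOHAND_WINDOW_MS
    )
    if not twohand:
        return Output.SAFE
    return Output.RUN


if __name__ == "__main__":
    healthy = Inputs(True, True, True, True, True, True, 100)
    print(evaluate(healthy))                                        # Output.RUN
    print(evaluate(Inputs(False, False, True, True, True, True, 100)))  # e-stop pressed
    print(evaluate(Inputs(True, False, True, True, True, True, 100)))   # channel discrepancy
```

The point of the structure is that `evaluate` has no path that reaches `RUN` without every check passing, and that a channel discrepancy, which on a plain controller might be ignored or resolved in favour of the "closed" channel, is treated as a fault and therefore as a shutdown demand.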
Usually, safety controllers require particular approval from competent supervisory authorities, such as the professional associations or what is called TÜV in Germany, before they are used. In this case, the safety controller must observe prescribed safety standards as set down, by way of example, in European standard EN 954-1, standard IEC 61508, standard EN ISO 13849-1 or other comparable standards. In the following, a safety controller is therefore understood to mean an apparatus which at least complies with safety category 3 of EN 954-1 or the Safety Integrity Level (SIL) of which at least reaches level 2 according to IEC 61508.
A programmable safety controller allows a user to individually define the logic combinations and any further signal or data processing steps according to his needs using a piece of software that is typically known as the user program. This results in a great deal of flexibility in comparison with earlier solutions, in which the logic combinations were defined by selected wiring between different safety relays.
For large and complex prior art installations, distributed safety controllers are often used. Distributed safety controllers have a plurality of spatially distributed control components (control units, sensors and actuators) which communicate with one another via a communication network. The control components are associated with installation components. Installation components are the component parts of the controlled installation, such as handling stations, conveyor belts, individual robots or the like. As regards the hardware, distributed safety controllers provide a high level of flexibility. Thus, a safety controller can be built from a plurality of different control components and can therefore be flexibly varied to suit the circumstances of the installation to be controlled. As regards the configuration of the communication relationships between the individual control components and the issues concerning data processing, however, distributed safety controllers are not yet optimum. They require a high level of configuration complexity before startup. For each control unit, it is necessary to individually determine which input signals are read in and which output signals are output. In addition, the user has to individually determine the communication relationships between all the components in the control system. This also includes time parameters which need to be observed during communication.
Configuration of the communication relationships between the individual control components particularly comprises the following configuration parameters: configuration parameters which define what kind of data are transmitted, i.e. what data type the data to be transmitted have; configuration parameters which define from where to where data are transmitted, i.e. between which control components data interchange takes place; configuration parameters which define how frequently individual data items need to be transmitted; and configuration parameters which define how quickly the safety controller must react to external events in order to perform its safety functions.
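The four kinds of configuration parameter named above (data type, producer and consumer, transmission cycle, required reaction time) can be modelled together with the check a consuming control unit has to perform on them at runtime. The following is an added example written for this page, not code from the patent or from any real safety network protocol; the connection names, unit names, the rule that a consumer declares a connection lost after two missed cycles, and the reaction-time budget of "watchdog plus one processing cycle" are all assumptions introduced here to make the parameters concrete.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Connection:
    """One communication relationship between two control components."""
    name: str
    data_type: str   # what kind of data is transmitted (e.g. "SAFE_BOOL")
    producer: str    # from where the data is sent
    consumer: str    # to where the data is sent
    cycle_ms: int    # how frequently the item is transmitted
    reaction_ms: int # how quickly the safety function must react


@dataclass(frozen=True)
class Frame:
    """A transmitted data item as seen on the network (constructed format)."""
    connection: str
    data_type: str
    value: bool
    sent_ms: int


def watchdog_ms(conn: Connection) -> int:
    # Assumption: the consumer tolerates at most two missed cycles.
    return 2 * conn.cycle_ms


def validate(conn: Connection) -> List[str]:
    """Static configuration checks done before startup; returns a list of errors."""
    errors: List[str] = []
    if conn.producer == conn.consumer:
        errors.append("producer and consumer are the same control unit")
    if conn.cycle_ms <= 0:
        errors.append("cycle time must be positive")
    # Assumed budget: the watchdog plus one cycle of processing must fit inside
    # the required reaction time, otherwise the timing parameters are inconsistent.
    if conn.cycle_ms > 0 and watchdog_ms(conn) + conn.cycle_ms > conn.reaction_ms:
        errors.append("required reaction time cannot be met with this cycle time")
    return errors


class Consumer:
    """Receiving side of the communication relationships configured for one unit."""

    def __init__(self, unit: str, conns: Iterable[Connection]) -> None:
        self.unit = unit
        self.conns: Dict[str, Connection] = {
            c.name: c for c in conns if c.consumer == unit
        }
        self.last_seen: Dict[str, int] = {}
        self.value: Dict[str, bool] = {}

    def receive(self, frame: Frame, now_ms: int) -> bool:
        """Accept a frame only if it matches a configured relationship and type."""
        conn = self.conns.get(frame.connection)
        if conn is None or frame.data_type != conn.data_type:
            return False  # not configured for this unit or wrong type: discarded
        self.last_seen[frame.connection] = now_ms
        self.value[frame.connection] = frame.value
        return True

    def safe_value(self, name: str, now_ms: int) -> bool:
        """Value the user program may rely on: True only while the data is fresh.
        Missing or stale data is reported as False, i.e. as a demand for the
        safe state, so a broken link never keeps a machine running."""
        conn = self.conns[name]
        seen: Optional[int] = self.last_seen.get(name)
        if seen is None or now_ms - seen > watchdog_ms(conn):
            return False
        return self.value[name]


# Constructed sample configuration: a guard door signal from an I/O unit to a CPU.
GUARD_LINK = Connection("guard_door", "SAFE_BOOL", "io_unit_1", "cpu_a", 10, 100)
SLOW_LINK = Connection("conveyor_stop", "SAFE_BOOL", "io_unit_2", "cpu_a", 50, 100)


def demo() -> bool:
    """Runs the sample: a fresh frame is usable, a stale one is not."""
    cpu = Consumer("cpu_a", [GUARD_LINK])
    cpu.receive(Frame("guard_door", "SAFE_BOOL", True, 0), now_ms=0)
    fresh = cpu.safe_value("guard_door", now_ms=5)     # True
    stale = cpu.safe_value("guard_door", now_ms=25)    # False: older than watchdog
    return fresh and not stale


if __name__ == "__main__":
    print(validate(GUARD_LINK))  # []
    print(validate(SLOW_LINK))   # reaction time error
    print(demo())                # True
```

Note the separation of the two checks: `validate` is the pre-startup configuration step the text describes as burdensome for distributed controllers, while `Consumer.safe_value` is the runtime consequence of the cycle and reaction-time parameters, with the stale-data case deliberately resolved towards the safe state.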