The invention relates to an interface module having a high level of error immunity for programmable logic controllers, particularly to an analog-input circuit.
U.S. Pat. No. 5,508,910 discloses a redundant analog input/output system having two identical analog input/output units, one of which is in operating mode while the other is in monitor mode. Each analog input/output unit has a microcomputer, two D/A converters and a D/A converter. In a fault situation, the microcomputer of the affected analog input/output unit switches its own unit to monitor mode and switches the other input/output unit to operating mode.
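The switch-over behaviour described for the prior-art system can be modelled as a small state machine. The following Python simulation is an added example and not code from the patent or from U.S. Pat. No. 5,508,910; the page does not say how a unit detects its own fault, so a per-unit self-test flag (`faulty`) is assumed here, and the class and function names are illustrative. The invariant that exactly one unit is in operating mode is checked on every step, and the case where both units have failed (which the page does not cover) is handled by delivering no value and logging an alarm.

```python
"""Simulation of a redundant analog-input pair: two identical units, one in
OPERATING mode and one in MONITOR mode.  On a fault the operating unit's
microcomputer switches itself to MONITOR and the other unit to OPERATING.
Fault detection itself is not described on the page; here a unit is taken as
faulty when its self-test flag is set (an assumption for this example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Mode(Enum):
    OPERATING = "operating"
    MONITOR = "monitor"


@dataclass
class AnalogUnit:
    name: str
    mode: Mode
    faulty: bool = False                      # result of the unit's own self-test (assumed)
    samples: List[float] = field(default_factory=list)

    def read(self, raw: float) -> float:
        """Deliver one sampled analog value; only the OPERATING unit is asked."""
        self.samples.append(raw)
        return raw


@dataclass
class RedundantPair:
    a: AnalogUnit
    b: AnalogUnit
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self._check_invariant()

    def _check_invariant(self) -> None:
        # Exactly one unit must be OPERATING and the other MONITOR at all times.
        if {self.a.mode, self.b.mode} != {Mode.OPERATING, Mode.MONITOR}:
            raise RuntimeError(f"invalid modes: {self.a.mode}, {self.b.mode}")

    def operating(self) -> AnalogUnit:
        return self.a if self.a.mode is Mode.OPERATING else self.b

    def monitor(self) -> AnalogUnit:
        return self.b if self.a.mode is Mode.OPERATING else self.a

    def _switch_over(self) -> None:
        """The faulty operating unit demotes itself and promotes its partner."""
        op, mon = self.operating(), self.monitor()
        op.mode, mon.mode = Mode.MONITOR, Mode.OPERATING
        self.log.append(f"{op.name}: fault -> monitor; {mon.name} -> operating")
        self._check_invariant()

    def step(self, raw: float) -> Optional[float]:
        """One sampling cycle.  Returns the value delivered to the controller,
        or None when no unit is able to deliver a valid value."""
        self._check_invariant()
        if self.operating().faulty:
            if self.monitor().faulty:
                # Both units down: no valid signal; this is the alarm case.
                self.log.append("both units faulty: no valid value, raise alarm")
                return None
            self._switch_over()
        return self.operating().read(raw)


def make_pair() -> RedundantPair:
    """Constructed starting state: unit A operating, unit B monitoring."""
    return RedundantPair(AnalogUnit("A", Mode.OPERATING), AnalogUnit("B", Mode.MONITOR))


def run_scenario() -> List[Optional[float]]:
    """Constructed fault sequence: healthy, A fails, then B fails as well."""
    pair = make_pair()
    delivered = [pair.step(1.0)]
    pair.a.faulty = True                      # injected fault in the operating unit
    delivered.append(pair.step(2.0))          # B takes over transparently
    pair.b.faulty = True                      # second fault: no healthy unit left
    delivered.append(pair.step(3.0))
    return delivered


if __name__ == "__main__":
    pair = make_pair()
    print(run_scenario())
    print("\n".join(pair.log))
```

Because the switch-over happens inside `step()`, the controller reading the pair sees an uninterrupted stream of values across the first fault; only the second fault produces a gap, which is the point at which a shutdown or alarm must be triggered.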
Industrial and other technically complex plant processes are being automated to an ever increasing extent through the use of programmable logic controllers. This was probably originally driven by the idea of transferring to such controllers simple activities, such as the activation of individual processing steps in a serial process, and simple control sections, e.g. filling-level or temperature control sections. The design of control loops led to feedback of process signals, and this trend finally resulted in the transfer of extensive monitoring tasks to programmable logic controllers. When a human operator delegates such tasks to a machine, however, one human property important to monitoring tasks becomes highly significant: the responsibility for preventing accidents and other damage during operation of a plant as far as possible and for ensuring the highest possible level of safety for people, machines and the environment. The regularly recurring reports of poisonous gases escaping from plants in the chemical industry, and the countless risks arising from the use of large amounts of power in a wide variety of plants in the raw-materials industry, power generation, mechanical conveying and handling, machining and automated production, must be regarded in this context as an incentive to increase plant safety further.
In this context, malfunctioning of individual plant parts can probably never be ruled out; the task of an automatic controller therefore needs to be to identify such malfunctions and, as quickly as possible, to initiate countermeasures, shut down the plant or trigger an alarm. It can only perform this task, however, if it is certain to work correctly itself, even and specifically when malfunctions occur in the plant. Although the use of microelectronics in millions of wristwatches, household appliances, aircraft and vehicles shows that the greatest risk when operating an electronic circuit is probably failure of the supply voltage, particularly a drop in the battery voltage, it must not be forgotten that industrial plants are operated under harsh conditions, and only rarely can an atmosphere entirely free of vapors, gases and other chemicals be presupposed. For this reason, particularly in the case of critical processes in which malfunctions must be avoided if at all possible, additional measures should be taken in order to increase the operational reliability of the control device further.
When dealing with this problem, the design of a programmable logic controller should be recalled. To allow optimum matching to a very wide variety of application instances, a modular design has been adopted in practice: the core of the programmable logic controller is a central processor unit which processes a program specific to the application instance in question. The interfaces to the individual actuators of the process, as well as hived-off subfunctions such as control sections, are by contrast held in separate modules, which are normally all coupled to a communications line, for example a serial bus, so that information can be interchanged between the various components. In such an arrangement an error can in principle occur in any of the components, i.e. both in the central processor unit and in the connected modules, and also on the communications line connecting them to one another.
The first two sources of error can, for critical processes, be prevented or reduced to an extremely small residual risk by increasing availability, for example by using a second central processor unit connected in parallel and/or a second communication bus operated in parallel. Duplicating all the other components, however, would in most application instances entail a substantial additional effort, and the enormous increase in complexity would itself introduce the risk of additional sources of error as a result of wiring or setting mistakes. In addition, the interchange of information via the communications line would be at least doubled in such a case, which would necessitate a further increase in the controller's processing power. On the other hand, it should be remembered that particular significance attaches specifically to the interface modules, as the interface between the process and the controller, since failure of such a component may result in crucial signals being lost or in the influence of the controller on the process being restricted or even interrupted.