The present invention relates to industrial controllers used for real time control of industrial processes, and in particular to “high reliability” or “safety” industrial controllers appropriate for use in devices to protect human life and health.
Industrial controllers are special-purpose computers used in controlling industrial processes. Under the direction of a stored control program, an industrial controller examines a series of inputs reflecting the status of the controlled process and changes a series of outputs controlling the process. The inputs and outputs may be binary, that is, on or off, or analog, providing a value within a substantially continuous range. The inputs may be obtained from sensors attached to the controlled process, and the outputs may be signals to actuators on the controlled process.
“Safety systems” are systems intended to ensure the safety of humans working in the environment of an industrial process. Such systems may include the electronics associated with emergency-stop buttons, light curtains, and other machine lockouts. Traditionally, safety systems have been implemented by a set of redundant circuits separate from the industrial control system used to control the industrial process with which the safety system is associated. Such safety systems have been “hardwired” from switches and relays including specialized “safety relays” which provide comparison of redundant signals and internal checking of fault conditions such as welded or stuck contacts.
Hard-wired safety systems using duplicate wiring have proven cumbersome in practice in part because of the difficulty of installing and connecting hardwired components and duplicate sets of wiring, particularly in complex control applications, and in part because of the difficulty of troubleshooting and maintaining a hard-wired system whose logic can be changed only by re-wiring.
For this reason, there has been considerable interest in developing industrial controllers that may implement safety systems using a program simulating the operation of the physical components in hard-wired safety systems. Industrial controllers are not only easier to program but can provide reduced installation costs by eliminating long runs of redundant wiring in favor of a high speed serial communication network and by providing improved troubleshooting capabilities. U.S. Patent applications No. 60/373,592 filed Apr. 18, 2002; Ser. No. 10/034,387 filed Dec. 27, 2001; Ser. No. 09/667,145 filed Sep. 21, 2000; Ser. No. 09/666,438 filed Sep. 21, 2000; and Ser. No. 09/663,824 filed Sep. 18, 2000, assigned to the assignee of the present invention, describe the implementation of safety systems using industrial controller architectures, and are hereby incorporated by reference.
Establishing the necessary degree of reliability for safety controller hardware and operating system software can be done by careful attention to the design of this hardware and software. Establishing this reliability for the control program executed by the controller, however, is more difficult. The control program is normally written by the user for a specific application on an application-by-application basis. Further, the control program may be prepared on a common desktop computer using a standard commercial operating system and other software whose configuration and reliability cannot be easily verified and which is outside of the control of the safety controller manufacturer.
For this reason, each control program must be individually certified after it is loaded into the safety controller. This certifications step involves operating the control program in a test environment and confirming that the correct outputs are generated during a simulated operation of the safety system. After completion of the certification process, the control program may be run.
In the event that the safety program as stored in the safety controller is lost and must be recovered from the external desktop computer or the like, or edited using the desktop computer, the certification of the control program is lost and the certification process must be repeated, a costly and time consuming operation. In complex control programs where both safety tasks and standard tasks are executed on the same controller, the need to edit the control program is common.