1. Field of the Invention
The present invention relates to a method for operating a control device for an industrial-technical process.
The present invention further relates to a control program for a control device for an industrial-technical process, where the control program comprises machine code which is able to be processed directly by a processor device of the control device and the processing of which by the processor device causes the control device to implement such an operating method.
The present invention further relates to a control device for an industrial-technical process, where the control device comprises a processor device and is programmed with such a control program, so that during operation, because of the processing of the machine code of the control program by the processor device, it performs such an operating method.
2. Description of the Related Art
Operating methods for control devices for an industrial-technical process are generally known. Often—but not exclusively—they are executed by programmable logic controllers. A programmable logic controller is thus a typical control device within the meaning of the present invention.
Conventional methods of operation for the control device are generally executed by the control device accepting input signals from the process, determining, using the input signals (and possibly further internal controller states such as timers and flags), specific control signals for the process, and controlling the process in accordance with the control signals determined.
For many applications, this method of operation is sufficient. However, many safety-oriented applications also exist. In safety-oriented applications an individual fault, regardless of the fault location, must not lead to the industrial-technical process getting into a dangerous state. Instead, the fault must be detected, and in reaction to the fault the process must be put into a safe state. A dangerous state within the meaning of the invention is a state in which the danger of damage to material or even personal injury exists. A safe state within the meaning of the present invention is a state in which such a danger does not exist. An example of a dangerous state is an emergency-off switch becoming defective; in such a case an emergency shutdown could no longer be initiated by the emergency-off switch. A safe state is, for example, when the power to a plant is switched off.
The procedure for realizing such fail-safe behavior can be achieved in conventional systems by the control device accepting safety-oriented input signals from the process in a fail-safe manner, and the control device determining specific safety-oriented control signals in a fail-safe manner for the industrial-technical process.
In addition, the control device decides (for example, by means of a two-channel embodiment of the control device) whether it recognizes the determined safety-oriented control signals as correct. Depending on the result of this decision, the control device either controls the industrial-technical process in accordance with the safety-oriented control signals in a fail-safe manner or puts the industrial-technical process into a safe state in a fail-safe manner.
In conjunction with “normal”, non-safety-oriented control processes, it is further known that the control device accepts input signals from the process, transfers the input signals to a computer via a link to a computer network, accepts specific control signals for the industrial-technical process from the computer via the link to the computer network and controls the industrial-technical process in accordance with the control signals accepted.
Cloud computing is currently revolutionizing data processing. The noticeable effect for users is an especially marked reduction in the response time of processor-intensive data processing tasks. Questions of redundancy and/or load distribution also arise within the context of Cloud computing and are addressed by corresponding solutions. The focus is, however, directed rather to ensuring a desired level of performance (by distributing the load across different systems). Furthermore, reliability is dealt with within the meaning of fail-safe behavior or availability of the respective Cloud services, that is, server-specific standby functionality.
It would be desirable to also employ Cloud computing in the area of safety-oriented control processes. For this purpose, the fail-safe input signals would have to be transferred via a fail-safe protocol to at least two computers, the control signals would have to be determined in each case by the respective computer, and the comparison results with the control signals of the respective other computer, or a corresponding enabling signal, would have to be accepted from both computers. Furthermore, a corresponding check of the accepted control signals would have to be made. However, this is not readily possible. This is because, within the framework of Cloud computing, the desired processing request is virtually mapped to a computer of a computer network, and this mapping occurs hidden from the user. Therefore, it cannot be readily guaranteed that the control signals will be determined on physically separated computers. Instead, the situation can occur that the determination of the control signals occurs on two logical computers that are realized physically by the same computer. In such cases, an error in the one physical computer that realizes both logical computers would no longer be able to be detected, so that a dangerous situation can arise unnoticed.
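The two-channel comparison described above, and the reason it stops working when both logical channels are mapped onto one physical computer, can be illustrated with a small model. The following Python code is an added example and is not part of the patent text or of any product it describes; the signal names, the two channel functions, the `Host` class and its stuck-bit fault model are all constructed assumptions chosen to make the common-cause effect visible.

```python
# Constructed model of two-channel fail-safe control and of the common-cause
# problem that arises when both channels execute on the same physical host.
# All signal names and the fault model are assumptions for this example.
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

Signals = Dict[str, int]          # signal name -> 0/1

# Safe state in the sense of the text: plant power switched off.
SAFE_STATE: Signals = {"power": 0}


def channel_a(inputs: Signals) -> Signals:
    """Channel A: power may be on only if no shutdown condition is present."""
    enable = (inputs["emergency_off_ok"] == 1
              and inputs["guard_closed"] == 1
              and inputs["over_temperature"] == 0)
    return {"power": int(enable)}


def channel_b(inputs: Signals) -> Signals:
    """Channel B: diverse implementation that computes the shutdown condition
    and negates it, so that one coding mistake is less likely to hit both."""
    shutdown = (inputs["emergency_off_ok"] == 0
                or inputs["guard_closed"] == 0
                or inputs["over_temperature"] == 1)
    return {"power": 0 if shutdown else 1}


@dataclass(frozen=True)
class Host:
    """A physical computer. A non-zero stuck_bit_mask models a hardware fault
    that flips the same bit in every output word computed on this host, i.e.
    a fault that affects every channel running there in the same way."""
    name: str
    stuck_bit_mask: int = 0

    def run(self, channel: Callable[[Signals], Signals], inputs: Signals) -> Signals:
        return {k: v ^ self.stuck_bit_mask for k, v in channel(inputs).items()}


def two_channel_control(inputs: Signals, host_a: Host, host_b: Host) -> Tuple[Signals, bool]:
    """Fail-safe evaluation: compute the control signals in both channels,
    compare them, and either pass them on or drive the safe state.

    Returns (control_signals, fault_detected)."""
    out_a = host_a.run(channel_a, inputs)
    out_b = host_b.run(channel_b, inputs)
    if out_a == out_b:
        return out_a, False
    return dict(SAFE_STATE), True


def placement_is_independent(host_a: Host, host_b: Host) -> bool:
    """The guarantee that hidden cloud scheduling does not give: the two
    logical channels must reside on physically different computers."""
    return host_a.name != host_b.name


if __name__ == "__main__":
    # Constructed process inputs: emergency-off switch pressed (signal not ok),
    # so the correct control signal is power = 0.
    inputs = {"emergency_off_ok": 0, "guard_closed": 1, "over_temperature": 0}
    good_a = Host("rack1-node1")
    good_b = Host("rack1-node2")
    faulty = Host("rack2-node7", stuck_bit_mask=1)

    # Separate, healthy hosts: channels agree, power stays off.
    print(two_channel_control(inputs, good_a, good_b))   # ({'power': 0}, False)
    # One faulty host: the channels disagree, fault detected, safe state driven.
    print(two_channel_control(inputs, good_a, faulty))   # ({'power': 0}, True)
    # Both logical channels on the same faulty host: identical wrong outputs
    # agree, so the fault is not detected and power is switched on.
    print(two_channel_control(inputs, faulty, faulty))   # ({'power': 1}, False)
    print(placement_is_independent(faulty, faulty))      # False
```

The third scenario is the one the text warns about: the comparison only detects a fault when the two channels can fail differently, which presupposes physically separate hardware. A check such as `placement_is_independent` must therefore be satisfiable from information the cloud platform actually exposes; if the physical placement stays hidden, the two-channel scheme offers no protection against a single-host fault.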