The present invention comes from the field of automation technology, in particular from the field of programmable controllers, in particular from the field of safety controllers; it describes a device for increasing the safety of application processes, and it describes a method for operating a controller of this type.
It is critical that individuals be protected against uncontrolled machine movements in the case of machine tools, printing presses, and packaging machines, and in applications related to assembly, handling, and robots. All machine manufacturers must perform a hazard analysis and risk assessment in the process of designing their machines. In order to fulfill these very high requirements, “safety controllers” must be used to control the machines.
DE 102004018857 A1 shows a safety controller from the prior art. The aim of the solution described here is to provide a method and a device for controlling safety functions within the framework of a system controller that is not directed to safety functions, wherein the safety program which includes all of the safety functions is characterized by a low level of complexity and the fact that it may be run in any unsafe program environment without the risk that faults that occur in the control of non-safety-relevant control functions will cause a fault to occur in the control of safety functions.
Application processes in combination with safety controllers are typically realized using a controller and a large number of field controllers. The task of the field controllers is to detect or monitor the process states, and to transfer this process-relevant information to the controller, or to receive process-relevant information from the controller. Field controllers may be, e.g. sensors, probes, motion alarms, and electrical drives. The field controller and the controller are connected, e.g. via “input/output means” (I/O assemblies). The I/O assemblies may communicate with the controller, e.g. via a field bus. The I/O assemblies may be arranged in a hierarchy, and they are typically connected to a field bus via a “field bus head”. A secure controller also includes secure I/O assemblies.
The applicant currently offers a distributed communication system with a ring-type structure on the market, called the SERCOS Interface® (SErial Real Time COmmunication System). This system is suitable for use as a field bus in safety-related applications, although this is not mandatory. The participants are typically connected to a central participant (e.g. the controller) via optical waveguides. The SERCOS interface® specifies strictly hierarchical communication. Data are exchanged in the form of data blocks, the “telegrams” or “frames”, between the controller (master) and the substations (slaves) in temporally constant cycles. The further participants and/or substations do not communicate directly with one another. In addition, data contents are specified, i.e., the significance, depiction, and functionality of the transmitted data are predefined to a significant extent. In the SERCOS interface®, the connection of the controller to the ring is the master, and the connection of one or more substations (drives or I/O assemblies) is the slave. A plurality of rings may be linked to one controller, with the controller being responsible for coordinating the individual rings with one another. This is not specified by the SERCOS interface®. Alternative field bus standards would be Profibus or CAN bus.
The basic prerequisite for components of a safety application is that they adopt a safe state if a malfunction occurs. A “safe state” refers to a state in which a potential hazard is reliably prevented. In the field of automation technology, the energy-free state is typically a safe state. “Secure” field busses which may be based, e.g. on the SERCOS interfaced described above, are used for communication in these applications. Safety-relevant components must also comply with applicable standards, such as IEC 61508, and they must be certified by certification agencies, e.g. TÜV. In addition, there are various safety levels SIL 1-4 to which these assemblies may be assigned.
The controllers known from the prior art typically operate using at least one data processing means in order to realize at least two data channels, and they preferably operate using one data separator, via which it is possible to combine the two data channels and store them in one memory means. The data may also be stored in a memory without using a separator, and they may then be checked for correctness. A higher-order data processing unit may access the memory and read out the data. The higher-order data processing unit is typically a host system, e.g. a field bus system (Profibus, SERCOS, etc.).
Approaches for realizing safety controllers that are known from the prior art may be susceptible to error and therefore pose a safety risk if the memory means may be accessed at any time and in an uncontrolled manner. This means that, regardless of whether the data in the memory means are complete or correct, an accessing of data that are theoretically incomplete and, therefore, insecure, could take place.