The present invention relates to a controller network and to a method for transmitting data in such a controller network, and more particularly to a controller network and a method, where delay times of the messages are monitored in order to guarantee that safety-relevant data is transmitted and received within predefined time intervals.
DE 10 2005 032 877 A1 discloses a method for time synchronization of subscribers in a network for automated control of a technical installation. The subscribers interchange safety-relevant data, with the term “safety-relevant” referring to the operational safety of the installation. A typical example is the transmission of a message that signals actuation of an emergency-off switch. In order to ensure the operational safety, the installation must be switched off within a defined time period in response to such a message. In order to ensure compliance with this defined time period, it is necessary to monitor the delay time of the messages in the network. The delay time may vary because of the number of messages varying, because of external interference, or for other reasons. While delaying messages in an office network may not have any serious consequences apart from possibly inconvenient waiting time, the delay of messages in a network that is used for safety-relevant control of an installation can have fatal consequences, for example if a dangerous drive is not switched off in good time because of the delay.
Coping with message delays is a prerequisite for certification of a network intended to be accepted for transmission of safety-relevant messages within the meaning of the Standards EN 954-1, IEC 61508 and EN ISO 13849-1. Measures for coping with delays are described in the document “Prüfgrundsätze für Bussysteme für die Übertragung sicherheitsrelevanter Nachrichten” [Test principles for bus systems for transmission of safety-relevant messages], which was issued as document GS-ET-26 by the Fachausschuss Elektrotechnik des Hauptverbandes der gewerblichen Berufsgenossenschaften [Specialist Committee for Electrical Engineering within the Federation of Industrial Trade Associations] in Germany. According to this document, a time out is generally required. Time out means that the receiver expects to receive messages within defined time intervals, and it produces an error message if the expected message does not arrive within the defined time interval. The time out criterion and the length of the time out interval, however, must include a certain tolerance time in order to prevent an error signal from being produced merely in the event of minor, non-problematic fluctuations in the delay time.
However, a time out criterion at the message receiver is, per se, not sufficient in order to cope with message delays within a controller network, if the message receiver cannot check how up-to-date a message is when the message arrives at an expected time. It is possible that the message receiver receives a message meeting its time out criterion, but this message originates from a very much older message cycle, and, therefore, the message must not be used as a substitute for an expected up-to-date message which has actually not been received. The message receiver cannot identify this on the basis of its time out alone.
Therefore, there are two fundamental concepts for coping with the delay of messages in a network in practical applications. The first concept uses a second time out at the message transmitter, i.e. the message transmitter waits for a confirmation message (acknowledge) within a defined time interval after sending its message. The combination of time out and acknowledge is implemented, for example, in the PROFIBUS and PROFINET/PROFIsafe communication networks from the Siemens Company, Germany, in the EtherCAT communication network from the Beckhoff Company, Germany, or the SafetyBUS p communication network from the present applicant.
An alternative concept includes the use of so-called time stamps in addition to the time out at the receiver end. In this case, each transmitted message is provided with a time stamp, on the basis of which a message receiver can determine when the message transmitter actually sent the message. Use of time stamps, however, requires that the clocks in the message transmitter and the message receiver are running synchronously. Accordingly, all the subscribers must have clocks which are synchronized before communication and at regular time intervals.
One known method for time synchronization is described in the Standard IEEE-1588. According to this method, a master subscriber sends a plurality of synchronization messages which contain time stamps generated by the master subscriber on the basis of its own clock. A slave subscriber can use the time stamps to determine the time difference between its own clock and the master subscriber clock. However, this difference still includes the delay time of the synchronization messages. The slave subscriber therefore sends a request message to the master subscriber, and, with the aid of its own clock, it measures the time period until it receives a response message from the master subscriber. The slave subscriber determines the delay time of the messages by dividing the measured time period by two. The slave subscriber then corrects its clock by the time difference and by the delay time of the messages. By way of example, the DeviceNet communication network from the Rockwell Company, USA, uses time stamps and time synchronization.
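The synchronization steps just described, simulated as an added example (not code from the patent or from IEEE 1588 itself): the slave derives a raw difference from the master's time stamp, halves a measured round trip to estimate the delay, and corrects its clock by both. The link model, the assumption of zero master processing time, and the freshness check on a time-stamped message are this example's own; the asymmetric-link case shows the residual error the halving step leaves behind.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    # Constructed link model: one-way delays in microseconds; they need not be equal.
    master_to_slave_us: float
    slave_to_master_us: float


@dataclass(frozen=True)
class SyncResult:
    raw_difference_us: float   # slave receive time minus master time stamp
    estimated_delay_us: float  # half of the measured round trip
    offset_estimate_us: float  # amount the slave subtracts from its own clock
    residual_error_us: float   # estimate minus true offset (asymmetry term)


def synchronize(true_offset_us: float, link: Link, master_send_us: float = 0.0) -> SyncResult:
    """Simulate one synchronization exchange between master and slave.

    true_offset_us is the hidden amount by which the slave clock runs ahead of the
    master clock; the slave never observes it directly. Master processing time
    between request and response is assumed to be zero (simulation assumption).
    """
    # Step 1: the master sends a sync message carrying its own time stamp; the slave
    # receives it after the master-to-slave delay and reads its own clock.
    time_stamp = master_send_us
    slave_receive = master_send_us + true_offset_us + link.master_to_slave_us
    raw_difference = slave_receive - time_stamp          # offset plus one-way delay
    # Step 2: the slave sends a request and times the response with its own clock.
    # Its offset cancels because both readings come from the same clock.
    round_trip = link.slave_to_master_us + link.master_to_slave_us
    estimated_delay = round_trip / 2.0
    # Step 3: the slave corrects by the difference and by the estimated delay.
    offset_estimate = raw_difference - estimated_delay
    return SyncResult(raw_difference, estimated_delay, offset_estimate,
                      offset_estimate - true_offset_us)


def corrected_slave_time(slave_clock_us: float, result: SyncResult) -> float:
    """Slave clock reading translated into master time using the last correction."""
    return slave_clock_us - result.offset_estimate_us


def message_is_fresh(time_stamp_us: float, slave_clock_us: float,
                     result: SyncResult, max_age_us: float) -> bool:
    """With a corrected clock the receiver can reject a message from an old cycle."""
    age = corrected_slave_time(slave_clock_us, result) - time_stamp_us
    return 0.0 <= age <= max_age_us
```

With equal one-way delays the correction recovers the true offset exactly; with unequal delays the error equals half the difference of the two directions, which is why a safety-relevant design must bound or monitor that asymmetry.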
Clock synchronization is complex because it requires repeated communication between the master subscriber and the slave subscribers. Furthermore, for safety-relevant applications, the synchronization must be monitored, and this represents further complexity. In addition, a portion of the transmission capacity of the network is constantly occupied for the transmission of the time stamps.
The use of time out criteria at the transmitter end loads the network with a plurality of acknowledge messages. Therefore, the transmission capacity of the network is negatively affected as well. Furthermore, this approach requires that every message transmitter must know its message receiver in order to allow it to wait for the acknowledgment. This necessitates a high level of configuration complexity for setting up the network and for replacing, adding or removing subscribers.
The above-mentioned DE 10 2005 032 877 A1 discloses a method for time synchronization of subscribers in a network, wherein the message receivers periodically check the time information from all the connected message transmitters. In contrast to IEEE 1588, time synchronization is in this case initiated by the individual message receivers. Even if the synchronization were to be simplified in this way, the disadvantage still exists that all the messages must be provided with time stamps. Furthermore, the time synchronization is not reliably monitored in this case.