In the following text, the expression “safety-relevant or safety-critical process” means a process which, when an error occurs, results in a risk to people and/or material goods which cannot be ignored. In a safety-relevant process, it is therefore necessary to ensure, with 100% confidence in the ideal case, that, when an error is present, this process, a subsequent process that is coupled to this process, and/or an overall system which includes this process is/are changed to a safe state. Such safety-relevant processes may thus also be subprocesses of larger, higher-level overall processes. Examples of safety-relevant processes are chemical processes in which it is absolutely necessary to keep critical parameters within a predetermined range, and complex machine control systems, for example for a hydraulic press or a production line, in which the starting-up of a pressing/cutting tool may represent a safety-relevant subprocess. Further examples of safety-relevant (sub)processes are the monitoring of protective guards, protective doors or light barriers, the control of two-handed-operation switches or else the reaction to emergency stop switches.
It is thus absolutely essential, for all safety-relevant processes, that the respectively associated safety-relevant data which are produced, recorded or measured are transported in real time without any corruption, since any corruption can result in an incorrect operation and/or reaction which, in the end, may endanger people's lives and health.
In order to comply with the safety regulations, numerous agreements which require virtually error-free data transport when using bus systems have been reached in recent years. These agreements relate, in particular, to the data transport itself and to a permissible residual error probability as a function of the respective application and/or the respective process. Relevant standards which may be quoted in this case include, in particular, EN 61508 and EN 954-1, as well as the principles for the testing and certification of “bus systems for the transmission of safety-relevant messages” produced by the test and certification center of the industrial professional associations.
Safety-based bus systems which transmit data with a high level of redundancy have been developed in accordance with these agreements and standards. Possible errors are discovered in good time, and any risk can be avoided. Examples of these include, inter alia, the Safety Bus P, Profibus F, Interbus Safety etc.
However, one disadvantage in this case is that bus systems which have already been installed must be replaced in order to use safety-based bus systems, and it is frequently necessary to accept restrictions to the number of subscribers, to the data transport rate or to the data protocol.
As a result, safety-based methods and/or components which make it possible to retrofit already existing bus systems in a simpler and more cost-effective manner have been developed. In particular, electronic safety methods which are used in control and automation technology in this case use the (field) bus systems, which are already used for data communication between the individual units involved in a process, for the purpose of transmitting safety-relevant data, in particular between sensors, actuators and/or control devices.
By way of example, EP 1 188 096 B1 discloses a control system for a safety-relevant process with a field bus which is used to connect a control unit for controlling the safety-relevant process and a signal unit which is linked to the safety-relevant process via I/O channels. In order to ensure failsafe communication with one another, these units have safety-related devices which are intended to be used to make units that are not safe become safe units. Specifically, at least two redundant processing channels are respectively provided in such a manner that an error in one of the processing channels can be identified and possibly corrected on the basis of a result which differs from that of another of the redundant processing channels. This multichannel structure is realized, in particular, using two redundant computers, with the safety analysis ending after the two redundant computers and the analysis being used for a safe data protocol from this point on, without any further statements.
In the following text, the general term computer should essentially be understood as meaning any type of data processing devices, such as microcomputers, microprocessors, microcontrollers or else PCs, which comprise software and/or hardware.
WO 01/15385 A2 also relates to the control of safety-relevant processes using (field) bus systems, with the units which are involved in the control of the safety-relevant process once again generally having redundant processing channels. Each of the redundant channels comprises a computer, and the computers monitor one another. This multichannel structure is changed to a single-channel structure by means of a further computer which is connected to the field bus (FIG. 3). The document contains no further statements, in particular none about how the change from the multichannel form to the single-channel form is achieved.
WO 01/15391 A1 and the laid-open specification DE 199 39 567 A1 contain further examples of safe bus subscribers with redundant processing channels, and/or computers, which monitor one another for safe protocol creation, and a subsequent change from the two-channel form to the single-channel form via a further computer which is coupled to the bus, is connected to a protocol chip or has the latter integrated in it. In this case as well, the safety analysis ends without the disclosure of further technical measures based on the two redundant computers, and the analysis is used for a safe data protocol from this point on.
Patent Specification DE 195 32 639 C2, which relates to a device for the single-channel transmission of data which have been formed using two redundant computers, integrates the function of bus coupling into one of the two redundant computers in order to reduce the circuit complexity. Only that computer which has the bus coupling functionality thus has an output channel, to which useful data originating from this computer and test data originating from the other computer are supplied, or vice versa, or useful data and test data from both computers are supplied in such a manner that they are interleaved in one another (FIG. 4). However, in order to ensure that the computer which is controlling the bus is not able to generate messages which the other computer cannot influence, the implementation of the safety analysis requires increased complexity since, on the one hand, the freedom from reactions and, on the other hand, the independence of the computers for creation of the safe protocol must be verified. In this context, the patent specification proposes only appropriate connection and non-connection of the respective computer outputs.
Furthermore, DE 100 65 907 A1 describes a method, based on the principle of “redundancy with cross-over comparison”, for safe data transport for data transmission in parallel or serial networks or bus systems, in which a buffer register with two logically identical data areas for changing from the two-channel form to the single-channel form is used. The complete, safety-based message to be transmitted on one channel via the bus system includes the data contents of both data areas of the buffer register (FIG. 4). Two redundant computers are in turn connected upstream of the buffer register at the transmitter end and, depending on the type of application, respectively preprocess safety-relevant data, which is provided on one channel or two channels, with redundant information to form safe data, which they interchange with one another for checking. If both arrive at the same result, each of the computers transfers its safe data to the buffer register, with each data area being filled with the safe data from a respective computer, which data itself already contain redundant information for error identification. If, in an alternative embodiment, the buffer register is contained in one of the two computers, such that this one computer in consequence appropriately fills both data areas of the buffer register after agreement with the second computer, this second computer reads out the buffer register with the two data areas once again, for monitoring purposes. Depending on the application, the data content of one of the two data areas of the buffer register may also have inverted data or other additional interleaving in order, for example, to identify systematic faults in the transmitters, receivers and/or other units which forward the data. 
This therefore has the particular disadvantage that the overall data length of the safety-based message is extremely large with respect to the actual useful data, and the data transmission rate for the actual useful data is thus low, since two identical useful data records as well as a respective redundant item of information for each of the identical useful data records have to be transmitted for each useful data record to be transmitted. If the number of useful data items to be transmitted per data packet decreases, as is the case by way of example with the Interbus, the ratio of the useful data length to the overall data length becomes increasingly worse.
German patent application 10 2004 039 932.8 by the same applicant, of which the present invention constitutes a further development, was based on the object of providing a further, new and improved approach for the change from the multichannel form to the single-channel form for the safe bus coupling of safety-relevant processes, and of ensuring, in a manner that is simple to implement, and in particular additionally simple to test, freedom from reactions and independence when creating a safety-based protocol which is intended to be transmitted as a safety message via a bus.
To this end, it was proposed to provide a method for the single-channel bus coupling of a safety-critical process, in which a data record which is relevant to the safety-critical process is processed, in particular on a protocol-specific basis, to form a respective safety-based protocol using at least two redundant processing channels in accordance with identical laws, and the redundant safety-based protocols for single-channel bus coupling are again joined together to form a common safety-based protocol, to be precise in that each of the processing channels accesses a common buffer register, with write authorization for each register location being allocated only once, in such a way that the common safety-based protocol, i.e. the safety message to be transmitted, is joined together, in the buffer register, by necessarily writing in respective different elements of the respective safety-based protocols.
Consequently, one major advantage in this case was that, on the one hand, both processing channels are able to calculate the complete safety-based protocol, which has a positive effect on the required message length, since all of the data bits are already known, with the various safety mechanisms, in the redundant processing channels, and no additional data bits need to be transmitted to allow the correctness of the calculation to be deduced at the receiver end. Furthermore, this ensures that one processing channel on its own is not able to send a safety message, with the control by means of the write authorization, which can be allocated only once for each register location, representing a capability which is simple to implement and is highly efficient for ensuring cost-effective, considerably better safety, independently of the bus (system) used.
The implementation of an intelligent unit for carrying out the method could thus be ensured just by the use of an apparatus which comprises at least two redundant computers and in which the computers are designed to process an identical input data record, to form a respective safety-based protocol, using identical laws and are connected, via a circuit arrangement, to a common buffer register in such a manner that write access is given to each computer for particular respective register locations and write access is given to only a respective one of the computers for each register location in the buffer register.
Just by the use of standard components and independently of the respective bus system, the invention disclosed in German patent application 10 2004 039 932.8 thus allowed a highly dynamic and highly efficient solution, which is simple to implement, for the reaction-free and independent formation of a respective safety-based protocol.
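To make the write-authorization mechanism described above concrete, the following simulation is added here as an example; it is not code from the patent application, and the protocol layout (sequence byte, length byte, payload, Fletcher-16 check), the alternating allocation of register locations and all names are assumptions made for this example. Both channels compute the complete protocol from the same input under an identical rule, the common buffer register accepts each location from exactly one channel, and the receiver-side check is then run on the assembled message, including the cases where one channel halts or computes a wrong result.

```python
"""Constructed model of single-channel bus coupling with a common buffer register
whose write authorization is allocated once per location (example code, not the
patent's own; protocol layout, check algorithm and names are assumptions)."""
from __future__ import annotations


def fletcher16(data: bytes) -> tuple[int, int]:
    """Stand-in for the protocol's redundant information (a real safety protocol
    would use a CRC chosen for the required residual error probability)."""
    s1 = s2 = 0
    for b in data:
        s1 = (s1 + b) % 255
        s2 = (s2 + s1) % 255
    return s2, s1


def build_safety_protocol(seq: int, payload: bytes) -> bytes:
    """The identical law applied by every redundant channel: seq, length, payload, check."""
    body = bytes([seq & 0xFF, len(payload)]) + payload
    return body + bytes(fletcher16(body))


class BufferRegister:
    """Write authorization per location is allocated once, at construction, and never
    changes; here it alternates between channels (the assumed 'circuit arrangement')."""

    def __init__(self, length: int, n_channels: int = 2):
        self.owner = [i % n_channels for i in range(length)]
        self.cells: list[int | None] = [None] * length

    def locations_of(self, channel: int) -> list[int]:
        return [i for i, o in enumerate(self.owner) if o == channel]

    def write(self, channel: int, index: int, value: int) -> bool:
        """Only the owning channel's write reaches the cell; any other write is refused."""
        if self.owner[index] != channel:
            return False
        self.cells[index] = value
        return True

    def message(self) -> bytes | None:
        """Complete only if every channel contributed; one channel alone cannot fill it."""
        if any(c is None for c in self.cells):
            return None
        return bytes(c for c in self.cells if c is not None)


def receiver_check(msg: bytes | None) -> bool:
    """Receiver end: the length field and the recomputed check must both match."""
    if msg is None or len(msg) < 4:
        return False
    body, check = msg[:-2], msg[-2:]
    return len(body) == 2 + body[1] and fletcher16(body) == (check[0], check[1])


def couple_to_bus(seq: int, payload: bytes, fault: tuple[str, int] | None = None):
    """Run both channels and the register. `fault` injects ONE constructed defect:
    ('halt', ch) the channel writes nothing, ('stale_seq', ch) it works from an old
    sequence number, ('bit_flip', ch) it corrupts its copy of payload byte 0 after
    computing the check. Returns (assembled message or None, receiver accepts?)."""
    protocols: list[bytes | None] = []
    for ch in range(2):
        if fault == ("halt", ch):
            protocols.append(None)
        elif fault == ("stale_seq", ch):
            protocols.append(build_safety_protocol(seq - 1, payload))
        elif fault == ("bit_flip", ch):
            p = bytearray(build_safety_protocol(seq, payload))
            p[2] ^= 0x01
            protocols.append(bytes(p))
        else:
            protocols.append(build_safety_protocol(seq, payload))
    reg = BufferRegister(len(build_safety_protocol(seq, payload)))
    for ch, proto in enumerate(protocols):
        if proto is None:
            continue
        for i in reg.locations_of(ch):  # a channel only ever writes its own locations
            reg.write(ch, i, proto[i])
    msg = reg.message()
    return msg, receiver_check(msg)


if __name__ == "__main__":
    for fault in (None, ("halt", 1), ("stale_seq", 1), ("bit_flip", 0)):
        msg, ok = couple_to_bus(5, b"\x01\x02\x03", fault)
        print(f"fault={fault}: message={msg.hex() if msg else None} accepted={ok}")
```

Running the block prints the four scenarios. The assembled message is exactly as long as one channel's protocol (7 bytes for 3 useful bytes here), which is the message-length advantage over transmitting two data areas; when one channel halts, the register never yields a complete message, so the surviving channel cannot send on its own either. Detection of a channel that computes a wrong result relies on the check bytes being spread over both channels' locations, so that neither channel controls the whole check; the Fletcher-16 stand-in should be read as a placeholder for a CRC selected to meet the residual error probability that the relevant standard demands.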