The present invention relates to a method and an apparatus for controlling a safety-critical process. More particularly, the invention relates to a method and an apparatus for an improved process data transmission in safety-critical process control.
Safety-critical processes within the meaning of the present invention are technical sequences, relationships and/or events for which faultless operation needs to be ensured in order to avoid any risk to people or material objects of value. In particular, this involves the monitoring and control of operations taking place automatically in the field of mechanical and plant engineering in order to prevent accidents. Classic examples are the safeguarding of a press brake installation, the safeguarding of automatically operating robots, or ensuring a safe state for maintenance work on a technical installation. For such processes, European standard EN 954-1 classifies safety categories from 1 to 4, where 4 is the highest safety category. The present invention particularly relates to safety-critical processes for which at least category 3 from EN 954-1 or a comparable standard needs to be met.
The control of safety-critical processes requires the devices and components involved in the control to have intrinsic failsafety. This means that even if the safety-related device fails or develops a fault, the required safety, for example of the operating personnel on the mechanical installation, needs to be maintained. For this reason, safety-related installations and devices are usually of redundant design, and in a large number of countries require appropriate approval from competent supervisory authorities. As part of the approval process, the manufacturer of the safety-related device usually has to prove that the required intrinsic failsafety is in place, which is very complex and expensive due to the extensive fault considerations.
DE 197 42 716 A1 discloses a prior art apparatus in which the control unit is connected to physically remote I/O units via what is called a fieldbus. The I/O units have sensors connected to them for receiving process data and also actuators for initiating control operations. Typical sensors in the field of safety technology are emergency stop switches, protective doors, two-hand switches, rotational speed sensors or light barrier arrangements. Typical actuators are contactors, which are used to deactivate the drive mechanisms in an installation which is being monitored, or solenoid valves. The I/O units in such an arrangement are essentially used as physically distributed signal pickup and signal output stations, whereas the actual processing of the process data and the generation of control signals for the actuators take place in the superordinate control unit. In many cases, the superordinate control unit used is what is known as a programmable logic controller (PLC).
To be able to use such a fieldbus-based system to control safety-critical processes, the data transmission from the I/O units to the control unit needs to be made failsafe. In particular, it is necessary to ensure that a dangerous state cannot arise in the whole installation as a result of corruption of transmitted process data and/or as a result of a fault in a remote I/O unit.
In the known system from DE 197 42 716 A1, this is done by providing “safety-related” devices both in the superordinate control unit and in the remote I/O units. This involves all signal pickup, signal processing and signal output paths being of redundant design, for example. The redundant channels monitor each other, and when a fault or an undefined state occurs the installation is transferred to a safe state, for example by being disconnected. In addition, the process data are transmitted to the controller several times. In the case of the known apparatus, this is done by transmitting the binary process data once in unchanged form, a second time in negated form and a third time in the form of a checksum derived from the process data. This transmission of the same data in different representations is referred to as diversitary.
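The following is an added illustration and not part of the patent text or of the apparatus of DE 197 42 716 A1. It models the diversitary transmission just described: the sender emits the binary process data unchanged, negated, and as a checksum, and the receiving controller accepts the data only if all three representations agree, otherwise it falls back to the safe state. The frame layout, the choice of checksum (an 8-bit two's-complement sum) and the sample process data are assumptions made for this example; the patent does not specify them.

```python
# Added example (not from the patent): diversitary transmission of binary
# process data as plain copy + negated copy + checksum, with the receiver-side
# consistency check that selects "accept" or "safe state".
from typing import Dict, Optional, Tuple

def checksum(data: bytes) -> int:
    """Assumed checksum: 8-bit two's-complement sum, so data + checksum == 0 mod 256."""
    return (-sum(data)) & 0xFF

def encode_diversitary(process_data: bytes) -> Tuple[bytes, bytes, int]:
    """Sender side: the same data in unchanged form, bitwise-negated form, and as a checksum."""
    negated = bytes((~b) & 0xFF for b in process_data)
    return process_data, negated, checksum(process_data)

def decode_diversitary(plain: bytes, negated: bytes, cs: int) -> Optional[bytes]:
    """Receiver side: return the process data only if all three representations agree.

    Returns None whenever any check fails; the caller treats None as the safe state.
    """
    if len(plain) != len(negated):
        return None
    # Every plain byte XOR its negated counterpart must be 0xFF.
    if any((p ^ n) != 0xFF for p, n in zip(plain, negated)):
        return None
    if checksum(plain) != cs:
        return None
    return plain

def controller_decision(plain: bytes, negated: bytes, cs: int) -> str:
    """What the failsafe controller does with one received frame set."""
    return "accept" if decode_diversitary(plain, negated, cs) is not None else "safe state"

def simulate_faults() -> Dict[str, str]:
    """Run the check over a constructed clean frame and three constructed fault cases.

    The sample process data are constructed: two bytes of packed binary inputs
    (think emergency-stop and protective-door contacts), not real device data.
    """
    process_data = bytes([0b10110010, 0b00000001])
    plain, negated, cs = encode_diversitary(process_data)
    results = {}

    # Clean transmission: all three representations agree.
    results["clean"] = controller_decision(plain, negated, cs)

    # Single bit flip in the plain copy (bit 3 of byte 0): caught by the negated copy.
    flipped = bytes([plain[0] ^ 0b00001000, plain[1]])
    results["bit flip in plain copy"] = controller_decision(flipped, negated, cs)

    # Whole link stuck at zero: a checksum alone would pass (checksum(0,0) == 0),
    # the negated copy is what exposes this fault.
    zeros = bytes(len(plain))
    results["link stuck at zero"] = controller_decision(zeros, zeros, 0)

    # Plain and negated corrupted consistently (byte 0 replaced by 0x00 / 0xFF):
    # the negation check passes, the checksum exposes it.
    consistent = bytes([0x00, plain[1]])
    consistent_neg = bytes([0xFF, negated[1]])
    results["consistent corruption of both copies"] = controller_decision(consistent, consistent_neg, cs)
    return results

if __name__ == "__main__":
    for scenario, outcome in simulate_faults().items():
        print(f"{scenario:40s} -> {outcome}")
```

The "link stuck at zero" case shows why the negated copy and the checksum complement each other: an all-zero frame has a valid checksum of zero under the assumed scheme, so only the negated copy reveals the fault, whereas a corruption applied consistently to both copies is caught by the checksum alone.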
The fact that safety-related devices in the known installation are present both in the control unit and in the remote I/O units means that the actual data transmission can take place via a single-channel fieldbus. The process data are checked for safety both by the sender and by the receiver. A drawback of this approach, however, is that for all remote I/O units the required intrinsic failsafety needs to be proved as part of the approval processes. This is complex and expensive.
One alternative approach involves designing the remote I/O units to be “non-failsafe” and instead producing the data transmission link in two-channel form, i.e. with two separate signal paths. In this case, the superordinate control unit, which is of failsafe design, has the option of accessing the process data using two channels and of carrying out the necessary fault check. A drawback of this approach is that the entire data transmission link needs to be in two-channel form, which means increased wiring complexity.
DE 37 06 325 A1 discloses an apparatus in which remote I/O units are connected to the superordinate control unit via a separate disconnection path in addition to the actual fieldbus. However, this document does not reveal the extent to which the transmission of the process data from the I/O units to the controller is in failsafe form.