The present invention relates to an automation system and to a method, and an input/output assembly for the automation system. In particular, the present invention relates to an input/output assembly for a safety-oriented automation system for performing safety-oriented automation.
To deal with desired automated nominal functions, automation systems require appropriate control and regulation of the assemblies involved in an automation process. In this case, what is known as a programmable logic controller (PLC) is usually used for control, said programmable logic controller using, by way of example, a field bus (such as the PROFIBUS, standardized in Germany through DIN 19245 and in Europe through EN 50170) to communicate with the assemblies connected to the field bus.
During operation of the automation system, appropriately standardized bus protocols are used to forward the control signals coming from the PLC via the field bus to the assemblies stipulated beforehand in a configuration phase, or else to receive signals from other assemblies. The individual assemblies, such as output assemblies for connecting actuators, input assemblies for connecting sensors, or assemblies which themselves execute self-contained local automation functions largely independently, are therefore combined to form an automation system which, during operation, executes the previously configured automation functions largely independently.
For safe operation of such automation systems, possible sources of danger need to be identified and taken into account on the basis of stipulated standards and guidelines, as may be derived from the EU Machinery Directive (98/37/EC) or from product liability laws, for example. If an error situation arises during operation, for example, it must thus be ensured that the actuators involved, such as valves, are transferred to a safe state and that further operation of the automation system is hence interrupted.
FIG. 1 illustrates a solution for an automation system 1 which is able to meet such safety-oriented requirements. In this case, a central controller 10 is connected to a plurality of output assemblies 30 by means of a field bus 20. The output assemblies 30 have the actuators, such as the valves 40 shown or else contactors, etc., connected to them. A standard bus protocol S transmitted via the field bus 20 is used by the controller 10 to control this actuator system in line with the previously configured automation functions. The controller 10 may have standardized program parts 11 and 12 for this purpose. In this context, these “standard program parts” may be split into what are known as NC (Numeric Controller) and PLC (Programmable Logic Controller) program parts. In this case, NC program parts 11 are used essentially for movement guidance for the machine, whereas PLC program parts 12 are used essentially for logical processing of process signals via input/output assemblies.
There are various approaches for implementing the demanded safety-oriented automation functions. Thus, as FIG. 1 indicates, what is known as a failsafe controller could be introduced for safely controlling the automation system. In the case of failsafe controllers, safety-oriented program parts, known as “failsafe program parts” 13 and 14, and standard program parts 11 and 12 are executed alongside one another in the PLC and NC of the control assembly 10. In this context, the safety-oriented program parts are distinguished essentially in that the routines which are fundamental to them are handled redundantly. The result of this is that their cycle times during handling are higher in comparison with routines from standard program parts. If the failsafe program parts now identify an error during execution of the automation functions, then at least certain actuators need to be transferred to a safe state so as not to present a source of danger. Consequently, for the safest possible operation, all automation functions, even those controlled by the standard program parts, would need to be controlled by means of these failsafe program parts. However, this would have the drawback that the whole automation process would be slowed down in a way which is usually not acceptable for the user.
To avoid such time delays, an approach as shown in FIG. 1 is therefore generally chosen. In this case, the active safety-oriented disconnection of particular actuators 40 takes place, without or even with interposition of the controller 10, through an appropriate sensor system 60, such as an emergency-stop command unit, a light grille or an overfill protection system. To this end, a peripheral assembly 50 is provided which has an interface module 51 for connection to the field bus 20, a power supply module 52, an input module 53 for connecting the emergency-stop command unit 60, and two load switching modules 54. Appropriate connections 70 between the load switching modules 54 and the output assemblies 30 are used to supply the actuators 40 connected to the output assembly with a suitable operating voltage from the power supply module 52. If the sensor, in this case the emergency-stop command unit 60, is now activated, then the load switching module 54, with or without the controller 10 interposed, disconnects the power supply for the output assembly 30 and hence also for the actuators 40 connected thereto (e.g.: F′=0V), thereby transferring the actuators 40 to a safe state.
Accordingly, the peripheral assembly 50, which is connected to the controller by means of the interface module 51 via the field bus 20, can also react to failsafe program parts from the controller 10. If the failsafe program parts 13 or 14 now identify an error in the controller, for example, then the field bus 20 is used to route a “failsafe bus protocol” F to the peripheral assembly 50. In response to this, in the load switching module 54 the power supply for the output assembly 30 is also disconnected in this case, and the actuators connected thereto are transferred to the safe state.
In both cases, it is therefore assured that, regardless of whether the controller 10 continues to try to address and control this output assembly 30 using the standard bus protocol S, the actuators 40 for this output assembly remain disconnected and hence in a safe state.
However, such a safety-oriented automation system, as shown in FIG. 1, has the drawback that it has an involved, complex network topology. In particular, this comes from the fact that the paths for normal control and safety-oriented disconnection are separate from one another. In addition, in the case of the approach to a solution shown here, it is only ever possible to switch an entire output assembly and hence all the actuators connected thereto on a safety-oriented basis in an error situation, and not individual actuators selectively. If it is necessary to switch actuators with load currents of up to several amps, there is an additional requirement for expensive load switching modules for disconnecting the respective output assemblies.
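As an added illustration that is not part of the patent text, the following Python model of the FIG. 1 arrangement shows why the actuators stay in the safe state while the standard bus protocol S keeps addressing the output assembly, and that the disconnection can only act on the whole assembly rather than on individual actuators. The class names, the 24 V operating voltage and the latching behaviour of the load switch are assumptions made for the model.

```python
SAFE_VOLTAGE = 0.0        # F' = 0 V: actuators de-energised
OPERATING_VOLTAGE = 24.0  # constructed operating voltage for the actuators


class LoadSwitchingModule:
    """Module 54: passes the supply from power module 52 to an output assembly.
    Opens on an emergency stop (sensor 60) or on a failsafe bus protocol F frame
    flagging an error, and stays open afterwards (assumed latching behaviour)."""

    def __init__(self):
        self.tripped = False

    def on_emergency_stop(self):
        self.tripped = True

    def on_failsafe_protocol(self, frame):
        if frame.get("error"):
            self.tripped = True

    def supply_voltage(self):
        return SAFE_VOLTAGE if self.tripped else OPERATING_VOLTAGE


class OutputAssembly:
    """Assembly 30: drives its actuators (valves 40) only while powered."""

    def __init__(self, actuator_names, load_switch):
        self.commands = {name: False for name in actuator_names}
        self.load_switch = load_switch

    def on_standard_protocol(self, frame):
        # Standard bus protocol S from controller 10 sets individual actuators.
        for name, state in frame.items():
            if name in self.commands:
                self.commands[name] = state

    def actuator_states(self):
        # Energised only if commanded AND powered; the whole assembly drops at
        # once, which is the granularity drawback described above.
        powered = self.load_switch.supply_voltage() > SAFE_VOLTAGE
        return {n: (powered and cmd) for n, cmd in self.commands.items()}


def run_scenario(trigger="emergency_stop"):
    """Trip via sensor 60 or via failsafe protocol F while S keeps driving."""
    switch = LoadSwitchingModule()
    assembly = OutputAssembly(["valve_a", "valve_b"], switch)
    assembly.on_standard_protocol({"valve_a": True, "valve_b": True})
    before = assembly.actuator_states()
    if trigger == "emergency_stop":
        switch.on_emergency_stop()
    else:
        switch.on_failsafe_protocol({"error": True})
    assembly.on_standard_protocol({"valve_a": True})  # S still addresses it
    return before, assembly.actuator_states(), switch.supply_voltage()
```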
It is therefore an object of the present invention to provide an input/output assembly and an appropriate automation system for performing safety-oriented automation functions which overcomes the aforementioned drawbacks.