The invention relates to a bus system.
Busses connect subscribers via electrical transmission lines. The interfaces to the bus subscribers can be located anywhere along the transmission line. A serial bus transmission line may consist of a coaxial or a twisted-pair cable. In comparison to conventional wiring, busses offer a significant cost advantage, central availability of a wide variety of information, and flexibility. Serial busses are known for example under names such as Profibus, Bitbus etc. Subscribers are for instance input and output modules for sensor signals and/or functional elements such as actuators.
For transmission of safety-critical signals, only busses or bus systems of fault-tolerant or redundant design can be used. Safety-critical signals are all signals whose purpose is safety-related and which serve to prevent, or to rectify quickly, hazardous situations that could lead to human casualties or to damage caused by electrical equipment. A redundant data bus system meeting safety requirements is described in the German journal messen, prüfen, automatisieren, 10/95, pages 10, 12-14 and 16. In this known data bus system a fault-proof automation processor and the subscribers are connected via two bus interfaces. The fault-proof automation processor consists of two processor systems, each containing a microprocessor, memory and system bus. Both processor systems process the same program cycle-synchronously. A comparator, which is itself checked at certain time intervals for proper working order, monitors both processor systems. If a fault is detected in one of the processor systems, all subscriber outputs are set to a defined signal which causes all actuators controlled by the subscribers to move into a pre-defined safe state. The fault-proof automation processors are connected to a plant bus via two automation processors. Only one of the two automation processors, both of which contain the same components, must be in working order; they run in standby operation. To detect a fault in the system with certainty, the communication connections and other hardware components are checked cyclically in addition to self-tests. In case of a fault, the defective automation processor is switched to a defined stop state.
A system shut-down due to a detected fault means that machines, manufacturing plants and similar equipment are rendered harmless, i.e. brought into a state in which they are not hazardous to people. A fault must be detected within a fault reaction time of, for instance, 20 ms, and the emergency shut-down of the electrical equipment must also be effected within this period. A completely doubled bus design requires not only a double, two-channel bus module design for the sensors and two bus masters for system monitoring and fault-proof system shut-down, but also two independent wiring systems. The double bus design thus partly forfeits a decisive advantage of a bus system over conventional individual wiring of every sensor switch. The double cabling can, however, be avoided by forced dynamisation of a single bus line, a known method referred to as dynamic redundancy. Dynamisation means that all bus modules are continuously and cyclically polled by the processing master as to their working order and signalling state (master-slave system), or that the modules report themselves on a regular basis (multi-master system).
Busses in multi-master systems are able to signal immediately (i.e. on switch actuation) within the µs range (so-called real-time capability), so that no continuous module polling would be required for the safety monitoring of the plant as such. However, to detect faults in the monitoring bus system itself, for instance the failure of a bus module, within the fault reaction time (e.g. 20 ms, see above), all bus module subscribers must be checked for functionality at least once within this period. As the messages consist of extensive data protocols (50 . . . 80 bits) in order to guarantee a high degree of data transfer safety (Hamming distance 4), dynamisation means that the data flow (data transfer rate) increases in proportion to the number of subscribers required for system monitoring.
On the other hand, the attainable data transfer rate of a bus system is limited by the signal propagation time (length of line) as well as by the module reaction times (number of subscribers).
Thus there is a conflict between the requirement for longer lines (for instance 100 . . . 300 m) and a large number of bus subscribers (e.g. 50 . . . 100) on the one hand, and the technical requirements for transmission and processing of higher data transfer rates (typically 125 . . . 1000 kbit/s) on the other.
To reduce the data transfer rate there is the possibility, as bus modules for a safety bus are designed as two-channel/redundant anyway, of letting the two units of each bus module monitor each other for fault-free operation, so that in case of an internal difference one unit of the pair must send an error signal. However, this method assumes that the bus line between the processing master and every module is error-free and fully operational at all times. As the line is not intended to be doubled and/or spatially separated, it must therefore be checked dynamically up to every subscriber, and a fault in the line must be detected within the fault tolerance time. Because of the high data transfer rates this requires, cyclic checking of all bus subscribers takes so much time that the required fault reaction time cannot be met.
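The conflict described above can be made concrete with a polling budget. The following is an added worked example, not part of the patent text: it takes the ranges the text quotes (50 . . . 80 bit frames, 125 . . . 1000 kbit/s, 100 . . . 300 m, 20 ms fault reaction time) and computes how long a full dynamisation cycle over all subscribers takes, versus the cost of a single end-to-end status message. The signal velocity, the request-plus-response framing of a poll and the 0.1 ms per-module reaction time are assumptions made for the calculation.

```python
"""Polling budget for cyclic dynamisation versus the fault reaction time.

Added example using the figures quoted in the text; the propagation
velocity, the request/response framing of one poll and the per-module
reaction time are assumptions, not values from the patent."""

# Assumed signal velocity on a twisted-pair or coaxial line (~2/3 c), in m/ms.
PROPAGATION_M_PER_MS = 200_000.0


def poll_time_ms(frame_bits: int, bitrate_kbit_s: float,
                 line_m: float, reaction_ms: float) -> float:
    """Worst-case time for the master to poll one subscriber: a request
    frame, the module's reaction time, a response frame, and a round trip
    over the full line length (taken as the worst case for every poll)."""
    frame_ms = frame_bits / bitrate_kbit_s          # kbit/s is bits per ms
    return 2 * frame_ms + reaction_ms + 2 * line_m / PROPAGATION_M_PER_MS


def polling_cycle_ms(n_subscribers: int, frame_bits: int, bitrate_kbit_s: float,
                     line_m: float, reaction_ms: float) -> float:
    """Time to poll every subscriber once; grows linearly with n_subscribers."""
    return n_subscribers * poll_time_ms(frame_bits, bitrate_kbit_s, line_m, reaction_ms)


def max_pollable_subscribers(frame_bits: int, bitrate_kbit_s: float, line_m: float,
                             reaction_ms: float, fault_reaction_ms: float) -> int:
    """Largest number of subscribers whose full polling cycle still fits
    within the fault reaction time."""
    return int(fault_reaction_ms / poll_time_ms(frame_bits, bitrate_kbit_s,
                                                line_m, reaction_ms))


def end_to_end_check_ms(frame_bits: int, bitrate_kbit_s: float, line_m: float) -> float:
    """Time for one status message to cross the line from one end to the
    other: one frame plus one-way propagation.  Independent of the number
    of subscribers the line passes through."""
    return frame_bits / bitrate_kbit_s + line_m / PROPAGATION_M_PER_MS


if __name__ == "__main__":
    for rate in (125, 1000):
        cycle = polling_cycle_ms(100, 80, rate, 300, 0.1)
        fit = max_pollable_subscribers(80, rate, 300, 0.1, 20)
        print(f"{rate} kbit/s: polling 100 subscribers takes {cycle:.1f} ms, "
              f"at most {fit} subscribers fit in 20 ms")
    print(f"one end-to-end status message at 125 kbit/s: "
          f"{end_to_end_check_ms(80, 125, 300):.3f} ms")
```

With 80-bit frames over 300 m, polling 100 subscribers takes about 138 ms at 125 kbit/s and still about 26 ms at 1000 kbit/s, so neither rate in the quoted range fits 100 subscribers into a 20 ms fault reaction time, whereas one end-to-end status message costs well under a millisecond regardless of the subscriber count.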
Also known is a local network which, for redundancy reasons, is designed with two serial bus systems connected to the network nodes. Each network node is connected to both busses via two separate couplers. One of the bus systems is used to transfer process data in fault-free operation, while the other transmits status information. Each coupler contains at least one communication controller, a communication CPU and a transceiver. Each communication CPU monitors the proper working order of the other communication CPU in the network node and thus fulfils the function of a watchdog processor. Faults in the lines as well as malfunctions of the communication controllers cause corruption of bus messages, which is detected by error detection mechanisms. Errors occurring in the components between bus and communication CPU are detected by cyclic functional monitoring of those components. In case of a fault, each bus is used as a watchdog bus to inform the other network subscribers of the fault detected in the other bus system. If a fault occurs in the bus system transmitting process data, that bus is locked out and the process data traffic is re-routed via the other bus (DE 195 09 558 A1).
The invention is based on the object of providing a bus system which is suitable for safety-critical signals, a large number of bus subscribers and long bus lines, which has a short reaction time in case of a fault while being less expensive, and in which the lines can be monitored for faults by simple means.
This object is achieved according to the invention in particular by a bus system comprising a serial data bus with a transmission medium having a first active bus subscriber at one end and a second active bus subscriber at the other end, as well as further bus subscribers through which the transmission medium physically passes, wherein at least the first active bus subscriber and/or the second active bus subscriber contains a facility for the regular transmission and/or reception of status messages, wherein at least one of the subscribers monitors the status messages sent by the other bus subscribers for their absence within a defined period of time or for deviation from the form indicating the error-free state of the bus system, and wherein, if the status messages are not received within the defined period of time or if status messages deviating from the form indicating a fault-free bus system are received, the bus system is brought into a state which meets defined safety criteria.
The bus system of the invention does not require polling of all bus subscribers for monitoring, since in particular the second active bus subscriber (terminating bus subscriber, terminating module) can take over the monitoring of the transmission medium. This advantage is felt especially in bus systems working with active redundant multi-master modules, even though the bus has only one channel. The first active, central bus subscriber or bus master transmits status messages via all bus subscribers to the second active bus subscriber at a very high clock rate, i.e. every 10 to 20 ms, and the latter is able to return the same or other suitable status messages at the same high clock rate if the transmission medium is in proper condition. Alternatively, the second active bus subscriber may transmit status messages to the first active bus subscriber independently of the signals sent by the first active subscriber.
Regardless of the manner in which the status messages transmitted by the second active bus subscriber are generated, the transmission medium can be checked for its proper state. Thus the transmission medium can be checked within the time period within which an initial fault can occur, which is to be kept as short as possible. The checking data transmission for the bus thus essentially takes place between the bus subscribers at the two ends of the bus line, so that the number of subscribers has little or no effect on the time the checking data needs to propagate through the bus. In the bus system of the invention, the bus subscribers between the central bus subscriber or bus module at one end and the active bus subscriber or bus module at the other end of the bus are not connected to the transmission medium by spur lines. In particular, the transmission medium consists of a two-wire cable; this may also be a transmission medium with one first wire and a second, conducting earth wire. Thus, when designed according to this invention, the bus leads from the first active or central bus subscriber or bus module, hereinafter also referred to as the bus master, physically through all bus subscribers, hereinafter also referred to as slaves, and is fitted at its end with the second active bus module, also called the terminating module. The bus therefore consists of one galvanic line leading from one end to the other. As spur lines to the slaves are not required, the bus is also more cost-effective.
It is intended that the first active bus subscriber monitors the status messages of the second active bus subscriber and vice versa, and that the other bus subscribers monitor the status messages generated by the two active bus subscribers, including status messages deviating from the form indicating the error-free state of the transmission medium.
Preferably at least some of the bus subscribers contain units which monitor each other.
It is practical to implement at least some, preferably all, bus subscribers as two-unit modules connected to sensors and/or actuators, the two units monitoring each other. When designed in this way, the bus subscribers are redundant. No initial fault should be expected in the bus subscribers when this design is used in connection with the monitoring, i.e. these bus subscribers can be dimensioned much more generously in safety terms.
As a matter of principle, the bus master is the first device on the line and the terminating bus module the last. The bus master and the terminating bus module each have only one connection to the bus; all other bus modules have exactly one bus input and one bus output each.
The bus master as the first device and the bus terminating module as the last device on the line transmit and/or receive, preferably independent, status messages at a very high rate (for instance every 10 ms). These are checked by all bus subscribers.
For practical reasons the central bus subscriber is of two-channel design. Here a two-channel design is understood to mean a module containing two identical units. The two identical units are in particular equipped with a common fault-proof comparator which has an output to, for instance, a relay stage or an equally safe shut-down stage, which can preferably be used to switch electrical loads on and off. A relay stage is to be equipped with relays having forcibly guided contacts.
If messages are absent, or deviating messages are received, for longer than a defined fault tolerance time (for instance 15 ms), a faulty bus line or a defective bus subscriber must be assumed, and the system then goes into the safe state.
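The monitoring described above (status messages every 10 ms between master and terminating module, safe state when they are absent or deviate for longer than the 15 ms fault tolerance time) can be exercised in a small simulation. The following is an added example, not code from the patent or from any product: the status frame encoding, the one-millisecond check cadence and the scenario functions are assumptions made for the demonstration. Propagation over a few hundred metres is microseconds and is treated as instantaneous at millisecond resolution.

```python
"""Simulated end-to-end status-message monitoring on a single-channel bus.

Added example illustrating the text, not the patent's own implementation.
Master and terminating module sit at the two ends of one galvanic line
and each transmit a status message every STATUS_INTERVAL_MS; each end
watches the other's messages.  Time is simulated in whole milliseconds so
the run is deterministic and needs no hardware."""

from dataclasses import dataclass
from typing import Optional, Tuple

STATUS_INTERVAL_MS = 10      # text: status messages every 10 to 20 ms
FAULT_TOLERANCE_MS = 15      # text: fault tolerance time, for instance 15 ms
STATUS_OK = b"STATUS:OK"     # hypothetical frame meaning "medium error-free"


@dataclass
class StatusMonitor:
    """One bus end watching the status messages of the other end."""
    name: str
    tolerance_ms: int = FAULT_TOLERANCE_MS
    last_ok_ms: int = 0               # time of the last well-formed status
    safe_state: bool = False
    tripped_at_ms: Optional[int] = None
    reason: Optional[str] = None

    def _trip(self, now_ms: int, reason: str) -> None:
        if not self.safe_state:       # first cause wins; safe state is sticky
            self.safe_state = True
            self.tripped_at_ms = now_ms
            self.reason = reason

    def on_status(self, now_ms: int, frame: bytes) -> None:
        """Status frame received from the peer end of the line."""
        if frame == STATUS_OK:
            self.last_ok_ms = now_ms
        else:
            # Deviating form, e.g. the peer reporting an internal difference.
            self._trip(now_ms, f"{self.name}: deviating status {frame!r}")

    def tick(self, now_ms: int) -> bool:
        """Called once per ms; trips on absence beyond the tolerance time."""
        gap = now_ms - self.last_ok_ms
        if gap > self.tolerance_ms:
            self._trip(now_ms, f"{self.name}: no status for {gap} ms")
        return self.safe_state


class BusLine:
    """Single galvanic two-wire line.  A break anywhere on it separates the
    two ends, whichever slave it lies between, so no per-slave model is needed."""
    def __init__(self) -> None:
        self.broken = False

    def deliver(self, frame: bytes) -> Optional[bytes]:
        return None if self.broken else frame


def run_scenario(break_at_ms: Optional[int] = None,
                 deviate_at_ms: Optional[int] = None,
                 duration_ms: int = 200) -> Tuple[Optional[int], Optional[str]]:
    """Run master and terminator for duration_ms of simulated time.

    Optionally break the line at break_at_ms, or make the terminator send a
    deviating frame from deviate_at_ms on.  Returns (time the system entered
    the safe state, reason), or (None, None) if it never did."""
    line = BusLine()
    master = StatusMonitor("master")
    terminator = StatusMonitor("terminator")
    for now in range(duration_ms + 1):
        if break_at_ms is not None and now == break_at_ms:
            line.broken = True
        if now % STATUS_INTERVAL_MS == 0:
            # Both ends transmit on their own clock (text: the terminator may
            # send independently rather than only echoing the master).
            from_master = STATUS_OK
            from_terminator = STATUS_OK
            if deviate_at_ms is not None and now >= deviate_at_ms:
                from_terminator = b"STATUS:FAULT"   # hypothetical deviating form
            frame = line.deliver(from_master)
            if frame is not None:
                terminator.on_status(now, frame)
            frame = line.deliver(from_terminator)
            if frame is not None:
                master.on_status(now, frame)
        for mon in (master, terminator):     # either end may demand safe state
            if mon.tick(now):
                return mon.tripped_at_ms, mon.reason
    return None, None


if __name__ == "__main__":
    print("healthy line:", run_scenario())
    print("line broken at 35 ms:", run_scenario(break_at_ms=35))
    print("terminator deviates at 50 ms:", run_scenario(deviate_at_ms=50))
```

A break at 35 ms is detected at 46 ms (last good status at 30 ms plus the 15 ms tolerance plus one check tick), i.e. 11 ms after the fault and inside the 20 ms fault reaction time the text requires; a deviating frame is acted on the moment it arrives. The detection latency depends only on the interval, the tolerance and the check cadence, never on how many slaves the line passes through.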
The physical passing through of the bus line includes a fault exclusion within the bus module between the bus line and the two-channel bus module (as no logical forwarding of the data flow is intended). This is achieved by electromechanical measures:
The incoming bus wire of the bus line is implemented as at least one conductor track on the board of the two-channel bus subscriber; the bus line is passed through on this board as an etched, flat conductor track. Practically, the two-channel bus controller units are also implemented on the same board and are connected directly, but independently of each other, via short spur lines to the conductor track. Both bus controller units monitor each other. The galvanic connection in the bus line is to be effected in such a way that simultaneous electrical separation of both bus controllers from the passed-through bus line is excluded.
The routing of the conductor tracks on the board must be designed so that simultaneous severing of the spur lines between the bus and the two controllers is excluded even if the board is drilled through, or else such an action must also destroy the passed-through bus line.
Such a fault would then be detected by the bus system within the initial fault detection time of 15 ms.
Further details, features and advantages of the invention emerge not only from the claims and the features mentioned therein, on their own or in combination, but also from the following description of a preferred application example.