The present invention relates to a safety controller and to a method for controlling an automated installation based on project data, wherein the project data represent an application running on the installation.
A safety controller in terms of the present invention is an apparatus or a device which receives input signals supplied by sensors and generates output signals from these input signals by means of logical combinations and possibly further signal or data processing steps. The output signals can then be supplied to actuators which effect actions or reactions in a controlled installation based on the input signals.
A preferred field of application for such safety controllers is the monitoring of emergency-off pushbuttons, two-hand controllers, protective doors or light grids in the area of machine safety. Such sensors are used for safeguarding, by way of example, a machine which, in operation, is a danger to persons or material goods. When the protective door is opened or the emergency-off pushbutton is operated, a respective signal is generated and supplied as an input signal to the safety controller. As a response, the safety controller then switches off the dangerous part of the machine with the aid of an actuator, for example.
In contrast to a “normal” controller, it is characteristic of a safety controller that the safety controller always ensures a safe state of the dangerous installations or machines even if the safety controller itself or a device connected to it has a malfunction. Therefore, extremely high requirements are placed on the inherent failsafety of safety controllers which leads to a considerable outlay for development and production.
As a rule, before safety controllers are used, they require a special approval from a relevant supervisory authority such as, for example, the professional associations or what is called TÜV in Germany. In this context, the safety controller must meet predetermined safety standards which are defined, for example, in European Standard EN 954-1 or a comparable standard, such as IEC 61508 or EN ISO 13849-1. In the text which follows, a safety controller is therefore understood to be an apparatus or a device which meets at least the safety category 3 of the European Standard EN 954-1, or a Safety Integrity Level (SIL) 2 according to the IEC 61508 Standard.
A programmable safety controller allows the user to individually define the logical combinations and possibly other signal or data processing steps with the aid of software, the so-called user program, in accordance with the user's needs. This results in great flexibility in comparison with earlier solutions, in which the logical combinations were established by a defined hardwiring of various safety modules. A user program can be generated, for example, with the aid of a commercially available personal computer (PC) and by using appropriate software programs. In this context, the term user program is understood to encompass both source code and machine code.
In the case of large, and thus complex, installations of the prior art, which are constructed with a plurality of installation hardware components, distributed safety controllers are normally used. Distributed safety controllers comprise a plurality of controller hardware components, namely control units, sensors and actuators. The individual controller hardware components are allocated to individual installation hardware components. With regard to the hardware, distributed safety controllers are characterized by great flexibility: a safety controller can be constructed from an arbitrary number of different controller hardware components and thus adapted very flexibly to the specific circumstances of the installation to be controlled. With regard to programming or software-related implementation, and thus to the concerns of data processing, distributed safety controllers are not yet optimal, however. In particular, a distribution of project data, i.e. data which represent an application running on the controlled installation, to the individual controller hardware components is not provided. This not only restricts the flexibility possible with regard to the hardware implementation to a considerable extent but also entails further disadvantages. Because the project data cannot be distributed and thus processed "on site", a considerable data exchange is required between distant controller hardware components. This leads to an impairment, more precisely to an increase, in the response time of the safety controller. "On site" means in this context that the project data are processed where the data needed for such processing are actually available; for example, in a control unit located right in the vicinity of a sensor which provides an input signal for determining a drive signal for an actuator, or even in the sensor itself.
Instead, in order to avoid an impairment of the response time, appropriately designed controller hardware components and data buses are used which permit a higher data exchange than is actually required. This increases the cost of implementing a safety controller. With respect to cost, it is also disadvantageous that any free memory which may be present in individual controller hardware components, especially data memory in intelligent sensors and intelligent actuators, remains unused, and instead the data memory contained in the control units must be dimensioned larger than would actually be required.
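The following is an added illustrative model, not part of the patent text, of the two points made above: placing a piece of project data (one safety rule) "on site" reduces the bus messages and hence the response time, and a safety rule must fall back to the safe state when an input is missing. The signal names, the cell layout, the central "cabinet" host and the per-hop delay are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional

HOP_DELAY_MS = 2.0  # assumed delay of one message over the field bus (constructed)

@dataclass(frozen=True)
class Rule:
    """One item of project data: output = AND of inputs; '!' prefix negates an input."""
    output: str
    inputs: tuple  # e.g. ("door_closed", "!estop_pressed")

# Constructed layout: where each signal is physically produced or consumed.
LOCATION = {
    "door_closed": "cell_A",       # protective door sensor
    "estop_pressed": "cell_A",     # emergency-off pushbutton
    "drive_enable": "cell_A",      # drive contactor (actuator)
    "light_grid_clear": "cell_B",  # light grid in a neighbouring cell
    "conveyor_enable": "cell_B",   # conveyor contactor (actuator)
}

def signal_name(operand: str) -> str:
    return operand[1:] if operand.startswith("!") else operand

def evaluate(rule: Rule, values: Dict[str, Optional[bool]]) -> bool:
    """Fail-safe evaluation: a missing or invalid input never enables the output."""
    result = True
    for op in rule.inputs:
        v = values.get(signal_name(op))
        if v is None:  # signal not available -> treat as unsafe, output stays off
            return False
        result = result and ((not v) if op.startswith("!") else v)
    return result

def bus_cost(rule: Rule, host: str) -> dict:
    """Messages and response time if the rule is executed on the component at `host`."""
    remote_inputs = [op for op in rule.inputs if LOCATION[signal_name(op)] != host]
    remote_output = 0 if LOCATION[rule.output] == host else 1
    # remote inputs arrive in parallel; the output is sent after evaluation
    hops_in_series = (1 if remote_inputs else 0) + remote_output
    return {"messages": len(remote_inputs) + remote_output,
            "response_ms": hops_in_series * HOP_DELAY_MS}

def best_host(rule: Rule) -> str:
    """Distribute the rule 'on site': the location needing the fewest bus messages."""
    candidates = {LOCATION[signal_name(op)] for op in rule.inputs} | {LOCATION[rule.output]}
    return min(sorted(candidates), key=lambda h: bus_cost(rule, h)["messages"])

DRIVE_RULE = Rule("drive_enable", ("door_closed", "!estop_pressed"))
CONVEYOR_RULE = Rule("conveyor_enable", ("light_grid_clear", "drive_enable"))
```

Comparing `bus_cost(DRIVE_RULE, "cabinet")` with `bus_cost(DRIVE_RULE, best_host(DRIVE_RULE))` shows the centralized variant needing three bus messages and two serial hops where the on-site variant needs none.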