The present invention relates to an apparatus for controlling safety-critical processes, in particular an apparatus having a safe control unit for controlling the safety-critical processes and having at least two safe signal units which are connected via I/O channels to the safety-critical processes, with the safe control unit and the safe signal units being connected to a common fieldbus, and with the safe signal units communicating with the safe control unit, but not with one another, when the apparatus is in the control mode.
A fieldbus is a system for data communication, in which the connected units are connected to one another via a common bus-line. Two units which are connected to the fieldbus can thus communicate with one another without needing to be directly wired up to one another individually. Examples of known fieldbuses include the so-called CAN bus, the so-called Profibus and the so-called Interbus.
The use of fieldbuses has already been sufficiently well known for a long time in the field of control and automation. However, this is not true for the control of safety-critical processes in which, in practice, the units involved in the control system have been individually wired up to one another until the very recent past. This is because it was not possible for the known fieldbuses to ensure the fault protection (fault probability of less than 10^-11) required for controlling safety-critical processes. All known fieldbuses admittedly have measures for fault protection during data transmission, but these measures are not sufficient to ensure the required fault protection. In addition, fieldbuses are open systems to which, in principle, any desired units can be connected. There is a risk in this case of a unit which has nothing whatsoever to do with a safety-critical process that is to be controlled influencing said process in an undesirable manner.
In this context, the term "safety-critical process" means a process which results in an unacceptable risk to people or material goods if a fault occurs. Thus, ideally, a safety-critical process must provide a 100% guarantee that the process will be changed to a safe state if a fault occurs. In the case of a machine system, this may include the system being switched off. In the case of a chemical production process, switching off may, however, lead to an uncontrolled reaction so that, in a case such as this, it is better to change the process to a non-critical parameter range.
Safety-critical processes may also be process elements of larger, higher-level overall processes. By way of example, in the case of a hydraulic press, the material supply may be a non-safety-critical process element, while, on the other hand, the starting up of the pressing tool is a safety-critical process element. Further examples of safety-critical processes (or process elements) are the monitoring of safety guards, protection doors or light barriers, the control of two-hand operated switches, or the monitoring and evaluation of an emergency-off switch.
The units which are involved in the control of a safety-critical process must have safety-related devices going beyond their actual function. These are used primarily for fault and functional monitoring. Units such as these generally have a redundant design, in order to guarantee that they operate safely even when a fault occurs. Units with safety-related measures such as these are referred to in the following text as safe, in contrast to "normal" units.
For the purposes of the present invention, units which have a certain amount of intelligence for controlling a process are referred to as control units. Control units such as these are frequently referred to as clients, in the specialist terminology.
These receive data and/or signals which represent state variables of the controlled processes and activate actuators, which influence the process to be controlled, as a function of this information. The intelligence is normally stored in a memory in the control units, in the form of a variable user program. Programmable logic controllers (PLC) are generally used as the control units.
In contrast, a signal unit is a module which essentially provides input and output channels (I/O channels) to which, firstly, sensors for recording process variables and, secondly, actuators can be connected. A signal unit has no intelligence in the form of a variable user program, and it thus does not have the capability, either, to autonomously control a machine or a process. However, an emergency switch-off may be carried out autonomously when a fault occurs. A signal unit is provided, per se, only to locally carry out a command received from a physically remote control unit. To do this, the signal unit may have a program in the form of an operating system. However, the user cannot vary this program without modifying the hardware of the signal unit. Signal units are normally referred to as servers in the specialist terminology.
DE-A-197 42 716 describes an apparatus for controlling safety-critical processes, such as the monitoring of a safety guard. The known apparatus has a control unit and, for example, three signal units, which are connected to one another via a fieldbus. Both the control unit and the signal units have safety-related devices for carrying out predetermined safety functions. In an entirely general form, these are thus safe units for the purposes of the present invention.
In the known apparatus, the process to be controlled is changed to a safe state when a fault occurs. The switching signal which is used to initiate this action can be triggered firstly by the higher-level control unit or secondly in the area of that signal unit in which the fault has occurred.
However, with the known apparatus, it is impossible for a first signal unit in whose area the fault has occurred to cause other signal units which are connected to that fieldbus likewise to switch off the associated processes there, or to change these processes to a safe state. If a number of processes which are actuated via different signal units need to be changed to a safe state, it is necessary to transmit an appropriate individual control command to each of the signal units which are affected. This is because the known signal units have no intelligence which would make it possible for them to control other signal units.
The known apparatuses thus have the disadvantage that valuable time may be lost, when a fault occurs in the area of a signal unit, before safety-critical processes which are associated with other signal units can be changed to a safe state. In detail, a data interchange is in this case first of all required between the first signal unit and the higher-level control unit, followed by a further data interchange between the higher-level control unit and the further signal units which are affected. There is thus a risk with the known apparatuses of a process which is only indirectly affected by a fault not being switched off sufficiently quickly.
It is known from DE-A-197 42 716 that an entire system having a large number of process elements can be completely switched off by a single signal unit. In this case, the corresponding signal unit is used as a central switch, in particular interrupting the main power supply. In this case, although the entire system can be switched off quickly if a fault occurs, it is then impossible, however, to exclude individual process elements from this, as a function of the situation.
Until now, the apparatuses of this generic type have in each case had only one control unit. This means that the apparatus is no longer available at all when the control unit fails. However, it is desirable to be able to continue to operate an apparatus of this generic type in a flexible way even in a case such as this.
Furthermore, fieldbus systems are subject to the problem that only one unit which is connected to the fieldbus can ever transmit at one time. Collisions may thus occur when two or more units wish to transmit at the same time. In known fieldbus systems, collisions such as these are avoided by allocating priorities. In detail, however, it is possible when collisions occur for a unit with a low priority to be blocked for a very long time, that is to say, not to be given any transmission window.
In non-safe fieldbus systems, this problem is solved by defining a maximum permissible busload of, for example, 50%. The busload is in this case the quotient of the time in which the fieldbus is being used and the time in which the fieldbus is freely available. If, for example, the busload is below the defined limit, it can be assumed that, statistically on average, the connected units have sufficient access to the fieldbus.
However, when controlling a safety-critical process, a solution such as this is inadequate, since, in individual situations, and in contrast to the statistical average, it is possible for the corresponding unit to be blocked for an unacceptably long time.
It is an object of the present invention to specify an apparatus of the type initially mentioned, by means of which, when a fault occurs in the area of a signal unit, any desired combinations of process elements within an entire system can be changed to a safe state as quickly as possible.
For the inventive apparatus, a key feature to achieve this object is that the safe signal units have an evaluator for evaluating a fault message which is broadcasted in general form via the fieldbus, as well as a switching device which autonomously changes the safety-critical process to a safe state when a fault message which is evaluated as being relevant occurs.
In contrast to the already known apparatuses, the signal units in the present invention have the capability to react autonomously to a fault message which is transmitted in general form via the fieldbus, that is to say, a fault message which is not directed specifically to them.
An autonomous reaction by the signal units means that they can react even without a control command directed specifically to them from the higher-level control unit. In plain words, the signal units in the present invention thus have a certain amount of intelligence, which is stored within their operating system and/or their hardware.
The apparatus according to the invention has the advantage that, by virtue of the intelligence that they have been given, the individual signal units are able to autonomously evaluate a generally transmitted fault message. Thus, independently of the higher-level control unit, they can react to a fault which has occurred in a different area of the overall apparatus. Accordingly, there is no longer any need for each individual signal unit to receive a specific control command to switch off the safety-critical processes associated with it. This measure means that it is possible when a fault occurs to switch off any desired combinations of process elements at the same time by means of a single fault message. This is considerably faster than if each of the relevant signal units had to be addressed specifically by the higher-level control unit.
In one refinement of the invention, each of the signal units has transmission means for sending a fault message to a large number of signal units.
This measure has the advantage that each of the signal units is able, when a fault occurs in their area, to directly inform the other signal units connected to that fieldbus. Since each of the signal units is furthermore able to react autonomously to the reception of a fault message, it is thus possible in this way to change safety-critical process elements which are affected by the fault to a safe state particularly quickly. The particular advantage of this measure is that a higher-level control unit is in this case no longer involved at all in the communication with the signal units, that is to say the signal units communicate directly with one another without the indirect route via the control unit. This results in a considerable amount of time being saved.
In a further refinement of the invention, the signal units which are connected to the fieldbus are each allocated to at least one defined group of signal units, with the evaluator of each signal unit evaluating the fault message for its relevance to the respectively associated group.
This measure has the advantage that the individual signal units can very quickly find out whether a fault which has occurred in the area of another signal unit has any relevance to its own safety-critical processes. In consequence, each of the signal units which are affected can react particularly quickly to a fault message sent in general form.
In a further refinement of the measure mentioned above, the groups affected by the fault are coded in each fault message.
This measure has the advantage that each of the signal units can itself identify the relevance of the fault message directly from the fault message itself. This makes it possible to react even more quickly to the occurrence of a relevant fault.
In a further refinement of the invention, fault messages within the bus protocol have the highest transmission priority, irrespective of the priority of their sender.
In this refinement of the invention, it is possible, independently of the busload, for a signal unit to send a fault message immediately after identification of that fault. This is true even if that signal unit has only a relatively low transmission priority within the structure of the fieldbus. In plain words, each subscriber which is connected to the fieldbus is in this case provided with the capability to send a message with the highest possible priority. It is thus possible to inform other units which are connected to the fieldbus particularly quickly of the occurrence of a fault, even in a lower-level area of the system. In consequence, it is possible to react very quickly even to apparently "minor" faults. Furthermore, each unit is in this way provided with the capability to demand bus access even when the busload is very high, and irrespective of its priority.
In a further refinement of the invention, the evaluator of each signal unit evaluates a fault message without sending an acknowledgment message.
This measure represents a special feature in comparison to known apparatuses, since, when controlling safety-critical processes, each message which is sent is first of all normally acknowledged via an acknowledgment message, which is sent back from the receiving unit to the transmitting unit. The transmitting unit normally reacts to the absence of an acknowledgment message by using suitable measures to interrupt the data processing in the receiving unit. In contrast, the said measure has the advantage that a signal unit can directly process a fault message that has been received, without any time delay, since in this case, exceptionally, no acknowledgment message is required. This measure makes it possible to further speed up the reaction to the occurrence of a fault.
In a further refinement of the invention, each signal unit has a time monitor, which initiates the sending of a fault message in the absence of an expected event.
This measure has the advantage that it provides a high level of redundancy within the overall apparatus, since each signal unit which is connected to the fieldbus monitors that the specified time sequences are complied with. The said measure thus contributes to improving the safety within the overall apparatus, since the mutual monitoring is shared "over numerous shoulders".
In a further refinement of the measure mentioned above, the expected event is the reception of an acknowledgment message.
This measure has the advantage that each of the units which are connected to the fieldbus automatically carries out a fault check of the addressed units when a message is sent. This results in continuous mutual monitoring, virtually without any gaps.
In a further refinement of the measures mentioned above, the expected event is the reception of a test message which is sent cyclically.
The test message is a message which is sent from one unit, for example a higher-level control unit, to other units which are connected to the fieldbus. Since, as already explained, a message such as this must be acknowledged by an acknowledgment message, this provides the higher-level unit with the capability to check that the connection to the addressed units is fault-free. Conversely, the higher-level unit is monitored, since each signal unit monitors the regular, cyclical receipt of the test messages.
In a further refinement of the measures mentioned above, but which is itself likewise regarded as an invention, the expected event is a transmission window.
As already mentioned, the communication of the individual connected units in a large number of fieldbus systems is co-ordinated by the specific allocation of transmission authorization or by providing specific transmission windows (for example in the case of Profibus). In other fieldbus systems, the individual units are provided with their transmission authorization on the basis of a fixed priority allocated to them. In both cases, it is possible for a unit to have to wait for an unacceptably long time for the transmission window, owing to a high load. This may be dangerous when controlling safety-critical processes, since each unit is inhibited from communicating for a correspondingly long time. However, the said measure makes it possible for the affected unit to communicate even with bus subscribers which have a higher priority, specifically by generating a fault message with a correspondingly high or the highest priority. This measure has the advantage that the fieldbus can be operated with a very high busload even when controlling safety-critical processes, since it is always possible in this case for any unit to circumvent unacceptably long blocking. Even if the busload is very high, this ensures that messages are always transmitted via the fieldbus within a fixed defined maximum time interval. This measure is also of particular advantage in its own right, by virtue of this fact.
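The evaluator with group-coded fault messages, the highest-priority fault message that wins bus access irrespective of the sender, the acknowledgment-free processing, and the time monitor for the cyclic test message are combined below in a small Python simulation. It is an added example, not code from the patent; the CAN identifiers, node addresses, group bitmasks and the three-cycle timeout are constructed assumptions, and the control unit is represented only by the test message it sends.

```python
from dataclasses import dataclass, field

# CAN arbitration lets the lowest identifier win. The identifiers below are
# constructed for this example; the patent fixes no numbering scheme.
FAULT_ID = 0x000   # reserved for fault messages: below every sender's own ID
TEST_ID = 0x100    # cyclic test message from the higher-level control unit
RUNNING, SAFE = "running", "safe"

@dataclass(frozen=True)
class Frame:
    can_id: int             # arbitration identifier
    sender: int             # node address of the originator
    groups: int = 0         # fault frames: bitmask of the affected groups
    needs_ack: bool = True  # fault frames are the exception: no acknowledgment

@dataclass
class SignalUnit:
    address: int
    groups: int                 # bitmask of the groups this unit belongs to
    timeout_cycles: int = 3     # time monitor: tolerated cycles without a test message
    state: str = RUNNING
    cycles_since_test: int = 0
    outbox: list = field(default_factory=list)

    def fault_frame(self, affected_groups: int) -> Frame:
        """Transmission means: a broadcast fault message coding the affected groups."""
        return Frame(FAULT_ID, self.address, affected_groups, needs_ack=False)

    def evaluate(self, frame: Frame) -> bool:
        """Evaluator: a fault frame is relevant if its groups overlap ours; the
        switching device then acts at once, with no ack and no control command."""
        if frame.can_id == TEST_ID:
            self.cycles_since_test = 0      # the expected cyclic event arrived
            return False
        if frame.can_id == FAULT_ID and frame.groups & self.groups:
            self.state = SAFE
            return True
        return False

    def tick(self) -> None:
        """Time monitor: a missing cyclic test message itself raises a fault message."""
        self.cycles_since_test += 1
        if self.cycles_since_test > self.timeout_cycles and self.state == RUNNING:
            self.outbox.append(self.fault_frame(self.groups))

def arbitrate(pending: list) -> list:
    """CAN arbitration order: lowest identifier first, so a fault frame from the
    lowest-priority node still goes out ahead of every other pending frame."""
    return sorted(pending, key=lambda f: (f.can_id, f.sender))

def broadcast(frame: Frame, units: list) -> list:
    """Deliver one frame to every unit; return the addresses that went safe."""
    return [u.address for u in units if u.evaluate(frame)]

def scenario() -> dict:
    """Constructed scenario: the door unit detects a fault in group B while the
    control unit's test message and the door's own normal frame are pending."""
    press = SignalUnit(address=1, groups=0b011)    # groups A and B
    door = SignalUnit(address=2, groups=0b010)     # group B only
    feeder = SignalUnit(address=3, groups=0b100)   # group C only
    pending = arbitrate([Frame(TEST_ID, 0), Frame(0x302, 2), door.fault_frame(0b010)])
    switched = broadcast(pending[0], [press, door, feeder])  # fault frame wins
    for _ in range(4):                             # the feeder hears no test message
        feeder.tick()
    return {"order": [f.can_id for f in pending], "switched_safe": switched,
            "states": {u.address: u.state for u in (press, door, feeder)},
            "watchdog_groups": [f.groups for f in feeder.outbox]}
```

Running `scenario()` shows the press and door going safe from one broadcast while the feeder, in an unaffected group, keeps running, and the feeder's time monitor queuing its own fault message after the fourth cycle without a test message.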
In a further refinement of the invention, the fieldbus is a CAN bus.
This measure is particularly advantageous, since, by virtue of its basic structure, a CAN bus allows the transmission and reception of messages between any units which are connected to the bus. In consequence, a CAN bus is particularly highly suitable for very quickly sending a fault message to a large number of connected units when a fault occurs in a specific area. At the same time, however, owing to this characteristic, a CAN bus requires very strictly defined rules relating to communication co-ordination to be complied with when controlling safety-critical processes. The measures according to the invention are particularly advantageous in conjunction with a CAN bus, since, firstly, they include clear rules relating to communication co-ordination and, secondly, they make optimum use of the special feature of the CAN bus. Overall, a CAN bus in combination with the measures according to the invention is thus particularly highly suitable for controlling safety-critical processes.
In a further refinement, but which is also advantageous in its own right, the apparatus has at least two safe control units for controlling safety-critical processes, and these are connected to at least one signal unit via a common fieldbus.
This measure has the advantage that the apparatus can then still be used to control processes even when one of the control units has failed. For example, this makes it possible to control two identical machine systems separately from one another via one common fieldbus. If one of the machine systems fails, the other can continue to operate and, in some circumstances, can even increase production in order to compensate for the loss of the first machine system.
In a further refinement of the measure mentioned above, the apparatus also has an administration unit for coordinating the at least two safe control units.
This measure has the advantage that the co-ordination of a number of control units can be carried out separately from them, so that the control units are themselves completely available for controlling the processes, that is to say, for carrying out the application programs. Furthermore, the co-ordination of the control units, which in turn has to take account of safety aspects relating to the apparatus, is taken away from user access.
In one further refinement, the at least two safe control units have at least one signal unit associated jointly with them, with a first of the safe control units communicating directly with the said signal unit, while a second of the safe control units communicates with the said signal unit via the first control unit.
This measure has the advantage that individual resources within the apparatus, for example an emergency-off switch, can be used jointly by the number of control units. This allows costs to be saved, and increases the overall flexibility. In this case, the said measure makes it possible to avoid collisions when accessing the jointly used signal unit.
It is self-evident that the features mentioned above and which will also be explained in the following text can be used not only in the respectively stated combination but also in other combinations and on their own, without having to depart from the scope of the present invention.