The present invention relates to a safety-related control unit for controlling an automated installation in accordance with an application program, with the installation comprising a plurality of sensors and a plurality of actuators, and the application program comprising a plurality of control instructions for controlling the actuators in response to signals from the sensors. The invention also relates to a method for controlling such an automated installation.
A safety-related control unit in terms of the present invention is an apparatus or a device which receives input signals delivered by sensors and generates output signals from these input signals by logical combinations and possibly other signal or data processing steps. The output signals can then be supplied to actuators which effect actions or reactions in a controlled installation on the basis of the input signals.
A preferred field of application for such safety-related control units is the monitoring of emergency-off buttons, two-hand controllers, protective doors or light grids in the field of machine safety. Such sensors are used in order to safeguard, for example, a machine which, in operation, entails a risk for persons or material goods. When the protective door is opened or when the emergency-off button is operated, a respective signal is generated and supplied as input signal to the safety-related control unit. In response thereto, the safety-related control unit then switches off the hazardous part of the machine with the aid of an actuator, for example.
In contrast to a “normal” control unit, it is characteristic of a safety-related control unit that it always brings the hazardous installation or machine into a safe state and keeps it there, even if a malfunction occurs in the control unit itself or in an apparatus connected to it. For this reason, extremely high demands are made on the failsafety of safety-related control units themselves, which results in considerable expenditure in their development and production.
As a rule, safety-related control units need a special approval from a competent supervisory authority such as, for example, the professional associations or what is called the TÜV in Germany. In this context, the safety-related control unit must meet predetermined safety standards which are defined, for example, in European Standard EN 954-1, IEC 61508 or EN ISO 13849-1 or a comparable standard. In the text which follows, a safety-related control unit is understood to be an apparatus or a device which meets at least safety category 3 of the European Standard EN 954-1, or Safety Integrity Level (SIL) 2 in accordance with IEC 61508.
A programmable safety-related control unit offers the user the possibility to individually define the logical combinations and possibly further signal or data processing steps using a piece of software, the so-called application program, in accordance with their requirements. This results in great flexibility in comparison with earlier solutions in which the logical combinations were produced by a fixed hardwiring between various safety-related modules. An application program can be generated, for example, with the aid of a commercially available personal computer (PC) and appropriate software programs.
As already mentioned, extremely high demands in terms of failsafety are placed on a safety-related control unit. One approach is, for example, to design the safety-related control unit redundantly, at least in its data-processing components such as the processors. This achieves the greatest possible availability of the safety-related control unit with respect to faults occurring inside the safety-related control unit. Similarly, high availability of a safety-related control unit is desirable with respect to faults that may occur outside the safety-related control unit. For example, after a failure of the supply voltage, a safety-related control unit should resume operation without problems in the state it had assumed before the voltage failure occurred. It is especially with regard to availability in the case of faults occurring outside the safety-related control unit that known safety-related control units are not yet optimal.
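The two behaviours described above, a redundant evaluation of sensor signals that falls back to the safe state on any internal disagreement, and a restart that recovers the pre-failure state only when that state can be trusted, are illustrated by the following Python example. It is an added illustration and not the control unit disclosed in this application: the two-channel cross-check, the normally-closed contact convention, the `SensorInputs`, `evaluate`, `save_state` and `restore_state` names and the CRC-protected state record are all assumptions chosen for the example.

```python
"""Illustrative two-channel safety logic with a safe fallback on disagreement
and a checksummed state record for resuming after a supply voltage failure.
Added example; not taken from the patent text."""
from dataclasses import dataclass
from enum import Enum
import zlib


class Output(Enum):
    RUN = "run"    # hazardous part of the machine may operate
    STOP = "stop"  # safe state: hazardous part switched off


@dataclass(frozen=True)
class SensorInputs:
    """Snapshot of the safety sensors as read by one processing channel.

    Assumed convention: safety contacts are normally closed, so True means the
    circuit is closed (button released, door shut) and False means it is open
    (button pressed, door opened, or a wire break).
    """
    estop_released: bool
    door_closed: bool


def channel_logic(inputs: SensorInputs) -> bool:
    """Application-program logic of a single channel: release the machine only
    if every monitored condition is satisfied. True means RUN, False means STOP."""
    return inputs.estop_released and inputs.door_closed


def evaluate(channel_a: SensorInputs, channel_b: SensorInputs) -> Output:
    """Combine the two redundant channels. Both must agree; any discrepancy is
    treated as an internal fault and forces the safe state."""
    a = channel_logic(channel_a)
    b = channel_logic(channel_b)
    if a != b:
        return Output.STOP
    return Output.RUN if a else Output.STOP


def save_state(output: Output) -> bytes:
    """Persist the last output together with a CRC-32 so that a record damaged
    by a voltage failure in the middle of a write can be recognised on restart."""
    payload = output.value.encode()
    return payload + zlib.crc32(payload).to_bytes(4, "big")


def restore_state(record: bytes) -> Output:
    """Recover the pre-failure state. A short, corrupted or unknown record yields
    STOP, so a failed restore can never enable the hazardous part."""
    if len(record) < 4:
        return Output.STOP
    payload, crc = record[:-4], int.from_bytes(record[-4:], "big")
    if zlib.crc32(payload) != crc:
        return Output.STOP
    try:
        return Output(payload.decode())
    except ValueError:  # includes UnicodeDecodeError and unknown values
        return Output.STOP


if __name__ == "__main__":
    # Constructed sample inputs: both channels read a released button and a closed door.
    ok = SensorInputs(estop_released=True, door_closed=True)
    print(evaluate(ok, ok).value)                                  # run
    print(evaluate(ok, SensorInputs(True, False)).value)           # stop (channel mismatch)
    print(restore_state(save_state(Output.RUN)).value)             # run
```

The point of the cross-check is that a fault in one channel, such as a stuck input bit, is visible as a disagreement and leads to STOP rather than to an unsafe RUN; the checksum on the saved record serves the same purpose for the restart path.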