Databus systems with head modules for controlling the data communication on an internal databus, to which input/output modules are connected, are well known. Such bus systems make it possible to set up control and monitoring systems with little wiring complexity and a high degree of flexibility. Stringent requirements are often placed on the reliable operation of such automation systems in order to safely rule out faults resulting from failure of system components or from faulty data transmission. The aim is to avoid hazards for personnel, faults in manufacturing processes, etc.
A safe control system which is certified, for example, to the so-called Class 4 in accordance with the European standard EN 954-1 and to safety integrity level (SIL) 3 in accordance with IEC 61508 parts 1 to 7 typically has head modules or bus system control modules with at least two microcontrollers, which execute a safety program and, under certain circumstances, also a standard application, in redundant fashion. Depending on the type of redundancy selected (diverse or homogeneous), the two microcontrollers can be different from one another, but do not necessarily need to be. The two microcontrollers cyclically exchange data via an interface internal to the bus system control module so that they can carry out the necessary mutual checking of the safety functions. This interface is in the form of a point-to-point connection between the two microcontrollers. In this case, the two microcontrollers are typically accommodated on one or more printed circuit boards within a housing of one and the same bus system control module.
Such a solution with an interface module, which has a bus master and a safe control unit with two microprocessors functioning independently of one another, is disclosed in DE 103 53 950 A1. The interface module described can also communicate with a second control unit, which provides unsafe control of at least one non-safety-critical process. In the event of an emergency or in the event of faulty functioning, the safe control unit can take on the tasks of the unsafe control unit or the control of the unsafe processes by means of a bypass.
DE 199 28 517 has disclosed a control system for controlling safety-critical processes with a field bus coupler, to which a safety module is connected. The safety functions are executed completely in the safety module, which for this purpose in turn has two microcontrollers checking one another. The entire safety functionality is handled by the safety module, so that the field bus coupling module does not require any safety-relevant design or any safety functions.
DE 198 15 147 A1 has disclosed an arrangement of sensors for monitoring a working device, the sensors forming slaves of a bus system functioning on the master/slave principle. A redundant evaluation unit is connected to the bus system in order to monitor the data traffic on the databus. In the event of a fault being identified, outputs of the evaluation unit are disconnected. The evaluation unit is therefore autonomous as regards the checking of faults and at the same time takes on the function of safety shutdown.