In the following, a safety-relevant process is understood to be a process which, if an error occurs in it, poses a non-negligible risk to people and/or material goods. Therefore, in the ideal case, 100-percent safety must be guaranteed for a safety-relevant process, such that, if an error occurs in this process, a subsequent process coupled with it and/or an overall system including it is brought into a safe state. Such safety-relevant processes may thus also be sub-processes of larger, higher-level overall processes. Examples of safety-relevant processes are chemical processes in which critical parameters must absolutely be kept within a given range, and complex machine controllers, such as those of a hydraulic press or a production line, in which, for example, the start-up of a pressing or cutting tool can represent a safety-relevant sub-process. Additional examples of safety-relevant (sub-)processes are the monitoring of protective screens, protective doors, or light barriers, the control of two-hand switches, and the reaction to an emergency stop switch.
Thus, for all safety-relevant processes it is absolutely necessary that the associated safety-relevant data that is generated, detected, or measured be transported in real time and without any corruption, because any corruption could result in an incorrect function and/or reaction that could ultimately endanger the life and health of people.
To satisfy these safety requirements, numerous agreements have been made in recent years that require essentially error-free data transport when bus systems are used. These concern, in particular, the data transport itself and also the permissible residual error probability as a function of the respective application or process. Relevant standards here include, in particular, EN 61508 and EN 954-1, as well as the principles for testing and certifying “bus systems for the transmission of safety-relevant messages” issued by the testing and certification bodies for occupational health and safety.
On the basis of these agreements and standards, safety-oriented bus systems have been developed that transmit data with high redundancy, so that possible errors are discovered in due time and danger can be avoided. Examples include, among others, Safety Bus P, Profibus F, and Interbus Safety.
It is disadvantageous here, however, that in order to use a safety-oriented bus system, already installed bus systems must be replaced, and frequently restrictions on the number of subscribers, the data transfer rate, or the data protocol must be accepted.
Consequently, safety-oriented methods and/or components have been developed that allow simpler and more economical retrofitting of already existing bus systems. In particular, electronic safety methods for control and automation technology use the (field) bus systems already in place for data communication between the units taking part in a process to transmit safety-relevant data as well, in particular between sensors, actuators, and/or control devices.
EP 1 188 096 B1 discloses, for example, a control system for a safety-relevant process with a field bus, by means of which a control unit for controlling the safety-relevant process and a signal unit, which is linked to the safety-relevant process via I/O channels, are connected. To guarantee error-free communication with each other, these units have safety-relevant devices by which non-safe units are turned into safe units. In detail, two or more redundant processing channels are provided in each case, such that an error in one of the processing channels can be detected, and possibly corrected, with reference to a result that deviates from the result of the other redundant processing channel. This multiple-channel structure is realized, in particular, by two redundant processors. The safety analysis, however, ends at the two redundant processors; from this point on it relies on the safe data protocol used, without additional details being given.
In the following, unless specified in more detail, the general term processor is to be understood as essentially any type of data-processing device, such as a microcomputer, microprocessor, microcontroller, or also a PC.
WO 01/15385 A2 also relates to the control of safety-relevant processes using (field) bus systems, wherein the units taking part in the control of the safety-relevant process in turn usually have redundant processing channels. Each of the redundant channels comprises a processor, and the processors monitor each other. This multiple-channel structure is transferred into a single-channel structure via another processor connected to the field bus (FIG. 3). More detailed specifications, including how the multiple-channel structure is transferred to the single-channel structure, are not to be found in the publication.
WO 01/15391 A1 and the Laid-Open Specification DE 199 39 567 A1 are additional examples of safe bus subscribers with redundant processing channels and/or processors that mutually monitor each other for a safe protocol design, followed by the transfer from the dual-channel structure to the single-channel structure by means of another processor, which is coupled to the bus and which is connected to a protocol chip or integrated with it. Here, too, the safety analysis ends at the two redundant processors; no additional technical measures are disclosed, and from this point on the analysis relies on a safe data protocol.
To reduce the circuitry expense, Patent Specification DE 195 32 639 C2, which concerns a device for the single-channel transmission of data formed by means of two redundant processors, integrates the bus coupling function into one of the two redundant processors. Thus, only the processor with the bus-coupling functionality has an output channel, to which useful data originating from this processor and test data originating from the other processor are fed, or vice versa, or to which useful data and test data of both processors are fed in an interleaved way (FIG. 4). However, to guarantee that the processor operating the bus is not in a position to generate data packets that the other processor cannot influence, an increased effort in safety analysis is necessary during conversion, because, first, freedom from feedback and, second, the independence of the computers in establishing the safe protocol must be demonstrated. For this purpose, the patent specification merely proposes a corresponding connection or non-connection of the respective processor outputs.
DE 100 65 907 A1 further describes a method based on the principle of “redundancy with cross-check” for safe data transport on parallel or serial networks or bus systems, wherein a buffer register with two identical logical data areas is used for the transfer from the dual-channel structure to the single-channel structure. The complete safety-oriented message transmitted with a single channel via the bus system comprises the data contents of both data areas of the buffer register. Upstream of the buffer register on the transmitter side, two redundant processors are in turn connected, which prepare the safety-relevant data, supplied with a single channel or with two channels depending on the type of application, each with redundant information to form safe data, and which exchange this data with each other for checking. If both reach the same result, each of the processors transmits its safe data to the buffer register, wherein each data area is occupied with the safe data of one processor, which in turn already contains redundant information for error recognition. In an alternative embodiment, the buffer register is contained in one of the two processors, so that this one processor assigns both data areas of the buffer register in agreement with the second processor, and the second processor performs an additional read process for checking the buffer register with its two data areas. Depending on the application, the data contents of one of the two data areas of the buffer register can also be inverted or otherwise additionally interleaved, in order to recognize, for example, systematic errors in the transmitters, receivers, and/or other forwarding units.
A disadvantage here is, in particular, that the total data length of the safety-oriented message is extremely large in relation to the actual useful data, and the data transfer rate for the useful data is correspondingly small, because for each useful data set to be transmitted, two identical useful data sets and, in addition, redundant information for each of the identical useful data sets must be transmitted. The smaller the number of useful data units to be transmitted in each data packet, as is the case, for example, with the Interbus, the worse the ratio of useful data length to total data length becomes.
The task of German Patent Application No. 10 2004 039 932.8, filed on Aug. 17, 2004 by the same applicant as the present invention, of which the present invention is a refinement, is to provide, for the safe bus coupling of safety-relevant processes, another, novel and improved way of transferring the multiple-channel structure to the single-channel structure, and to guarantee, in a way that is easy to realize and especially also easy to test, freedom from feedback and independence in the establishment of a safety-oriented protocol that is to be transmitted as a safety packet via a bus.
For this purpose, it was proposed to provide a method for the single-channel bus coupling of a safety-critical process, in which a data set relevant for the safety-critical process is processed by means of at least two redundant processing channels, in particular in a protocol-specific way, according to identical rules into a respective safety-oriented protocol, and the redundant safety-oriented protocols are assembled back into a common safety-oriented protocol for single-channel bus coupling, in that each of the processing channels accesses a common buffer register, wherein for each register location a write authorization is allocated only once, such that the common safety-oriented protocol, that is, the safety packet to be transmitted, is assembled proportionally by each processing channel writing different portions of its safety-oriented protocol.
Consequently, one significant advantage here is that, first, both processing channels are in a position to calculate the complete safety-oriented protocol, which has a positive effect on the necessary packet length: all data bits are already known in the redundant processing channels together with the different safety mechanisms, and no additional data bits that would allow the receiver to determine whether the calculation was error-free need to be transmitted. In addition, it is guaranteed that one processing channel alone is not in a position to transmit a safety packet, wherein the control by means of a write authorization that can be allocated only once per register location represents a possibility that is easy to implement and highly efficient, in order to achieve significantly increased safety in an economical way, independent of the bus (system) used.
Thus, an intelligent unit for performing the method according to the invention can already be realized by an apparatus with at least two redundant processors, in which the processors are configured to process an identical input data set according to identical rules into a respective safety-oriented protocol, and which are connected by means of a circuit arrangement to a common buffer register in such a way that, for each register location of the buffer register, write access is given to only one of the processors.
The invention according to German Patent Application No. 10 2004 039 932.8 thus allows, through the use of standard components and independently of the respective bus system, a highly dynamic and highly efficient solution that is easy to implement for the feedback-free and independent formation of the respective safety-oriented protocol, wherein the specific processing rules for forming the safety packet are preferably suitable for satisfying the corresponding safety requirements, in particular the safety requirements for a simple transmission according to SIL 3 of IEC 61508.
Furthermore, the invention according to German Patent Application No. 10 2004 039 932.8 already provides for the circuit arrangement to be constructed in a useful way such that each of the processors can read-access each register location of the buffer register, so that, according to the preferred construction, before the common safety-oriented protocol is transmitted from the buffer register, each register location is read by each of the redundant processing channels in order to verify the safety-oriented protocol formed in common. Because of this additional comparison of the safety-oriented protocol formed in common with the safety-oriented protocol formed separately by each processing channel, the achieved degree of safety can be increased significantly once more, because on the loss of or an error in a processor a complete safety packet cannot be generated, so that an error is reliably identified and a safety-oriented function can be initiated.
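The mechanism of the preceding paragraphs, as an added illustration in C that is not part of the patent application or its claims: two redundant channels each compute the complete safety-oriented protocol; a common buffer register grants the write authorization for each register location to exactly one channel and only once; and before transmission each channel reads back every location and compares it with its own result. The packet layout (payload, sequence counter, CRC-16/CCITT), the CRC parameters, the alternating assignment of register locations to the two channels, the constructed sample payload, and all function names are assumptions of this example, not features disclosed by the application.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Model of the bus coupling described above (an illustration, not the patent's circuit):
 * packet layout, CRC parameters and alternating ownership of register locations are assumed. */
#define PAYLOAD_LEN 4
#define PKT_LEN (PAYLOAD_LEN + 1 + 2)   /* payload, sequence counter, CRC-16 */
#define NUM_CHANNELS 2
static const uint8_t SAMPLE_PAYLOAD[PAYLOAD_LEN] = {0x10, 0x20, 0x30, 0x40}; /* constructed input */

typedef struct {
    uint8_t data[PKT_LEN];
    uint8_t owner[PKT_LEN];    /* channel holding the write authorization */
    uint8_t written[PKT_LEN];  /* set once the location has been written */
} shared_buffer_t;

/* CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), assumed as the protocol's check value. */
static uint16_t crc16_ccitt(const uint8_t *buf, size_t len) {
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)((uint16_t)buf[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Each channel computes the complete safety-oriented protocol from the input data set. */
static void build_protocol(const uint8_t *payload, uint8_t counter, uint8_t *out) {
    memcpy(out, payload, PAYLOAD_LEN);
    out[PAYLOAD_LEN] = counter;
    uint16_t crc = crc16_ccitt(out, PAYLOAD_LEN + 1);
    out[PAYLOAD_LEN + 1] = (uint8_t)(crc >> 8);
    out[PAYLOAD_LEN + 2] = (uint8_t)(crc & 0xFF);
}

static void buffer_init(shared_buffer_t *b) {
    memset(b, 0, sizeof *b);
    for (size_t i = 0; i < PKT_LEN; i++)
        b->owner[i] = (uint8_t)(i % NUM_CHANNELS);   /* locations alternate between channels */
}
/* Write access: only the owning channel, and only once per location. */
static bool buffer_write(shared_buffer_t *b, uint8_t channel, size_t idx, uint8_t value) {
    if (idx >= PKT_LEN || b->owner[idx] != channel || b->written[idx]) return false;
    b->data[idx] = value;
    b->written[idx] = 1;
    return true;
}

/* Read-back verification: every location must be written and match the channel's own protocol. */
static bool channel_verify(const shared_buffer_t *b, const uint8_t *proto) {
    for (size_t i = 0; i < PKT_LEN; i++)
        if (!b->written[i] || b->data[i] != proto[i]) return false;
    return true;
}

/* One cycle: both channels build the protocol and try to write every location (only owned ones
 * succeed), then both read the register back. fault_ch1 corrupts channel 1's local protocol. */
static bool transmit_cycle(const uint8_t *payload, uint8_t counter, bool fault_ch1, uint8_t *pkt) {
    uint8_t proto[NUM_CHANNELS][PKT_LEN];
    shared_buffer_t buf;
    buffer_init(&buf);
    for (uint8_t c = 0; c < NUM_CHANNELS; c++) build_protocol(payload, counter, proto[c]);
    if (fault_ch1) proto[1][0] ^= 0x01;
    for (uint8_t c = 0; c < NUM_CHANNELS; c++)
        for (size_t i = 0; i < PKT_LEN; i++) (void)buffer_write(&buf, c, i, proto[c][i]);
    bool ok = true;
    for (uint8_t c = 0; c < NUM_CHANNELS; c++) ok = ok && channel_verify(&buf, proto[c]);
    if (ok) memcpy(pkt, buf.data, PKT_LEN);
    return ok;   /* false: nothing is transmitted and a safety-oriented function is initiated */
}

/* A single channel cannot complete the packet: number of locations it leaves unwritten. */
static size_t unwritten_after_single_channel(uint8_t channel) {
    uint8_t proto[PKT_LEN];
    shared_buffer_t buf;
    buffer_init(&buf);
    build_protocol(SAMPLE_PAYLOAD, 1, proto);
    for (size_t i = 0; i < PKT_LEN; i++) (void)buffer_write(&buf, channel, i, proto[i]);
    size_t n = 0;
    for (size_t i = 0; i < PKT_LEN; i++) n += buf.written[i] ? 0 : 1;
    return n;
}

/* Runs a cycle on the constructed sample and checks the packet's payload, counter and CRC. */
static bool run_demo(bool fault_ch1) {
    uint8_t pkt[PKT_LEN];
    if (!transmit_cycle(SAMPLE_PAYLOAD, 7, fault_ch1, pkt)) return false;
    return memcmp(pkt, SAMPLE_PAYLOAD, PAYLOAD_LEN) == 0 && pkt[PAYLOAD_LEN] == 7 &&
           crc16_ccitt(pkt, PAYLOAD_LEN + 1) == (uint16_t)(((uint16_t)pkt[5] << 8) | pkt[6]);
}

int main(void) {
    printf("nominal cycle accepted: %s\n", run_demo(false) ? "yes" : "no");
    printf("corrupted channel detected: %s\n", run_demo(true) ? "no" : "yes");
    printf("locations left unwritten by channel 0 alone: %zu\n", unwritten_after_single_channel(0));
    return 0;
}
```

Two points the model makes visible: the corrupted channel is refused even though the flipped byte lies in a location owned by the other channel, because the read-back comparison covers the whole register and not only the locations a channel wrote itself; and a single channel, even when it attempts every location, leaves the other channel's locations empty, so it can never present a complete safety packet to the bus on its own.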