The present invention relates to a method for determining a safety step in an automation network comprising subscribers, as well as to a safety manager and to an automation network.
Modern concepts of industrial automation, i.e. controlling and monitoring technical processes by means of software, are based on the idea of a central control comprising a distributed sensor/actuator layer. Thereby, the subscribers communicate with one another and with superordinate systems via industrial local networks, in the following also referred to as automation networks. The automation networks are usually configured as what is known as master-slave communication networks in which the master subscriber represents the control layer and the slave subscribers represent the sensor/actuator layer.
Safety is an essential requirement in industrial automation. When carrying out automation tasks, it has to be ensured that the automation network, upon failure of one of the subscribers or if other errors occur, will not pose any danger to humans or the environment. In order to be able to categorize the danger represented by an automation network, a risk assessment must be carried out. According to European standard EN 1050, the risk assessment has to be carried out in a sequence of logical steps which allow the hazards emanating from the automation network and/or the individual subscribers to be examined systematically. On the basis of this hazard analysis, the technical and organizational requirements on the automation network are then determined in order to ensure sufficient safety.
In this context, European standard EN 954-1 "Safety of machinery—Safety-related parts of control systems" has established itself as an international standard in the field of machine and plant safety for carrying out a hazard analysis. The standard takes all safety-relevant subscribers into account regardless of their subscriber type, and categorizes their safety-related performance. Based on the determined safety category, the control structure in the automation network is then configured so as to fulfil the requirements placed on the safety functions and to achieve the necessary system behaviour in the case of a fault.
In order to do particular justice to programmable electronic control systems with regard to safety requirements, further standards have been introduced in addition to EN 954-1 during the last few years. For hazard analysis in automation networks, the EN ISO 13849-1 and the IEC/EN 62061 standards are particularly relevant. By means of these two standards, a quantitative consideration of safety functions is carried out in addition to the qualitative approach of EN 954-1.
The EN ISO 13849-1 and the IEC/EN 62061 standards specify the safety-related performance of programmable electronic control systems required for risk reduction. In order to categorize this safety-related performance, the two standards define safety steps (the performance level PL of EN ISO 13849-1 and the safety integrity level SIL of IEC/EN 62061). For this purpose, all safety functions of the automation network are considered together with all subscribers taking part in their execution.
The safety step of the automation network is determined on the basis of safety-relevant parameters of the subscribers participating in the safety functions. According to the EN ISO 13849-1 standard and the like, these parameters are: the mean time to failure (MTTF; in EN ISO 13849-1 more precisely the mean time to dangerous failure, MTTFd), the diagnostic coverage (DC), the probability of a dangerous failure per hour (PFH), the mission time (TM), the number of cycles after which 10% of a sample of wear-afflicted subscribers have failed dangerously (B10d), and the common cause failure (CCF). Apart from the aforesaid safety-relevant parameters, further factors, including operational ones such as the demand rate or the test rate of the safety function, may influence the safety step.
In order to determine the safety step of an automation network, exact information on the logical interconnection of the subscribers in the automation network is furthermore required, in addition to knowledge of the safety-relevant parameters of all the subscribers participating in the safety function.
In order to be able to reliably categorize the danger posed by an automation network, complex calculations, e.g. by means of Markov analysis, are required. Moreover, the failure probability of individual subscribers has in part to be estimated due to insufficient data, which makes it difficult to give a definitive statement. Determining the safety step in the automation network thus poses considerable problems for small and medium-sized companies.
In the last few years, safety tools have increasingly come onto the market, such as the safety calculator PAScal provided by the company Pilz, Ostfildern, Germany and the Safeexpert program provided by the company Sick, Weiskirch, Germany. These safety tools calculate the safety step of safety functions in automation networks depending on the subscribers used. In doing so, the subscriber-specific safety parameters are taken from a software library. In addition, however, the structure of the system, i.e. the data- and process-specific linking of the subscribers within the automation network, has to be entered manually. The safety tools check the calculated safety step against the safety step required according to the EN ISO 13849-1 and EN/IEC 62061 standards and indicate a potential need for action in order to improve safety within the automation network.
The use of a software library for obtaining the subscriber-specific safety parameters requires constant updating of this library in order to be able to take new subscribers into account during the safety calculation and/or to consider modifications carried out in the subscribers. Moreover, the requirement to enter the data- and process-specific linking of the subscribers in the automation network into the safety tool by hand is time-consuming and error-prone. Thus, when determining the safety step, usually only a simplified consideration of the control logic in the automation network is carried out. If the automation network is expanded or modified, the modified structure additionally has to be re-entered in order to be able to determine the current safety step.
DE 103 18 837 A1 discloses a network in which data and process-specific links between the subscribers may be automatically detected by a safety manager.
EP 1 300 657 A2 and DE 44 09 543 A1 disclose networks in which subscriber-specific parameters may be determined automatically.
"Wahrscheinlichkeitsrechnung leicht gemacht" (Probability calculation made easy) from the service box of the CIC-web online magazine (online service of Henrich Publikationen GmbH), edition AUT June 2005, p. 1-3 (http://www.cicweb.de/index.cfm?pid=1473&pk=66042#) shows a method for determining a safety step within an automation network comprising subscribers, in which the safety step in the automation network is calculated by means of an algorithm which combines the data- and process-specific linking of the subscribers in the automation network with the subscriber-specific safety parameters. This method has been realized in the "Safety Calculator PAScal" program by the company PILZ.
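As an added illustration of the calculation such a method performs (this is example code written for this page; it is neither part of the patent nor the code of PAScal, Safeexpert or any other vendor tool), the following combines the two inputs named above, the structure of the safety function (its category and whether it is single- or two-channel) and the subscriber-specific parameters of the kind listed earlier (MTTFd, DC, B10d, CCF), and looks up the resulting safety step, here the performance level of EN ISO 13849-1, using the simplified procedure of the 2006 edition of that standard. The subscriber values, the operating profile (days, hours, cycle time) and the CCF score are constructed assumptions, not manufacturer data.

```python
"""Simplified Performance Level (PL) estimate for one safety function.

Added example, not from the patent text nor from PAScal or Safexpert.  Formulas
and bands follow the simplified procedure of EN ISO 13849-1:2006: B10d to MTTFd
conversion (Annex C), parts count and channel symmetrisation (Annex D), DCavg
(Annex E), CCF score threshold (Annex F) and the category/DC/MTTFd to PL lookup
(Table 7).  All subscriber values below are constructed illustration data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass
class Subscriber:
    """Safety-relevant parameters of one subscriber (constructed values)."""
    name: str
    dc: float                            # diagnostic coverage, 0.0 .. 1.0
    mttfd_years: Optional[float] = None  # MTTFd given directly by the manufacturer
    b10d: Optional[float] = None         # cycles until 10 % of a sample failed dangerously
    dop: float = 0.0                     # operating days per year    (B10d parts only)
    hop: float = 0.0                     # operating hours per day    (B10d parts only)
    tcycle_s: float = 0.0                # seconds between two cycles (B10d parts only)

    def mttfd(self) -> float:
        """MTTFd in years; wear parts are converted from B10d via the demand rate n_op."""
        if self.mttfd_years is not None:
            return self.mttfd_years
        if self.b10d is None or self.tcycle_s <= 0:
            raise ValueError(f"{self.name}: need MTTFd or B10d with an operating profile")
        n_op = self.dop * self.hop * 3600.0 / self.tcycle_s   # cycles per year
        return self.b10d / (0.1 * n_op)


MTTFD_CAP_YEARS = 100.0   # upper limit in the 2006 edition (later editions raised it for Cat 4)


def channel_mttfd(parts: Sequence[Subscriber]) -> float:
    """Parts count: 1/MTTFd_channel = sum(1/MTTFd_i), capped at 100 years."""
    return min(MTTFD_CAP_YEARS, 1.0 / sum(1.0 / p.mttfd() for p in parts))


def dc_avg(parts: Sequence[Subscriber]) -> float:
    """Average DC weighted by failure rate: sum(DC_i/MTTFd_i) / sum(1/MTTFd_i)."""
    return sum(p.dc / p.mttfd() for p in parts) / sum(1.0 / p.mttfd() for p in parts)


def mttfd_band(years: float) -> Optional[str]:
    if years < 3.0:
        return None           # below the lowest band: the channel cannot be rated at all
    return "low" if years < 10.0 else "medium" if years < 30.0 else "high"


def dc_band(dc: float) -> str:
    return "none" if dc < 0.60 else "low" if dc < 0.90 else "medium" if dc < 0.99 else "high"


# Table 7 of EN ISO 13849-1:2006: (category, DCavg band) -> {MTTFd band: PL}
PL_TABLE: Dict[tuple, Dict[str, str]] = {
    ("B", "none"):   {"low": "a", "medium": "b", "high": "c"},
    ("1", "none"):   {"high": "c"},
    ("2", "low"):    {"low": "a", "medium": "b", "high": "c"},
    ("2", "medium"): {"low": "b", "medium": "c", "high": "d"},
    ("3", "low"):    {"low": "b", "medium": "c", "high": "d"},
    ("3", "medium"): {"low": "c", "medium": "d", "high": "e"},
    ("4", "high"):   {"high": "e"},
}


def performance_level(category: str, channels: List[List[Subscriber]],
                      ccf_score: int = 0) -> Optional[str]:
    """PL reached by a safety function, or None when no PL can be claimed."""
    if category in ("2", "3", "4") and ccf_score < 65:
        return None           # Annex F: at least 65 CCF points are required for Cat 2, 3, 4
    per_channel = [channel_mttfd(c) for c in channels]
    if len(per_channel) == 1:
        mttfd = per_channel[0]
    elif len(per_channel) == 2:   # Annex D: symmetrisation of two (possibly unequal) channels
        c1, c2 = per_channel
        mttfd = min(MTTFD_CAP_YEARS, 2.0 / 3.0 * (c1 + c2 - 1.0 / (1.0 / c1 + 1.0 / c2)))
    else:
        raise ValueError("only single- and two-channel structures are covered")
    m_band = mttfd_band(mttfd)
    if m_band is None:
        return None
    d_band = dc_band(dc_avg([p for ch in channels for p in ch]))
    return PL_TABLE.get((category, d_band), {}).get(m_band)   # None: not foreseen by Table 7


# Constructed operating profile: 220 days, 16 h/day, one demand per operating hour.
PROFILE = dict(dop=220, hop=16, tcycle_s=3600)


def estop_channel() -> List[Subscriber]:
    """One channel of a constructed emergency-stop function (B10d/MTTFd/DC are assumptions)."""
    return [
        Subscriber("E-stop contact", dc=0.90, b10d=100_000, **PROFILE),
        Subscriber("safety relay",   dc=0.99, mttfd_years=150.0),
        Subscriber("contactor",      dc=0.99, b10d=1_300_000, **PROFILE),
    ]


def example() -> Dict[str, Optional[str]]:
    """Two-channel Cat 3 structure: passes with a sufficient CCF score, fails without one."""
    ch = estop_channel()
    return {
        "cat3_ccf_80": performance_level("3", [ch, ch], ccf_score=80),
        "cat3_ccf_50": performance_level("3", [ch, ch], ccf_score=50),
    }


if __name__ == "__main__":
    for part in estop_channel():
        print(f"{part.name:15s} MTTFd = {part.mttfd():8.1f} a")
    print("channel MTTFd =", round(channel_mttfd(estop_channel()), 1), "a")
    print("DCavg         =", round(dc_avg(estop_channel()), 3))
    print(example())
```

The two inputs the cited method combines are visible in the call: the structure enters as the category and the list of channels, the subscriber parameters enter as `Subscriber` objects, and the library problem described above shows up as the hard-coded B10d, MTTFd and DC values that a tool would otherwise have to keep current. The CCF gate is the kind of check worth noticing: with the same subscribers and the same wiring, a CCF score below 65 points leaves the function without any claimable PL.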