The present invention relates to a safety controller and a method for controlling an automated installation, and more particularly to a safety controller and a method providing enhanced diagnosis capabilities.
A safety controller within the meaning of the present invention is an apparatus or an arrangement which receives input signals delivered by sensors and produces output signals therefrom by means of logic combinations and sometimes further signal or data processing steps. The output signals can then be supplied to actuators, which then effect desired actions or reactions in the installation on the basis of the input signals.
A preferred area of application for safety controllers of this kind is in the field of machine safety for monitoring emergency-off pushbuttons, two-hand controllers, guard doors or light grids. Such sensors are used in order to safeguard a machine, for example, which presents a hazard to humans or material goods during operation. When the guard door is opened or when the emergency-off pushbutton is operated, a respective signal is produced which is supplied to the safety controller as an input signal. In response thereto, the safety controller then uses an actuator, for example, to shut down that part of the machine which is presenting the hazard.
In contrast to a “normal” controller, a characteristic of a safety controller is that the safety controller always ensures a safe state of the installation or machine presenting the hazard, even if a malfunction occurs in the safety controller or in a device connected to it. Extremely high demands are therefore put on safety controllers in terms of their own failsafety, which results in considerable complexity for development and manufacture.
Usually, safety controllers require particular approval from competent supervisory authorities, such as by the professional associations or the TÜV in Germany, before they are used. In this case, the safety controller must observe prescribed safety standards as set down, by way of example, in the European Standard EN 954-1 or a comparable standard, such as standard IEC 61508 or standard EN ISO 13849-1. In the following, a safety controller is therefore understood to mean an arrangement or an apparatus which complies at least with safety category 3 of the cited European standard EN 954-1.
A programmable safety controller provides the user with the opportunity to individually define the logic combinations and possibly further signal or data processing steps according to his needs using a piece of software that is typically called the user program. This results in a great deal of flexibility in comparison with earlier solutions, in which the logic combinations were established by defined hardware wiring between various safety components. By way of example, a user program can be written using a commercially available personal computer (PC) and using appropriately set-up software programs.
The user program executed in the safety controller defines the process which runs on the installation controlled by the safety controller. This process is monitored by means of installation diagnosis (also referred to as process diagnosis). The installation diagnosis involves a check to determine which of a plurality of possible installation states of the system to be controlled is present at a defined time. Hence, both admissible and inadmissible installation states are detected. One aim is to detect inadmissible installation states, known as faults, and to display them on a display unit, so that the operating personnel on the system to be controlled can rectify the fault. Usually, such a display unit is integrated in the control console of the system to be controlled.
Overall, the installation diagnosis and the associated display of the detected or determined installation states present a process map on the display unit which comprises both the admissible and the inadmissible installation states.
The installation states detected by means of the installation diagnosis are established, inter alia, by virtue of logic requests, which is why determined inadmissible installation states may be referred to as logical errors in the following. These logic requests involve, by way of example, threshold value or range comparisons being performed for variables detected by means of sensors, i.e. the respective measured value of the detected variable is compared with one or more threshold values.
One example is monitoring the filling level of a container. To this end, the container has associated a filling level sensor. The filling level sensor produces a filling level signal which represents the detected filling level of the container. Usually, the filling level signal is a voltage, the value of the voltage being proportional to the filling level which is present in the container. Depending on whether the further processing takes place in analog or digital fashion, this voltage value itself or a variable derived therefrom is compared with a threshold value. If this comparison determines that the threshold value has been exceeded, this may be interpreted as “container full” and no diagnosis report is created. If, by contrast, the comparison determines that the threshold value has not been reached, this may be interpreted as “container empty”. This is assumed to be an inadmissible installation state, i.e. an error state is present. The display unit is used to display a diagnosis report which represents this inadmissible installation state. Hence, the display unit is used to present a logical error.
There are now two possible situations. In the first situation, the container is actually empty. In this case, the determined installation state, i.e. the determined logical error, is based on reality. The diagnosis report presented on the display unit correctly reproduces reality. The container needs to be filled by the operating personnel, such as maintenance personnel.
However, a second situation is also conceivable, in which the container is actually not empty. In this case, the determined installation state, i.e. the determined logical error, is not based on reality and the diagnosis report presented on the display unit does not correctly reproduce reality. This may be the case, by way of example, when the filling level sensor is faulty, when there is an error in the wiring connecting the filling level sensor to the safety controller, or when there is an error in the safety controller itself. In all these cases, a diagnosis report is displayed which indicates that the container is empty even though the container is full. The display of this diagnosis report is not only misleading; the operating personnel are also not provided with any indication of the actual cause that led the installation diagnosis to determine the installation state on which the displayed diagnosis report is based.
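The two situations above, as an added worked example that is not part of the patent text: the plain threshold comparison from the filling-level example is modelled first, and then extended with a signal-plausibility check (an assumption for illustration, not the method claimed by the page) so that a wire break or sensor fault is reported as such rather than as the logical error "container empty". The sensor voltage range, the valid signal band and the threshold are constructed values.

```python
from dataclasses import dataclass
from enum import Enum

# Constructed values, assumed for illustration (not from the page): a 0..10 V
# filling level sensor whose genuine signal always lies within 0.5 V..9.5 V.
# Only a wire break, short circuit or sensor fault can push it outside that band.
V_MIN_VALID = 0.5
V_MAX_VALID = 9.5
V_THRESHOLD_FULL = 6.0   # above this the container counts as "full"


class State(Enum):
    FULL = "container full"                 # admissible state, no report
    EMPTY = "container empty"               # logical error, report to operator
    SENSOR_FAULT = "sensor/wiring fault"    # report that names the real cause


@dataclass
class Report:
    state: State
    message: str


def diagnose_plain(voltage: float) -> Report:
    """Threshold comparison as described in the text: one comparison only,
    so a faulty sensor or broken wire reading 0 V is indistinguishable
    from a genuinely empty container."""
    if voltage > V_THRESHOLD_FULL:
        return Report(State.FULL, "")
    return Report(State.EMPTY, "fill container")


def diagnose_with_plausibility(voltage: float) -> Report:
    """Assumed extension: a signal outside the sensor's valid band cannot be
    a real filling level, so it is reported as a sensor or wiring fault
    instead of as the logical error 'container empty'."""
    if not (V_MIN_VALID <= voltage <= V_MAX_VALID):
        return Report(State.SENSOR_FAULT,
                      f"signal {voltage:.2f} V outside valid band "
                      f"{V_MIN_VALID}..{V_MAX_VALID} V: check sensor and wiring")
    return diagnose_plain(voltage)


if __name__ == "__main__":
    # Constructed readings: genuinely full, genuinely empty, broken wire (0 V).
    for v in (8.2, 2.0, 0.0):
        print(f"{v:4.1f} V  plain: {diagnose_plain(v).state.value:16} "
              f"plausibility: {diagnose_with_plausibility(v).state.value}")
```

With the plain comparison, 2.0 V (empty) and 0.0 V (wire break) both yield "container empty"; only the plausibility check separates the second case into a sensor/wiring fault report.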
The above considerations show that the diagnosis measures used in the known safety controllers and methods are still not optimal.