The invention relates to a method for operation of a safety-oriented control system with a plurality of centralized and/or decentralized stations provided with inputs and/or outputs and exchanging information with each other via a bus line, and to a safety-oriented control system for performance of the method.
A control system for interlinking subsystems in motor vehicles is known from the specialist article by J. U. Pehrs et al., “Das sichere Buskonzept” (The Safe Bus Concept), ELEKTRONIK 17/1991, pp. 96-100. There, safety-relevant information such as braking, steering and engine data is transmitted to a central unit and processed there. The control system is designed as a bus system, each station of the bus having a programmable control unit in the form of a microcomputer with an integrated CAN controller. The task of this microcomputer is to handle bus line faults, meaning short-circuits or breaks in the bus line that impair or prevent communication between the nodes of the network.
The system described is designed exclusively for the recognition of bus faults, i.e. short-circuits or breaks. It gives no indication of how information such as braking, steering and engine data is processed within the microcomputer, or of how data are exchanged between the stations of the bus and the central unit.
EP 0 732 657 A1 describes a method for fault-tolerant communication under hard real-time conditions. The communication takes place in a local network, with a double-bus architecture being used for fault reporting and for tolerating global bus faults. In fault-free operation all process data are transmitted on one of the redundant bus systems and status information on the other. The double-bus architecture does, however, involve greater assembly work and cost.
Also known from the prior art are control systems designed as bus systems. On the one hand, the bus systems are designed as so-called “master/slave systems”, with a centralized station as the “master” and decentralized stations as the “slaves”. In this case, the slaves are connected for example to signal transmitters and/or actuators whose states are transmitted via a bus line to the master. The control linkage of the input signals to corresponding output signals is performed in the centralized master, which in turn has outputs or controls decentralized outputs in order to operate a control-engineering facility.
On the other hand, “multi-master systems” are also known, in which both centralized and decentralized stations are designed as masters. In this case, the control linkage of the input signals to corresponding output signals takes place in the decentralized stations, with one or more masters. It is also possible to assign higher-order coordinating control functions to a centralized master station.
The bus systems described are not, however, safety-oriented systems. For the transmission of safety signals, only buses or bus systems that are fault-tolerant or fault-controlling can be used, e.g. of redundant design. Safety signals are those that serve safety purposes, i.e. the prevention or rapid rectification of states dangerous to personnel or of damage to plant equipment. A redundant bus system meeting the safety requirements comprises, for example, two identical bus systems that both evaluate the safety signals and check the results for identity using a fail-safe comparator. In a bus system of this type, faults are detected by this evaluation. In the event of a fault, i.e. a difference between the evaluated states, a system shutdown takes place, bringing machinery, production plant etc. into a state that poses no risk to personnel or plant parts. The difference must be detected within a fault reaction time of, for example, 20 ms and must lead within that time to an emergency shutdown of the electrical equipment, this emergency shutdown corresponding to a safety-oriented control command.
A completely duplicated bus design requires not only a duplicated two-channel design of the bus modules for the sensors and actuators and two bus masters for system monitoring and fail-safe shutdown, but also the laying of two independent cabling systems.
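The fail-safe comparator of the redundant two-channel design described above, as an added illustration that is not part of the patent or of the cited prior art. The evaluation period, the bit-packed channel values, the latching of a shutdown until reset and the 20 ms limit taken from the text are assumptions of this model; the comparator shuts down on any channel disagreement, on a silent channel, and on an agreed safety demand, and never releases again on its own.

```python
"""Toy fail-safe comparator for a two-channel safety bus (added example, not from the page).
Evaluation period, value encoding and latching behaviour are assumptions for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FAULT_REACTION_MS = 20.0   # example fault reaction time given in the text
SAMPLE_MS = 2.0            # assumed: both channels are evaluated every 2 ms
ALL_OK = 0b11              # assumed: two safety inputs, bit set = input released (OK)


@dataclass
class TwoChannelMonitor:
    """Both channels must agree and must both report 'all OK'; anything else ends in a shutdown."""
    released: bool = True
    shutdown_at_ms: Optional[float] = None
    reason: Optional[str] = None

    def step(self, t_ms: float, a: Optional[int], b: Optional[int]) -> bool:
        """Feed one evaluation of channel A and channel B (None = channel delivered nothing).
        Returns the release state after this sample."""
        if not self.released:
            return False                                   # latched: a later good sample does not undo a shutdown
        if a is None or b is None:
            return self._shutdown(t_ms, "channel failure") # a dead channel is a fault, not 'no change'
        if a != b:
            return self._shutdown(t_ms, "channel discrepancy")
        if a != ALL_OK:
            return self._shutdown(t_ms, "safety demand")   # both channels agree that an input demands a stop
        return True

    def _shutdown(self, t_ms: float, reason: str) -> bool:
        self.released = False
        self.shutdown_at_ms = t_ms
        self.reason = reason
        return False


def run(samples: List[Tuple[Optional[int], Optional[int]]]) -> TwoChannelMonitor:
    """Replay a constructed list of (channel A, channel B) evaluations at SAMPLE_MS spacing."""
    mon = TwoChannelMonitor()
    for i, (a, b) in enumerate(samples):
        mon.step(i * SAMPLE_MS, a, b)
    return mon


def reaction_within_limit(mon: TwoChannelMonitor, fault_onset_ms: float) -> bool:
    """Check the requirement from the text: detection plus shutdown within FAULT_REACTION_MS."""
    return mon.shutdown_at_ms is not None and mon.shutdown_at_ms - fault_onset_ms <= FAULT_REACTION_MS


if __name__ == "__main__":
    # Constructed sample streams: fault-free, then channel B diverges at sample 4 (8 ms).
    good = run([(ALL_OK, ALL_OK)] * 8)
    faulty = run([(ALL_OK, ALL_OK)] * 4 + [(ALL_OK, 0b01)] + [(ALL_OK, ALL_OK)] * 3)
    print("fault-free stream released:", good.released)
    print("faulty stream:", faulty.reason, "at", faulty.shutdown_at_ms, "ms",
          "within limit:", reaction_within_limit(faulty, 8.0))
```

The point of the latch is that a transient discrepancy must not clear itself: once the comparator has seen the two channels disagree it cannot know which one is right, so the only safe reaction is to hold the shutdown until an explicit reset.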
The signal processing in safety circuits as a rule comprises the functions “signal transmission”, “signal linking/signal evaluation” and “processing to a control command”.
The functions “signal linking/signal evaluation” and “processing to a control command” of a safety circuit are traditionally of centralized design here. For example, the signal linking/signal evaluation and the processing to a control command for emergency-off command devices, locking devices for movable protective equipment etc. is performed centrally in one or—for larger machines, production systems or in complex facilities—several switchgear cabinets.
Here all input signals of the safety circuit are first transmitted, linked and processed into control commands, regardless of the type of transmission; these control commands then have to be distributed back to the decentralized stations in order, for example, to shut down a drive unit that powers a dangerous movement.
On that basis, the problem underlying the present invention is to develop a safety-oriented control system such that the reaction times of the control system to fault signals and input signals are shortened.
The problem is solved in accordance with the invention in that a message content in the form of logic links between the inputs and outputs of the respective station is filed in at least one decentralized and/or at least one centralized station, in that this filed message content is compared with the message content of a data block transmitted via the bus line, and in that an action is activated when a predetermined pattern is obtained between the message content of the data block and the filed message content.
In processes in which a CPU such as a microcomputer is involved, the interplay of computing power and program size is decisive for the reaction speed of the overall system. If, for example, the state of an input of a station is polled, the next poll is made only in the next run of the program, so that each input in the system is polled once per cycle of a program run. In safety-oriented systems, logic linkages are generally assigned to certain inputs and in turn act on outputs that trigger a safety shutdown. The reaction time of the system is the time from actuation of a switching element, which leads to an input state change, to the switching of the respective output.
To minimize the reaction time in the event of a demand, it is necessary that the outputs within a bus system initiate an independent shutdown without a higher-order control system having to initiate it. The outputs react directly and independently to safety-relevant state changes effected on the bus by input state changes. The direct reaction of the outputs is preferably to state changes that would lead to the shutdown of the releases.
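The decentralized reaction described in the preceding paragraphs, as an added working model that is not part of the patent: each output station files its logic links as (watched station, input mask, predetermined pattern, local output), compares every data block received from the bus against them, and shuts its own output down on a match without any master in the loop. The data block format, the bit convention, the station and output names, the fail-safe handling of a missing block and the timing figures used to contrast the two architectures are assumptions of this model; only the principle (filed links, comparison, direct local action) comes from the text.

```python
"""Toy model (added example, not from the patent) of bus stations that file logic links
between inputs and outputs and shut their outputs down directly on matching data blocks.
Message format, bit conventions, names and timings are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class DataBlock:
    """One message on the bus: sending station and its bit-packed input states.
    Assumed convention: bit set = input released (OK), bit clear = input demands a stop."""
    source: str
    inputs: int


@dataclass(frozen=True)
class LogicLink:
    """A filed logic link: which inputs of which station act on which local output."""
    source: str   # station whose inputs are watched
    mask: int     # input bits this link monitors
    pattern: int  # predetermined (masked) pattern that activates the action
    output: str   # local output shut down when the pattern is obtained


@dataclass
class Station:
    name: str
    links: List[LogicLink]
    outputs: Dict[str, bool] = field(default_factory=dict)   # True = released, False = shut down

    def __post_init__(self) -> None:
        for link in self.links:
            self.outputs.setdefault(link.output, True)

    def receive(self, block: DataBlock) -> List[str]:
        """Compare the block's message content with the filed links; return outputs shut down."""
        shut_down: List[str] = []
        for link in self.links:
            if link.source != block.source:
                continue
            if (block.inputs & link.mask) == link.pattern and self.outputs[link.output]:
                self.outputs[link.output] = False            # direct, local shutdown; no master involved
                shut_down.append(link.output)
        return shut_down

    def fail_safe(self) -> List[str]:
        """Assumed behaviour when an expected block never arrives: no release may stay standing."""
        shut_down = [o for o, released in self.outputs.items() if released]
        for o in shut_down:
            self.outputs[o] = False
        return shut_down


# Assumed timing model used only to contrast the two architectures.
BUS_LATENCY_MS = 1.0   # time for one data block to reach every station
CYCLE_MS = 8.0         # program-run (scan) time of a central master


def worst_case_centralized_ms() -> float:
    """Block reaches the master, waits up to one cycle to be polled, is linked in the next
    cycle, and the resulting command travels back over the bus to the output station."""
    return BUS_LATENCY_MS + CYCLE_MS + CYCLE_MS + BUS_LATENCY_MS


def worst_case_decentralized_ms() -> float:
    """The output station evaluates the block on receipt; there is no second bus trip."""
    return BUS_LATENCY_MS


def demo() -> dict:
    E_STOP, GUARD = 0b01, 0b10                                   # two safety inputs of station "in1"
    drive = Station("out1", [
        LogicLink("in1", E_STOP, 0, "drive_release"),            # e-stop pressed -> shut down the drive
        LogicLink("in1", GUARD, 0, "drive_release"),             # guard opened  -> shut down the drive
        LogicLink("in1", GUARD, 0, "conveyor_release"),          # guard opened  -> conveyor as well
    ])
    ok = drive.receive(DataBlock("in1", E_STOP | GUARD))         # constructed: both inputs released
    guard_open = drive.receive(DataBlock("in1", E_STOP))         # constructed: guard bit cleared
    return {"ok": ok, "guard_open": guard_open, "outputs": dict(drive.outputs),
            "central_ms": worst_case_centralized_ms(), "decentral_ms": worst_case_decentralized_ms()}


if __name__ == "__main__":
    print(demo())
```

Two design points worth keeping in mind when reading the model: the comparison is a masked equality, so a link only reacts to the inputs it has filed and ignores unrelated bits of the same block; and a station that expects a data block but does not receive one cannot tell a quiet bus from a broken one, so it should drop its releases rather than keep them, which is what the assumed `fail_safe` method does.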