The present invention relates to a method for operating a safety control on an automation network comprising a master subscriber implementing the safety control as well as to an automation network comprising a master subscriber implementing a safety control.
Modern concepts of industrial automation, e.g. controlling and monitoring technical processes by means of software, are based on the idea of a central control with a distributed sensor/actuator layer. The subscribers communicate with one another and with superordinate systems via industrial local networks, in the following also referred to as automation networks. The control function is based on two basic ideas, namely geographically distributing and hierarchically subdividing the control functions. In this context, the functional hierarchy essentially divides the automation task into a control layer and a sensor/actuator layer. The industrial local networks are usually configured as what is known as master-slave communication networks, in which the master subscriber represents the control layer and the slave subscribers represent the sensor/actuator layer.
Safety is an essential requirement in industrial automation. When carrying out automation tasks, it has to be ensured that the master-slave communication network, upon failure or if other errors occur, will not pose any danger to humans or the environment. For this reason, automation networks usually operate according to what is known as the fail-safe principle, according to which the automation network is transferred into a safe state upon failure of a safety-relevant subscriber.
Within the framework of industrial automation, the exchange or new installation of a safety-relevant subscriber in the automation network is a safety-related issue, and measures have to be provided which reliably avoid errors during these procedures. When exchanging and/or newly installing a safety-relevant subscriber in the automation system, it is usually necessary to load the facility-specific safe configuration of the subscriber, in the following also referred to as the safety control, into the exchanged and/or newly installed safety-relevant subscriber.
The facility-specific safe configuration is usually stored as a back-up on a further subscriber in the industrial local network. In general, service personnel are able to download the safety control from a back-up memory to the safety-relevant subscriber only if they have a special authorization. Instead of downloading via the automation network, it is also possible to directly connect the back-up memory to the safety-relevant subscriber in order to transfer the facility-specific safe configuration. Basically, however, the installation of the safety control always holds the danger that a member of the service personnel inadvertently downloads the wrong configuration. For this reason, a lot of organizational time and effort is necessary in order to ensure sufficient safety during the exchange and/or the new installation of the safety-relevant subscriber.
In order to guarantee a reliable loading of the safety control to the safety-relevant subscriber in an automatic manner instead of calling upon service personnel, back-up systems are used in which the facility-specific safety-relevant configuration is stored in a stationary back-up memory which is e.g. arranged in the connecting plug of the safety-relevant subscriber. It is then possible to automatically upload the facility-specific safe configuration to the safety-relevant subscriber as long as the stationary back-up memory is intact and has e.g. not been damaged during the failure of the safety-relevant subscriber. In such automatic back-up systems, however, a large amount of hardware is involved, since each of the safety-relevant subscribers requires a self-contained stationary back-up memory associated with it.
The problem of incorrectly downloading a facility-specific safe configuration to a safety-relevant subscriber in the automation network, both during the exchange of the safety-relevant subscriber and during its first installation, occurs in particular if a plurality of automation networks are coupled to one another. In that case, differing safety controls operate on the individual industrial local networks, and thus differing facility-specific safe configurations have to be downloaded to the safety-relevant subscribers of the individual industrial local networks. In this context, it is necessary that a reliable allocation of the different safety controls to the individual industrial local networks is carried out.
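The following is an added illustration, not part of the patent text and not the patent's own method, of the failure mode described above: a back-up memory holding the safe configuration of one industrial local network is offered to a replaced safety-relevant subscriber of another, coupled network. The model binds each back-up to an assumed network identifier and subscriber address and protects its payload with a digest, so the subscriber refuses the load and remains in its fail-safe state unless all three agree. Network names, addresses and the configuration contents are constructed sample values.

```python
"""Constructed model of loading a facility-specific safe configuration
(safety control) into a replaced safety-relevant subscriber.
Added example; the checks and identifiers are assumptions, not the patent's method."""
import hashlib
import json


def config_digest(payload: dict) -> str:
    # Canonical JSON so the digest does not depend on key order.
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


def make_backup(network_id: str, subscriber_addr: int, payload: dict) -> dict:
    """Back-up record as it would sit in a back-up memory: the safe
    configuration plus the network and subscriber it belongs to."""
    return {
        "network_id": network_id,
        "subscriber_addr": subscriber_addr,
        "payload": payload,
        "digest": config_digest(payload),
    }


class SafetySubscriber:
    """A safety-relevant slave subscriber; starts (and stays on any error)
    in the fail-safe state, i.e. with no safety control loaded."""

    def __init__(self, network_id: str, addr: int):
        self.network_id = network_id
        self.addr = addr
        self.config = None
        self.state = "fail_safe"

    def load_safety_control(self, backup: dict) -> tuple:
        """Return (accepted, reason). The configuration is taken over only
        if it was created for this network, this subscriber address, and
        its payload is unchanged since the back-up was written."""
        if backup.get("network_id") != self.network_id:
            return False, "configuration belongs to network %r" % backup.get("network_id")
        if backup.get("subscriber_addr") != self.addr:
            return False, "configuration belongs to subscriber %r" % backup.get("subscriber_addr")
        if config_digest(backup.get("payload", {})) != backup.get("digest"):
            return False, "back-up memory content is damaged"
        self.config = backup["payload"]
        self.state = "running"
        return True, "safety control loaded"


def scenario() -> dict:
    """Two coupled networks with differing safety controls; the subscriber
    of network B is exchanged and three back-ups are offered to it."""
    cfg_a = {"estop_inputs": [1, 2], "safe_speed_rpm": 120}     # constructed
    cfg_b = {"estop_inputs": [1], "safe_speed_rpm": 60}          # constructed
    backup_a = make_backup("net-A", 5, cfg_a)
    backup_b = make_backup("net-B", 5, cfg_b)

    # A damaged copy of the correct back-up (e.g. memory corrupted on failure).
    damaged_b = dict(backup_b, payload=dict(cfg_b, safe_speed_rpm=600))

    new_unit = SafetySubscriber("net-B", 5)
    results = {}
    results["wrong_network"] = new_unit.load_safety_control(backup_a)[0]
    results["state_after_wrong"] = new_unit.state
    results["damaged"] = new_unit.load_safety_control(damaged_b)[0]
    results["correct"] = new_unit.load_safety_control(backup_b)[0]
    results["state_after_correct"] = new_unit.state
    results["loaded_speed"] = new_unit.config["safe_speed_rpm"]
    return results


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, "->", value)
```

The digest guards only against accidental damage of the back-up memory; it does not by itself decide which safety control belongs to which coupled network, which is exactly the allocation the text identifies as necessary and which the network and subscriber identifiers in the record stand in for here.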