The present invention relates to a method for programming a safety controller and to a safety controller, which has a plurality of inputs for receiving sensor signals, a plurality of outputs for outputting actuator signals, and at least one processor for executing program code.
A typical example of a safety controller is available from Pilz GmbH & Co. KG, Felix-Wankel-Strasse 2, 72760 Ostfildern, Germany, under the brand name “Automation System PSS 4000”. It is described in a company brochure titled “Automation System PSS 4000—Building Block System” from 2015.
Another example of a safety controller is disclosed by DE 10 2009 019 096 A1. This known safety controller comprises a plurality of hardware and software components, from which a user is able to put together an automation system according to the user's individual requirements. Depending on the size of the application, the system may comprise a plurality of control units which are connected to one another via a communication network, each control unit controlling sub-processes within a complex installation.
However, the invention is not limited to a complex system having a plurality of networked control units and may likewise be used for programming a “small” safety controller, which has a compact design and controls a few safety functions in an automatically operated machine or installation. Moreover, the invention is not limited to a “pure” safety controller either. Rather, it can also be used in control systems which control both safety-related processes (so-called FS or failsafe processes) and non-safety-related processes (so-called standard processes). A non-safety-related standard process typically relates to normal operation of an automated installation. Failures in the control system of this process may be problematic for economic reasons and should therefore be avoided if possible. However, they do not pose a risk to the health or the life of an operator or other persons in the vicinity of the installation. In contrast, safety-related control functions are primarily used to manage the hazards originating from an automated installation. For this reason, particular demands are made on the control system of safety-related processes in automation technology with respect to preventing and managing failures. Safety-related control systems and control components require a higher level of development effort and typically require special approvals, in particular according to the standards EN ISO 13849, EN/IEC 61508, EN IEC 62061, and others.
The PSS 4000 automation system is a safety controller that fulfils the requirements of the aforementioned standards, since it contains numerous components which have the required approvals for controlling safety-critical processes. In particular, numerous components meet the requirements of SIL 2 or higher according to EN/IEC 61508 and/or of PL d or higher according to EN ISO 13849. In addition, however, the automation system PSS 4000 is also designed to control standard processes of a complex installation. Programming of the known safety controller may therefore be very complex and comprehensive in individual cases, if a large number of safety-related and non-safety-related processes must be controlled within a complex installation.
It is typical for such systems that the so-called user program, which defines the logical dependencies between the sensor signals and actuator signals within the installation, is created in multiple parts or modules, wherein the user generally uses a higher-level programming language which is based on international standard IEC 61131. The individual program portions are subsequently compiled, i.e., translated into a machine-readable code, and linked together. The resulting program code is then downloaded into all control units which are to execute the relevant program code.
The creation of a complex user program is often not possible in a single step. Generally, after commissioning the safety controller, there is a need for modifications and/or additions, since all interdependencies may only become apparent once the installation is running. In the known safety controller, the user may modify one or multiple parts of the user program in the higher-level programming language. Subsequently, the modified user program must be recompiled, and the compiled parts must be relinked, in order to obtain machine-readable program code with the relevant modifications. The modified program code is then reloaded into the safety controller and overwrites the previous (original) program code. In the known safety controller, making a modification thus requires stopping the control process in order to enable downloading the modified program code. Subsequently, the installation must be restarted, which may be time-consuming, in particular in the case of complex installations.
In an earlier control system from Pilz GmbH & Co. KG, which was provided under the brand name PSS 3000, it was possible to transfer standard components to the memory of the control system even while the machine was running. This facilitates a later modification of a user program. However, this update option was strictly limited to program portions related to non-safety-related standard processes. The practical use of this function was therefore limited.