The present invention relates to a method of programming a failsafe control system, and in particular to a method of programming a failsafe control system comprising the steps of:                defining logical interconnections between input signals of the failsafe control system and        assigning interconnection products to output signals of the failsafe control system,        
with the definition of the interconnections and the assignment taking place on the basis of predefined function-specific program modules, which are selected from a set of such program modules.
The invention furthermore relates to a device for programming a failsafe control system, and in particular a device having a first part for selecting and parameterizing predefined function-specific program modules, by means of which logical interconnections can be defined between input signals of the failsafe control system and interconnection products can be assigned to output signals of the failsafe control system.
For the purposes of the present invention, a failsafe control system is a unit or a device which picks up the input signals supplied by sensors and generates output signals there from by logical interconnections and, under some circumstances, some further signal- or data-processing steps. The output signals can then be fed to actuators, which specifically effect actions or reactions in the surroundings in response to the input signals. A preferred field of application for such failsafe control systems is in the area of machine safety, and in particular the monitoring of emergency-off buttons, two-hand controls, protective doors or light curtains. Such sensors are used for example to make safe a machine which, when operated, gives rise to a risk to people or property. When the protective door is opened or when the emergency-off button is actuated, a respective signal is generated and fed to the failsafe control system as an input signal. In response to this, the failsafe control system then shuts down the dangerous part of the machine by means of an actuator for example.
In contrast to a “normal” control system, it is characteristic of a failsafe control system that, even when a malfunction occurs in it or in a device connected to it, the failsafe control system must always ensure a safe state of the dangerous installation or machine. Therefore, failsafe control systems have to meet extremely high requirements in terms of intrinsic failsafety, which has the consequence of considerable expenditure on development and production. Failsafe control systems generally require special authorization from responsible supervisory authorities before they are used, such as for example in Germany from the employers' liability insurance associations or what is known the TÜV (technical inspection and testing organization). The failsafe control system must in this case conform to predetermined safety standards, which are laid down for example in European Standard EN 954-1. Therefore, a failsafe control system is understood hereafter as meaning a device which conforms at least to safety category 3 of said European standard or an equivalent standard.
A programmable failsafe control system offers the user the possibility of individually defining logical interconnections, and if appropriate further signal- or data-processing steps, according to his needs with the aid of software, known as the user program. This results in great flexibility compared to earlier solutions, in which the logical interconnections were produced by defined wiring between various safety modules. One problem in the programming of a failsafe control system is, however, that the user program to be created is itself a safety-critical element, since an error in the user program can cause an uncontrolled situation and consequently a dangerous state in the case of the monitored machine or installation. Additionally, for monitoring of a large machine installation with many safety devices, the user program can become very complex and confusing, which makes it considerably more difficult to ensure the required failsafety. In this case, serious errors in the user program may be caused not only by human error in the programming but also by programming aids which are not failsafe. If, for example, the user program for the failsafe control system is created by means of a non-failsafe, commercially available personal computer (PC), memory errors of the PC could lead unnoticed to serious falsification of the user program.
In WO 98/44399, a method is disclosed according to which a commercially available PC can be used to program a safety-oriented control system, i.e. a failsafe control system. For this purpose, function-specific program modules in the form of what are known as software macros are stored in the failsafe control system. To create the user program, the user generates program-module function calls with the aid of the PC, which function calls are subsequently transferred to the failsafe control system. With the aid of the program-module function calls, the required program modules in the failsafe control system are called up and linked to form the actual user program. The programming device, i.e. the PC, merely serves for the purpose of selecting and linking the required program modules. The program modules themselves cannot be changed, and consequently the PC cannot exert any influence on them.
The known method simplifies the programming of a failsafe control system. Moreover, a certain safety is additionally achieved by the fact that the program-module function calls transferred to the failsafe control system have to be read back into the programming device and reconfirmed there by the user. However, the known method is not yet optimal with regard to failsafety in the creation of a user program.