The invention concerns a control and data transmission installation as set forth in the classifying portion of claim 1 and a process for the transmission of safety-related data in such an installation as set forth in claim 11.
For a number of years the automation field has increasingly frequently seen the use of field bus systems to which input/output devices and a higher-order control device are connected. The cabling expenditure can be considerably reduced with such field bus systems as it is possible to save on copper lines. So that the field bus systems do justice to the necessary requirements in terms of safety procedures, certain safety functions, such as for example a stop function or an emergency off function, by which the field bus system can be put into a safe condition, must be implemented. In the previously known field bus systems the transmission of the control signals required for that purpose is respectively effected by way of parallel individual lines, that is to say not by way of the field bus itself. Other known approaches involve designing all those devices which are to perform safety functions in a suitably redundant mode. The known technologies suffer from the disadvantage that either a high level of redundant components is required, or individual parallel lines are needed for the transmission of the additional control signals.
The object of the present invention is therefore that of so improving the above-indicated control and data transmission installation with a serial field bus, that the above-specified disadvantages are avoided and the flexibility of the installation can be increased, insofar as safety-related units which are independent of manufacturer can be integrated in the installation in a simple fashion.
The invention attains that object on the one hand by means of the features of claim 1.
The core notion of the invention is that of providing a field bus system with safety functions which for example comply with category 3 or 4 respectively of the European Standard EN 954-1 (status 1996) and the classes of service requirements 4 and 6 respectively in accordance with DIN V 19250 (status May 1994).
For that purpose there is provided a control and data transmission installation have a serial field bus to which a master control device and a plurality of bus parties or subscribers, that is to say for example input/output devices, are connected. A respective safety-related device for the implementation of predetermined safety functions is arranged both in the master control device and also in the bus subscribers. The term safety-related device is used to denote a device which, substantially in response to status information in respect of the installation, performs predetermined safety functions which make it possible for the entire installation, predetermined units or portions of the installation to reach a safe condition. Safety functions include for example a stop function which can put the entire installation or given parts thereof into a safe condition, as rapidly as necessary. The emergency off function is also a safety function, with which the entire system can be put into a safe condition. Further safety functions involve for example the locking of doors, unintentional re-starting in the fault condition of the installation or a predetermined region, and other functions as defined for example in the European Standard EN 954-1. Unlike the state of the art wherein either redundant components are implemented for steps relating to safety procedures, or parallel lines are required for the transmission of the necessary control signals, the safety-related devices in accordance with the invention are implemented without redundancy in the master control device and in the bus subscribers and are capable of communicating with each other by way of the field bus itself.
Each bus subscriber is connected to the field bus by way of a bus connecting device. The bus connecting device can have an ASIC-component in which the data transmission protocol is implemented. The data transmission protocol can be for example the interbus protocol if an interbus is used as the field bus. The bus connecting device serves to transmit by way of the field field, the safety-related data which are to be exchanged between the safety-related devices, in the useful data fields of predetermined data frames. If an interbus protocol is used, the data frame is a sum frame in which the useful data of all connected bus subscribers are contained. Throughout the description and the claims the expression safety-related data is used to denote data which represent the safety condition of the respective bus subscriber or also the master safety device. The safety conditions of a bus subscriber are detected by monitoring devices, in particular sensors, which are associated with the units to be safeguarded which are connected to the respective bus subscriber. For example a sensor detects the speed of rotation of a machine. In that case the safety-related data indicate whether the speed of rotation of the machine is in the tolerance range or has exceeded a critical speed. It is possible that the master control device and the bus subscribers embed the safety-related data to be transmitted into the useful data fields of the respective bus subscriber so that the useful data intended for the master control device and the safety-related data of the bus subscriber can be transmitted in the same bus cycle. In addition it is also possible to envisage the safety-related data of a bus subscriber being transmitted in the useful data field during a separate bus cycle.
In a preferred development the safety-related device of each bus subscriber and/or of the master control device has at least one input which is connected to the monitoring device, for example a sensor. The design configuration of the safety-related device is such that it negates the output signal of the monitoring device and produces from the output signal and/or the negated output signal thereof an item of check information which together represent the items of safety-related information of the respective bus subscriber, which are to be transmitted. In that way the degree of installation safety can be further increased as, in the event of defective transmission of the safety-related data, the correct information can be obtained either from the negated data or from the check sum. This procedure makes it possible to achieve a bit error probability of 1013.
In per se known manner each bus subscriber and/or the master control device has at least one output which is connected to a device to be safeguarded. As already mentioned, the devices to be safeguarded may be robots, machines and the like.
In accordance with an advantageous development each output is connected by way of a switch to the bus connecting device and directly to the safety-related device of the respective bus subscriber and/or the master control device. The safety-related device opens or closes the switch in dependence on the output signal of the monitoring device associated with a device to be safeguarded. In other words, the device to be safeguarded is put into a safe condition, that is to say it is disconnected from the installation if a fault has occurred. It should already be mentioned at this point that the safety function which is to be performed as a consequence of a detected fault is effected either by the output signal of the respective monitoring device or it is triggered by suitable safety-related data which are produced by the master control device and which are transmitted to the safety-related device of the respective bus subscriber.
In accordance with an advantageous development associated with the master control device is a higher-order control unit which can trigger one or more predetermined safety functions in dependence on the safety-related data of the bus subscribers. Thus for example, depending on the nature of the fault ascertained in a bus subscriber, either the devices to be safeguarded, which are connected to that bus subscriber, on their own, predetermined regions of the installation, or even the entire installation, can be switched off.
So that the master control device can read the safety-related data of the bus subscribers out of the data frame, it has a receiving device, an evaluation device for evaluation of the received safety-related data, and a device which, in response to the evaluated data, produces new safety-related data which are intended for the respective bus subscriber and which correspond to a predetermined safety function. In addition the design configuration of the receiving device is such that it can receive the safety-related data, the negated data thereof, and the items of check information, which are formed therefrom, in respect of the respective bus subscriber, and that the data-producing device can produce new safety-related data, the negated data thereof, and a new item of check information formed therefrom, and can transmit same in the useful data field of a data frame to the respective bus subscriber.