1. Field of the Invention
The invention relates to a method and an apparatus for controlling safety functions as part of a system controller which is not oriented to safety functions, for use in automation systems.
2. Description of the Related Art
An essential demand on an automation computer for controlling machines is safety and reliability. In particular, there must be the assurance that, even if it fails, the automation system presents no risk to humans or the environment. Automation systems therefore normally operate on the basis of what is known as the failsafe principle, according to which the automation system changes to a safe state in the event of important components failing. The task of the automation computer when executing safety-related control functions on the basis of the failsafe principle is to process the process signals used for executing the control functions in a current and uncorrupted form and to present a safe process state to the actuators of the automation system at all times.
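The failsafe principle described above can be made concrete with a small evaluator: an actuator is only allowed to stay in its operating state while the process signal driving it is fresh and uncorrupted, and any failure of those checks (missing signal, stale timestamp, integrity mismatch, out-of-range value) forces the safe state. The following is an added illustration, not code from the patent; the signal layout, the CRC32 integrity field, the 100 ms freshness window and the `evaluate_failsafe`/`actuator_command` names are all assumptions made for the example.

```python
import zlib
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    """Controller output state: RUN keeps the actuator energized, SAFE de-energizes it."""
    RUN = "run"
    SAFE = "safe"


@dataclass(frozen=True)
class ProcessSignal:
    """A hypothetical process signal as delivered to the safety function.

    value:     sampled process value (constructed units, 0..100 is the valid range)
    timestamp: acquisition time in seconds (monotonic clock of the sender)
    crc32:     integrity check computed over value and timestamp at acquisition time
    """
    value: int
    timestamp: float
    crc32: int


def signal_crc(value: int, timestamp: float) -> int:
    """Integrity field over the signal payload (assumed CRC32 for the example)."""
    return zlib.crc32(f"{value}:{timestamp:.3f}".encode())


def evaluate_failsafe(signal, now: float, max_age_s: float = 0.1,
                      value_limit: int = 100) -> State:
    """Apply the failsafe principle: every failed check yields the SAFE state.

    Only a signal that is present, passes its integrity check, is no older than
    max_age_s, is not from the future, and lies within range lets the
    controller remain in RUN.
    """
    if signal is None:                                   # no signal at all
        return State.SAFE
    if signal.crc32 != signal_crc(signal.value, signal.timestamp):
        return State.SAFE                                # corrupted in transit
    age = now - signal.timestamp
    if age < 0 or age > max_age_s:                       # stale or clock-inconsistent
        return State.SAFE
    if not 0 <= signal.value <= value_limit:             # implausible process value
        return State.SAFE
    return State.RUN


def actuator_command(state: State) -> str:
    """Map the controller state to the command presented to the actuator."""
    return "energize" if state is State.RUN else "de-energize"


if __name__ == "__main__":
    # Constructed sample: a valid signal acquired at t=1000.0 s, evaluated 50 ms later.
    good = ProcessSignal(42, 1000.0, signal_crc(42, 1000.0))
    print(actuator_command(evaluate_failsafe(good, now=1000.05)))   # energize
    print(actuator_command(evaluate_failsafe(good, now=1000.50)))   # de-energize (stale)
```

The design choice worth noting is that the function has a single non-safe exit path: nothing short of passing every check produces `RUN`, so an unforeseen failure (a new kind of corruption, a clock jump) degrades to the safe state rather than to continued operation.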
In automation control, however, the number of safety-related control functions is normally much smaller than the number of non-safety-related control functions, which are used for maintaining the regular operation of the automation system. To ensure that the functionalities of safety-related control functions are not influenced by non-safety-related control functions in the automation computer, the safety-related control functions are conventionally combined in a standalone safety program which is isolated from the non-safety-related control functions. To achieve complete isolation of safety-related and non-safety-related functions, the safety programs are normally executed on a standalone automation computer, which is often also connected by dedicated wiring to the emergency off switches, light barriers and other components ensuring machine safety.
To reduce the hardware complexity in automation computers, there are also known controllers for automation systems, such as Siemens' Simatic system, in which a safety program and non-safety-related functions can be implemented on the same hardware components. In this context, the conventional automation computer for executing the non-safety-related functions can be expanded by a safety program. However, expanding the automation computer by means of the safety program is possible only with a precisely stipulated configuration and data processing environment, STEP7-Runtime in the case of the Simatic system.
WO 02/50637 also discloses a method which allows non-safety-relevant control functions to be linked into safety programs using a safe program shell. However, the restriction also applies here that integrating safety programs and non-safety-related control programs on a common automation computer is admissible only in a precisely defined program environment, and may not be done in an arbitrary operating system environment, e.g. the Windows operating system.
In addition, a general demand on safety programs operating on the basis of the failsafe principle is to keep the probability of a program error as low as possible. An objective when developing safety programs is therefore to reduce the complexity of the safety program as much as possible, but this cannot readily be ensured in the case of the conventional closed safety programs, which are intended to be isolated from non-safety-related control functions. This applies particularly when the safety programs are intended to be used in programmable controllers.