1. Field of the Invention
The invention relates to an industrial automation system and, more particularly, to a safety-oriented automation system having automatic address recovery.
2. Description of the Related Art
In a safety-oriented automation system, data are transmitted between at least one safety-oriented central processing unit and field devices such that the temporal and content-related consistency of the data is ensured to protect against corruption. This may involve both protection against endangering people and industrial plant safety. Here, use is made of fail-safe field bus systems which interchange data in a fail-safe manner between correspondingly fail-safe components or can detect errors in a safe manner, such as with a residual error rate of less than 10^-9 per hour or in accordance with the SIL3 specification for the communication part. Standards for such field bus systems are, for example, IEC 61508, IEC 61784-3, EN 954-1 and EN 13849-1. Safety-oriented networked automation systems of this type are typically used in factory automation and process automation, such as automobile manufacturing/machine construction/plant construction, or transport technology, such as in trains/cable cars. In a safety-oriented field bus system, errors in the addressing of the components distributed in the bus system must be detected, in particular, with a high degree of discovery, so that it is possible to react in a safety-oriented manner when an error is present. As components, fail-safe modules and stations, in particular, are interconnected in one or more subnetworks of the field bus system and are controlled by a fail-safe (also called safety-oriented) central processing unit, i.e., a fail-safe programmable logic controller.
Here, the modules represent the interfaces to the operating means of a technical process, i.e., the actuators and sensors that are arranged in a distributed manner. Depending on the type and features of the operating means, the operating means must be assigned one or more modules of different types. Modules with digital or analog inputs, modules with digital or analog outputs, mixed modules with digital and analog inputs and outputs, modules with different numbers of input and output channels or different input and/or output voltage ranges and many more are available, for example. Actuating signals generated by the central processing unit of the automation system are output to the technical process, or measurement signals arising there are read in, i.e., process data are interchanged through the modules. In addition, stations provide a multiplicity of slots for accommodating modules and may comprise an insertion housing. Each station is provided with a station head for connection to the field bus. Each module plugged into a station can thereby interchange data with a fail-safe central processing unit through the field bus.
Furthermore, groups of stations may be interconnected in subnetworks which each form a technological unit with respect to a technical process and are managed by a central processing unit. Here, the central processing unit constitutes a superordinate processing unit, i.e., a fail-safe programmable logic controller that organizes the interchange of data with various subnetworks with the aid of field bus masters. Data are generally interchanged between the central processing unit and the stations or modules in the subnetworks with the aid of a special fail-safe communication protocol, such as PROFIsafe according to IEC 61784-3-3.
A subnetwork can be considered to be part of the overall network as well as a closed address space in which a unique address is allocated to each station and each module for the purpose of interchanging data through the field bus. These addresses are a relevant part of the planning data for the respective subnetwork. They are managed, inter alia, in the fail-safe central processing unit and are referred to as address relationships below. Here, the address relationship of each module is particularly important in a fail-safe automation system. It is understood as meaning the complete address hierarchy that can be used by the central processing unit to reach a module in a particular subnetwork through the field bus for data processing purposes.
Such an address relationship thus comprises at least the exact topological address of a module inside the respective subnetwork and the address of the superordinate central processing unit. Furthermore, an address relationship may also contain an identifier for the respective module type and, if necessary, an additional signature. In order to uncover transfer and storage errors, a signature can be calculated over the address relationship and can be additionally stored in the address relationship. The topological address of a module comprises at least the address of the station which contains the module and the address of the slot for the module in the respective station. In addition, the address relationship may also contain the subnetwork address of the associated station if a number of stations on the field bus are grouped to form different subnetworks. The address relationship of a module is stored both in a permanent memory in the respective module itself and in the central processing unit. The accuracy of the address relationship is checked, during each data transmission operation, by the fail-safe communication protocol that is executed by the central processing unit. In summary, the following exemplary relationships apply:
Module address relationship = module topological address + central processing unit address + (module identifier + signature);
Module topological address = (subnetwork address +) station address + slot address.
The exchange or addition of a module is a particularly critical situation in a safety-oriented automation system. This may impair the integrity of the automation system insofar as the address space may become defective and thus invalid as a result of tinkering with modules, i.e., removal, retrofitting or exchange, for example. Before operation of a technical plant that is controlled by a safety-oriented automation system is resumed, it is therefore necessary to ensure that, in particular, the address relationships of all modules, which are managed in the automation system, are correct or possible errors are at least clearly detected.
These errors must be detected since otherwise the automation system would react to logically incorrectly assigned inputs or outputs when operation of the safety-oriented technical plant is continued. In the extreme case, an operating means which is assumed by the plant operator to have been stopped could be unexpectedly activated. If, for example, a motor on which maintenance work is currently being performed were to be started in this manner, personal injury could not be precluded.
Address displacement, for example, is a particularly critical error in the address relationships of modules. Here, the address relationship of one or more modules is impaired such that the latter incorrectly match the addresses of adjacent modules in a station, which possibly also still have matching module properties. Such an error may have fatal consequences during operation of the associated technical plant. A further critical error is, for example, that the entire addressing mechanism of the automation system, i.e., the proper allocation of addresses by the automation system and the involved components, operates incorrectly. This may result in a module reporting to the automation system under the address of another, incorrect module during operation of the plant without the automation system noticing this mix-up due to the parameters which otherwise match. Errors of the above type may have a systematic or random cause. They may be caused by manual operating errors, such as cabling errors in the field bus or the mixing-up of ports in stations, or by hardware faults, such as random defects in network components, backplane buses or switches.
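The following Python example is added here to illustrate the address relationship defined above (topological address + central processing unit address + module identifier + signature) and the per-transmission check that is meant to uncover the address displacement error just described. It is not code from the patent or from any product; the patent does not specify a signature algorithm, so a SHA-256 digest truncated to 32 bits is assumed, and the fixed-width field layout, the planning data for one station with two identical "DI8" modules and the four scenarios are constructed for the example.

```python
# Added example, not part of the patent text. Models a module address relationship
# and the check a fail-safe central processing unit (CPU) could run on every data
# transmission to detect corrupted or displaced address relationships.
from dataclasses import dataclass, replace
import hashlib


@dataclass(frozen=True)
class TopologicalAddress:
    # Module topological address = (subnetwork address +) station address + slot address
    subnetwork: int
    station: int
    slot: int


@dataclass(frozen=True)
class AddressRelationship:
    # Module address relationship = topological address + CPU address
    #                               + (module identifier + signature)
    topo: TopologicalAddress
    cpu_address: int
    module_identifier: str
    signature: int = 0  # filled in by sign()

    def canonical_bytes(self) -> bytes:
        # Fixed-width encoding so that swapping two fields (e.g. station and slot)
        # yields a different byte string and therefore a different signature.
        t = self.topo
        return (f"{t.subnetwork:04d}/{t.station:04d}/{t.slot:04d}/"
                f"{self.cpu_address:04d}/{self.module_identifier}").encode()


def compute_signature(rel: AddressRelationship) -> int:
    # Assumed algorithm: first 32 bits of SHA-256 over the signed fields.
    return int.from_bytes(hashlib.sha256(rel.canonical_bytes()).digest()[:4], "big")


def sign(rel: AddressRelationship) -> AddressRelationship:
    # Store the signature inside the relationship, as the text describes.
    return replace(rel, signature=compute_signature(rel))


def check_address_relationship(expected: AddressRelationship,
                               reported: AddressRelationship) -> str:
    """Check what a module reports against the CPU's planning data for that slot.

    expected: relationship the CPU holds for the polled slot.
    reported: relationship read back from the module's permanent memory.
    """
    # 1. Transfer/storage error: stored signature must match the recomputed one.
    if reported.signature != compute_signature(reported):
        return "signature_mismatch"
    # 2. Exact match of the whole address hierarchy.
    if reported == expected:
        return "ok"
    # 3. Address displacement: same subnetwork and station, neighbouring slot,
    #    and a module type that would otherwise look plausible to the CPU.
    if (reported.topo.subnetwork == expected.topo.subnetwork
            and reported.topo.station == expected.topo.station
            and reported.topo.slot != expected.topo.slot
            and reported.module_identifier == expected.module_identifier):
        return "address_displacement"
    # 4. Anything else (wrong module type, wrong CPU, wrong station).
    return "address_mismatch"


def run_scenarios() -> dict:
    # Constructed planning data: CPU 7, subnetwork 1, station 3, two DI8 modules.
    cpu = 7
    slot1 = sign(AddressRelationship(TopologicalAddress(1, 3, 1), cpu, "DI8"))
    slot2 = sign(AddressRelationship(TopologicalAddress(1, 3, 2), cpu, "DI8"))

    # Module in slot 2 answers with the (validly signed) relationship of slot 1:
    # the displacement the text warns about, with matching module properties.
    displaced = slot1
    # Stored relationship whose CPU address was corrupted without re-signing.
    corrupted = replace(slot1, cpu_address=8)
    # A signed relationship of a different module type plugged into slot 1.
    wrong_type = sign(AddressRelationship(TopologicalAddress(1, 3, 1), cpu, "DO8"))

    return {
        "correct": check_address_relationship(slot1, slot1),
        "displaced": check_address_relationship(slot2, displaced),
        "corrupted": check_address_relationship(slot1, corrupted),
        "wrong_type": check_address_relationship(slot1, wrong_type),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:10s} -> {verdict}")
```

The signature only catches transfer and storage errors; a displaced module carries a perfectly valid signature, which is why the check compares the whole reported hierarchy against the CPU's planning data for the polled slot before accepting the module.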
Different solutions are known for avoiding problems of the type described above. For example, it is possible to use a field bus which itself has safety technology properties to ensure the consistency of the address relationships, i.e., of stations and modules, and to report errors. In other systems, the address relationship must be manually set or must be manually adapted if a module is exchanged. For this purpose, the address relationship for each station or each module, for example, can be manually set in situ, for example by setting a coding switch or by temporarily setting up a point-to-point data connection between the central processing unit and the respective component. In some systems, a functional test of all operating means is required after a module has been replaced to be able to uncover possible addressing errors. Systems of this type are disadvantageous since either a complicated fail-safe field bus has to be used or manual start-up or maintenance measures by operating personnel are required.