The invention relates to a method for operating a safety control device and a corresponding safety control device.
Safety control devices are usually employed in order to monitor safety-critical areas in industry and to execute a countermeasure in the presence of a safety-critical problem. Safety control devices are typically connected in such a way as to exchange signals on the one hand with indicator devices and on the other hand with actuators. Indicator devices frequently employed for safety control devices include emergency-off buttons, safety door switches, two-hand switches, light barriers and a variety of sensors that provide safety-relevant signals from a monitored machine or machine installation. The safety control device then monitors safety-relevant signals from the indicator devices and evaluates them. Subsequently, depending on the evaluation, it generates control signals for control of the actuators. Typically these are then controlled in such a way that they bring about a safe condition of the installation. This can, for example, be achieved through a fail-safe switching off of the monitored installation. Alternatively or in addition, warning signals can be output to ensure the safety of the installation.
In order to ensure particularly safe operation of the safety control device, it is typically built from redundant components. For example, the safety control device comprises two or more calculation units that perform the same tasks in parallel. In order to improve the safe operational capability further, both the hardware components and the software executed on them may be of diverse design, so that internal, systematic errors can be compensated for. For this purpose it can, for example, be arranged that the calculation units come from different manufacturers and have different architectures. The important point is that it must be possible to compare two or more results from the different calculation units that have been determined in different ways on the basis of identical input data. If these results do not agree, a safety-relevant fault may exist in the safety control device, and a suitable reaction step is executed. For example, a warning signal can be output and/or the installation can be switched off. The transfer of control tasks to a secondary safety control device is also conceivable.
If the safety control device comprises more than two redundant components, a majority decision can be taken when the results are compared. In this way the control task can continue if an internal fault is present in only one component. If only two components are available, it cannot be decided which of the two is faulty, so an automatic countermeasure is taken as a rule. As a result, manual intervention in the installation by a machine operative is usually required.
A precondition for the implementation of redundantly constructed safety control devices is the comparability of the results calculated by the components. In order to ensure this, integer calculations are typically carried out in safety control devices. Integers can be represented exactly in digital data processing, and the memory requirement when integers are used is small. The same applies to the fundamental operations of addition, subtraction, multiplication and integer division, whose results are again integers and are determined by a fixed rule (for integer division, truncation of the quotient) rather than by rounding to a nearest representable value. Integer arithmetic moreover follows the fundamental rules of algebra for addition and multiplication, namely the associative law, the distributive law and the commutative law, provided the word length is not exceeded (fixed-width wrap-around arithmetic still preserves these laws, although the wrapped value is no longer meaningful). For this reason, algorithms that operate exclusively on integers are not sensitive to a reordering of their operations, and are therefore robust: two diverse implementations of the same algorithm deliver bit-identical results.
It is disadvantageous that safety control devices are hitherto limited to integer operations. As a result, the precision of the results is reduced, since input signals can only be represented as integers, and therefore in most cases must be rounded up or down.
To improve the precision of the calculation, the use of floating point numbers is known from general computer technology. A floating point number is an approximate representation of a real number and is distinct from the fixed point number known from computer arithmetic. In a floating point number, a limited number of digits, the mantissa, is stored, with the separator point (radix point) assumed to lie at a fixed position within it. This mantissa is multiplied by a further expression consisting of a base and an exponent. Typically the value of the base is fixed by convention (base 2 in the IEEE 754 binary formats). The exponent implicitly provides the actual location of the separator point. Floating point numbers are used so that both very large and very small numbers can be represented with a small memory requirement: because the exponent moves the separator point, the values are scaled automatically, and calculations across widely differing magnitudes can be carried out without manual rescaling. Using floating point numbers makes it possible to perform significantly more accurate and complex calculations than is possible with integers of the same width. The memory of a calculation unit is exploited optimally in this way, so that the greatest achievable precision for a given word length is ensured.
A special floating point arithmetic is known from numerical mathematics for calculations with floating point numbers. In this floating point arithmetic, the fundamental rules of algebra are only partially applicable: they can be infringed because operands of different magnitude must be aligned at the separator point before an operation, and because the mantissa of a floating point data type has a limited length, so that intermediate results are rounded. The following (simplified) example is given for clarification:
The expression 0.125+4.5−4.0 consists of decimal numbers, and is to be calculated using floating point numbers in a binary system. The expression, and the decimal numbers indicated by it, have a finite representation in the binary system: 0.001+100.1−100.0.
If four significant bits (mantissa bits) are available to represent the binary numbers, all three numbers can be represented exactly. Using brackets, the following calculation is obtained: (0.001+100.1)−100.0. The exact intermediate sum is 100.101, which requires six significant bits and is therefore rounded to 100.1 when stored, so that the result is 100.1−100.0=0.1.
If the brackets are placed elsewhere, however, the following calculation is obtained, with a different result: 0.001+(100.1−100.0)=0.001+0.1=0.101. Here the intermediate result 0.1 is exact, and 0.101 fits into four significant bits, so no rounding occurs at all.
As illustrated, the choice of the brackets leads to different results in the binary system (0.1 = 0.5 and 0.101 = 0.625, of which only the latter is the exact value), whereas the corresponding placement of the brackets in the decimal expression does not have any effect on the result.
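The calculation above, reproduced as an added example (it is not part of the original text): a small Python emulator of a floating point addition with a configurable number of mantissa bits, applied to 0.125+4.5−4.0 in both bracketings, followed by the same effect in ordinary IEEE 754 double precision and a comparison of two diverse summation routines over the same constructed input. The emulator (round-to-nearest-even, unbounded exponent) and the function names are assumptions of this example, not a description of any real device.

```python
# Added example (not part of the original text): the 4-mantissa-bit calculation
# above, reproduced with a tiny floating point emulator, next to the same
# effect in ordinary IEEE 754 doubles. The emulator is a simplified model
# (round-to-nearest-even, unbounded exponent) and is an assumption of this
# example, not a description of any real calculation unit.
import math
from fractions import Fraction


def round_to_mantissa(x: Fraction, bits: int) -> Fraction:
    """Round the exact rational x to the nearest binary floating point value
    with `bits` significant bits (ties to even). The exponent range is
    unbounded, so only mantissa rounding is modelled, which is the effect
    the text discusses."""
    if x == 0:
        return Fraction(0)
    sign = -1 if x < 0 else 1
    scaled = abs(x)
    exp = 0
    lo, hi = Fraction(1 << (bits - 1)), Fraction(1 << bits)
    # Normalise so that the integer part holds exactly `bits` significant bits.
    while scaled >= hi:
        scaled /= 2
        exp += 1
    while scaled < lo:
        scaled *= 2
        exp -= 1
    mantissa = round(scaled)          # Fraction.__round__ rounds half to even
    return sign * Fraction(mantissa) * Fraction(2) ** exp


def fp_add(a: Fraction, b: Fraction, bits: int) -> Fraction:
    """One floating point addition: exact sum, then a single rounding step."""
    return round_to_mantissa(a + b, bits)


def page_example(bits: int = 4):
    """(0.125 + 4.5) - 4.0 versus 0.125 + (4.5 - 4.0) with `bits` mantissa bits.
    Returns (left-bracketed result, right-bracketed result, exact result)."""
    a, b, c = Fraction(1, 8), Fraction(9, 2), Fraction(4)
    left = fp_add(fp_add(a, b, bits), -c, bits)    # 100.101 is rounded to 100.1 first
    right = fp_add(a, fp_add(b, -c, bits), bits)   # 0.1 is exact, then 0.101 fits
    return left, right, a + b - c


def diverse_sum_example():
    """Two diverse summation routines over the same constructed input: a plain
    sequential accumulation (channel A) and a correctly rounded sum via
    math.fsum (channel B). Both are legitimate implementations, yet their
    results are not bit-identical, so a redundant comparison would fail."""
    readings = [0.1] * 10                 # constructed sample input: ten readings of 0.1
    channel_a = 0.0
    for r in readings:
        channel_a += r
    channel_b = math.fsum(readings)
    return channel_a, channel_b, channel_a == channel_b


if __name__ == "__main__":
    print("4-bit emulation (left, right, exact):", page_example())
    print("doubles: (0.1+0.2)+0.3 =", (0.1 + 0.2) + 0.3,
          " 0.1+(0.2+0.3) =", 0.1 + (0.2 + 0.3))
    print("diverse summation (channel A, channel B, equal?):", diverse_sum_example())
```

Run directly, the 4-bit emulation returns 1/2 for the left-bracketed form and 5/8 for the right-bracketed one, which is the exact value; in double precision the two bracketings of 0.1+0.2+0.3 likewise differ in the last bit, and the two summation channels disagree although neither is faulty.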
On top of this is the fact that many decimal values do not have a finite expression as binary values; decimal 0.1, for example, is a recurring binary fraction. Storage in data types of finite size therefore usually requires rounding to a representable value. In addition, operations such as multiplication and division can increase the number of digits required for the exact representation. How often rounding occurs, and the rounding errors that arise in the process, depends largely on the implementation of the algorithm that applies the floating point arithmetic. It follows that when diverse hardware and software components are used for a redundant implementation, comparability of the calculated results cannot be assured: each channel may produce a result that is internally consistent yet differs from the other channel's result, and a discrepancy caused by rounding cannot be distinguished from one caused by a genuine fault. In an automation system using floating point numbers it is therefore possible that control proceeds on the basis of data with potentially unbounded errors. A safe automation system is not possible in this way.
One could contemplate achieving comparability by avoiding diverse hardware or software, or by matching the diverse hardware and software to one another in such a way that precisely equivalent calculation results are reached. Exactly equivalent calculation results from diverse hardware and software can, however, only be expected if operations are performed in precisely the same sequence, with precisely the same precision, and using the same rounding procedures, in particular with respect to the point at which rounding takes place and the direction of rounding. Neither the precision nor the sequence of operations can be reliably determined, since available compilers and calculation units differ from one another significantly in these respects: a compiler may reorder or fuse operations (for example into a fused multiply-add), and a calculation unit may carry intermediate results at an extended precision before rounding them to the stored format. A safety control device of this type would therefore have to be fitted redundantly with identical hardware and software components. This would, however, conflict with the basic idea of safe automation, since it is precisely through diverse hardware and software that very high safety is achieved.
It might also be contemplated to replace floating point numbers by fixed point numbers, so that fixed point arithmetic can be applied. Fixed point arithmetic can, in turn, be implemented using integer arithmetic. However, for the same precision over the same range of values, this leads to a very high memory requirement, which is uneconomical and impractical.
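The fixed point route described above, as an added example that is not part of the original text: fixed point arithmetic implemented on plain integers, evaluated by two redundant channels in different orders (the comparability argument made for integers earlier on this page), plus the word width a fixed point format needs to cover a given range at a given resolution, which is the memory cost the paragraph refers to. The Q16 format, the rounding rule in fx_mul and all function names are assumptions of this example. It also shows a point the text leaves implicit: chains of additions and subtractions stay bit-identical regardless of order, but the rescaling after a fixed point multiplication is itself a rounding step, so the distributive law no longer holds there and every channel must place that step identically.

```python
# Added example (not part of the original text): fixed point arithmetic built
# on plain integers, with two redundant channels evaluating the same
# expression in different orders. The Q16 format and the rounding rule in
# fx_mul are assumptions of this example, not taken from the text.
import math
from fractions import Fraction

FRAC_BITS = 16                  # assumed Q16 format: value = raw / 2**16
ONE = 1 << FRAC_BITS


def to_fixed(x) -> int:
    """Quantise an exact value (Fraction, int, or an exactly representable
    float) to Q16. This is the only rounding step in an add/sub chain."""
    return round(Fraction(x) * ONE)


def from_fixed(raw: int) -> Fraction:
    return Fraction(raw, ONE)


def fx_add(a: int, b: int) -> int:
    return a + b                # exact: Python ints do not overflow


def fx_sub(a: int, b: int) -> int:
    return a - b                # exact as well


def fx_mul(a: int, b: int) -> int:
    """The product carries 2*FRAC_BITS fractional bits; rescaling it back to
    Q16 is a rounding step (round half up here) that every channel must
    perform at the same point of the algorithm."""
    return (a * b + (ONE >> 1)) >> FRAC_BITS


def channel_a(x: int, y: int, z: int) -> int:
    return fx_sub(fx_add(x, y), z)      # (x + y) - z


def channel_b(x: int, y: int, z: int) -> int:
    return fx_add(x, fx_sub(y, z))      # x + (y - z)


def redundant_evaluation(x, y, z):
    """Both channels on the same inputs; returns (value, bit-identical?).
    For 0.125, 4.5, 4.0 this gives exactly 5/8 and True, unlike the
    floating point bracketing example."""
    fx, fy, fz = to_fixed(x), to_fixed(y), to_fixed(z)
    ra, rb = channel_a(fx, fy, fz), channel_b(fx, fy, fz)
    return from_fixed(ra), ra == rb


def distributive_check(x: int, y: int, z: int):
    """x*(y+z) versus x*y + x*z on raw Q16 values. Because fx_mul rounds,
    the two orderings can differ, so diverse channels must not reorder
    multiplications against each other."""
    return fx_mul(x, fx_add(y, z)), fx_add(fx_mul(x, y), fx_mul(x, z))


def fixed_bits_needed(max_abs, resolution) -> int:
    """Signed integer width needed to cover the range -max_abs..+max_abs at a
    step of `resolution` with a single scaling factor. Pass Fractions,
    ints or decimal strings so the ratio is computed exactly."""
    steps = math.ceil(Fraction(max_abs) / Fraction(resolution))
    return steps.bit_length() + 1       # +1 for the sign bit


if __name__ == "__main__":
    print("redundant Q16 evaluation:", redundant_evaluation(0.125, 4.5, 4.0))
    print("x*(y+z) vs x*y+x*z in Q16:", distributive_check(ONE >> 1, 1, 1))
    print("bits for a range of +/-1e6 at 1e-6 resolution:",
          fixed_bits_needed(10**6, "0.000001"))
```

Covering ±10^6 at a resolution of 10^-6 with one scaling factor needs a 41-bit signed integer, whereas a 32-bit IEEE 754 single spans that range in 32 bits by giving up absolute resolution at large magnitudes; that trade-off is exactly the memory argument of the paragraph above. The distributive check with x = 0.5 (raw 32768) and y = z = one Q16 step returns 1 for x*(y+z) but 2 for x*y + x*z.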
In addition, in the approaches described the precision actually achieved by a calculation result remains hidden from the controller, so that once again it would proceed to operate on the basis of data with potentially any degree of error. The primary disadvantage of using floating point arithmetic in safe automation is therefore not overcome.