The field of the invention relates generally to computerized control of machines, and more particularly to preventing instructions for unsafe operations from being issued to machines.
Complex machines, such as those found in a silicon wafer manufacturing plant or other industrial plant, often include multiple components whose operations must be precisely orchestrated to produce a product properly and to prevent unsafe conditions from occurring. Often, not only must the multiple components of a given machine work in concert, interactions between different machines must be coordinated as well. The components can include valves, motors, heaters, fans, and sensors, to name a few. To properly make a product pursuant to certain specifications set by an engineer, raw materials might undergo a multitude of processes as they transition into an intermediate product and finally a finished product. The processes might involve, for example, heating silicon in a crucible, extracting the silicon from the crucible at a specific rate and temperature to form a crystal, and partitioning the crystal into wafers. Other processes might include vapor deposition and etching of a wafer of silicon. In other industrial plants, similarly complex processes are carried out. Rather than relying on human operators to individually control each machine used in processes like those described above, a computerized control server which is communicatively coupled to the components of the various machines monitors the status of each machine and issues instructions to the machine components to generate a product from the raw materials.
The instructions issued by a control server to various components of machines originate from a program or “recipe” written by an engineer. Accordingly, in generating the program, the engineer must consider whether a set of instructions issued by the control server will cause an unsafe condition. Some machines include protective mechanisms which cause the machine to ignore an instruction that will cause damage to the machine. For example, if a machine receives an instruction to increase the temperature of a heating element beyond a temperature that would cause damage to surrounding components of the machine, or if an instruction would cause an overcurrent in an electrical component, the safety mechanism may disregard the instruction. However, such safety mechanisms do not have knowledge of other machines around them. Accordingly, these safety mechanisms are unable to assess whether an instruction issued to one machine, when combined with an instruction issued to another machine, would result in an unsafe condition, even if the instructions, considered independently, would not lead to an unsafe condition. For example, if a first machine is instructed to heat a heating element that is exposed to the environment and the second machine is instructed to release a combustible gas, an unsafe condition may result.
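To make the distinction concrete, the following added example (not code from the patent) models a control server that screens a batch of recipe instructions twice: once against a single machine's own limit, which the machine's protective mechanism could also catch, and once against cross-machine combination rules, which no single machine can see. Machine names, the temperature limit and the heater/gas rule are constructed for illustration.

```python
"""Added example: cross-machine interlock for a control server (constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Instruction:
    machine: str
    component: str
    action: str
    value: float = 0.0


# Per-machine limit of the kind a machine's own protective mechanism enforces.
# Constructed value: heater setpoints above this would damage surrounding parts.
MACHINE_LIMITS = {("furnace_1", "heater"): 1200.0}

# Cross-machine rules: pairs of (machine, component, action) that must not be
# active at the same time, with the reason. Constructed for illustration.
CROSS_MACHINE_RULES = [
    (("furnace_1", "heater", "heat"), ("gas_line_2", "valve", "open"),
     "exposed heater active while combustible gas is released"),
]


def local_violations(instructions):
    """Checks each instruction against its own machine's limit only."""
    out = []
    for ins in instructions:
        limit = MACHINE_LIMITS.get((ins.machine, ins.component))
        if limit is not None and ins.action == "heat" and ins.value > limit:
            out.append(f"{ins.machine}/{ins.component}: {ins.value} exceeds {limit}")
    return out


def cross_machine_violations(instructions, active_state=()):
    """Checks combinations of pending instructions plus actions already
    active on other machines, which a per-machine interlock cannot see."""
    keys = {(i.machine, i.component, i.action) for i in instructions}
    keys |= set(active_state)
    return [why for a, b, why in CROSS_MACHINE_RULES if a in keys and b in keys]


def validate_batch(instructions, active_state=()):
    """Returns (ok, reasons); the server issues the batch only when ok is True."""
    reasons = local_violations(instructions)
    reasons += cross_machine_violations(instructions, active_state)
    return (not reasons, reasons)
```

Each instruction in the heater/gas pair passes on its own; only the combined check, or the check against an action already active elsewhere, rejects it.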