In order to reduce risks to humans or the environment in automated processes, machines, and installations, safety functions have to be implemented, such as the shutdown of a machine when an emergency stop button has been pressed, or the transition of the system into a safe state after an error has been detected. For this purpose, fail-safe automation systems are increasingly being used in automated processes, machines, and installations. Such fail-safe automation systems generally implement, on the one hand, the actual safety function (such as emergency stop, two-hand control, mode selector switch, etc.) and, on the other hand, fault-detecting and fault-controlling measures according to mechanisms defined in standards (IEC 61508, ISO 13849, etc.) corresponding to the state of the art.
In the context of the invention as well as in the description and the claims, the terms “safe/safety” refer to functional safety, unless otherwise stated (to be distinguished from secure/security, which relates to the protection of technical information processing against unauthorized data manipulation or data leakage).
International standard IEC 61508 and the substantially identical European standard EN 61508 describe functionally safe electrical, electronic, and programmable electronic systems, also with regard to their development. The requirements defined therein with respect to the development process of safe systems lead to significantly higher costs and an increased development budget compared to the development of standard systems. Also, the requirements increase with increasing Safety Integrity Level (SIL; SIL1 to SIL4). The term “safety integrity level” (or safety requirement level) defines a specific degree, corresponding to the respective level, for the required or achieved effectiveness of safety functions for risk reduction. If no safety-directed (also referred to as safety-related or safety-relevant) requirements apply, the development is to be carried out in accordance with the normal standards of operational quality management. Beyond that, the safety integrity level SIL1 imposes the lowest requirements. The higher the safety integrity level, the higher the safety requirements.
Functional safety according to standard IEC 61508 includes, for example, the use of various methods for managing errors, such as the avoidance of systematic errors in the development, the monitoring during ongoing operation in order to detect random errors, and/or the safe managing of detected errors and transition to a state that has been predefined as safe. All these measures may be part of specific previously defined safety functions. Generally, it can be stated that two- or multi-channel systems in which each channel alone can trigger a safety function are able to achieve a higher SIL with less technical effort than systems which have only one channel. Here, channel refers to the information flow through a safety chain (also known as safety loop, even if the chain does not or need not form a loop), for example starting with the request of a safety function (e.g. by a sensor, proximity detector, light barrier, or pushbutton), ending with the actuator which initiates the safe state of a machine.
So, if it is ensured by appropriate measures that an electrical, electronic, and/or programmable system, but also a single subsystem module or even a single hardware and/or software component, effectively fulfills a certain safety function, this system or the respective subsystem module is considered as safe or safety-related in the context of the following description and the claims. A system that is adapted to fulfill certain safety functions and which comprises a plurality of subsystem modules, i.e. two or more subsystem modules, each of which in turn is adapted to fulfill safety functions (partial safety functions), is considered as a safety system within the context of the present invention.
Present-day machines and installations employ communication systems (or data transmission systems), such as Ethernet-based networks or fieldbuses to connect distributed I/O devices (input/output devices such as sensors or actuators) and controllers, depending on the size of the installations and the degree of automation. For transmitting safety-relevant data, safety communication protocols (or data transfer protocols, or network protocols) are generally used. Safety communication protocols are nowadays standardized, e.g. in IEC 61784-3, where different safety profiles are described based on principles of safe network communication. All of these network protocols must be able to manage the different error models, e.g. falsification, loss, delay, swap etc. of data and/or telegrams.
The effectiveness of the risk-minimizing technical measures in machines and/or installations must be demonstrated and logged or documented during commissioning of a machine or installation by an overall safety validation. In this case, all safety functions have to be validated for their effectiveness before transitioning into the operating phase of the machine or installation. Although this is still manageable for a complete and non-altered machine or installation, it is becoming increasingly cumbersome and complex in modular machines or installations which are becoming increasingly common.
If, moreover, a plurality of machines and/or installations are used within a system, and furthermore have to implement safety functions cooperatively, they form subsystem modules of the system in the context of the invention, which then forms one or more safety system(s) composed of the plurality of these subsystem modules. In this case, the effectiveness of the risk-minimizing technical measures must be demonstrated by an overall safety validation of the safety system encompassing the involved subsystem modules. To give an example of such a safety system, consider a punching system composed of a feeding machine, a punching machine, and an ejection machine, all three of which have to implement specific safety functions; in addition, the punching system as a whole has to implement certain safety functions as a safety system, that is, in the interaction of the individual subsystem modules (in the example, the feeding machine, punching machine, and ejection machine). Thus, such a safety system in the context of the invention usually comprises a plurality of fail-safe automation systems which are arranged in different subsystem modules within a system, i.e. an overall system, but which interact within the system and form a safety system encompassing the involved subsystem modules.
However, an overall safety validation of the safety system encompassing the involved subsystem modules does not only have to take place during the first commissioning. It also applies to any change in the configuration of a modular safety system, a modular installation, or machine. For each configuration it is necessary to recalculate and document the parameters, perform new error considerations, error calculations, and validation steps in order to prove the safety category (safety level) required for the system or machine, e.g. SIL4, for example when replacing a single module or as a result of aging processes within individual modules. For this purpose, the safety-relevant parameters of the individual modules must be functionally combined according to their interaction. These parameters are typically documented in device specifications and must be up-to-date at the time of the calculation. The relevant safety standards and rules obligate machine manufacturers to specify the safety-relevant parameters, such as failure rates, diagnostic coverage, safe failure fraction, or response times for individual modules. For the calculation of the safety-relevant parameters, offline software tools are used nowadays, such as, e.g., SISTEMA (SIcherheit von STEuerungen an MAschinen; engl.: safety of controls on machines) by the Institute for Occupational Safety of the German Social Accident Insurance (IFA).
Furthermore, the functionality and effectiveness of the technical risk-minimizing measures has to be tested in defined time intervals during operation of the safety system or the safe installation or machine.
However, at least up to now, current safety standards such as, e.g., IEC 61508, EN 13849, and IEC 62061 only partially take account of the modularization of machines, installations, or safety systems, and of dynamic modifications in configuration or adaptive combinations of previously unknown safety modules.
Furthermore, the present time is dominated by cyber-physical systems (CPS), the distribution of intelligences, and the Internet of Things (IoT). Industry 4.0 refers to the advent of Internet technologies in automation technology. The complete networking of smart devices from sensor/actuator to control is a prerequisite for modularization, reuse, and adaptability of machine and installation modules. Production operations can then be further optimized and manufacturing in batch size 1 will be possible, for example. The integration and use of cloud services allows predictive diagnostics, for example. All of these trends and technologies in turn contribute to the increasing complexity of modular installations, machines, and safety systems, and to the increased complexity in the overall safety validation.
It will be understood that this required and increasingly higher complexity for the overall safety validation does not meet the flexibility requirements of manufacturers and operators of modular safety systems, installations, and machines.
In this regard, EP 2 359 201 proposes a method for determining a safety level in an automation network comprising a plurality of safety-relevant subscribers, which comprises the steps of: automatic ascertainment of the data-oriented and flow-oriented links between the subscribers of the automation network by a configuration capture module; automatic ascertainment of the subscriber-specific safety characteristic data by a characteristic data capture module; and computation of the safety level in the automation network using a computation code that connects the ascertained data-oriented and flow-oriented links between the subscribers in the automation network and the ascertained subscriber-specific safety characteristic data. The configuration capture module and the characteristic data capture module are part of a central safety manager that accesses the components involved in a safety function, online, via a network.
In addition, in a previous application DE 10 2015 108 359, the present applicant proposes a method for automatic validation of safety functions on a modular safety system, with a central validation device, also referred to as a safety validator, being connected to the safety system. The method includes, inter alia, the steps of: transferring the local module-specific safety-relevant actual characteristic values from the individual subsystem modules to the validation device; automatically processing the read-out local module-specific safety-relevant actual characteristic values, by this validation device, to obtain overall safety-relevant actual characteristic values resulting from the interaction of the individual subsystem modules; automatically comparing, by the validation device, the resulting overall safety-relevant actual characteristic values with the nominal characteristic values of the system stored in the memory of the validation device; and automatically generating a reaction signal depending on the result of the comparison. Thus, the so-called safety validator checks online the changing safety-related parameters of decentralized partial safety functions during commissioning and ongoing operation, combines these parameters, monitors adherence to preconfigured limits and, if the latter are exceeded, can cause a transition of the system into a safe state.
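The following is an added example, not code from the cited applications, illustrating how a validator of the kind just described combines the module-specific characteristic values of the punching system (feeding, punching, ejection machine) into overall values, derives the achieved safety integrity level from the IEC 61508 PFH bands, and compares the result against stored nominal limits. The module values, the series combination rule (PFH contributions and reaction times add), and the nominal limits are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Module characteristics as they would be read out from the subsystem modules.
# Values are constructed for illustration, not taken from any real device.
@dataclass(frozen=True)
class ModuleCharacteristics:
    name: str
    pfh: float          # probability of dangerous failure per hour
    response_ms: float  # worst-case reaction time contribution in milliseconds

# IEC 61508 PFH bands for high-demand / continuous mode, tightest band first;
# a value lies in a band if it is below the band's upper bound.
SIL_PFH_UPPER_BOUNDS = [(4, 1e-8), (3, 1e-7), (2, 1e-6), (1, 1e-5)]

def sil_from_pfh(pfh: float) -> int:
    """Highest SIL whose PFH band contains the value, 0 if none applies."""
    for sil, upper in SIL_PFH_UPPER_BOUNDS:
        if pfh < upper:
            return sil
    return 0

def combine_chain(modules):
    """Series safety chain: PFH contributions add, as do reaction times
    (assumed combination rule for this example)."""
    return sum(m.pfh for m in modules), sum(m.response_ms for m in modules)

def validate(modules, required_sil: int, max_response_ms: float) -> dict:
    """Compare the overall actual values with the stored nominal limits and
    derive the validator's reaction signal."""
    pfh, response_ms = combine_chain(modules)
    achieved_sil = sil_from_pfh(pfh)
    ok = achieved_sil >= required_sil and response_ms <= max_response_ms
    return {"pfh": pfh, "response_ms": response_ms, "achieved_sil": achieved_sil,
            "reaction": "continue" if ok else "safe_state"}

# Constructed actual values read out during commissioning ...
COMMISSIONING = [ModuleCharacteristics("feeding", 2e-8, 20.0),
                 ModuleCharacteristics("punching", 3e-8, 15.0),
                 ModuleCharacteristics("ejection", 2e-8, 25.0)]
# ... and later in operation, after the punching machine's failure rate has
# degraded (e.g. through aging). The nominal requirement is SIL3 within 100 ms.
AGED = [COMMISSIONING[0], ModuleCharacteristics("punching", 8e-8, 15.0), COMMISSIONING[2]]

if __name__ == "__main__":
    print(validate(COMMISSIONING, 3, 100.0))
    print(validate(AGED, 3, 100.0))
```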
Furthermore, in a previous application DE 10 2015 103 740, the present applicant proposes a method for processing and transmitting data within a functionally safe electrical, electronic, or programmable electronic system which is composed of at least two subsystems, each of which complies with a specific safety level. The method comprises the steps of: processing data using the safe hardware and/or software component of a first one of the subsystems to obtain functionally safe data of a first safety level, and adding to these data at least one indication attribute indicating the suitability of these data for use at this first safety level; transmitting these data including the added indication attribute to a second one of these subsystems; checking the received indication attribute by the second subsystem using its safe hardware and/or software component to determine whether the safety level indicated by said indication attribute is equal to or different from the safety level the second subsystem complies with; and, if the check reveals non-equal safety levels, further processing the data in a functionally safe manner based on the lower safety level.
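As an added example (not the applicant's code) of the indication-attribute check just described, the following models subsystems of different safety levels that tag their output with a "sil" attribute, and a receiving subsystem that continues at the lower of the indicated and its own level. It goes one step beyond the two-subsystem case in the text by re-tagging the data at each hop, so that the level valid at the end of a chain of several subsystems is the lowest level along the chain; the subsystem names and the rejection of data without a valid attribute are assumptions of this example.

```python
from dataclasses import dataclass, field

@dataclass
class SafeData:
    payload: bytes
    # Indication attributes travelling with the data; "sil" states the safety
    # level for which the producing subsystem vouches.
    attributes: dict = field(default_factory=dict)

class Subsystem:
    """Hypothetical subsystem complying with one safety level (1..4)."""
    def __init__(self, name: str, sil: int):
        self.name, self.sil = name, sil

    def produce(self, payload: bytes) -> SafeData:
        # Processing in the subsystem's own safe channel; tag the result with its level.
        return SafeData(payload, {"sil": self.sil})

    def effective_level(self, data: SafeData) -> int:
        attr = data.attributes.get("sil")
        if not isinstance(attr, int) or not 1 <= attr <= 4:
            # Assumption for this example: data without a valid indication
            # attribute is not accepted for safe processing at all.
            raise ValueError(f"{self.name}: missing or invalid indication attribute")
        # Equal levels: keep the level; non-equal levels: continue at the lower one.
        return min(attr, self.sil)

    def forward(self, data: SafeData) -> SafeData:
        # Re-tag with the level at which this subsystem actually processed the
        # data, so the next hop sees the level valid for the chain so far.
        return SafeData(data.payload, {"sil": self.effective_level(data)})

def level_along_chain(chain, payload: bytes) -> int:
    """Safety level valid for the data after passing every subsystem of the chain."""
    data = chain[0].produce(payload)
    for subsystem in chain[1:]:
        data = subsystem.forward(data)
    return data.attributes["sil"]

if __name__ == "__main__":
    chain = [Subsystem("sensor", 3), Subsystem("logic", 2), Subsystem("actuator", 3)]
    print(level_along_chain(chain, b"emergency-stop"))  # the SIL2 logic module caps the chain
```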
Both EP 2 359 201 and DE 10 2015 108 359 provide a central instance in the form of a safety manager or a validation device. However, this may lead to a limitation in flexibility and manageability, especially with regard to the monitoring of the safety chain of an overall safety function of a modular safety system during ongoing operation. Moreover, additional hardware complexity is required.