The present invention relates to a method and an apparatus for generating a user program for a safety controller which is designed to control an automated installation having a plurality of sensors and a plurality of actuators.
A safety controller in terms of the present invention is an apparatus or a device which picks up input signals delivered by sensors and produces output signals therefrom by virtue of logic combinations and possibly further signal or data processing steps. The output signals can then be supplied to actuators which take the input signals as a basis for effecting actions or reactions in a controlled installation.
A preferred field of application for such safety controllers is the monitoring of emergency-off pushbuttons, two-hand controllers, guard doors or light grids in the field of machine safety. Such sensors are used, for example, to safeguard a machine which represents a hazard to humans or material goods during operation. When the guard door is opened or when the emergency-off pushbutton is operated, a respective signal is produced and supplied to the safety controller as an input signal. In response thereto, the safety controller then uses an actuator, for example, to shut down the part of the machine which is presenting the hazard.
In contrast to a “normal” controller, a characteristic of a safety controller is that the safety controller always ensures a safe state for the installations or machines presenting the hazard, even if a malfunction occurs in said safety controller or in an appliance connected thereto. Extremely high demands are therefore put on safety controllers in terms of their own failsafety, which results in considerable complexity for development and manufacture.
Usually, safety controllers require particular approval from a competent supervisory authority, such as the professional associations or what is called TÜV in Germany, before they are used. In this case, the safety controller must observe prescribed safety standards as set down, by way of example, in European standard EN 954-1 or a comparable standard, such as standard IEC 61508 or standard EN ISO 13849-1. In the following, a safety controller is therefore understood to mean an apparatus or device which at least complies with safety category 3 of the aforementioned European standard EN 954-1 or Safety Integrity Level (SIL) 2 according to the aforementioned standard IEC 61508.
A programmable safety controller allows the user to define individually the logic combinations and possibly further signal or data processing steps according to his needs using a piece of software known as the user program. This results in a great deal of flexibility in comparison with earlier solutions, in which the logic combinations were produced by defined hardwiring between different safety components. By way of example, a user program can be written using a commercially available personal computer (PC) and appropriately set-up software programs.
As already mentioned, safety controllers require a particular approval from a competent supervisory authority before they are used. Such approval involves verification of the safety-related scope of the user program. The safety-related part of the user program is defined by the safety instructions required for the safety tasks which are to be accomplished by the safety controller. The handling of the safety instructions involves safety-related program variables being processed in failsafe fashion. When verification has been performed, a checksum is determined for the safety-related part of the user program, particularly for the safety-related part of the machine code, and this safety-related part is put under the seal of the checksum. Following acceptance, the supervisory authority can use the checksum to detect changes made to the safety-related part of the user program. It is thus possible to identify inadmissible manipulations concerning the safety-related part of a user program, for example.
If, following approval by the supervisory authority, changes are made to the safety-related scope of an existing user program, for example in order to optimize the application running on the controlled installation, the modified user program must be approved again by the supervisory authority. Since the safety-related scope of a user program also comprises diagnosis instructions, a new approval is also required when only such diagnosis instructions are changed. Unfortunately, it is not unusual for changes to the diagnosis instructions to be made following approval. By way of example, the knowledge that the diagnosis instructions need to be adapted is obtained only from a test mode in the installation. Since diagnosis instructions, in contrast to safety control instructions, are not relevant to safety per se, it is disadvantageous that a new approval from a supervisory authority is required even though only the diagnosis instructions have been changed after the approval has taken place. This results in increased time expenditure and additional costs. Moreover, it restricts the flexibility in the development of an installation to be controlled and hence in the generation of a user program.
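The checksum seal described above, and the consequence that a change to a diagnosis instruction lying inside the sealed scope invalidates the seal just as a change to a safety instruction does, can be illustrated with a small worked example. The code below is an added example and is not code from the patent or from any safety controller product; the program representation (named sections holding instruction lines as text), the section names `safety`, `diagnosis` and `hmi`, the sample instructions, and the use of SHA-256 as the checksum are all assumptions made here. The text speaks of a checksum over the safety-related part of the machine code; for readability the example hashes a canonical text serialisation instead.

```python
"""Sealing the safety-related scope of a user program with a checksum and
detecting later changes to it (added example; see lead-in for assumptions)."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Section:
    name: str            # hypothetical section name, e.g. "safety"
    instructions: tuple  # instruction lines (constructed sample text)


@dataclass(frozen=True)
class UserProgram:
    sections: tuple      # tuple of Section


def safety_related_scope(program: UserProgram, sealed_names: frozenset) -> bytes:
    """Serialise exactly those sections that belong to the approved scope.

    The serialisation is canonical (sections sorted by name, one instruction
    per line, explicit length prefix) so the checksum depends only on the
    instructions themselves and not on the order the sections were written in.
    """
    parts = []
    in_scope = [s for s in program.sections if s.name in sealed_names]
    for sec in sorted(in_scope, key=lambda s: s.name):
        body = "\n".join(sec.instructions).encode("utf-8")
        parts.append(sec.name.encode("utf-8") + b"\0"
                     + str(len(body)).encode("ascii") + b"\0" + body)
    return b"\n".join(parts)


def seal(program: UserProgram, sealed_names: frozenset) -> str:
    """Checksum (assumed here: SHA-256) recorded at acceptance."""
    return hashlib.sha256(safety_related_scope(program, sealed_names)).hexdigest()


def verify_seal(program: UserProgram, sealed_names: frozenset, expected: str) -> bool:
    """True if the sealed scope is unchanged since acceptance.

    Constant-time comparison, so the check itself leaks nothing about how
    far a manipulated program's checksum agrees with the approved one.
    """
    return hmac.compare_digest(seal(program, sealed_names), expected)


def replace_instruction(program: UserProgram, section_name: str,
                        old: str, new: str) -> UserProgram:
    """Return a copy of the program with one instruction line replaced."""
    sections = []
    for sec in program.sections:
        if sec.name == section_name:
            sec = Section(sec.name, tuple(new if line == old else line
                                          for line in sec.instructions))
        sections.append(sec)
    return UserProgram(tuple(sections))


# Constructed sample program (not from the patent): an emergency-off and
# guard-door monitor with diagnosis messages and a non-safety HMI part.
SAMPLE_PROGRAM = UserProgram((
    Section("safety", (
        "IF NOT estop_1 THEN k1_release := FALSE",
        "IF NOT guard_door_closed THEN k1_release := FALSE",
        "IF estop_1 AND guard_door_closed AND reset THEN k1_release := TRUE",
    )),
    Section("diagnosis", (
        "IF NOT estop_1 THEN diag_msg := 'E-stop 1 pressed'",
        "IF NOT guard_door_closed THEN diag_msg := 'Guard door open'",
    )),
    Section("hmi", (
        "lamp_green := k1_release",
    )),
))

# As the text describes, the approved scope covers the safety instructions
# and the diagnosis instructions together.
SEALED_SCOPE = frozenset({"safety", "diagnosis"})
APPROVED_CHECKSUM = seal(SAMPLE_PROGRAM, SEALED_SCOPE)


if __name__ == "__main__":
    hmi_edit = replace_instruction(SAMPLE_PROGRAM, "hmi",
                                   "lamp_green := k1_release",
                                   "lamp_green := k1_release AND NOT reset")
    diag_edit = replace_instruction(SAMPLE_PROGRAM, "diagnosis",
                                    "IF NOT guard_door_closed THEN diag_msg := 'Guard door open'",
                                    "IF NOT guard_door_closed THEN diag_msg := 'Guard door 1 open'")
    print("approved checksum:", APPROVED_CHECKSUM)
    print("HMI change keeps seal:      ", verify_seal(hmi_edit, SEALED_SCOPE, APPROVED_CHECKSUM))
    print("diagnosis change keeps seal:", verify_seal(diag_edit, SEALED_SCOPE, APPROVED_CHECKSUM))
```

Running the script shows that an edit outside the sealed scope (the HMI lamp) leaves the seal valid, while an edit to a diagnosis message text, which is not a safety control instruction, breaks the seal exactly as an edit to a safety instruction would and therefore triggers the re-approval the text describes as the problem.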