1. Field of the Invention
The invention relates to a method of transmitting data packets on a data transmission link between two communication subscribers and to an automation system having two communication subscribers which are connected via a data transmission link and which respectively have an interface unit.
2. Description of the Related Art
In automation systems for controlling machines, the assurance must be given that even if the automation system fails there is no risk to humans and the environment. Automation systems therefore normally operate on the basis of what is known as the failsafe principle, according to which the automation system changes to a safe state in the event of important components failing. Fundamental demands on the automation system when executing safety-related control functions on the basis of the failsafe principle are in this case that the process data from the machine sensors are processed in current and uncorrupted form during execution of the safety control functions and that a safe process state is always indicated to the machine actuators.
In the case of automation systems, however, the number of safety-related control functions is normally much lower than the number of non-safety-related control functions which are used for maintaining normal operation in the automation system. To ensure that the functionality of safety-related control functions is not influenced by the non-safety-related control functions in the automation system, the safety-related control functions are conventionally combined in a standalone safety program which is isolated from the non-safety-related control functions.
Complete isolation of safety-related and non-safety-related control functions is achieved if the safety program is executed on a standalone automation computer, which is often also connected to the emergency off switches, light barriers and other components ensuring machine safety by means of dedicated wiring. To reduce this additional hardware complexity through an additional automation computer in the automation system, automation systems are already known in which a safety program and a non-safety-related control program are implemented on the same hardware components by extending the non-safety-related control program by what is known as a safety layer.
Modern automation systems are normally of a decentralized design, with the process peripherals, i.e. the sensor and actuator levels, communicating with the control computers via local area networks, preferably a field bus system. For the purpose of machine control, the control computers read in the input signals for the control programs via the field bus from the process peripherals and, following real-time processing by the control computer, output the output signals to the process peripherals via the field bus. To be able to use the field bus in the automation system for simultaneously also transmitting process signals from a safety program, the field bus system is expanded by what is known as a safety layer, which reduces to an admissible minimum the probability that a fault corrupts the data transmitted between the process peripherals and the control computers without this corruption being detected, so that the field bus can also be used for transmitting safety-related data.
Such additional safety layers in field bus systems normally contain an additional address relationship between the two communication subscribers on the field bus, in order to allow a distinct association. In addition, the safety-related data packet transmitted between the communication subscribers is provided with an additional check character which is calculated from the transmitted process data and addresses, in order to be able to identify data corruption reliably. To be able to check the correct order of the safety-related process data which are to be transmitted and their prompt arrival at the communication subscribers, the safety-related data packet is also normally provided with a consecutive sequence number. In this context, the sequence number is normally taken from a prescribed numbering block which is then reset again after the complete pass.
A known automation system in which the control program and the safety program can be implemented on the same hardware components is the Simatic system from Siemens. In this case, the field bus system used is the Profibus system, which is expanded by what is known as a Profisafe protocol for transmitting safety-related data packets. However, the automation system with the safety program can be expanded only within the context of this precisely stipulated configuration and data processing environment.
In automation systems, however, the Ethernet protocol is increasingly being used besides the known proprietary field bus protocols in order to transmit process signals. The Ethernet protocol is the most widely used technology in office communication for transmitting data at high speeds in local area communication networks. On account of the advantages of the Ethernet concept when using standard hardware and software components and also the opportunity to achieve high data transmission rates with simple networking technology, Ethernet field bus systems are increasingly also being used in industrial production for data interchange between the actuator/sensor level and the control computers.
It would therefore also be desirable to be able to equip Ethernet field bus systems with a safety layer so as also to be able to execute safety programs on the Ethernet field bus besides conventional control programs. However, Ethernet networks are normally designed using “switches” in order to prevent data collisions on the network. Switches are data packet switching nodes with a plurality of inputs and outputs, where a data packet arriving at an input is switched through exclusively to the output at which the receiver station is known. However, data packet switching using switches in an Ethernet network gives rise to time delays, since the data packet received by the switch at one input is buffer-stored and only then switched through to the desired output.
The delayed forwarding of the data packets in an Ethernet equipped with switches means that, with conventional safety layers such as the Profisafe protocol, there is the risk that an incorrect process state will arise. Since the safety data packets are provided with a consecutive sequence number from a numbering block with a prescribed number of numbers, the buffer-storage of the data packets in a switch means that the sequence number can overflow, which can then result in incorrect safety data being transmitted. In the case of the Profisafe protocol, for example, the safety data packets are transmitted with an 8-bit sequence number; since 0 is an impermissible sequence number, the sequence number overflows after 255 cycles, so that a data packet in which the process data do not change recurs with the same sequence number every 255 cycles during data transmission in the automation system. As a result, an emergency off switch cannot then be identified promptly or machine protection cannot be switched off promptly, and hence it is not possible to ensure a safe process state for the machines in the automation system.
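The following Python sketch is an added illustration, not part of the patent, of the receiver-side safety-layer checks described above (address relationship, check character, consecutive sequence number) and of the wrap-around risk of an 8-bit sequence number: a switch holds a copy of one packet and re-delivers it later, and the simulation counts how often the receiver accepts that stale copy as fresh. The CRC-32 check character, the addresses, the 1..255 numbering block and the single-copy switch model are constructed assumptions, not the Profisafe format.

```python
import zlib

SEQ_MIN, SEQ_MAX = 1, 255  # 8-bit block; 0 is an impermissible sequence number


def next_seq(seq):
    """Consecutive sequence number from the block 1..255, wrapping back to 1 after 255."""
    return SEQ_MIN if seq >= SEQ_MAX else seq + 1


def check_char(src, dst, seq, data):
    """Check character over addresses, sequence number and process data (CRC-32, a constructed choice)."""
    return zlib.crc32(bytes([src, dst, seq]) + data) & 0xFFFFFFFF


def build_packet(src, dst, seq, data):
    return {"src": src, "dst": dst, "seq": seq, "data": data,
            "crc": check_char(src, dst, seq, data)}


def accept(packet, expected_src, expected_dst, expected_seq):
    """Receiver checks: address relationship, check character, then the expected consecutive number."""
    if (packet["src"], packet["dst"]) != (expected_src, expected_dst):
        return False
    if packet["crc"] != check_char(packet["src"], packet["dst"], packet["seq"], packet["data"]):
        return False
    return packet["seq"] == expected_seq


def simulate(delay_cycles, cycles=600):
    """Sender emits one packet per cycle with unchanged process data; a switch buffers a copy of
    the packet sent in cycle 10 and delivers it delay_cycles later, ahead of that cycle's fresh
    packet. Returns how many stale copies the receiver accepted as fresh (constructed scenario)."""
    src, dst = 0x11, 0x22  # constructed addresses
    seq, expected = SEQ_MIN, SEQ_MIN
    stale_accepted = 0
    held = None  # (deliver_at_cycle, buffered packet)
    for cycle in range(cycles):
        pkt = build_packet(src, dst, seq, b"\x00")
        if held is None and cycle == 10:
            held = (cycle + delay_cycles, pkt)
        if held is not None and held[0] == cycle:
            if accept(held[1], src, dst, expected):
                stale_accepted += 1  # old packet indistinguishable after a full wrap-around
                expected = next_seq(expected)
            held = None
        if accept(pkt, src, dst, expected):
            expected = next_seq(expected)
        seq = next_seq(seq)
    return stale_accepted
```

A delay of exactly one full numbering pass (255 cycles) lets the buffered copy pass every check, while shorter delays are caught by the sequence-number comparison.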