Such bus modules can be connected e.g. to an AS-i bus system in accordance with the EN 50295 standard or in accordance with the IEC 62026-2 standard which is awaiting publication. The AS-i (Actuator Sensor interface) bus system is a field bus which uses an unshielded 2-conductor flat cable for the shared transmission of electrical energy and data. The maximal cable length is approximately 100 m in this case, wherein the cable length can be extended by means of repeaters. Furthermore, any network topology of the bus system is permitted, e.g. a tree structure.
Up to 31 or 62 slaves can be connected to a master via a bus system of the above cited type. The slave establishes a data connection to a sensor or an actuator, and the master establishes a data connection to a host system which consists of e.g. an SPC (Stored Programmable Control), a PC (Personal Computer) or a coupler to a superordinate field bus system. The functionality of the slave is preferably completely integrated in the sensor or the actuator.
As part of the data transmission, a safety-relevant signal is transmitted in the form of a repeated unambiguous code sequence, wherein each signal is checked more than once for transmission errors. In the event of an error, the code sequence of the signal is automatically repeated, wherein this erroneous code sequence must then be followed by at least nine correct code sequences.
The AS-i bus system is designed in particular for binary and analog devices belonging to the underlying automation level. Such devices are e.g. components related to work safety such as emergency off switches, door contact switches, light shutters, tread mats, barriers, etc. The signals from such safety sensors are monitored by a monitor which can set the machines or installations into a safe state by means of corresponding switch outputs.
The bus modules such as slave, master, monitor or power supply can be connected at any desired position of the bus system. The bus system can be expanded, is easy to install and is considerably less expensive to purchase in comparison with more complex bus systems such as Profibus or CAN-Bus.
A bus module having the functionality of a slave can generate safety-relevant signals e.g. by means of internal operational logic. However, the signals can also be read in from a superordinate bus system or from a connected back-panel bus. Such a safety-relevant signal can be generated e.g. from an OR operation from a tread mat signal and from a light shutter signal. The signal is cyclically polled by the master and then routed to the actuator that is addressed in each case.
A safety-relevant signal is output onto the bus system as a repeated code sequence with an unambiguous encoding. If the signal is active and identified for output for an actuator, seven encodings are cyclically generated according to the above cited standards, wherein a current encoding differs from a preceding encoding. Seven 4-bit encodings are cyclically output for an actuator, wherein an encoding comprising four logical “0” values or four “1” values alone is not generated. Instead of the binary value designation “0” or “1” for a logical state, the value designation “L” or “H” is also common. On the receiver side, i.e. on the side of the actuator, this 7×4-bit code sequence is compared internally with a code sequence which is formed in the same way. In the event of an error, i.e. if a variation is detected, the actuator resets its switch output. A bus module can therefore reset the switch state of an actuator by changing or interrupting the code sequence. In the case of the present example, the safety-relevant signal is dropped e.g. if the tread mat is stepped on. The addressed actuator detects a variation between the received sequence and the internally generated comparison sequence and changes the switch state at the output accordingly. This can result in a warning light signal being switched on, for example.
In accordance with the above cited standards, eight repeated encodings are used instead of seven repeated encodings if a monitor is being addressed. In the event of an error, or if a safety-relevant signal is dropped by the bus module, the monitor changes its switch status accordingly. In this way, it is possible to disconnect e.g. the energy supply of the machine that is to be monitored or of the installation.
Until now, the output of the safety-relevant signals has been coordinated by means of a computer unit on which secure software is executed. Safety devices or safety controllers usually require a special authorization by relevant regulatory authorities before use, e.g. by the TÜV or by the trade associations in Germany. In this case, the safety device must comply with prescribed safety standards, e.g. as laid down in the European standard EN 954-1, and satisfy at least the safety category 3 of the cited European standard.
Disadvantages of this include the extremely demanding requirements relating to the internal error protection of a device and the associated time and development costs for the approval or certification of safety-related software on such a device. When developing the safety-related software, it must be ensured in particular that the output code sequence is at least changed securely in the event of any possible failure of the computer unit, such that the actuator or the monitor can detect the erroneous code sequence in the next cycle or at the latest in the cycle after that. It is therefore entirely conceivable that, if the computer unit crashes, the processor remains in a loop such that the code sequence continues to be output in a cyclical manner.
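The receiver-side comparison and the failure mode described above can be sketched as follows. This is an added example, not code from the cited standards or from this document: the code table `SAMPLE_SEQ` is constructed for illustration, the names are hypothetical, and it assumes that start-up is handled like recovery from an error and that the output is set again only after nine consecutive correct sequences.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SEQ_LEN 7        /* seven 4-bit encodings per cycle for an actuator */
#define RECOVERY_SEQS 9  /* correct sequences required after an erroneous one */

/* Constructed sample table (no 0000/1111, neighbours differ); not a real AS-i table. */
static const uint8_t SAMPLE_SEQ[SEQ_LEN] = {0x1, 0x6, 0xA, 0x3, 0xC, 0x5, 0x9};

typedef struct {
    size_t pos;            /* index of the next expected encoding */
    bool seq_ok;           /* current sequence free of mismatches so far */
    unsigned good_needed;  /* correct sequences still owed before output is set */
    bool output;           /* switch output of the actuator */
} receiver_t;

/* Assumption: start-up is treated like recovery, so the output starts reset. */
void receiver_init(receiver_t *r) { *r = (receiver_t){0, true, RECOVERY_SEQS, false}; }

/* Compare one received encoding with the internally formed comparison sequence. */
bool receiver_step(receiver_t *r, uint8_t rx) {
    if (rx != SAMPLE_SEQ[r->pos]) {     /* variation: reset the switch output */
        r->output = r->seq_ok = false;
        r->good_needed = RECOVERY_SEQS;
    }
    if (++r->pos == SEQ_LEN) {          /* one 7x4-bit sequence completed */
        if (r->seq_ok && r->good_needed > 0 && --r->good_needed == 0)
            r->output = true;
        r->pos = 0;
        r->seq_ok = true;
    }
    return r->output;
}

/* Simulate a sender that stays in step and emits count * SEQ_LEN correct encodings. */
bool feed_in_sync(receiver_t *r, unsigned count) {
    for (unsigned i = 0; i < count * SEQ_LEN; i++)
        receiver_step(r, SAMPLE_SEQ[r->pos]);
    return r->output;
}

int main(void) {
    receiver_t r;
    receiver_init(&r);
    printf("output after 9 correct sequences: %d\n", feed_in_sync(&r, 9));
    printf("output after one changed encoding: %d\n", receiver_step(&r, 0x2));
    return 0;
}
```

A sender that has crashed but keeps replaying the valid cycle is equivalent to `feed_in_sync` here: the comparison sees no variation and the output stays set, which is the failure the software on the computer unit has to rule out.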