DE102005007477A1 - Machine control with safety function - Google Patents

Abstract

The invention relates to a programmable controller for machine and / or plant automation with a standard controller with standard control functions and a safety controller with security functions based on a personal computer (PC) with a PC-CPU and a PC bus, the PC is operated with a standard operating system and wherein the standard functions are implemented on the PC or a PC module for standard control. DOLLAR A If the safety controller consists of one or more safety modules connected to the PC bus and if a safety-certified firmware is provided in the safety modules, the control thus provides a separation between the non-safety-related standard function and the safety function through modular division within of the control unit. The standard function is subject to this division no safety-related restrictions and can be correspondingly complex, for example, based on a standard PC processor and a standard operating system, realized.

Description

The The invention relates to a programmable controller for machine and / or plant automation with a standard controller with Standard control functions and a safety controller with Security functions based on a personal computer (PC) with a PC-CPU and a PC bus wherein the PC is operated with a standard operating system and wherein the standard functions are implemented on the PC or a PC plug-in module for the standard control.

The The invention further relates to a method for operating such programmable controller.

control systems based on automation and drive bus systems become today in big Number used in particular in automated manufacturing processes. In this case, for example, manufacturing machines using a or several mostly programmable controllers over the Controlled bus systems. As feedback can from the manufacturing facilities, for example, data about the respective process and machine parameters via the bus systems to the control be directed.

Become Safety-critical system components are activated, so are connected to the Control system increased Requirements regarding the fault and reliability provided. design guidelines for such Control systems are defined in standards such as EN 954 and EN 61508. It will be for the control according to the desired safety category or the desired safety integrity level activities such as two-channel redundant design, cyclic diagnostics in operation with sufficient coverage or low enough Error and probability of failure prescribed.

The Suitability and approval of a controller for carrying out safety-related Control tasks is through an appropriate certification approved. The certification effort increases with increasing complexity of the control. controls based on standard PC hardware (e.g., Pentium processor) with A standard operating system (e.g., Windows) is today due to their complexity for safety controllers considered non-certifiable.

today Approved safety controls are therefore more likely to be the single control area assigned. They are due to their safety overhead for standard tasks not economical and because of its simplicity for demanding Automation tasks less suitable. Your commitment is therefore generally limited to safety applications.

to execution Demanding automation tasks today finds a separation an arbitrarily complex standard control and the one mentioned Restricted safety-related control instead. This separation takes place in the known automation structures in Generally at the system or plant level. A disadvantage of a such separation is the use of different control devices with separate configuration, Installation and programming, the latter usually with different Programming tools.

From the DE 199 27 635 An automation system is known which has at least one bus system, connected I / O bus users and a standard control device and at least one safety analyzer, wherein the safety analyzer overhears the data flow via the bus system and is designed to perform at least safety-related functions. The standard control device controls at least one safety-related output and the safety analyzer is set up to check and / or process safety-related data in the bus data stream.

Out the cited document is still a method for operating a Automation system known in which by the standard control device the process control with the processing of process-bound I / O data and a safety-related control with the processing of safety-related data is performed and continues to be a Processing of security-related data on at least one security analyzer carried out with safety-related data in the safety analyzer, in particular safety-related linkage data in the bus data stream are processed.

there The system allows the implementation of standard functions based on a PC solution. The Separation between standard function and safety function takes place at the fieldbus level.

adversely with this automation system is that it is the use of a certain fieldbus presupposes. Refer to the safety functions only to participants of this fieldbus. The disadvantage is continue, that the system has additional components in the form of safety analyzers on the fieldbus needed must be programmed separately with a safety program.

It The object of the invention is a programmable control of the input mentioned To create kind, which economically usable both the standard functions as well as the security functions.

It Another object of the invention is to provide a method therefor.

Advantages of invention

The the task of the programmable controller the invention is achieved by that the safety controller consists of one or more safety modules connected to the PC bus and that in the security modules a safety certified Firmware is provided.

The Control according to the invention thus provides a separation between the non-safety-related Standard function and safety function through modular division within the control unit. The standard function is not subject to safety in this distribution justified Restrictions and can be correspondingly complex, based for example a standard PC processor and a standard operating system, be realized. The tasks of the security modules are limited to the safety applications of the system and are for its Requirements designed and certified. They are designed to that they are self-sufficient in the event of a fault achieve the achievement of a secure state alone. The safety-related units can monitor each other and ensure so for the entire system achieving a secured state.

Standard functions and security-related features can be so on a PC-based hardware platform to get integrated.

A essential prerequisite for the certification of the control, that the programmable controller as a feedback-free combination from standard control functions and at least one security module is executed. The reaction freedom is to be proved during the certification. She prevents that malfunction of the standard control on the safety features affect the safety control. Is the absence of feedback ensured? are for the standard function PC-based solutions up to pure software control possible on a standard PC.

A simple and variable integration of the security module in the PC hardware leaves achieve this by having at least one security module as a PC plug-in module with at least one interface to a PC bus running is. The plug-in module can be connected directly to the PC-PCI bus be adapted or it can be over a separate PCI interface be connected to the standard controller. The infrastructure of PC's, such as the power supply can be used.

In A preferred embodiment of the invention are the standard control functions in a running in the PC-CPU under control of the PC operating system Software realized and the security module has an interface to the PC bus. The connection between standard control and security module takes place via the PC-PCI bus. There are existing units of the PC such as PC-CPU, PC operating system and PC PCI bus used and it will be for the realization of the standard control functions No additional Components needed. Advantageously, the programming and configuration software as Application on the PC.

In Another embodiment of the invention is the standard control functions realized in a PC plug-in module and this PC plug-in module has an interface to connect to the safety controller on. In this structure, the PC serves as a carrier of the functional unit control (Safety and standard control) and provides the operation necessary infrastructure (power supply, operating and display function, etc.). Again, the programming and configuration software as an application on the PC. The Control function itself, represents through the user program, is running independently from the PC and its operating system on the PC plug-in module, under the control of a Runtime system and a separate real-time operating system.

A particularly variable programmable control architecture with regard to The usable interfaces provides that communication interfaces the programmable controller is part of the PC plug-in module are the standard controller and / or as additional interface modules in the form of plug-in cards are executed.

The control of system components or production equipment and machines is made possible by the fact that one or more decentralized digital and / or analog outputs can be controlled via an automation bus and / or a drive bus designed for drive communication within the programmable controller. In doing so, both are done via these interfaces The data transfer from the controller to the connected system parts as well as the declining data transfer from the system components to the controller, for example with information on process deviations to the specified values.

is the programmable controller via the automation bus and / or the drive bus connected to drives, the above The respective bus can be controlled, a large number marketable Drives can be connected to the programmable controller.

A simplified programming of standard and safety functions let yourself achieve that for a programming of standard functions and safety functions provided a uniform engineering and programming interface is. The programmer thus finds a consistent unified user interface for the configuration and programming software for the standard as well as for the security features and does not have different systems combine.

The The object relating to the method is achieved in that Safety features exclusively expire in security modules. This ensures that a clear separation of safety-related functions and standard functions possible is that a separate certification of the safety-related Assemblies possible.

A extensive use of the infrastructure of the standard PC is made possible by a non-security-related data transfer and a security-related Data transmission via the PC bus takes place, whereby the security-related data transmission over secured data packages done that untouched about the PC bus are transported and communication end users on integrity checked become.

takes in the realization of the standard control functions in the PC-CPU as well as in the form of a PC plug-in module, the standard controller a master function for the data transmission over the PC bus true, can be achieved that the standard controller the security-relevant as well as non-safety-relevant data the respectively associated Can distribute interfaces.

takes in the realization of the standard control functions in the form of PC plug-in module the security module at least temporarily the master function for the security-related data transmission over the PC bus true, can be achieved that with the PC bus of the PC plug-in module Connected security module prefers high priority data can handle without conflicting with the traffic on the PC-PCI bus get.

can the safety control directly on interfaces and / or on accessing the standard controller, security-relevant processes can be triggered without the standard control initiated a data transfer.

drawings

The Invention will be described below with reference to the figures Embodiments explained in more detail. It demonstrate:

1 a schematic representation of the basic system architecture,

2 a version with a security module on the PC-PCI bus,

3 a version with the safety module on the bus of a standard controller in the form of a PC plug-in module.

description the embodiments

1 shows an overview of the system architecture of a safety controller with a function module for safety functions. The programmable controller 1 consists of a personal computer (PC) 10 and with it via an automation bus 40 , a drive bus 50 and other non-secure communication links 60 connected external devices. The computer 10 is from a standard controller 20 and one via a PC bus 12 with its associated security control 30 built up. The standard controller 20 is about a programming 70 loaded with programs for the operating system, standard functions and also security functions. Over all system levels, a mixed operation of safe and non-safe control functions and components is provided.

The automation bus 40 connects the standard controller 20 with a decentralized standard input / output (I / O) 41 , a decentralized safety input / output (I / O) 42 and one or more drives 43 , each consisting of a drive controller 44 and an integrated security function 45 are constructed. This is ensured by the safety function 45 in the event of an error self-sufficient for achieving a safe state. The decentralized standard I / O 41 and the decentralized safety I / O 42 can process digital and analog signals. The data transmission between the security control tion 30 and the decentralized security I / O 42 is carried out via the transmission paths also used for non-secure communication, but is additionally secured by the error models known from the standards and the literature. For this purpose, methods such as the formation of checksums, numbering, time monitoring and redundancy can be used. These procedures create data packets that are transported intact via the standard components and standard channels ("gray channels"), and are protected only in the respective communication end users who check the data packets for safety integrity.

In the present embodiment are other drives 51 over the drive bus 50 with the standard controller 20 connected. Like the drives 43 assign drive controllers 52 and integrated security features 53 that provide self-sufficient for the achievement of a safe condition in case of error.

The non-secure functional units carry the standard functions out. The safety-related functional units are designed to that the standard features have no immediate impact on the Have security features. The non-secure functional units are therefore not subject to safety-related restrictions. In the development of hardware and software, therefore, no security-specific rules be applied. In particular, this has changes in these functional units no reaction on the security features.

The Safety-related functional units each have their own for the desired safety category (Cat. 3 or Cat. 4 according to EN 954-1) or the for the security integrity level (SIL2 or SIL3 according to EN 61508) normatively required architecture and security integrity. For this can dual-channel redundant design, cyclical diagnostics in operation with sufficient coverage and sufficiently low error and / or Failure probability should be provided. For these functional units is from the concept creation to decommissioning in the EN 61508 defined lifecycle and development All necessary error-prevention measures are taken.

For programming 70 the programmable controller 1 An engineering suite can be provided which also includes the programming and parameterization of the safety-related functional units. The tools provided are certified according to the desired security categories or security integrity levels. The advantage here is that the user can use a consistent programming interface for standard and safety functions.

In 2 is a version of the PC 10 shown at the standard control 20 either as a PC CPU 11 or as a PC plug-in module 21 with an interface 22 on the PC bus 12 acts. The standard controller can be used when using the PC CPU 11 be executed as pure software. The safety controller 30 is in the form of one or more security modules 31 . 32 directly with the PC bus 12 connected. The PC bus 12 can be designed as a standard PCI bus. Interface Modules 23 be from the PC CPU 11 via the PC bus 12 charged with data and queried. In this version, the PC presents 10 the infrastructure consisting of power supply, operating and display function as well as interface modules 23 for both the standard controller 20 as well as for the safety control 30 to disposal.

In 3 an embodiment is shown in which, in addition to the in 2 displayed directly with the PC bus 12 connected security control 30 another security control 30 with a PC bus 13 the standard controller implemented as a function module 20 connected is. Also in this embodiment it is ensured that in the data transfer between the on the PC bus 13 arranged safety control 30 and the decentralized safety I / O not shown here 42 and / or the drives 43 . 51 the security of data transmission is maintained.

The master functionality for data transfer via the PC bus 12 is from the standard controller 20 perceived. It initiates and monitors the data transfer and distributes the data to the interfaces 23 , For data transfer via the PC bus 13 when the PC plug-in module 21 executed standard control 20 generally also takes over the standard control 20 the master functionality. However, it is also possible that on the PC bus 13 temporarily or permanently the safety control 30 gets assigned the master functionality and directly to the interfaces 23 and on the standard controller 20 can access. Furthermore, it is conceivable that in this embodiment, the safety controller 30 owns interfaces and can operate them without the PC bus 13 to use.

1

programmable control

10

Personal computer (PC)

11

PC CPU

12

PC bus

13

PC bus

20

Standard control

21

PC plug-in module

22

interface

23

Interface Module

30

Safety control

31

security module

32

security module

40

automation bus

41

decentralized Standard I / O

42

decentralized Safety I / O

43

drive

44

drive controller

45

integrated safety function

50

drive bus

51

drive

52

drive controller

53

integrated safety function

60

communication link

70

programming

80

program the safety function and parameters

81

Diagnosis- and status data

82

control data

83

process variables

84

process data

85

dates to interfaces

Claims (14)

Programmable controller ( 1 ) for machine and / or plant automation with a standard controller ( 20 ) with standard control functions and a safety controller ( 30 ) with security functions based on a personal computer (PC) ( 10 ) with a PC-CPU ( 11 ) and a PC bus ( 12 . 13 ), whereby the PC ( 10 ) is operated with a standard operating system and the standard functions on the PC ( 10 ) or a PC plug-in module ( 21 ) for the standard control ( 20 ), characterized in that the safety controller ( 30 ) from one or more with the PC bus ( 12 . 13 ) security modules ( 31 . 32 ) and that the security modules ( 31 . 32 ) comprise security certified hardware and / or firmware. Device according to claim 1, characterized in that the programmable controller ( 1 ) as a non-reactive combination of standard control functions and at least one safety module ( 31 . 32 ) is executed. Apparatus according to claim 1 or 2, characterized in that the at least one security module ( 31 . 32 ) as a PC plug-in module with at least one interface to a PC bus ( 12 . 13 ) is executed. Device according to one of claims 1 to 3, characterized in that the standard control functions in one in the PC-CPU ( 11 ) are implemented under the control of the PC operating system software and that the security module ( 31 . 32 ) an interface to the PC bus ( 12 . 13 ) having. Device according to one of claims 1 to 3, characterized in that the standard control functions in a PC plug-in module ( 21 ) and that this PC plug-in module ( 21 ) an interface for connection to the safety controller ( 30 ) having. Device according to one of claims 1 to 5, characterized in that communication interfaces ( 22 . 23 ) of the programmable controller ( 1 ) Part of the PC plug-in module ( 21 ) of the standard controller ( 20 ) and / or as additional interface modules ( 23 ) in the form of plug-in cards are executed. Device according to one of claims 1 to 6, characterized in that one or more decentralized digital and / or analog outputs ( 41 . 42 ) via an automation bus ( 40 ) and / or a drive bus designed for drive communication ( 50 ) within the programmable controller ( 1 ) are controllable. Device according to one of claims 1 to 7, characterized in that the programmable controller ( 1 ) via the automation bus ( 40 ) and / or the drive bus ( 50 ) with drives ( 43 . 51 ), which can be controlled via the respective bus. Device according to one of claims 1 to 8, characterized that for a programming of standard functions and safety functions provided a uniform engineering and programming interface is. Method for operating a programmable controller ( 1 ) for machine and / or plant automation with a standard controller ( 20 ) with standard control functions and a safety controller ( 30 ) with security functions based on a personal computer (PC) ( 10 ) with a PC-CPU ( 11 ) and a PC bus ( 12 . 13 ), whereby the PC ( 10 ) is operated with a standard operating system and the standard control functions on the PC ( 10 ) or a plug-in module ( 21 ) for the PC ( 10 ) are realized, characterized in that security functions exclusively in security modules ( 31 . 32 ) expire. Method according to Claim 10, characterized in that a non-safety-related data transmission and a safety-related data transmission via the PC bus ( 12 . 13 ), whereby the security-related data transmission takes place via secured data packets which are not touched via the PC bus ( 12 . 13 ) and be checked for integrity by communication end users. Method according to one of claims 10 or 11, characterized in that in the realization of the standard control functions in the PC-CPU ( 11 ) as well as in the form of a PC plug-in module ( 21 ) the standard controller ( 20 ) a master function for a safety-related data transmission via the PC bus ( 12 . 13 ) perceives. Method according to one of claims 10 or 11, characterized in that in the realization of the standard control functions in the form of the PC plug-in module ( 21 ) the security module ( 31 . 32 ) at least temporarily the master function for the safety-related data transmission via the PC bus ( 13 ) perceives. Method according to one of claims 10 and 11 or 13, characterized in that the safety controller ( 30 ) directly on interfaces ( 22 . 23 . 41 . 42 ) and / or to the standard controller ( 20 ) can access.