
HK1092884B - Method and device for controlling a safety-critical process - Google Patents


Info

Publication number: HK1092884B
Authority: HK (Hong Kong)
Prior art keywords: process data, safety, control unit, unit, variably
Application number: HK06113386.9A
Other languages: Chinese (zh)
Other versions: HK1092884A1 (en)
Inventor: Dietmar Seizinger
Original Assignee: Pilz GmbH & Co.
Priority claimed from: DE10320522A (DE10320522A1, en)
Application filed by: Pilz GmbH & Co.
Publications: HK1092884A1 (en), HK1092884B (en)


Description

Method and device for controlling a safety-critical process
Technical Field
The invention relates to a method for controlling a safety-critical process, comprising the following steps:
providing a control unit for processing safety-critical process data,
providing an I/O unit connected to said control unit via a data transmission link, and
transmitting the process data from the I/O unit to the control unit, the process data being protected by diversity multiplexing (diverse multiplex transmission).
The invention also relates to an apparatus for controlling a safety-critical process, comprising a control unit for processing safety-critical process data, and further comprising an I/O unit connected to the control unit via a data transmission link, the control unit and the I/O unit being designed to transmit process data from the I/O unit to the control unit using diversity multiplexing.
Background
Such a method and a corresponding device are known from DE 19742716 A1.
Safety-critical processes in the sense of the present invention are technical sequences, relationships and/or events whose error-free operation must be ensured in order to avoid any risk to personnel or to material assets. In particular, this concerns automated operation monitoring and control in the field of machinery and plant engineering for the prevention of accidents. Typical examples are the safeguarding of press brakes, the safeguarding of automatic handling robots, or ensuring a safe state during maintenance work on technical equipment. For such processes, the European standard EN 954-1 defines safety categories 1 to 4, with 4 being the highest category. The safety-critical processes to which the present invention relates must meet at least category 3 of EN 954-1.
Controlling safety-critical processes in the sense of the present invention requires the devices and elements involved in the control to be inherently fail-safe. This means that the required safety, for example that of an operator at a machine, must be maintained even if the safety-related equipment fails or is subject to an error. For this reason, safety-related devices and equipment are often designed redundantly and, in many countries, require approval by a regulatory authority. As part of the approval process, the manufacturer of the safety-related apparatus generally has to prove the required inherent fail-safety, which is very complicated and expensive because of the large number of error cases that must be taken into account.
DE 19742716 A1, mentioned at the outset, discloses a prior-art device in which the actual control unit is connected via a so-called fieldbus to a physically remote I/O unit. The I/O unit is coupled to sensors to receive process data and to actuators to initiate control operations. Typical sensors in the field of safety technology are emergency stop switches, protective doors, two-hand switches, rotational speed sensors or light barrier arrangements. Typical actuators are contactors for deactivating a drive in the monitored installation, or solenoid valves. In this configuration the I/O units essentially serve as physically distributed signal pick-up and signal output stations, while the actual processing of the process data and the generation of control signals for the actuators takes place in a higher-level control unit. In many cases the higher-level control unit is a programmable logic controller (PLC).
In order to be able to control safety-critical processes using such a fieldbus-based system, the data transmission from the I/O unit to the control unit must be fail-safe. In particular, it must be ensured that errors in the transmitted process data and/or a fault in the remote I/O unit cannot lead to a dangerous state anywhere in the installation.
In the known system of DE 19742716 A1, this is achieved by providing "safety-related" devices both in the higher-level control unit and in the remote I/O unit. This involves, for example, a redundant design of all signal pick-up, signal processing and signal output paths. The redundant channels monitor each other and, in the event of a fault or an undefined state, transfer the installation to a safe state, for example by disconnection. In addition, the process data are transmitted to the control unit several times. In the known device this is done by transmitting the binary process data a first time unchanged, a second time in negated form, and a third time as a checksum derived from the process data. Such a differing transmission scheme is referred to as diversity.
Since in the known apparatus the safety-related devices are present in both the control unit and the remote I/O unit, the actual data transmission can take place via a single-channel fieldbus. The process data are checked for safety both by the sender and by the receiver. This approach, however, has the disadvantage that the inherent fail-safety of every remote I/O unit must be verified as part of the approval process, which is very complex and expensive.
An alternative approach is to design the remote I/O unit as "non-fail-safe" and instead to implement the data transmission link in dual-channel form, i.e., using two separate signal channels. In this case the higher-level control unit, which is fail-safe, can access the process data via both channels and perform the necessary fault checks. A disadvantage of this approach is that the entire data transmission link must be dual-channel, which means increased wiring complexity.
DE 3706325 a1 discloses an arrangement in which, in addition to the actual field bus, a remote I/O unit is connected to the superordinate control unit via a separate disconnection path. However, this document does not disclose the extent to which the transmission of the process data from the I/O unit to the controller is in a fail-safe form.
Disclosure of Invention
In view of this background, it is an object of the present invention to identify an alternative method and a corresponding device, which can be provided and implemented more cheaply given the same safety requirements.
This object is achieved by a method of the type mentioned at the outset in which the process data are encoded at least once with a variable key to generate variably coded process data, and in which the variably coded process data are transmitted to the control unit as part of the diversity multiplexing.
This object is also achieved by a device of the type mentioned at the outset in which an encoding chip is provided which is designed to encode the process data at least once with a variable key to generate variably encoded process data and in which the variably encoded process data are transmitted to the control unit as part of the diversity multiplexing.
The solution according to the invention follows the method known from DE 19742716 a1, according to which the process data are transmitted to the control unit as part of a diversity multiplex. However, according to an aspect of the invention, the diversity is now achieved by virtue of the process data being encoded at least once with a variable key. In this connection, encoding means that the process data, usually in the form of binary information, is logically combined using the variable key. Obviously, the logical combination must be reversible so that the high level control unit can retrieve redundant information from the encoded process data. For example, the logical combination may be a logical exclusive-or combination of the actual process data and the variable key. The xor combination changes each bit of the process data without losing information. Alternatively, the process data may be added to, or otherwise logically combined with, the key, in which case the logical combination may preferably affect each bit of the process data (in the case of a binary representation).
Encoding the process data to be transmitted with a variable key can produce a defined dynamic behavior, which allows the safety function to be monitored entirely within the higher-level control unit. A fail-safe design of the I/O unit, e.g., dual-channel redundancy, can therefore be dispensed with, and accordingly there is no need to verify that the I/O unit is fail-safe as part of the approval process.
On the other hand, because the diversity is now dynamic, the data transmission can continue to use a single-channel connection, which reduces the wiring complexity. Overall, the inventive device and the corresponding method can therefore be implemented more inexpensively.
All of the above objects are achieved.
In a refinement of the invention, the variable key is generated by the control unit and transmitted to the I/O unit.
Alternatively, the variable key could in principle also be generated in the I/O unit or at another location in the system. The present refinement, however, has the advantage that the control unit has central control over the variable key, so that all safety-critical functions are concentrated in the control unit. Failure considerations, safety checks and the like can therefore be concentrated on the control unit. In addition, the control unit, as the central unit, can address all I/O units independently, which makes the distribution of the variable keys simpler in this refinement.
In a further refinement, the variable key is changed for each operation of transmitting process data to the control unit.
Alternatively, the variable key need not in principle be changed for every transmission of process data. Because of its greater dynamics, however, the control unit can react more quickly to safety-critical situations, so that the preferred refinement achieves a higher level of safety. It is clear, however, that in the case of burst transmissions of process data to the control unit, all data of the burst can be encoded with a common key in this refinement, so that the data traffic on the data transmission link is kept as low as possible.
In a further refinement, the control unit reads the process data cyclically from the I/O unit.
This refinement is referred to as "polling" in the terminology of the art. As an alternative, systems known as "event-controlled" or "interrupt-controlled" exist in which process data are requested and/or transmitted only when a triggering event occurs. In the preferred refinement, however, the advantages of the invention emerge particularly clearly, since in this case the I/O unit can be designed to be technically particularly simple. In this refinement, the I/O units are of minimal material and development complexity.
In a further refinement, the process data are encoded in a separate coding chip in the I/O unit, which preferably has a hard-wired logic section.
In a preferred exemplary embodiment, the separate encoding chip may be an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit), since for a hardware-based solution the verification of fail-safety required as part of the approval process is simpler than for a software-based solution. Since the "rest" of the I/O unit can be designed largely independently of the inventive encoding, a separate encoding chip further simplifies the approval process. It also makes it easy to upgrade already existing "dumb" or non-safe I/O units to the inventive concept.
In a further refinement, the diversity multiplexing is limited to a duplex transmission of the process data, the duplex transmission comprising the variably coded process data.
In other words, the diversity multiplex now comprises only a duplex transmission of the process data, one copy of which is variably coded. The other copy is preferably transmitted unchanged, so that it is directly available in the control unit in "plain text" form. The advantage of this refinement is that the amount of data transmitted is minimized, which allows the data transmission link to have a smaller transmission capacity. In addition, the inventive device can react more rapidly in this refinement, which represents an increased level of safety. A particular aspect of this refinement compared with known safety-related systems is that it makes it possible to dispense with the generation and transmission of checksums.
In a further refinement, the I/O unit contains an actuator output and a separate test unit for the actuator output, the test results from the test unit being transmitted as process data values to the control unit.
This refinement makes advantageous use of the options provided by the present invention. While systems with "intelligent" and fail-safe I/O units are in principle capable of regularly checking their own actuator outputs for operational safety, systems with "non-intelligent" and non-fail-safe I/O units always require a test of the actuator outputs that is initiated by the higher-level control unit. This increases the bus load and makes it difficult to implement a shut-off test with only short shut-off pulses, since the signals have to pass over the data transmission link several times. The inventive solution now allows the control unit to initiate a shut-off test with a simple command and to read in the result as a process data value. A very short shut-off pulse can then be generated by the I/O unit, while the actual evaluation of the result is performed in the control unit, which greatly reduces the intelligence required in the I/O unit.
It is obvious that the features mentioned above and to be explained below can be used not only in the combinations indicated, but also in other combinations or on their own, without departing from the scope of the invention.
Drawings
Exemplary embodiments of the invention are illustrated in the accompanying drawings and explained in detail in the following description. The attached drawings are as follows:
FIG. 1 is a block diagram showing a schematic illustration of the inventive apparatus;
FIG. 2 shows a schematic illustration of an I/O cell as an input cell;
FIG. 3 shows a schematic illustration of a preferred embodiment of an I/O unit as an output unit;
FIG. 4 shows two simplified flow diagrams explaining the inventive method.
Detailed Description
In fig. 1, an exemplary embodiment of the inventive device is designated in its entirety by reference numeral 10.
The device 10 comprises a control unit 12, for example a fail-safe PLC as sold under the PSS trademark by the applicant of the present invention. However, it may also be a fail-safe microcontroller or any other type of fail-safe control unit within the meaning of the present invention (at least category 3 of EN 954-1, or comparable).
In this case, the device 10 is shown by way of example with four I/O units 14, 16, 18, 20, which are physically remote from the control unit 12 and are connected to it via a single-channel data transmission link 22. In one exemplary embodiment, the data transmission link 22 is a fieldbus. Preferably, however, the transmission link is a simple data link without any special transmission protocol for the higher layers of the OSI reference model. The I/O units 14-20 are relatively non-intelligent and non-fail-safe units (non-fail-safe in the sense that they do not by themselves meet the requirements of category 3 or 4 of EN 954-1), as explained in detail below with reference to FIGS. 2 and 3. They are used mainly for signal pick-up and output, i.e., for reading safety-critical sensors and for driving safety-critical actuators. As examples of typical applications, a protective door 24, an emergency stop switch 26, a contactor 28 for disconnecting a drive 30 in a fail-safe manner, and a light curtain 32 are shown. Thus, the I/O units 14, 16 and 20 operate as input units picking up the sensor signals, while the I/O unit 18 operates as an output unit for energizing the contactor 28. Beyond this simplified illustration, however, the I/O units 14-20 may also be combined input and output units.
The control unit 12 is itself designed with multi-channel redundancy, ensuring the required inherent fail-safety. As a simplified representation of the redundant signal processing channels, two microcontrollers 34, 36 are shown here, which can exchange data with one another via a connection 38 and thus monitor one another. The connection 38 may be implemented, for example, as a dual-port RAM, or in other ways.
Reference numeral 40 denotes a bus interface module, i.e. a communication interface used by the microcontrollers 34, 36 to access the field bus 22. The two microcontrollers 34, 36 have access to the bus interface module 40 with the same priority, which should likewise be understood as an example in this case. Alternative embodiments will be known to those skilled in the art.
According to a preferred aspect of the invention, the control unit 12 has a key generator 42, which can be implemented, for example, by suitable programming of the microcontroller 36. The key generator 42 generates variable keys that are used to encode the process data to be transmitted by the I/O units 14-20 in a manner explained below.
As illustrated here, the variable key may be generated in one channel, or two channels may be used. In a preferred exemplary embodiment, the variable key is generated on a (quasi-)random basis, which may make use of a random number generator or algorithm known per se. As an example, a four-bit binary key "0101" is shown at reference numeral 44.
To read in process data, the control unit 12 transmits the key 44 to the appropriate I/O unit (in this case, as shown by the I/O unit 20). This unit then transmits the requested process data, in particular, according to a preferred exemplary embodiment, once in "plain text" and a second time in encoded form. By way of example, FIG. 1 shows process data "1001" as indicated by reference numeral 46, and encoded process data "0101" as indicated by reference numeral 48. In this case, the process data 46 and 48 are a common part of the data telegrams sent by the I/O unit 20 to the control unit 12. Alternatively, however, the process data 46 and 48 can also be transmitted to the control unit 12 in separate data telegrams.
In the preferred exemplary embodiment shown, the process data 46 are encoded by an exclusive-or combination with the key 44, resulting in the encoded process data 48.
Reference numeral 50 indicates an additional disconnect path, which will be explained in detail in fig. 3 with respect to the output unit 18. According to a preferred exemplary embodiment, the disconnection path 50 leads in a separate line to the I/O unit 18.
Hereinafter, the same reference symbols denote the same elements as in fig. 1.
Using the example of the I/O unit 20, fig. 2 shows the basic design of a preferred input unit. The I/O unit 20 comprises a microcontroller 60 (single-channel, and thus non-fail-safe) and a separate encoding chip 62. According to a preferred exemplary embodiment, the encoding chip 62 is in the form of an FPGA or an ASIC. As an alternative, the encoding chip 62 can in principle also be a microcontroller, or can be integrated in the microcontroller 60. Reference numeral 64 indicates a plurality of signal input ports with which the I/O unit 20 picks up status signals from the connected light curtain 32. The status signals applied to the input ports 64 are provided in parallel to the microcontroller 60 and to the encoding chip 62.
In the exemplary embodiment described here, only the microcontroller 60 can access the fieldbus 22 via the bus interface module 40. For this reason, in this exemplary embodiment the microcontroller 60 picks up the key 44 transmitted by the control unit 12 and passes it to the encoding chip 62 via connection 66. The encoding chip 62 logically combines the data applied to the signal input ports 64 with the variable key 44 and makes the encoded process data available to the microcontroller 60 via connection 68. The microcontroller 60 then transmits both the process data it picked up directly and the encoded process data, as in the example shown in fig. 1 with reference numerals 46, 48. The I/O unit 20 therefore does not need a dual-channel redundant design that is inherently fail-safe.
Using the example of the I/O unit 18, fig. 3 shows a preferred design of an output unit. The I/O unit 18 also has a suitably programmed microcontroller 60 as an output unit. The microcontroller 60 is connected to the encoding chip 62 via forward and return channels 66, 68. As an alternative, the encoding chip 62 could in principle also access the fieldbus 22 itself via the bus interface module 40 or via a dedicated bus interface module (not shown).
In this case, the I/O unit 18 can be realized in a manner known per se, with two switching elements 74, 76 arranged in series so that they are redundant to one another. One connection 78 of the series circuit carries an operating voltage of, for example, 24 volts. The output of the switching elements 74, 76 is routed to an output 80, which is connected to one or more contactors 28. It is clear that the illustration is simplified and exemplary; as a variant there may be a plurality of outputs 80 which are driven via a plurality of switching elements 74, 76. When the microcontroller 60 receives a suitable switch-off command from the control unit 12 via the fieldbus 22, it opens the switching elements 74, 76.
According to a preferred exemplary embodiment, a second disconnection option is provided here by means of the disconnection path 50. In a simple implementation, the disconnection path 50 is also routed to the switching elements 74, 76 via two AND gates 82. This allows the control unit 12 to open the contactor 28 even if the microcontroller 60 in the I/O unit 18 fails.
Reference numeral 84 denotes a read-back line which is routed to the microcontroller 60 and to the encoding chip 62. It is used to monitor the state (open or closed) of the switching elements 74, 76. These states are process data values which, according to the invention, are read in by the control unit 12 once in "plain text" form and a second time in variably coded form. This is required in particular when the control unit 12 transmits a test command to the I/O unit 18, whereupon the unit briefly opens the switching elements 74, 76 and then closes them again. The result of this shut-off test is then transmitted to the control unit 12 as a process data value.
In fig. 4, the flow chart on the left shows schematically the execution sequence of the inventive method in the control unit 12, while the flow chart on the right shows the corresponding sequence in the I/O units 14-20.
In step 90, the control unit 12 outputs a control command, which is read in by the I/O units 14-20 in step 92. The control unit 12 then generates a variable (new) key using the key generator 42 in step 94, which key is communicated to the I/O units 14-20 in step 96. As indicated by reference numeral 98, the I/O unit 14-20 executes the control command received in step 92. This involves, for example, testing the switching elements 74, 76.
In step 100, the I/O unit 14-20 reads in the newly generated key and sequentially encodes the process data to be transmitted in step 102. The I/O units 14 to 20 then transmit the process data and the encoded process data in steps 104, 106, and the control unit 12 reads these data in steps 108, 110. The control unit 12 then evaluates the received process data, as shown in step 112.
The execution sequences of both flow charts are repeated cyclically, as illustrated by the arrows 114, 116. In a preferred embodiment, the control unit 12 generates and communicates to the I/O units 14-20 a constantly changing key within the cyclic sequence in which it polls them. Even if the process data from the I/O units 14-20 have not changed for a long time, which is normal for protective doors, emergency stop switches, etc., the data traffic on the fieldbus 22 changes with every polling operation, which allows the control unit 12 to recognize interruptions of the data link, "hanging" of an I/O unit in a static state, and other faults.
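As an added example (not code from the patent or from the applicant), the following Python script models the polling cycle of fig. 4 together with the XOR encoding of fig. 1: the control unit issues a key that changes every cycle, the I/O unit answers with the duplex telegram (plain plus coded process data), and the control unit checks the pair and latches a safe state on the first mismatch. A hanging I/O unit that replays its last telegram, and a link that corrupts a bit of one copy, are modelled as faults. All names, the 4-bit key width, and the sensor values are assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple

KEY_BITS = 4                 # the figure shows a 4-bit key; the width is an assumption
MASK = (1 << KEY_BITS) - 1

@dataclass(frozen=True)
class Telegram:
    """Duplex telegram: process data in plain text (46) plus the coded copy (48)."""
    plain: int
    coded: int

Link = Callable[[Telegram], Telegram]   # models the transmission path

def encode(process_data: int, key: int) -> int:
    """The reversible combination the text proposes: XOR with the variable key."""
    return (process_data ^ key) & MASK

class IoUnit:
    """Non-fail-safe input unit (fig. 2): stores the key it was sent and answers
    each poll with the plain sensor image and its coded copy."""

    def __init__(self, read_inputs: Callable[[], int]) -> None:
        self._read_inputs = read_inputs      # sensor image at the input ports
        self._key: Optional[int] = None

    def receive_key(self, key: int) -> None:
        self._key = key & MASK

    def poll(self) -> Telegram:
        if self._key is None:
            raise RuntimeError("polled before a key was received")
        data = self._read_inputs() & MASK
        return Telegram(plain=data, coded=encode(data, self._key))

class HangingIoUnit(IoUnit):
    """Fault model: the microcontroller hangs after its first answer and keeps
    replaying that telegram, ignoring every new key it is sent."""

    def __init__(self, read_inputs: Callable[[], int]) -> None:
        super().__init__(read_inputs)
        self._stuck: Optional[Telegram] = None

    def poll(self) -> Telegram:
        if self._stuck is None:
            self._stuck = super().poll()
        return self._stuck

class ControlUnit:
    """Fail-safe side (fig. 4): issues a key that changes every cycle, reads the
    duplex telegram and checks the coded copy against the plain copy under that
    key. A single mismatch latches the safe state."""

    def __init__(self, rng: Callable[[int], int] = secrets.randbits) -> None:
        self._rng = rng
        self._last_key: Optional[int] = None
        self.safe_state = False              # latched once any check fails

    def new_key(self) -> int:
        key = self._rng(KEY_BITS) & MASK
        while key == self._last_key:         # the key must really change per cycle
            key = self._rng(KEY_BITS) & MASK
        self._last_key = key
        return key

    def cycle(self, unit: IoUnit, link: Link = lambda t: t) -> Tuple[bool, Optional[int]]:
        """One polling cycle: returns (ok, data); data is None when the check fails."""
        if self.safe_state:
            return False, None
        key = self.new_key()
        unit.receive_key(key)                # steps 96 / 100
        telegram = link(unit.poll())         # steps 102-110, passing over the link
        if encode(telegram.plain, key) != telegram.coded:
            self.safe_state = True           # step 112: discard the data, go safe
            return False, None
        return True, telegram.plain

def sequence_rng(values: Sequence[int]) -> Callable[[int], int]:
    """Deterministic stand-in for secrets.randbits (tests only): cycles through values."""
    state = {"i": 0}

    def rng(_bits: int) -> int:
        value = values[state["i"] % len(values)]
        state["i"] += 1
        return value
    return rng

def flip_bit_in_coded(bit: int) -> Link:
    """Link fault model: one bit of the coded copy is corrupted in transit."""
    return lambda t: Telegram(plain=t.plain, coded=t.coded ^ (1 << bit))

def run_cycles(unit: IoUnit, n: int, rng: Callable[[int], int] = secrets.randbits,
               link: Link = lambda t: t) -> List[bool]:
    """Poll `unit` n times and return the per-cycle check results."""
    cu = ControlUnit(rng)
    return [cu.cycle(unit, link)[0] for _ in range(n)]
```

Note that the control unit only compares the two copies against each other: a fault that flips the same bit position in both copies would pass, so the strength of the scheme lies in the key changing every cycle, which exposes static faults such as a stuck link or a hanging unit, rather than in full error detection on the link.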

Claims (10)

1. A method for controlling a safety critical process, comprising the steps of:
a control unit (12) for processing safety-critical process data (46) and variably coded process data (48) is provided,
providing I/O units (14-20) connected to the control unit (12) via a data transmission link (22), and
transmitting the safety-critical process data (46) and variably coded process data (48) from the I/O units (14-20) to the control unit (12), the safety-critical process data (46) and variably coded process data (48) being protected with diversity multiplexing,
characterized in that the safety-critical process data (46) are encoded with a changing variable key (44) to generate variably encoded process data (48), wherein the variably encoded process data (48) lead to a defined dynamic behavior, and in that the variably encoded process data (48) are transmitted to the control unit (12) as part of the diversity multiplexing.
2. A method according to claim 1, characterized in that the variable key is generated by the control unit (12) and transmitted to the I/O unit (14-20).
3. A method according to claim 1 or 2, characterized by changing the variable key (44) for each transmission of the safety-critical process data (46) and variably coded process data (48) to the control unit (12).
4. The method according to claim 1 or 2, characterized in that the control unit (12) reads the safety-critical process data (46) and variably coded process data (48) cyclically from the I/O unit (14-20).
5. Method according to claim 1 or 2, characterized in that the safety-critical process data (46) is encoded in a separate encoding chip (62) in the I/O unit (14-20), which chip has a hard-wired logic section.
6. The method according to claim 1 or 2, characterized in that the diversity multiplexing is limited to a duplex transmission of the safety critical process data (46) and variably coded process data (48).
7. Method according to claim 1 or 2, characterized in that the I/O unit (14-20) comprises an actuator output (80) and a separate test unit for the actuator output (80), the test results from the test unit being transmitted as process data values (46, 48) to the control unit (12).
8. An arrangement for controlling a safety-critical process, comprising a control unit (12) for processing safety-critical process data, and an I/O unit (14-20) connected to the control unit (12) via a data transmission link (22), the control unit (12) and the I/O unit (14-20) being designed to transmit safety-critical process data (46) and variably coded process data (48) from the I/O unit (14-20) to the control unit (12) using diversity multiplexing, characterized in that an encoding chip (62) is provided which is designed to encode the safety-critical process data (46) with a variable and constantly changing key (44) to generate variably coded process data (48), wherein the variably coded process data lead to defined dynamic characteristics, and in that the variably coded process data (48) is transmitted to the control unit (12) as part of the diversity multiplexing.
9. A control unit for use in an arrangement as claimed in claim 8, having a section (34, 36, 38) for automatic safety-protected processing of safety-critical process data (46), wherein the safety-critical process data (46) are received from I/O units (14-20) located remotely from the sections (34, 36, 38) via a data transmission link (22), characterized by a key generator (42) for generating a changing variable key (44) and transmitting the key to the I/O units (14-20), and the part (34, 36, 38) of the automatic safety protection process for the safety-critical process data (46) is designed to read in and process variably coded process data (48), wherein the variably encoded process data (48) is encoded using the variable key (44).
10. An I/O unit for use in an arrangement as claimed in claim 8, having an encoding chip (62) which is designed to encode safety-critical process data (46) with a variable and constantly changing key (44) so as to generate variably encoded process data (48) with defined dynamics.
HK06113386.9A (priority date 2003-05-02, filing date 2004-04-10): Method and device for controlling a safety-critical process, HK1092884B (en)

Applications Claiming Priority (3)

Application Number | Priority Date | Filing Date | Title
DE10320522.5 | 2003-05-02 | |
DE10320522A (DE10320522A1, en) | 2003-05-02 | 2003-05-02 | Method and device for controlling a safety-critical process
PCT/EP2004/003852 (WO2004097539A1, en) | 2003-05-02 | 2004-04-10 | Method and device for controlling a safety-critical process

Publications (2)

Publication Number | Publication Date
HK1092884A1 (en) | 2007-02-16
HK1092884B (en) | 2009-08-14

